Written by: Henry Fong (9712925)
Date: 26 March 2001
This report describes the technology aspects of a VPN (Virtual Private Network) implementation named PGPnet developed by Network Associates Inc. and included in the freely distributed PGP package. This software product is based on two major VPN technologies: IPSec and IETF IKE. These two technologies are briefly discussed in this report. To make this PGPnet unique, public key encryption technology is integrated into this product. This report also investigates the benefits and negative effects of using VPN products like PGPnet.
When there is more and more information being transmitted through the Internet, it is vital to have a way to protect the information. Virtual private network is a relatively new technology to make this possible. According to Webopedia, “VPN uses encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.”
PGPnet is one of the implementations of VPN software. It integrates PGP technology into the product to enhance the security level. In the following sections, the details of PGPnet will be discussed. However, it is necessary to define some technical terms being used throughout the document.
· Security Association (SA) – It contains the information necessary for establishing a secure connection between two specific individuals (it could be router, gateway, terminal etc.). For example, it contains type of encryption, duration of a connection etc)
· Secure Host – It is a host which has IPSec-compliant client software running supporting peer-to-peer connection
· Secure Gateway – It refers to a gateway which has IPSec-compliant software running which supports tunneling
In this section, the underlying technologies being used by PGPnet are briefly discussed. Each technology itself could be a separate report topic so the details are skipped. For detail information of them please refer to the given sources.
IPSec is an open standard developed by the Internet Engineering Task Force to define a way to enable VPN-like services. IPSec acts as a network layer, protecting and authenticating the IP packets between IPSec devices (e.g. hosts).
IPSec optimally provides the following services:
§ Data Confidentiality – Data sender can encrypts the packets before sending to the receiver
§ Date Integrity – Receiver can authenticates the incoming packets to ensure that the data has not been altered
§ Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
§ Anti-Replay—The IPSec receiver can detect and reject replayed packets.
IPSec supports two transfer modes: transport mode and tunnel mode.
In transport mode, the packets are encrypted before sent. The participating secure hosts shared a single key for encryption/decryption. However, in tunnel mode, the packets are encrypted and encapsulated in another packet. To transfer data in tunnel mode, secured gateway is required.
Although there are two different security protocol used in IPSec (Authentication Header (AH) and Encapsulation Security Payload (ESP)), they are not discussed in this document because of their complexities.
Internet Key Exchange (IKE)
§ ISAKMP defines the management of security associations and keys and the payloads for exchanging key generation and authentication data
§ Oakley is used with ISAKMP to update keying material for SA
IKE is used with IPSec in order to provide a complete set of services. When establishing a secure connection, it is necessary to exchange a secret key (if encryption is applied) between the two individuals. Since the key should only be known by those two individual, there should be a mechanism to exchange the key. PGPnet employs IKE to exchange key, which is most VPN implementations use.
Since completely explaining IKE involves another great amount of information, only one interesting topic is discussed under this section. This is Perfect Forward Secrecy.
PFS is only configurable option related to IKE in PGPnet. PFS means that compromise of a single key only permit data access by that single key. It actually means no key should be generated based on another key. It reduces the information compromised when a key is compromised.
PGPnet’s advantage over other VPN products: PGP extension
PGPnet is unique VPN software because it has PGP extension. It means that PGP encryption is supported. The extension introduces the following advantages:
§ Easy Key Exchange – Instead of exchanging a secret key, a public key is exchanged when establishing connection. It eliminates the problem of compromising the secret key during key exchange
§ Easier Key Management – Since the key pair used for establishing secure connection can be reused for other purposes (e.g. email, ssh), the VPN client does not have to manage different keys for different connections
Nevertheless, using PGP in PGPnet also introduces the some general PGP problems:
§ Ambiguous Identity – It is difficult to tell if the name of key holder is really the person that you want to communicate with.
§ Overhead – It takes more time to do encryption or decryption with PGP
Other aspects of PGPnet
Currently PGPnet is only distributed with Windows version of PGP distribution (ver. 6.5.8+). This restriction greatly reduces the usability of PGPnet. Since a lot of gateways are not using Windows operating system which reduces the possibility of using tunnel mode (which is superior over transport mode). Moreover, most IPSec-compliant router does not support PGP encryption; this limits the popularity of PGPnet.
On the other hand, although the interface is user-friendly, it is not easy to setup and use PGPnet. User is assumed to have basic knowledge of PGP tools and VPNs. But it is actually the case for most VPN software. However, it is reasonable for a system administrator to use the PGPnet, though.
In conclusion, PGPnet is a great VPN software for a small network using Windows. PGPnet is free for non-commercial use, which is a good choice for home networking where security is a concern. Despite the fact that it is not for novice user, the user interface is the best over the same class of products. It supports most common encryption algorithms with the widely used base technology (IPSec, IKE). It is doubtlessly a good choice to use PGPnet on company subnet as a first step to implement VPNs on the corporate networks.
 Network Associates Incorporation is a company specialized in development of anti-virus and network security software (http://www.nai.com)
 PGP Freeware User Guide version 6.5
Mitul Tiwari, IP Based Virtual Private Network, http://www.cse.iitb.ernet.in:8000/proxy/everest/~mits/report/report.html
 The Internet Engineering Task Force is a self-organized group of people who make technical and other contributions to the Internet and its technologies (http://www.ietf.org)
 Mitul Tiwari, IP Based Virtual Private Network, http://www.cse.iitb.ernet.in:8000/proxy/everest/~mits/report/report.html;
Harkins, Carrels, RFC2409, http://www.ietf.org/rfc/rfc2409.txt
 Maughan, Schertler, Schneider, Turner, Internet Security Association and Key Management Protocol - RFC2408, http://www.faqs.org/rfcs/rfc2408.html
 H. Orman, RFC2412, http://www.faqs.org/rfcs/rfc2412.html