Common Encryption Types

Symmetric Encryption

  • Uses single shared key for both encryption and decryption
  • Key distribution is the primary security challenge - both parties must securely exchange the key beforehand
  • Fast processing makes it ideal for encrypting large amounts of data
  • Examples: AES (Advanced Encryption Standard), DES (Data Encryption Standard), 3DES

AES Implementation:

  • AES-128, AES-192, AES-256 (numbers indicate key length in bits)
  • Industry standard for VPNs, wireless security (WPA2/WPA3), and IPsec tunnels
  • Used in Cisco devices for encrypting management traffic and tunnel data

Asymmetric Encryption (Public Key Cryptography)

  • Uses key pair - public key (shared openly) and private key (kept secret)
  • Solves key distribution problem but requires more processing power
  • Public key encrypts, private key decrypts (confidentiality) OR private key signs, public key verifies (authentication and integrity)
  • Examples: RSA, Elliptic Curve Cryptography (ECC), Diffie-Hellman (key agreement)

RSA Key Sizes:

  • 1024-bit: Legacy, considered weak
  • 2048-bit: Current minimum standard
  • 4096-bit: High security applications

Encryption Comparison Table

Type         Key Management   Speed   Use Case                           Network Examples
Symmetric    Shared secret    Fast    Bulk data encryption               IPsec ESP, SSL/TLS data phase
Asymmetric   Key pairs        Slow    Key exchange, digital signatures   SSL/TLS handshake, SSH authentication

Hash Functions

  • One-way mathematical functions that create fixed-length output (digest) from variable input
  • Cannot be reversed - used for data integrity verification, not encryption
  • Common algorithms: MD5 (128-bit, deprecated), SHA-1 (160-bit, deprecated), SHA-2 family (SHA-256, SHA-512)
  • Network applications: Password storage, digital signatures, HMAC (Hash-based Message Authentication Code)

Digital Signatures Process

  1. Hash the original message
  2. Encrypt hash with sender’s private key (creates signature)
  3. Recipient decrypts signature with sender’s public key
  4. Compare decrypted hash with newly computed hash of received message
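
As an added example (not part of the original notes): the four steps above carried out with SHA-256 and textbook RSA on two hard-coded Mersenne primes, using only the Python standard library. The tiny key, the digest reduced modulo n and the absence of padding are simplifications for illustration; real signatures use 2048-bit or larger keys with PKCS#1 v1.5 or PSS padding.

```python
import hashlib
from math import gcd

# Toy RSA parameters: two known Mersenne primes (2^31-1 and 2^61-1) so the
# example runs offline without a prime search. A real key uses 2048+ bit
# primes; this ~92-bit modulus is for illustration only.
P = 2147483647
Q = 2305843009213693951

def make_toy_rsa_keypair(p=P, q=Q, e=65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent = modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def message_digest(message: bytes, n: int) -> int:
    """Step 1: hash the message with SHA-256. The digest is reduced mod n only
    because the toy modulus is smaller than 256 bits (not done with real keys)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Step 2: 'encrypt' the hash with the sender's private exponent d."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Steps 3-4: recover the hash with the sender's public exponent e, then
    compare it with a freshly computed hash of the message as received."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message, n)

def demo():
    """Sign a constructed message, then check an intact and a tampered copy."""
    public_key, private_key = make_toy_rsa_keypair()
    original = b"interface GigabitEthernet0/1: shutdown"  # constructed sample
    sig = sign(original, private_key)
    intact_ok = verify(original, sig, public_key)
    tampered_ok = verify(b"interface GigabitEthernet0/1: no shutdown", sig, public_key)
    return intact_ok, tampered_ok  # returns (True, False)

if __name__ == "__main__":
    print("intact verifies: %s, tampered verifies: %s" % demo())
```

Changing a single byte of the message, or a single bit of the signature, makes the recovered hash and the recomputed hash disagree, which is what the comparison in step 4 detects.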

Vocabulary

Cipher: Algorithm used for encryption/decryption
Plaintext: Original, unencrypted data
Ciphertext: Encrypted data output
Key Space: Total number of possible keys (a larger key space makes brute-force search harder)
Salt: Random data added to passwords before hashing to prevent rainbow table attacks
HMAC: Hash-based Message Authentication Code - combines hashing with secret key for integrity and authentication


Notes

Practical Implementation

  • Modern networks use hybrid approach: asymmetric encryption for initial key exchange, then symmetric for actual data transfer
  • SSH uses this model - RSA/ECDSA for authentication, AES for session encryption
  • Certificate authorities (CAs) use asymmetric encryption to sign digital certificates

Performance Considerations

  • Symmetric encryption is roughly 1000x faster than asymmetric
  • Hardware acceleration available on enterprise routers/switches for crypto operations
  • Consider CPU impact when enabling encryption on high-throughput links

Security Best Practices

  • Never use deprecated algorithms (DES, MD5, SHA-1) in production
  • Key rotation policies essential for long-term security
  • Perfect Forward Secrecy (PFS) ensures session keys aren’t compromised if long-term keys are stolen