Communication Security: Remote Access and Messaging • Chapter 3 133
Although public key cryptography ("User A" generates a random number and
encrypts it with "User B's" public key, and User B decrypts it with their private key
[described in Chapter 10]) can be used for authentication in IPSec, this challenge-response form of it does not offer nonrepudiation: either party could have produced the exchange, so neither can later be held to it.
The most important factor to consider when choosing an authentication method is
that both parties must agree on the method chosen. IPSec uses an SA to describe how
the parties will use AH and Encapsulating Security Payload (ESP) to communicate. The SA
can be established through manual intervention or by using the Internet Security
Association and Key Management Protocol (ISAKMP). The Diffie-Hellman key
exchange protocol, described in detail in Chapter 9, is used to derive the shared secret keys securely over an untrusted network; a pre-shared key, by contrast, is configured on both peers in advance and is used only to authenticate that exchange.
ISAKMP
The advantage of using IKE (which is built on the ISAKMP framework) over the manual method is that the SA can be established when needed, and can be set to expire after a certain amount of time or traffic volume, after which fresh keys are negotiated. RFC 2408 describes ISAKMP as a framework for establishing, negotiating, modifying, and deleting SAs between two parties. By centralizing the management of SAs, ISAKMP reduces the amount of duplicated functionality within each security protocol. ISAKMP also reduces the amount of time required for communications setup, by negotiating all of the services at once.
TEST DAY TIP
For the Security+ exam remember the three Is: IPSec, IKE, and ISAKMP.
Head of the Class…
Deciding on Encryption and Authentication Methods
As mentioned earlier, IPSec is a general framework for secure communications. It does not require a particular encryption or authentication method to function. Some of the more common authentication hashes are Message Digest 5 (MD5) and Secure Hash Algorithm (SHA); in IPSec they are used inside a Hashed Message Authentication Code (HMAC), which keys the hash with a secret shared by the two peers so that only they can produce a valid integrity check. Likewise, some of the more common encryption methods include Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES). (These algorithms will be discussed further in Chapter 9.) Note that MD5 and DES are considered broken and 3DES is deprecated; current deployments pair AES with HMAC-SHA2. When the parties decide on the type of authentication and encryption to be used, they establish an SA between them. Without an SA, communications cannot be established.
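The pieces this page describes (both peers agreeing on a transform, Diffie-Hellman producing a shared secret that is never sent on the wire, keyed HMAC derivation, and an SA that expires after a set lifetime) put together as one runnable sketch. This is an added example, not code from the study guide or from any IPSec implementation: the (hash, cipher) transform tuples, the 16-byte nonces, the `auth`/`enc` labels and the simplified SKEYID derivation are illustrative assumptions, and the embedded group is the 1024-bit RFC 2409 group 2 prime, used only because it is short enough to transcribe; it is too weak for real use today and group 14 or larger should be substituted.

```python
"""IPSec-style SA setup in miniature: agree on a transform, derive shared keys
with Diffie-Hellman, give the SA a lifetime. Added illustration, not code
from the study guide or any IPSec stack."""
import hmac
import secrets

# RFC 2409 "group 2" (1024-bit MODP, generator 2), the original IKE default.
# Too small for new deployments; RFC 3526 group 14 or larger is the minimum
# today. Embedded only because it is short.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to check that the embedded group is a safe prime."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# A MODP group prime must be a safe prime: p and (p-1)/2 both prime.
if not (is_probable_prime(P) and is_probable_prime((P - 1) // 2)):
    raise ValueError("embedded DH group failed validation")


def negotiate(initiator_proposals, responder_accepts):
    """IKE-style transform selection: the initiator lists (hash, cipher) pairs
    in preference order; the responder takes the first it also supports.
    None means no agreement, so no SA and no traffic."""
    for transform in initiator_proposals:
        if transform in responder_accepts:
            return transform
    return None


class Party:
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1  # private exponent, kept secret
        self.public = pow(G, self.x, P)        # g^x mod p, sent in the clear

    def shared_secret(self, peer_public):
        # 0, 1 and p-1 would force the secret into a trivial subgroup.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid DH public value")
        return pow(peer_public, self.x, P)     # g^xy mod p, never sent


def derive_keys(shared_secret, nonce_i, nonce_r, hash_name):
    """Simplified SKEYID derivation, RFC 2409 signature-mode form
    SKEYID = prf(Ni | Nr, g^xy); real IKE also mixes in cookies and SPIs."""
    g_xy = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    skeyid = hmac.new(nonce_i + nonce_r, g_xy, hash_name).digest()
    auth_key = hmac.new(skeyid, b"auth", hash_name).digest()   # label: assumption
    enc_key = hmac.new(skeyid, b"enc", hash_name).digest()     # label: assumption
    return auth_key, enc_key


class SecurityAssociation:
    """What both peers agreed on, plus the time after which it expires."""
    def __init__(self, transform, auth_key, enc_key, lifetime_s, now):
        self.transform = transform
        self.auth_key = auth_key
        self.enc_key = enc_key
        self.expires_at = now + lifetime_s

    def is_valid(self, now):
        return now < self.expires_at


def establish_sa(initiator_proposals, responder_accepts, lifetime_s, now):
    """Run the exchange between two local peers; None if they cannot agree."""
    transform = negotiate(initiator_proposals, responder_accepts)
    if transform is None:
        return None
    hash_name = transform[0]
    a, b = Party(), Party()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    keys_a = derive_keys(a.shared_secret(b.public), nonce_i, nonce_r, hash_name)
    keys_b = derive_keys(b.shared_secret(a.public), nonce_i, nonce_r, hash_name)
    if keys_a != keys_b:
        raise RuntimeError("peers derived different keys")
    return SecurityAssociation(transform, keys_a[0], keys_a[1], lifetime_s, now)
```

Calling `establish_sa([("sha256", "aes"), ("sha1", "3des")], {("sha1", "3des")}, 60, now=0.0)` yields an SA on the one transform both sides support, valid until `now + 60`; with no common transform the function returns `None`, which is the "without an SA, communications cannot be established" rule in code. The `now` parameter is explicit rather than read from the clock so expiry can be exercised deterministically.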