I am confused about these terms and what method or algorithm they use to achieve that. From what I learned, there are two ways for data encryption: symmetric key and public key; and message integration is done by using a hash algorithm; and authentication methods include public key, pre-shared key, etc. However, what's the relationship between these three, or can someone use an example to explain them? I am really confused about these three terms. Thanks!
This is more a general cryptography question than an IPSec question, so I've answered for the general case:
Cryptography is usually used to provide three main properties: authentication, obfuscation (encryption), and data integrity (what I think you mean by "message integration").
To understand what these properties are, why we would want them, how cryptography provides them, and how they relate to one another, consider the following example:
Alice is a broker at a trading firm, and wants to send one of her traders, Bob, an order to buy a certain quantity of a certain stock. Alice is a careful broker, and she has a few concerns:
- She needs to make sure that Bob gets the right message; if he buys the wrong quantity, or the wrong stock, or something else altogether, Alice loses a lot of money.
- She needs to make sure that Bob knows the message is from her, and only her. Bob won't make a trade unless Alice tells him to, but he needs a way to make sure that it really is Alice making the order.
- She needs to make sure that no one else finds out about the trade order before it's made, or else another broker will beat her to the punch.
With judicious application of cryptography, we can alleviate all three of Alice's concerns. To summarize, we need to make sure that Bob gets the right message; that Bob can validate that Alice sent the order; and that only Bob can read the order. Let's deal with these one at a time.
- To make sure that Bob gets the right order, he needs some way of validating that the message he received is in fact the message Alice intended to send. A (relatively) simple way to do this is for Alice to transmit a hash of her message along with said message. A hash of a message is the output of what's called a hash function, with the message as its input. Hash functions have a wide variety of useful properties, but we'll focus on one: change multiplication. That is, changing even one bit in the input will yield a vastly different output; the change "multiplies" from a single swapped bit to a massive divergence. Therefore, when Alice sends Bob the message and its hash, Bob can re-compute the hash of the message he has and compare it against the one Alice sent him. If they match, then he has the right message. However, if even one bit was flipped in the message he received, he will compute a massively different hash, and be able to tell that something caused him to get the wrong message. This is how we can use cryptography (hash functions) to ensure data integrity.
- We need to make sure that Bob knows the message came from Alice. It's relatively easy to spoof IP or email addresses, so we need something more complex than just looking at the "From:" field; we need cryptography! We need to have Alice do something to the message she sends that only Alice could do, and in such a way that Bob can easily verify. The tool we most often use for this is asymmetric cryptography. In an asymmetric cryptographic system, Alice has two keys that she can use to encrypt data. Encryption is simply using a key and an algorithm to transform data into another form, such that the transformation can be reversed (decryption) later. In a traditional (symmetric) cryptographic system, the same key is used to both encrypt and decrypt data. What makes an asymmetric cryptographic system so awesome, however, is that with the two keys Alice has, A and B, anything encrypted using A can only be decrypted using B, and anything encrypted using B can only be decrypted using A. In addition, B can only decrypt messages encrypted using A, and A can only decrypt messages encrypted using B. Therefore, if you receive a message and are able to decrypt it using B, you know that the sender encrypted it using A. So Alice can keep A private (her "private key") and publish B on the internet for anyone to find. Then, when she sends a message to Bob, she encrypts it using A (in most modern cryptosystems, she would actually encrypt a hash of the message with A, and attach it to the plaintext message; this is called a signature). Bob can then go online, fetch B, and try to use it to decrypt the message he thinks he got from Alice; if it works, then he knows that she sent it, because only Alice has access to A. This is how we use cryptography (asymmetric cryptography) to provide authentication.
- We still need to secure this message from prying eyes. One simple way to do this (and one most commonly used today) would be for Bob to generate his own pair of asymmetric keys, X and Y, and publish Y on the internet. Then, when she sends the message, Alice can fetch Y and use it to encrypt her order. Since Bob is the only one with access to X, he is the only one who can decrypt the message. Another simple method would be to use a symmetric cryptographic system, where the same key can be used to both encrypt and decrypt data. Then, so long as Alice and Bob both know the key, and no one else does, they can use their shared key to secure their communications. This is how we can use cryptography (asymmetric and symmetric cryptographic systems) to provide message obfuscation.
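As an added illustration of the three properties in the answer above (this is example code, not part of the question or the answer), the following Python sketch walks Alice's order through all three steps: SHA-256 for integrity, Alice's private key A for the signature, and Bob's public key Y for confidentiality. The RSA here is deliberately textbook-sized with constructed primes (no padding, one byte per block, hash reduced mod n), and the key names, primes and order text are constructed for the scenario; real systems use large keys, padding schemes and hybrid encryption.

```python
import hashlib

# Toy RSA: constructed ~20-bit primes so the arithmetic is visible. Real keys are
# 2048 bits or more and use padding (OAEP/PSS); this only shows the key relationship.
def toy_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)        # (public key, private key)

def apply_key(key, m):
    """Raise m to the key's exponent mod n: what one key does, the other undoes."""
    k, n = key
    return pow(m, k, n)

# Integrity: Alice sends the hash; Bob recomputes it and compares.
def digest(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()

def integrity_ok(msg: bytes, sent_digest: bytes) -> bool:
    return digest(msg) == sent_digest          # one flipped bit changes the whole hash

# Authentication: Alice "encrypts" the hash with private key A; Bob checks with B.
def sign(priv, msg: bytes) -> int:
    h = int.from_bytes(digest(msg), "big") % priv[1]   # reduced mod n: toy-sized only
    return apply_key(priv, h)

def verify(pub, msg: bytes, sig: int) -> bool:
    return apply_key(pub, sig) == int.from_bytes(digest(msg), "big") % pub[1]

# Confidentiality: Alice encrypts with Bob's public key Y; only private key X undoes it.
def encrypt(pub, msg: bytes) -> list:
    return [apply_key(pub, b) for b in msg]    # one byte per block, no padding: toy only

def decrypt(priv, blocks: list) -> list:
    return [apply_key(priv, c) for c in blocks]

def run_scenario() -> dict:
    alice_pub, alice_priv = toy_keypair(1009, 1013)      # B, A
    bob_pub, bob_priv = toy_keypair(1031, 1033)          # Y, X
    rival_pub, rival_priv = toy_keypair(1039, 1049)      # another broker's keys
    order = b"BUY 100 ACME"                              # constructed order text
    # What travels on the wire: ciphertext for Bob, the hash, and Alice's signature.
    ct, h, sig = encrypt(bob_pub, order), digest(order), sign(alice_priv, order)
    plain = bytes(decrypt(bob_priv, ct))
    tampered = bytes([plain[0] ^ 0x01]) + plain[1:]      # a single flipped bit
    return {
        "bob_reads": plain,
        "integrity": integrity_ok(plain, h),
        "integrity_after_flip": integrity_ok(tampered, h),
        "authentic": verify(alice_pub, plain, sig),
        "forged": verify(alice_pub, plain, sign(rival_priv, plain)),
        "rival_reads": decrypt(rival_priv, ct) == list(order),
    }
```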