Internet Protocol Security |
IPSec implements public key cryptography methods for authentication (certificate signing), and key exchange (the Diffie-Hellman algorithm). Public key cryptography has all the capabilities of secret key cryptography, but is generally more secure because it requires two keys—one for signing and encrypting the data, and one for verifying the signature and decrypting the data. This is often referred to as asymmetric cryptography, which simply means that two keys are required for the process.
Each user has a private key that is known only to that person, and a public key that is widely distributed. For example, if Alice wants to send a secured message to Bob, she uses Bob's public key to encrypt the message. Only Bob can decrypt the message because that requires his private key. Although the keys in the pair are related, it is mathematically infeasible to generate one key using the other key. This is why the public key can be widely distributed. The private key, often referred to as the secret key, must remain closely guarded.