CISSP考试指南笔记：4.14 网络加密

Link Encryption vs. End-to-End Encryption

---

Link encryption encrypts all the data along a specific communication path, as in a satellite link, T3 line, or telephone circuit. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. The only traffic not encrypted in this technology is the data link control messaging information, which includes instructions and parameters that the different link devices use to synchronize communication methods. Link encryption provides protection against packet sniffers and eavesdroppers.

In end-to-end encryption, the headers, addresses, routing information, and trailer information are not encrypted, enabling attackers to learn more about a captured packet and where it is headed.

• End-to-end encryption happens within the applications.

• TLS encryption takes place at the session layer.

• PPTP encryption takes place at the data link layer.

• Link encryption takes place at the data link and physical layers.

Advantages of end-to-end encryption include the following:

• It provides more flexibility to the user in choosing what gets encrypted and how.

• Higher granularity of functionality is available because each application or user can choose specific configurations.

• Each hop device on the network does not need to have a key to decrypt each packet.

Disadvantages of end-to-end encryption include the following:

• Headers, addresses, and routing information are not encrypted, and therefore not protected.

Advantages of link encryption include the following:

• All data is encrypted, including headers, addresses, and routing information.

• Users do not need to do anything to initiate it. It works at a lower layer in the OSI model.

Disadvantages of link encryption include the following:

• Key distribution and management are more complex because each hop device must receive a key, and when the keys change, each must be updated.

• Packets are decrypted at each hop; thus, more points of vulnerability exist.

E-mail Encryption Standards

---

Multipurpose  Internet Mail Extensions

Multipurpose Internet Mail Extensions (MIME) is a technical specification indicating how multimedia data and e-mail binary attachments are to be transferred.

Secure MIME (S/MIME) is a standard for encrypting and digitally signing e-mail and for providing secure data transmissions.

Pretty Good Privacy

Pretty Good Privacy (PGP) was designed by Phil Zimmerman as a freeware e-mail security program and was released in 1991.

PGP does not use a hierarchy of CAs, or any type of formal trust certificates, but instead relies on a “web of trust” in its key management approach. Each user generates and distributes his or her public key, and users sign each other’s public keys, which creates a community of users who trust each other.

Each user keeps in a file, referred to as a key ring, a collection of public keys he has received from other users. Each key in that ring has a parameter that indicates the level of trust assigned to that user and the validity of that particular key.

There is also a field indicating who can sign other keys within Steve’s realm of trust.

 

剩余内容请看本人公众号debugeeker, 链接为CISSP考试指南笔记：4.14 网络加密