Chapter 11 IPsec VPN for FortiOS 5.0 : IPsec VPN concepts : Encryption
Encryption
Encryption mathematically transforms data to appear as meaningless random numbers. The original data is called plaintext and the encrypted data is called ciphertext. The opposite process, called decryption, performs the inverse operation to recover the original plaintext from the ciphertext.
The procedure by which plaintext is transformed to ciphertext and back again is called an algorithm. All algorithms use a small piece of information, a key, in the arithmetic process of converting plaintext to ciphertext, or vice versa. IPsec uses symmetric algorithms, in which the same key is used both to encrypt and to decrypt the data.
The security of an encryption algorithm is determined by the length of the key that it uses. FortiGate IPsec VPNs offer the following encryption algorithms, in descending order of security:
AES256: A 128-bit block algorithm that uses a 256-bit key.
AES192: A 128-bit block algorithm that uses a 192-bit key.
AES128: A 128-bit block algorithm that uses a 128-bit key.
3DES: Triple-DES, in which plaintext is DES-encrypted three times by three keys.
DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
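As an added illustration of the two points above (it is not Fortinet's code and does not come from the FortiOS handbook), the following Go program uses only the standard library to build each listed cipher from a key of the stated length, report the block size that the key length does not change, and show that the same key both encrypts and decrypts while any other key fails to recover the plaintext. The algorithm labels "aes", "3des" and "des", the function names, and the sample key and message are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newBlock builds a block cipher for one of the algorithms in the list above.
// Key lengths follow the list: AES takes a 16-, 24- or 32-byte key (AES128/192/256);
// 3DES takes three 8-byte DES keys concatenated (24 bytes); DES takes one 8-byte
// key (64 bits, of which 56 are key material and 8 are parity bits).
// The labels "aes", "3des" and "des" are this example's own names, not FortiOS proposal names.
func newBlock(algo string, key []byte) (cipher.Block, error) {
	switch algo {
	case "aes":
		return aes.NewCipher(key)
	case "3des":
		return des.NewTripleDESCipher(key)
	case "des":
		return des.NewCipher(key)
	}
	return nil, fmt.Errorf("unknown algorithm %q", algo)
}

// BlockSizeBits reports the block size the cipher works on, which is fixed by the
// algorithm (128 bits for every AES key length, 64 bits for DES and 3DES).
func BlockSizeBits(algo string, key []byte) (int, error) {
	b, err := newBlock(algo, key)
	if err != nil {
		return 0, err
	}
	return b.BlockSize() * 8, nil
}

// Block ciphers only process whole blocks, so the plaintext is padded (PKCS#7)
// to a multiple of the block size before CBC encryption and unpadded afterwards.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, c := range data[len(data)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// Encrypt turns plaintext into ciphertext in CBC mode, with a random IV
// prepended to the output. Only the same key can reverse it.
func Encrypt(algo string, key, plaintext []byte) ([]byte, error) {
	b, err := newBlock(algo, key)
	if err != nil {
		return nil, err
	}
	bs := b.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(b, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

// Decrypt is the inverse operation: the plaintext comes back only with the
// key that was used to encrypt; a different key yields garbage or a padding error.
func Decrypt(algo string, key, ciphertext []byte) ([]byte, error) {
	b, err := newBlock(algo, key)
	if err != nil {
		return nil, err
	}
	bs := b.BlockSize()
	if len(ciphertext) < 2*bs || len(ciphertext)%bs != 0 {
		return nil, errors.New("ciphertext too short or not block-aligned")
	}
	iv, body := ciphertext[:bs], ciphertext[bs:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(b, iv).CryptBlocks(plain, body)
	return pkcs7Unpad(plain, bs)
}

func main() {
	// Constructed sample key and message for demonstration only (not real credentials).
	key := bytes.Repeat([]byte{0x42}, 32) // 32 bytes = 256-bit key, i.e. AES256
	msg := []byte("IPsec tunnel payload")
	ct, _ := Encrypt("aes", key, msg)
	pt, _ := Decrypt("aes", key, ct)
	bits, _ := BlockSizeBits("aes", key)
	fmt.Printf("AES256: block %d bits, ciphertext %d bytes, round trip ok: %v\n",
		bits, len(ct), bytes.Equal(pt, msg))
}
```

Passing a 10-byte key to the AES constructor is rejected, which matches the list: the key length selects AES128, AES192 or AES256, and nothing else is accepted.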
The default encryption algorithms provided on FortiGate units make recovery of encrypted data almost impossible without the proper encryption keys.
There is a human factor in the security of encryption. The key must be kept secret, known only to the sender and receiver of the messages. Also, the key must not be something that unauthorized parties might easily guess, such as the sender's name, a birthday, or a simple sequence such as 123456.