IPSec vs OpenSSL vs PGP [closed]

Published 2019-05-22 19:40

Question:

IPSec is employed at the IP level, SSL at the transport level and PGP at the application level. In some lecture notes it says:

IPSEC: Most general solution but least flexible
SSL: Still very general and some flexibility
PGP: Least general but very flexible

I guess the general refers to what kind of protocol I can secure. With IPSEC I can secure everything that uses TCP or UDP. PGP is the least general because it just encrypts emails and is therefore very specific. Is that understanding right?

However, I have no idea what the flexibility refers to in this context; does anyone have an idea? Does this have to do with extensibility?

Thanks

Answer 1:

IPSEC: It's an Internet layer protocol, which means anything that runs above the IP layer, such as TCP or UDP for example, or any other newer protocol, will be encrypted by IPSEC. However, it is a protocol for encryption/authentication of the packets/protocol above it and only this, thus it's less flexible in SOME sense compared to the other two, but it's still fairly flexible if you need network encryption.

SSL: Is another encryption protocol, similar (I guess) to IPSEC; however, it operates at a higher layer than IPSEC. Basically it operates on the Application layer, which means it is a protocol that runs on top of TCP, UDP, etc...

Now one problem with IPSEC is that it's flexible in some respect in that it's lower in the network layers; however, this also poses a problem in that devices need to support the IPSEC protocol itself, and often cheap consumer routers don't. So in a sense SSL would be more flexible than IPSEC because it operates on a higher layer.

PGP: Is a completely different domain from SSL/IPSEC, because SSL/IPSEC restrict themselves to network encryption; they don't deal with encryption of files or any other data. All they deal with is the encryption of "bytes" that are going over the network, and once the other end has read in the bytes, it's going to be sitting there unencrypted.

Now PGP is an application/standard that you can use to encrypt files with your destination's public key, and then only the destination's private key can decrypt the file. Anyway, you can encrypt a file, email, or whatsoever, then transport it over the network to the destination, and it would achieve the same thing. But on the other hand you can also store the file on disk encrypted, or copy it to an external hard drive for example, and walk down the hallway and give it to your destination.

So in summary IPSEC/SSL are somewhat roughly equivalent, they run on different network layers, and PGP is an entirely different domain from IPSEC/SSL but you can still use PGP to encrypt some piece of data and then transfer it over the network.

So really, the flexibility, especially in the PGP context, is that you can use it for other things such as storing encrypted files on disk, or you can use your private key to sign some piece of documentation/file and anyone can use your public key to prove that it came from you.
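As an added illustration (not part of the question or either answer) of what "general" means in the question and of the "bytes on the wire" point above: a constructed IPv4+TCP packet carrying an email-like message, with a model of which bytes each mechanism hides from an on-path observer. The layout is a simplification (IPsec modelled as ESP tunnel mode, SSL/TLS as the record layer over TCP, PGP as encrypting only the message body) and all addresses and header values are made up.

```python
import struct

IP_LEN, TCP_LEN = 20, 20

def build_packet():
    """Constructed sample: minimal IPv4 header + TCP header + an SMTP-style message."""
    src, dst = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7])   # made-up addresses
    app = (b"From: alice@example.org\r\nTo: bob@example.net\r\n"
           b"Subject: quarterly numbers\r\n\r\nBODY: the secret figures")
    # src port, dst port (25 = SMTP), seq, ack, data offset, flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 25, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = IP_LEN + len(tcp) + len(app)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (6 = TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, src, dst)
    return ip + tcp + app

def protected_span(mechanism, packet):
    """Byte range [start, end) that the mechanism encrypts, per the model above."""
    body_off = packet.index(b"\r\n\r\n") + 4
    if mechanism == "ipsec":   # ESP tunnel mode: the whole original packet is payload
        return 0, len(packet)  # (a new outer IP header with gateway addresses is added)
    if mechanism == "ssl":     # TLS record layer: everything carried inside TCP
        return IP_LEN + TCP_LEN, len(packet)
    if mechanism == "pgp":     # PGP-encrypted message: only the body, headers stay clear
        return body_off, len(packet)
    raise ValueError(mechanism)

def visible_fields(mechanism, packet):
    """Metadata an on-path observer can still read in cleartext."""
    start, _ = protected_span(mechanism, packet)
    clear = packet[:start]
    fields = []
    if len(clear) >= IP_LEN:
        fields += ["src-ip", "dst-ip"]
    if len(clear) >= IP_LEN + TCP_LEN:
        fields += ["src-port", "dst-port"]
    for hdr in (b"From:", b"To:", b"Subject:"):
        if hdr in clear:
            fields.append(hdr[:-1].decode().lower())
    return fields

if __name__ == "__main__":
    pkt = build_packet()
    for m in ("ipsec", "ssl", "pgp"):
        print(m, protected_span(m, pkt), visible_fields(m, pkt))
```

The output shows the trade-off in the lecture notes: IPsec hides the most (ports and inner addresses included), TLS exposes addresses and ports, and PGP additionally exposes the mail headers, but only the PGP-protected object stays encrypted once it leaves the connection.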



Answer 2:

Every encryption protocol only works if you have support at both ends.

SSL was the easiest to deploy, because it was built into the browsers and the web servers. For the most part, everybody who wanted to run a web server already had SSL support built-in---they just had to be technically savvy enough to turn it on (and to purchase a cert, or be willing to live with a warning to the end user).

One of the nice things about SSL is that it has key-management built in.

IPSEC does provide host-to-host encryption. However, the underlying design was so flexible that multiple IPSEC systems couldn't communicate with each other unless they were identically configured. Worse, key management wasn't part of the protocol for many years. Even though there were grand plans for systems that automatically recognized that there were IPSEC-enabled systems on both ends and automatically engaged, this never worked (still doesn't work).

PGP is a static message encryption system. It doesn't encrypt stuff that's interactive. And you shouldn't use PGP, you should use S/MIME, as it's already integrated into Apple Mail, Evolution, Outlook Express, Outlook, Thunderbird, etc.

So yes, IPSEC would be a better choice, but it's too hard to use. PGP doesn't do enough. SSL hit the sweet spot, which is why it dominates.