High Speed VPN Using Enhanced AES Algorithm

DOI : 10.17577/IJERTV4IS030753


  • Open Access
  • Authors : Aliyu Ashiru, Kamaluddeen Ibrahim Yarima, Usman Isah Rabiu, Supriya Khaitan
  • Paper ID : IJERTV4IS030753
  • Volume & Issue : Volume 04, Issue 03 (March 2015)
  • DOI : http://dx.doi.org/10.17577/IJERTV4IS030753
  • Published (First Online): 26-03-2015
  • ISSN (Online) : 2278-0181
  • Publisher Name : IJERT
  • License: Creative Commons License This work is licensed under a Creative Commons Attribution 4.0 International License

Aliyu Ashiru, Supriya Khaitan
Department of Computer Science and Engineering, Sharda University, Uttar Pradesh, India

Kamaluddeen Ibrahim Yarima, Usman Isah Rabiu
Department of Computer Science and Engineering, Sharda University, Uttar Pradesh, India

Abstract: This paper investigates the problems and issues of IPsec VPN technology for the transmission of complex multimedia data in remote-access communication. Most of today's IPsec VPNs use AES as the encryption algorithm because it is very strong against all attacks; it has not been cracked yet. Encrypting and decrypting complex multimedia data (e.g. images) with AES involves much calculation, which results in computational overhead in VPNs and consequently causes various challenges in VPNs such as speed, throughput, packet loss and jitter. In this paper we propose an enhanced AES algorithm which maintains the strength of AES and overcomes the challenges AES causes to VPNs.

Keywords: IPsec; VPN; ESP; AES; QoS; Encryption algorithm.

  1. INTRODUCTION

    Virtual private networks (VPNs) are widely used to ensure secure communications over insecure public networks. VPNs provide security services such as confidentiality, integrity and availability by creating encrypted tunnels between the communicating parties [9]. The term "Private" means that all the traffic inside the VPN is encrypted and that the resources are shared only among an authorized group of users and are controlled by different levels of access control. The term "Virtual" indicates that a VPN looks like a private network from the user's perspective and consists of an independently administered virtual topology, although the underlying network is shared by anyone using the network. Furthermore, a VPN is cheap, as it normally uses the public network instead of costly leased-line services [10].

    The original goal of Internet Protocol Security (IPsec) is to enable the protection of all types of Internet Protocol (IP) communications by protecting multiple peers at the network layer, in both IPv4 and IPv6 environments. IPsec is a standard for securing internet communication and a widely deployed mechanism for implementing VPNs [3]. IPsec provides security services via the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols [9].

    1. Authentication Header

      AH provides integrity protection for packet headers and data, as well as user authentication. It can optionally provide replay protection and access protection. AH cannot encrypt any portion of packets. In the initial version of IPsec, the ESP protocol could provide only encryption, not authentication, so AH and ESP were often used together to provide both confidentiality and integrity protection for communications. Because authentication capabilities were added to ESP in the second version of IPsec, AH has become less significant; in fact, some IPsec software no longer supports AH. However, AH is still of value because AH can authenticate portions of packets that ESP cannot. Also, many existing IPsec implementations are using AH. AH uses hash message authentication code (HMAC) algorithms, which perform two keyed hashes. Examples of keyed hash algorithms are HMAC-MD5 and HMAC-SHA-1 [4].

    2. Encapsulating Security Payload

    ESP is the second core IPsec security protocol. In the initial version of IPsec, ESP provided only encryption for packet payload data. Integrity protection was provided by the AH protocol if needed. In the second version of IPsec, ESP can perform authentication to provide integrity protection, although not for the outermost IP header. In all but the oldest IPsec implementations, ESP can be used to provide only encryption; encryption and integrity protection; or only integrity protection. Examples of encryption algorithms used by ESP are AES-Cipher Block Chaining (AES-CBC), AES Counter Mode (AES-CTR), and Triple DES (3DES) [4].

  2. PROBLEMS AND ISSUES OF IPSEC VPN

    Overhead is one of the most challenging issues for IPsec-based VPN networks. It badly affects QoS parameters to different degrees. The overhead arises not only between the two end points, hosts or VPN gateways, but also affects intermediate nodes such as routers, hubs and the ISP network, which must process the packets travelling through the network [2].

    A major drawback of IPsec VPNs is that they provide access to the entire subnet within the corporate network. This means that the client PC can potentially be used by a hacker as a means to enter the network, and if the client PC becomes infected with a virus or Trojan, the infection could potentially spread to the entire network [3]. Access control can also be an issue with IPsec VPNs, since they rely on network access controls. Configuring the VPN gateways and client PC before the tunnel is established is another issue in IPsec VPNs. The use of IPsec causes additional processing and increased packet size. It also causes jitter and packet loss [2].

    According to research carried out by Ritu Malik [7], the average packet loss over five samples of data was almost null, or 0.9%, for video traffic in her test scenario without IPsec in the VPN, and 3.5% with IPsec in the VPN. The percentage was obtained from the total number of packets transmitted by the origin node towards the destination [7]. Her results show that with IPsec the voice and video packet loss is in every case higher than the average result without IPsec, because IPsec introduces overhead in transit: along with the data, the packet also carries the AH and ESP headers [7]. A packet loss rate of 1% produces roughly a loss of one fast video update per second for a video stream, producing jerky video. Lost audio packets produce choppy, broken audio [1].

    The jitter for voice packets with IPsec in VPNs was higher (almost 10 ms) than the recommended 50 ms [7]. If a single packet encounters a jitter of 145 milliseconds or more (relative to a prior packet), an underrun condition may occur at the receiving endpoint, potentially causing either blocky, jerky video or undesirable audio [1].

    QoS in a videoconference over IP infrastructure is most affected by the packet loss parameter when IPsec tunnels are used. The main reason is the traffic load. When IPsec protects the data between two hosts, between two gateways, or between a host and a gateway, the AH and ESP headers are included along with the data, which increases the overhead and therefore the traffic load. If the traffic load increases, congestion may occur in the network, which results in packet loss [7].

    Using AES as the encryption algorithm in a VPN makes encryption difficult for large volumes of multimedia data. AES performs a large amount of computation, and a variety of restrictions make its encryption speed very slow. It produces significant computational overhead, i.e. it requires much processing time, and consequently causes packet loss, which is one of the major problems of IPsec VPNs. Encrypting multimedia data calls for algorithms that require less computation, because of the large size of the data [5].

  3. PROPOSED ALGORITHM

    1. Methodology

      To overcome the problem of high calculation and computational overhead, we analyzed the Advanced Encryption Standard (AES) and modified it to reduce the calculation of the algorithm and improve encryption performance. We developed and implemented an Enhanced AES based algorithm for all kinds of data. The basic aim of modifying AES is to provide less computation and better security for data. The Enhanced AES algorithm is adjusted to provide better encryption speed. In Enhanced AES the block length and the key length are specified according to AES.

      The key length alternatives available in AES are 128, 192 or 256 bits, with a block length of 128 bits. We assume a key length of 128 bits, which is commonly implemented. The Enhanced-AES encryption and decryption process resembles that of AES in the number of rounds and in data and key size. The round function consists of four stages. To overcome the problem of high calculation we replace the MixColumns step with a permutation step. MixColumns gives better security but requires a large amount of calculation, which makes the encryption algorithm slow. The other three stages remain unchanged from AES. A single 128-bit block is the input to the encryption and decryption algorithm. This block is a 4×4 square matrix consisting of 16 bytes. The block is copied into the state array, which is modified at each stage of encryption or decryption. Similarly, the 128-bit key is arranged as a square matrix. The 128-bit key is expanded into an array of key schedule words, each of four bytes. The key schedule for ten rounds totals 44 words; each round key is similar to one state.

      The algorithm is divided into four operational blocks in which the data is treated at either byte or bit level; it is designed to handle any combination of data and is flexible for a key size of 128 bits. These four operational blocks represent one round of Enhanced-AES. There are 10 rounds for full encryption. The four stages used in the Enhanced-AES algorithm are:

      • Substitution bytes

      • ShiftRows

      • Permutation

      • AddRoundKey

      Substitution Bytes, ShiftRows and AddRoundKey remain as they are in AES. The important function here is Permutation, which is used instead of MixColumns. These rounds are managed by the IP table. Permutation is widely used in cryptographic algorithms, and permutation operations are interesting and important from both cryptographic and architectural points of view. The DES algorithm provides the permutation tables. The input to the IP table consists of 128 bits, as the Enhanced-AES algorithm takes 128 bits as input. The Substitution Bytes and ShiftRows functions also operate on 128 bits, and the Permutation function likewise takes 128 bits. In the permutation table each entry indicates the position of a numbered input bit; the table may also consist of 256 bits in the output. Reading the table from left to right and then from top to bottom, the 242nd bit of the 256-bit block is in first position, the 226th is in second position, and so forth. After applying the permutation to 128 bits we again have a complete set of 128 bits, and the remaining functions of the algorithm are then performed. Applying the inverse permutation gives back the original bits. The output result is a 128-bit ciphertext. For full decryption with the Enhanced-AES algorithm the transformations are Inv-Bytesub, Inv-Shiftrows, Inv-Permutation and AddRoundKey, performed in 10 rounds as in the encryption process [5].
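The round structure described above, written out as an added example (not the paper's or its authors' code). `PERM` is a constructed stand-in because the paper's permutation table is not reproduced on this page, and round keys are passed in by the caller rather than derived with the AES key expansion. `diff_bits` is the check a reviewer would run when a diffusion layer is replaced: how many output bits change after a one-bit input change.

```python
# Added illustration, not the paper's code; PERM is a constructed stand-in table.
def gf_mul(a, b):                       # multiply in GF(2^8) mod x^8+x^4+x^3+x+1
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(x):                      # AES S-box: field inverse, then affine map
    inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
    rot = lambda s: ((inv << s) | (inv >> (8 - s))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
SHIFT = [r + 4 * ((c + r) % 4) for c in range(4) for r in range(4)]  # ShiftRows
INV_SHIFT = [SHIFT.index(i) for i in range(16)]
PERM = [(37 * j + 11) % 128 for j in range(128)]  # output bit j <- input bit PERM[j]
INV_PERM = [PERM.index(k) for k in range(128)]

def permute(x, table):                  # bit permutation of a 128-bit integer
    return sum(((x >> table[j]) & 1) << j for j in range(128))

def enc_round(state, rk):               # SubBytes, ShiftRows, Permutation, AddRoundKey
    s = bytes(SBOX[state[SHIFT[i]]] for i in range(16))
    x = permute(int.from_bytes(s, "big"), PERM) ^ int.from_bytes(rk, "big")
    return x.to_bytes(16, "big")

def dec_round(state, rk):               # inverse stages in reverse order
    x = int.from_bytes(state, "big") ^ int.from_bytes(rk, "big")
    s = permute(x, INV_PERM).to_bytes(16, "big")
    return bytes(INV_SBOX[s[INV_SHIFT[i]]] for i in range(16))

def encrypt(block, rks):                # rks[0] is the initial AddRoundKey
    state = bytes(a ^ b for a, b in zip(block, rks[0]))
    for rk in rks[1:]:
        state = enc_round(state, rk)
    return state

def decrypt(block, rks):
    for rk in reversed(rks[1:]):
        block = dec_round(block, rk)
    return bytes(a ^ b for a, b in zip(block, rks[0]))

def diff_bits(rounds):                  # output bits changed by one flipped input bit
    rks = [bytes([i] * 16) for i in range(rounds + 1)]  # constructed round keys
    x, y = encrypt(bytes(16), rks), encrypt(bytes([1]) + bytes(15), rks)
    return sum(bin(a ^ b).count("1") for a, b in zip(x, y))
```

Because a bit permutation only moves bits, a one-bit input difference can reach at most 8 output bits after one round and at most 64 after two, whatever table is used.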

    2. Result

    For testing the algorithm we use a very simple code that checks the efficiency of the algorithm. This test shows that the Enhanced-AES algorithm is much better than the AES algorithm. In this tutorial we have tested several files in order to check how much faster the Enhanced-AES algorithm is than the real AES. To test the algorithm we take a sixteen-byte text and compare the calculated elapsed time of the Modified-AES with that of AES. Table 1 shows the comparison results for sixteen-byte text files using Enhanced-AES and the AES algorithm.

    Table 1. Encryption result for text file

    | File Size | AES (sec) | En-AES (sec) | Efficiency (sec) |
    |-----------|-----------|--------------|------------------|
    | 10 bytes  | 1.925991  | 1.874904     | 0.051093         |

  4. CONCLUSION

Quality of service in the transmission of multimedia data (for example, images) over IP infrastructure is most affected by the packet loss parameter when IPsec tunnels are used. The main reason is the traffic load. When IPsec protects the data between two hosts, between two gateways, or between a host and a gateway, the AH and ESP headers are included along with the data, which increases the overhead and therefore the traffic load. If the traffic load increases, congestion may occur in the network, which results in packet loss. We can see that with Enhanced AES the speed of encryption and decryption of complex multimedia data is increased. The increase in speed reduces network load and hence minimizes packet loss. Thus Enhanced AES minimizes packet loss without compromising security.

ACKNOWLEDGMENT

We are greatly indebted to our parents and express our gratitude and appreciation to them for moral upbringing, tireless assistance, understanding, encouragement and constant prayers so that we could obtain a decent education. May God reward them abundantly and grant them long life in order to reap what they sow in life.

Special thanks and appreciation go to the Head of the Department of Computer Science and Engineering, Sharda University, Prof. Ishan Ranjan, and the other faculty members who gave us so generously of their spare time and abundant knowledge; no amount of expression of gratitude would suffice to repay them. We also express our profound sense of gratitude to Mr. Rajiv Kumar for his kind support, advice and maximum cooperation.

Furthermore, this acknowledgement would not be complete without extending our regards to our families, friends and well-wishers for their everlasting kindness and love.

REFERENCES

  1. Pankaj K. Singh and Pawan P. Singh, "A Novel Approach for the Analysis & Issues of IPSec VPN," International Journal of Science and Research, Vol. 2, Issue 7, July 2013.

  2. Miteshkumar S. Parmar and Arvind D. Meniya, "Imperative and Issues of IPSec Based VPN," International Journal of Science and Modern Engineering, Vol. 1, Issue 2, Jan. 2013.

  3. O. Adeyinka, "Analysis of problems associated with IPSec VPN Technology," School of Computing and Technology, University of East London, IEEE, 2008.

  4. S. Frankel, K. Kent, R. Lewkoski, A. D. Orebaugh, R. W. Ritchey, and S. R. Sharma, "Guide to IPSec VPN," National Institute of Standards and Technology, 2006.

  5. P. Kawle, A. Hiwase, G. Bagde, E. Tekam, "Modified Advanced Encryption Standard," International Journal of Soft Computing and Engineering, Vol. 4, Issue 1, March 2014.

  6. Huang and F. Kong, "The research of VPN on WLAN," IEEE, 2010.

  7. Ritu Malik and Rupali Syal, "Performance Analysis of IPSec VPN," International Journal of Computer Application, Vol. 8, No. 4, Oct. 2010.

  8. S. Hussein and A. Abdul Hadi, "The Impact of Using Security Protocols in Dedicated Private Network and Virtual Private Network," International Journal of Scientific & Technology Research, Vol. 2, Issue 11, Nov. 2013.

  9. S. Rahimi and M. Zargham, "Analysis of the Security of VPN Configurations in Industrial Control Environments," International Journal of Critical Infrastructure Protection, 2012. IEEE.

  10. D.H Manjaiah, "Technical Overview of Virtual Private," International Journal of Scientific Research, Vol. 2, Issue 7, July 2013.
