8

I've a very basic understanding of how encryption works.

My knowledge so far is that of CCNA Discovery level on the Cisco courses (along with a few other things such as Steve Gibson and Leo Laporte on "Security Now" in various episodes).

My question(s) is(are):

Would encryption not break the networking concept of source and destination IP addresses and MAC addresses in packets / frames?

Because...

Obviously any "unencryption" (key) data could be sent with the data, but that would break the security, alongside switches being unable to direct data and build their MAC tables on an internal network.

Now I'll make some assumptions based on what I know. Either:

  1. Switches can use what's in the packet's IP & MAC addresses in the encapsulated header, alongside the data known from prior connections, to unencrypt the packets encapsulated with the source and destination frames' MAC addresses.
  2. Routers can use what's in the packet / prior connections' packet data to unencrypt the packets encapsulated with the source and destination IP addresses.
  3. The entire concept of encryption on the internet is unworkable (obviously untrue).
  4. Source and destination MACs/IPs are sent unencrypted for encrypted packets. (If this is the case, does this mean that a man-in-the-middle could capture all data, record it, then spend as much time as they please brute forcing keys to unencrypt it?)

Or else, my assumptions are bogus for some reason (why are they bogus?).

This question is born of entirely theoretical knowledge from learning these courses, so please go into as much detail as you absolutely are willing, even if you think you're stating the obvious. I'm asking this out of purely academic reasons/intense curiosity, not because I have a practical problem.

Nifle
  • 34,998
Dmatig
  • 1,700

4 Answers

6

To go into possibly unwanted detail: Encryption takes place at the transport layer and above, for precisely the reasons of your concern. The transport layer is the one immediately above IP and other addressing schemes. This means that the information required for these protocols is not encrypted, because the data belongs to a lower layer.

For instance, TLS and its predecessor SSL encrypt at the transport layer. This means that the only data that is unencrypted are the IP headers.

Meanwhile, when you choose to encrypt an email in your favorite email program, it will only encrypt the actual email message, while the IP, TCP, and SMTP headers will all be unencrypted. This message, in turn, might be transmitted over a TLS connection. TLS will then encrypt the TCP and SMTP portions, effectively encrypting the message body twice. The unencrypted IP header would then be enough to get it from your computer to the email server. The email server would then decrypt the TLS, allowing it to see that this is a TCP SMTP message. It would then give that to the SMTP program, which would be able to send it to the correct inbox. Once there, the user's email reader would have the information necessary to decrypt the message body.

jdmichal
  • 181
5

Number 4 is true. When an encrypted packet is sent, the data is encrypted, not the source and destination addresses.

Take a look at this SSH login packet:

[Screenshot: packet capture of an SSH login packet]

It is displayed as an encrypted request packet. As you can see, the source and destination details are visible.

Gareth
  • 19,080
5

Your assumption #4 is partly correct. Most often in technologies such as SSL/TLS, IP addresses & MAC addresses are sent unencrypted. More specifically, if we look at the OSI Networking Model, IP addresses are part of level 3, MAC addresses are part of level 2, whereas SSL/TLS is at level 4. Most encryption technologies work above level 3 so that the addressing can be read by standard routers and switches.

In order to solve the man-in-the-middle problem, encryption technologies have to provide some sort of authentication before starting up an encrypted session. In the SSL/TLS example, the use of certificates which are provided by a trusted certificate authority (i.e. Verisign) is used for authentication.

heavyd
  • 65,321
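The layering described in jdmichal's and heavyd's answers, as an added example (not from the original page or any of its posters): a constructed Ethernet/IPv4/TCP frame whose application data is encrypted, with a "switch" and a "router" that read the MAC and IP addresses from the raw bytes without any key, while only the endpoint holding the key recovers the payload. The HMAC-based keystream stands in for TLS's record cipher and is illustrative only; all addresses, ports, key and nonce are constructed sample values.

```python
import hashlib
import hmac
import struct

def keystream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a counter-mode keystream derived via HMAC-SHA256.
    Illustrative stand-in for the TLS record cipher; same call decrypts."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, key, nonce, payload):
    """Ethernet II + minimal IPv4 + minimal TCP header, then encrypted app data.
    Checksums are left as 0 for brevity; layout/offsets are real."""
    ciphertext = keystream_crypt(key, nonce, payload)
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(ciphertext)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + tcp + ciphertext

def switch_view(frame: bytes):
    """Everything a layer-2 switch needs: dst/src MAC from the first 12 bytes, no key."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(frame[6:12]), fmt(frame[0:6])

def router_view(frame: bytes):
    """Everything a layer-3 router needs: IPs at offsets 26..34 of the IPv4 header, no key."""
    src_ip, dst_ip = struct.unpack(">4s4s", frame[26:34])
    return ".".join(map(str, src_ip)), ".".join(map(str, dst_ip))

def receiver_decrypt(frame: bytes, key: bytes, nonce: bytes) -> bytes:
    """Only the endpoint holding the session key gets the application data back."""
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4  # TCP data offset in bytes
    return keystream_crypt(key, nonce, frame[tcp_start + data_off:])

# Constructed sample values (documentation-range addresses, made-up key/nonce).
KEY, NONCE = b"constructed-session-key", b"nonce01"
PLAIN = b"EHLO mail.example.test\r\n"
FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                    "192.0.2.10", "198.51.100.25", 50000, 25, KEY, NONCE, PLAIN)
```

Run `switch_view(FRAME)` and `router_view(FRAME)` to see the forwarding information recovered from plaintext headers, while `PLAIN in FRAME` is false and `receiver_decrypt(FRAME, KEY, NONCE)` returns the original message.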
2

WEP and WPA are tags for the question, which are for wireless networks. These protocols handle encryption for the network layer, but they are used to keep people not on the network from being able to see what the network is sending.

Every node on a wireless network must know the encryption key, so that the network's router can decode all traffic. I believe this implies that any node attached to an encrypted wireless network can sniff all the traffic on that network.

So, WEP and WPA do not protect against malicious users who are on the same network as you. You still need to use other layers of encryption to hide your traffic from them.

Edit:

After reading up on 802.11i (aka WEP2), I see that it uses a separate key for broadcast and multicast packets (Group Temporal Key). Unicast traffic is encrypted using a Pairwise Transient Key, which is a key used for traffic between the base station and one wireless device. WEP also works this way. This means that two wireless devices cannot read each other's traffic since they do not share the same key.

I believe WEP does use one shared key for all the nodes.

In any case, corporate environments often will use VPN technology on top of the wireless link. This added layer of encryption provides security from the wireless device all the way back to the VPN server. Even if the wireless network is sniffed, the VPN packets will still be encrypted.

Kevin Panko
  • 7,466