1 IPSec In Depth

2 Encapsulated Security Payload (ESP)
Must encrypt and/or authenticate in each packet
Encryption occurs before authentication
Authentication is applied to data in the IPSec header as well as the data contained as payload

3 IPSec Encapsulating Security Payload (ESP) in Transport Mode
Figure: packet layout before and after ESP is applied
Before: Orig IP Hdr | TCP Hdr | Data
After: Orig IP Hdr | ESP Hdr (inserted) | TCP Hdr | Data | ESP Trailer (appended) | ESP Auth
ESP Hdr fields: SecParamIndex, Seq#, InitVector
ESP Trailer fields: Padding, Pad Length, Next Hdr
ESP Auth: Keyed Hash
Figure label: 22-36 bytes total
Usually encrypted: TCP Hdr, Data, ESP Trailer
Integrity hash coverage: ESP Hdr through ESP Trailer
ESP is IP protocol 50
© 2000 Microsoft Corporation

4 IPSec ESP Tunnel Mode
Figure: packet layout before and after ESP is applied
Before: Orig IP Hdr | TCP Hdr | Data
After: IP Hdr (new) | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
New IP header with source & destination IP address
Usually encrypted: Orig IP Hdr, TCP Hdr, Data, ESP Trailer
Integrity hash coverage: ESP Hdr through ESP Trailer
© 2000 Microsoft Corporation
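The ESP layout of slides 2 to 4 as a runnable Python example, added here and not part of the Microsoft presentation: it inserts the ESP header, appends the trailer and keyed hash, and shows why "encryption occurs before authentication" matters on the receiving side (the ICV is checked before anything is decrypted). The cipher is a stand-in HMAC-SHA256 counter-mode keystream so the block runs with the standard library only; real ESP negotiates a block cipher such as 3DES or AES. Keys, SPI and the TCP segment are constructed values.

```python
import hashlib
import hmac
import os
import struct

ESP_PROTOCOL = 50                 # protocol number the preceding IP header carries for ESP
ICV_LEN = 12                      # HMAC-SHA1-96 keyed hash, truncated to 96 bits
IV_LEN = 8
ESP_HDR = struct.Struct("!II")    # SecParamIndex, Seq#  (InitVector follows, IV_LEN bytes)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in cipher for this example: HMAC-SHA256 in counter mode, seeded with the IV.
    Real ESP uses a negotiated cipher such as 3DES-CBC or AES-CBC; this keeps the code stdlib-only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(spi: int, seq: int, next_hdr: int, payload: bytes,
                    enc_key: bytes, auth_key: bytes, iv: bytes = None) -> bytes:
    """Transport-mode ESP: insert ESP Hdr before the upper-layer data, append ESP Trailer and ESP Auth."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # ESP Trailer: padding so that Pad Length and Next Hdr end on a 4-byte boundary,
    # pad bytes valued 1, 2, 3, ... (the default padding of RFC 2406)
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    # "Usually encrypted": the upper-layer data plus the trailer
    ciphertext = _xor(payload + trailer, _keystream(enc_key, iv, len(payload) + len(trailer)))
    # Encryption occurs before authentication: the keyed hash covers the ESP header
    # (SPI, Seq#, IV) through the already-encrypted trailer, never the plaintext
    authenticated = ESP_HDR.pack(spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_icv_ok(packet: bytes, auth_key: bytes) -> bool:
    """Receiver-side integrity check; runs before any decryption."""
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes) -> dict:
    """Verify the ICV, then decrypt and strip the trailer. Raises on a bad ICV."""
    if not esp_icv_ok(packet, auth_key):
        raise ValueError("ESP ICV mismatch: packet discarded before decryption")
    body = packet[:-ICV_LEN]
    spi, seq = ESP_HDR.unpack_from(body)
    iv = body[ESP_HDR.size:ESP_HDR.size + IV_LEN]
    ciphertext = body[ESP_HDR.size + IV_LEN:]
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_hdr": next_hdr, "payload": payload}


def esp_overhead(packet: bytes, payload: bytes) -> int:
    """Bytes ESP added on top of the original upper-layer data (header, IV, trailer, ICV)."""
    return len(packet) - len(payload)


if __name__ == "__main__":
    enc_key, auth_key = b"demo-enc-key-16B", b"demo-auth-key-20-bytes"   # constructed keys
    tcp_segment = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"           # constructed TCP hdr + data
    pkt = esp_encapsulate(spi=0x1000, seq=1, next_hdr=6, payload=tcp_segment,
                          enc_key=enc_key, auth_key=auth_key)
    print("ESP bytes added:", esp_overhead(pkt, tcp_segment))
    print(esp_decapsulate(pkt, enc_key, auth_key))
```

Checking the ICV before decrypting is what lets a receiver drop forged or corrupted packets without spending cipher work on them, and it is only possible because the hash was computed over the ciphertext; for tunnel mode the same code applies with the original IP header treated as part of the payload.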

5 Authentication Header (AH)
Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
If both ESP and AH are applied to a packet, AH follows ESP

6 IPSec Authentication Header (AH) in Transport Mode
Figure: packet layout before and after AH is applied
Before: Orig IP Hdr | TCP Hdr | Data
After: Orig IP Hdr | AH Hdr (inserted) | TCP Hdr | Data
AH Hdr fields: Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash (24 bytes total)
Integrity hash coverage: entire packet (except for mutable fields in IP hdr)
AH is IP protocol 51
© 2000 Microsoft Corporation

7 IPSec AH Tunnel Mode
Figure: packet layout before and after AH is applied
Before: Orig IP Hdr | TCP Hdr | Data
After: IP Hdr (new) | AH Hdr | Orig IP Hdr | TCP Hdr | Data
New IP header with source & destination IP address
Integrity hash coverage: entire packet (except for mutable new IP hdr fields)
© 2000 Microsoft Corporation
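The AH transport-mode layout of slides 5 to 7 as a runnable Python example, added here and not part of the Microsoft presentation: it builds the 24-byte AH header (fixed fields plus a 96-bit HMAC-SHA1 keyed hash), computes the hash over the whole packet with the mutable IPv4 fields zeroed, and then shows that a router hop (TTL decrement, checksum rewrite) leaves the packet verifiable while a one-bit change to the data does not. Addresses, key, SPI and the TCP segment are constructed values.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51                            # protocol number the preceding IP header carries for AH
ICV_LEN = 12                                # HMAC-SHA1-96 keyed hash
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
AH_FIXED = struct.Struct("!BBHII")          # Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#
AH_LEN = AH_FIXED.size + ICV_LEN            # 24 bytes total


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = IPV4_HDR.pack(0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields routers may change in transit are zeroed before hashing (RFC 2402, IPv4):
    TOS, Flags, Fragment Offset, TTL and Header Checksum. Everything else is covered as sent."""
    ver_ihl, _tos, total_len, ident, _flags_frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack(ip_hdr)
    return IPV4_HDR.pack(ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def ah_transport_encapsulate(ip_hdr: bytes, upper_layer: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Insert AH Hdr between the original IP header and the upper-layer data (TCP Hdr + Data)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack(ip_hdr)
    # The IP header now announces AH as its next protocol and grows by the AH length
    new_ip = IPV4_HDR.pack(ver_ihl, tos, total_len + AH_LEN, ident, flags_frag, ttl, AH_PROTOCOL, 0, src, dst)
    new_ip = new_ip[:10] + struct.pack("!H", ipv4_checksum(new_ip)) + new_ip[12:]
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402): 24 bytes -> 4
    ah_fixed = AH_FIXED.pack(proto, AH_LEN // 4 - 2, 0, spi, seq)
    # Keyed hash over the entire packet: zeroed mutable IP fields, AH with a zeroed ICV field, upper layer
    covered = _zero_mutable(new_ip) + ah_fixed + bytes(ICV_LEN) + upper_layer
    icv = hmac.new(auth_key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return new_ip + ah_fixed + icv + upper_layer


def ah_verify(packet: bytes, auth_key: bytes) -> bool:
    """Receiver side: recompute the keyed hash the same way and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTOCOL:
        return False
    _next_hdr, payload_len, _rsrv, _spi, _seq = AH_FIXED.unpack_from(rest)
    ah_len = (payload_len + 2) * 4
    icv, upper_layer = rest[AH_FIXED.size:ah_len], rest[ah_len:]
    covered = _zero_mutable(ip_hdr) + rest[:AH_FIXED.size] + bytes(len(icv)) + upper_layer
    expected = hmac.new(auth_key, covered, hashlib.sha1).digest()[:len(icv)]
    return hmac.compare_digest(icv, expected)


def forward_one_hop(packet: bytes) -> bytes:
    """What a router does: decrement TTL and recompute the header checksum; both are mutable fields."""
    ip = bytearray(packet[:20])
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


if __name__ == "__main__":
    key = b"constructed-ah-key"
    tcp = b"\x00\x50\x1f\x90" + b"hello"                                   # constructed TCP hdr + data
    ip = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 6, len(tcp))
    pkt = ah_transport_encapsulate(ip, tcp, spi=0x2000, seq=7, auth_key=key)
    print("verifies as sent:", ah_verify(pkt, key))
    print("verifies after a hop:", ah_verify(forward_one_hop(pkt), key))
    print("verifies after tampering:", ah_verify(pkt[:-1] + bytes([pkt[-1] ^ 1]), key))
```

Because the source and destination addresses are immutable and therefore inside the hash, AH also detects address rewriting in transit, which is why it does not survive NAT; tunnel mode (slide 7) differs only in that the outer header is the one whose mutable fields are zeroed and the whole original packet sits behind the AH header.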

8 Internet Key Exchange (IKE)
Phase I
–Establish a secure channel (ISAKMP SA)
–Authenticate computer identity
Phase II
–Establish a secure channel between computers intended for the transmission of data (IPSec SA)

9 Main Mode
Main mode negotiates an ISAKMP SA which will be used to create IPSec SAs
Three steps
–SA negotiation
–Diffie-Hellman and nonce exchange
–Authentication

10 Main Mode (Kerberos)
Figure: message exchange between Initiator and Responder
1. Initiator -> Responder: Header, SA Proposals
2. Responder -> Initiator: Header, Selected SA Proposal
3. Initiator -> Responder: Header, D-H Key Exchange, Nonce i, Kerberos Token i
4. Responder -> Initiator: Header, D-H Key Exchange, Nonce r, Kerberos Token r
5. Initiator -> Responder: Header, Id i, Hash i (encrypted)
6. Responder -> Initiator: Header, Id r, Hash r (encrypted)

11 Main Mode (Certificate)
Figure: message exchange between Initiator and Responder
1. Initiator -> Responder: Header, SA Proposals
2. Responder -> Initiator: Header, Selected SA Proposal
3. Initiator -> Responder: Header, D-H Key Exchange, Nonce i
4. Responder -> Initiator: Header, D-H Key Exchange, Nonce r, Certificate Request
5. Initiator -> Responder: Header, Id i, Certificate i, Signature i, Certificate Request (encrypted)
6. Responder -> Initiator: Header, Id r, Certificate r, Signature r (encrypted)

12 Main Mode (Pre-shared Key)
Figure: message exchange between Initiator and Responder
1. Initiator -> Responder: Header, SA Proposals
2. Responder -> Initiator: Header, Selected SA Proposal
3. Initiator -> Responder: Header, D-H Key Exchange, Nonce i
4. Responder -> Initiator: Header, D-H Key Exchange, Nonce r
5. Initiator -> Responder: Header, Id i, Hash i (encrypted)
6. Responder -> Initiator: Header, Id r, Hash r (encrypted)

13 Quick Mode
All traffic is encrypted using the ISAKMP Security Association
Each quick mode negotiation results in two IPSec Security Associations (one inbound, one outbound)

14 Quick Mode Negotiation
Figure: message exchange between Initiator and Responder (all messages encrypted)
1. Initiator -> Responder: Header, IPSec Proposed SA
2. Responder -> Initiator: Header, IPSec Selected SA
3. Initiator -> Responder: Header, Hash
4. Responder -> Initiator: Header, Connected Notification
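The main mode exchange of slides 9 to 12 (pre-shared key variant) and the quick mode result of slides 13 and 14, as one runnable Python example added here; it is not code from the Microsoft presentation. It walks the six main mode messages, derives SKEYID and its three sub-keys from the nonces and the Diffie-Hellman secret as RFC 2409 specifies, verifies Hash i and Hash r on each side, and then derives keying material for the two IPSec SAs (one per direction) that a quick mode negotiation produces. The Diffie-Hellman modulus, identities, proposal string, cookies and SPIs are constructed demo values; real IKE uses the MODP groups of RFC 2409, and messages 5 and 6 travel encrypted under SKEYID_e, which this example leaves in the clear.

```python
import hashlib
import hmac
import os

# Demo-only Diffie-Hellman parameters (assumed for this example). IKE uses the MODP groups
# of RFC 2409; 2**255 - 19 is merely a prime of convenient size so the arithmetic is fast.
P = 2**255 - 19
G = 2
KE_LEN = 32


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf is HMAC with the negotiated hash; SHA-1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.identity, self.psk = identity, psk
        self.cookie = os.urandom(8)                              # ISAKMP header cookie
        self.x = int.from_bytes(os.urandom(32), "big") % P       # private D-H exponent
        self.nonce = os.urandom(16)
        self.public = pow(G, self.x, P).to_bytes(KE_LEN, "big")  # D-H Key Exchange payload

    def derive(self, peer_public: bytes, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> dict:
        g_xy = pow(int.from_bytes(peer_public, "big"), self.x, P).to_bytes(KE_LEN, "big")
        skeyid = prf(self.psk, ni + nr)                                      # pre-shared key variant
        skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")               # seeds IPSec SA keys
        skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")    # ISAKMP SA integrity
        skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")    # ISAKMP SA encryption
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def auth_hash(skeyid: bytes, own_pub: bytes, peer_pub: bytes, own_cky: bytes, peer_cky: bytes,
              sa_body: bytes, own_id: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); HASH_R swaps the i/r roles."""
    return prf(skeyid, own_pub + peer_pub + own_cky + peer_cky + sa_body + own_id)


def main_mode(initiator_psk: bytes, responder_psk: bytes, sa_proposals: bytes = b"3DES-SHA1-group2") -> dict:
    """The six main mode messages (pre-shared key variant); sa_proposals is a constructed stand-in."""
    i, r = Peer(b"initiator.example", initiator_psk), Peer(b"responder.example", responder_psk)
    msgs = []
    # SA negotiation
    msgs.append(("I->R", {"CKY-I": i.cookie, "SA Proposals": sa_proposals}))
    msgs.append(("R->I", {"CKY-R": r.cookie, "Selected SA Proposal": sa_proposals}))
    # Diffie-Hellman and nonce exchange
    msgs.append(("I->R", {"D-H Key Exchange": i.public, "Nonce i": i.nonce}))
    msgs.append(("R->I", {"D-H Key Exchange": r.public, "Nonce r": r.nonce}))
    ki = i.derive(r.public, i.nonce, r.nonce, i.cookie, r.cookie)
    kr = r.derive(i.public, i.nonce, r.nonce, i.cookie, r.cookie)
    # Authentication (on the wire these two messages are encrypted under SKEYID_e; shown in clear here)
    hash_i = auth_hash(ki["SKEYID"], i.public, r.public, i.cookie, r.cookie, sa_proposals, i.identity)
    msgs.append(("I->R", {"Id i": i.identity, "Hash i": hash_i}))
    hash_r = auth_hash(kr["SKEYID"], r.public, i.public, r.cookie, i.cookie, sa_proposals, r.identity)
    msgs.append(("R->I", {"Id r": r.identity, "Hash r": hash_r}))
    # Each side recomputes the peer's hash from its own SKEYID; a PSK mismatch shows up here
    r_accepts = hmac.compare_digest(
        hash_i, auth_hash(kr["SKEYID"], i.public, r.public, i.cookie, r.cookie, sa_proposals, i.identity))
    i_accepts = hmac.compare_digest(
        hash_r, auth_hash(ki["SKEYID"], r.public, i.public, r.cookie, i.cookie, sa_proposals, r.identity))
    return {"messages": msgs, "authenticated": r_accepts and i_accepts,
            "SKEYID_d_initiator": ki["SKEYID_d"], "SKEYID_d_responder": kr["SKEYID_d"]}


def quick_mode(skeyid_d: bytes, spi_i: bytes, spi_r: bytes, protocol: int = 3) -> dict:
    """Keying material for the two IPSec SAs (one per direction) a quick mode negotiation yields.
    KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) without PFS (RFC 2409); protocol 3 is ESP
    in the IPSec DOI. Each side picks the SPI of the SA on which it will receive."""
    ni, nr = os.urandom(16), os.urandom(16)                      # fresh quick mode nonces

    def keymat(spi: bytes) -> bytes:
        return prf(skeyid_d, bytes([protocol]) + spi + ni + nr)

    return {"initiator_inbound": (spi_i, keymat(spi_i)),        # responder sends on this SA
            "initiator_outbound": (spi_r, keymat(spi_r))}       # responder receives on this SA


if __name__ == "__main__":
    result = main_mode(b"shared-secret", b"shared-secret")
    print("phase I authenticated:", result["authenticated"])
    sas = quick_mode(result["SKEYID_d_initiator"], b"\x00\x00\x10\x00", b"\x00\x00\x20\x00")
    for name, (spi, key) in sas.items():
        print(name, "SPI", spi.hex(), "KEYMAT", key.hex())
```

Two things the message list alone does not make visible: the Diffie-Hellman secret is the same on both sides whatever the pre-shared keys are, so a wrong PSK is not detected until the authentication hashes of messages 5 and 6 are compared; and the two quick mode SAs get different keys because each is bound to its own SPI, which is why one inbound and one outbound SA come out of a single negotiation.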

