Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Published byLeo Rodgers Modified over 9 years ago

Similar presentations

Presentation on theme: "Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings."— Presentation transcript:

1 Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings

2 Crypto – chapter 16 - noack IP security overview IPSec provides security at the IP layer Varieties AH – Authentication header Transport mode - AH fits after IP header and covers TCP Tunnel mode – New IP header – AH covers original IP and TCP ESP – Encapsulating security payload Transport mode – ESP authenticates and encrypts TCP Tunnel mode – New IP header – ESP authenticates and encrypts original IP and TCP Modes Transport – end-to-end services – not processed by routers Tunnel – intermediate services – processed by routers and firewalls

3 Crypto – chapter 16 - noack Components SA – Security association Carried inside AH and ESP Contents Security parameters index – identifier and specification IP destination address – can be real user or firewall/router Security protocol identifier – is this AH or ESP AH – Authentication header Standard header components Security parameters index (from SA) Sequence number Authentication data ESP – Encapsulation security payload Essentially like AH

4 Crypto – chapter 16 - noack ESP capabilities Encryption algorithms Triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish Authentication algorithms 96-bit MAC Must support HMAC-MD5-96 and HMAC-SHA-1-96 Padding As needed to support block structure and conceal actual payload length

5 Crypto – chapter 16 - noack Transport and tunneling Transport Authenticates/protects TCP layer This means packets and IP headers are seen IP headers and addresses are not protected Tunneling This allows IP tunnels – for example between parts of an organization Allows VPN’s Multiple layers are possible (iterated tunneling) Individual SA applies to only one layer (AH or ESP)

6 Crypto – chapter 16 - noack Key distribution Oakley key distribution protocol Based on Diffie-Hellman Non-specific – does not specify formats, just exchanges Diffie-Hellman weaknesses No identity information Subject to person-in-the-middle attack Computationally intensive – vulnerable to clogging attack Oakley improvements Uses cookies to thwart clogging Allows group negotiation Uses nonces to prevent replays Enables, but authenticates Diffie-Hellman

7 Crypto – chapter 16 - noack Oakley details Groups Actually five methods Modular exponentiation with lengths 768, 1024, 1536 Elliptic curve group over 155 or 185-bit fields with generator specified Nonce usage Used to prevent replay attacks Authentication methods Digital signatures Public key encryption Symmetric-key encryption – requires out-of-band key distribution

8 Crypto – chapter 16 - noack More Oakley Details Recommended cookie Hashes (MD5) source IP and port, destination same, UDP same, locally generated secret Reasoning Fast, specific, contains local secret Groups (confusing term) Modular exponentiation (768,1024,1536) Elliptic curve (155,185) Authentication methods Digital signatures Public-key encryption Symmetric-key encryption

9 Crypto – chapter 16 - noack ISAKMP ISAKMP = ISA key management protocol Manages security associations in general Format Header with cookies and next payload pointer Subsequent payloads with next payload pointer Payload types Security association Proposal Transform Key exchange Identification Certificate Hash Signature Nonce Notification Delete SA’s

10 Crypto – chapter 16 - noack ISAKMP exchange types Exchange types Base 4 messages, establishes SA Identity protection Includes identity verification, 6 messages Authentication only Authentication – agrees on basic SA, 3 messages Aggressive 3 messages – no identity protection Informational 1 message – just SA management

Download ppt "Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Network Layer Security: IPSec

Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
IP Security (IPSec protocol)

IP Security (IPSec protocol)
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

Similar presentations

Ads by Google