5 IP Security Overview IPSec is not a single protocol. IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication. General IP Security mechanisms provides –Authentication –Confidentiality –Key management Applicable to use over LANs, across public and private WANs, and for the Internet
6 IP Security Overview Applications of IPSec –Secure branch office connectivity over the Internet –Secure remote access over the Internet –Establsihing extranet and intranet connectivity with partners –Enhancing electronic commerce security
7 IP Security Overview Benefits of IPSec –Transparent to applications (below transport layer (TCP, UDP) –Provide security for individual users –IPSec can assure that: A router or neighbor advertisement comes from an authorized router A redirect message comes from the router to which the initial packet was sent A routing update is not forged provides strong security to all traffic crossing the perimeter
9 Authentication Header Authentication Header (AH) provides support for data integrity & authentication of IP packets –End system/router can authenticate user/app –Prevents address spoofing attacks by tracking sequence numbers Based on use of a MAC –HMAC-MD5-96 or HMAC-SHA-1-96 Parties must share a secret key
10 Authentication Header Provides support for data integrity and authentication (MAC code) of IP packets. Guards against replay attacks.
12 Security Associations Security Association (SA) is a one-way relationship between sender & receiver that affords security for traffic flow Defined by 3 parameters: –Security Parameters Index (SPI) –IP Destination Address –Security Protocol Identifier Has a number of other parameters –seq no, AH & EH info, lifetime etc Have a database of Security Associations
13 ESP Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality Can optionally provide the same authentication services as AH Supports range of ciphers, modes, padding –DES, Triple-DES, RC5, IDEA, CAST, etc –CBC most common –Pad to meet blocksize, for traffic flow
17 Transport & Tunnel Mode ESP Transport mode is used to encrypt & optionally authenticate IP data –Data protected but header left in clear –Can do traffic analysis but is efficient –Good for ESP host to host traffic Tunnel mode encrypts entire IP packet –Add new header for next hop –Good for VPNs, gateway to gateway security
18 SSL and TLS SSL was originated by Netscape TLS working group was formed within IETF First version of TLS can be viewed as an SSLv3.1
20 Handshake Protocol The most complex part of SSL. Allows the server and client to authenticate each other. Negotiate encryption, MAC algorithm and cryptographic keys. Used before any application data are transmitted.