Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013.

Published byGinger George Modified over 8 years ago

Similar presentations

Presentation on theme: "1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013."— Presentation transcript:

1 1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013

2 2

3 3 IPsec usage  Host to host  May use transport mode  May use tunnel mode  Security Gateway to Security Gateway  Must use tunneling  Host to/from security gateway  For traffic destined to security gateway (for example SNMP message) the gateway is operating as a host and transport mode may be used  Otherwise, if the gateway is operating as a gateway tunneling mode must be used

4 © Janice Regan, 2006-2013 4  IPv4 packet: Transport mode Authentication  IPv4 packet: Tunnel mode Authentication IPv4 AH Authentication authenticated Partially authenticated IPv4 header TCP header TCP data Authentication header IPv4 tunnel header authenticated Partially authenticated IPv4 header TCP header TCP data Authentication header

5 © Janice Regan, 2006-2013 5 AH authentication algorithms HMAC with MD5RFC 2403 HMAC with SHA-1RFC 2404

6 © Janice Regan, 2006-2013 6 Transport Mode Tunnel Mode IPsec: ESP New IP header TCP header TCP data IP header ESP header ESP trailer ESP auth encrypted authenticated Not encrypted or authenticated TCP header TCP data IP header ESP header ESP trailer ESP auth

7 © Janice Regan, 2006-2013 7 ESP authentication algorithms HMAC with MD5RFC 2403 HMAC with SHA-1RFC 2404 Null Authentication

8 © Janice Regan, 2006-2013 8 ESP encryption algorithms DES in CBC modeRFC 2405 Null Encryption

9 © Janice Regan, 2006-2013 9 Security Associations (1)  An SA describes one simplex connection.  If you are using both AH and ESP you need one SA for each.  For two way communication you need one SA for each direction  Three parameters used to uniquely define a security association (SA).  destination address  security protocol (AH or ESP)  Security parameters index (SPI)

10 © Janice Regan, 2006-2013 10 Security Association (2)  SAs are stored in a database The SAD (Security Associations Database) also includes the following information:  Mode of communication (transport or tunnel)  Sequence Number Counter  Anti-Replay Window: to determine whether an inbound AH or ESP packet is a replay.  AH Authentication algorithm type, keys, etc. OR ESP Encryption algorithm and / or authentication, algorithm types, keys etc.  Lifetime of this Security Association

11 © Janice Regan, 2006-2013 11 Encryption  Source uses an encryption key and a particular encryption algorithm to encrypt the data  The data is inserted into a packet and sent to the receiver  The receiver uses a decryption key to decrypt the data. If the keys match the decrypted data is readable otherwise it is not.  The keys may be secret or private keys, or public keys  Private key encryption is often used for long messages public key encryption for short messages. Short messages may include sending private keys in preparation for transmission of longer messages.

12 © Janice Regan, 2006-2013 12 Secret or private keys  Private or secret keys are known only by the sender and receiver. The decryption key is the same as or derivable from the encryption key.  Secret key encryption may also be called symmetric encryption because the same key can be used in both directions  High security, difficult to decrypt without the key.

13 © Janice Regan, 2006-2013 13 Secret or private keys  Requires many keys (one for each pair of users)  Uses an efficient encryption algorithm  Popular example DES, data encryption standard  How do you distribute keys?  Use public key encryption  A central distribution centre

14 © Janice Regan, 2006-2013 14 Public keys (1)  Each user has a public key and a private key  Fewer keys needed (pair for each user, not each pairing of users).  Public key is used to encrypt the message, private key is used to decrypt the message. Private key is not easily derivable from the public key  Sender encrypts using the receiver’s public key  Only receiver can decrypt using its own private key  RSA is an example of this approach.

15 © Janice Regan, 2006-2013 15 Public keys (2)  Encryption/Decryption process is more computationally intensive than private key encryption  Must verify (authenticate) announced public key of a user  Verification may be done by a central authority (pairs users and keys and issues certificates)

16 © Janice Regan, 2006-2013 16 Digital Signature  Used for authentication, integrity and non repudiation (anti replay)  Use private key encryption to sign (encrypt the document or digest) the packet.  Use public key to verify signature (decrypt the document). Since only the sender knows its private key this provides authentication

17 © Janice Regan, 2006-2013 17 Digital Signature  A message signed using a senders private key (known only by that user) indicates that the message comes from that user  Changes to the message between the sender and the receiver require knowledge of the private key, or they will in all likelihood render the message unreadable at the destination  Signature alone does not provide confidentiality, anyone can decrypt using the senders public key

18 © Janice Regan, 2006-2013 18 Digital Signature  Used for authentication, integrity and non repudiation  Can sign entire document or digest of the document.  Algorithms such as SHA1 and MD5 are used to make digests of the document  Can sign the digest rather than the whole document

19 © Janice Regan, 2006-2013 19 Digital Signature  To sign the digest rather than the whole document  The sender uses a hash function to produce a digest of the document with a fixed size  Usually use MD5 (message digest 5) or SHA-1 (secure hash algorithm 1)  The sender encrypts the digest with her private key  The sender sends the document including the encrypted digest

20 © Janice Regan, 2006-2013 20 Digital Signature  To sign the digest rather than the whole document  The receiver creates a digest of the document using the same algorithm as the sender  The receiver decrypts the digest appended to the document using the senders public key  The receiver compares the calculated digest to the decrypted digest from the received message. They must match for the signature to be valid

21 © Janice Regan, 2006-2013 21 With VPN  New encapsulation  Shared keys (all users behind VPN use same key)  Dangerous (one user can hijack traffic, can have man in the middle attack)

Download ppt "1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013."

Similar presentations

Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs)
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IPSec Isaac Ghansah.

IPSec Isaac Ghansah.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Chapter 29 Internet Security

Chapter 29 Internet Security
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.

IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.

Similar presentations

Ads by Google