Slide 1: IP Security
Outline of the session:
– IP Security Overview
– IP Security Architecture
– Key Management
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
Slide 2: What Does IPSec Do?
Provides security services at the IP layer for other TCP/IP protocols and applications to use.
Provides the tools that devices on a TCP/IP network need in order to communicate securely.
Allows two devices to set up a secure path that may traverse many insecure intermediate systems.
Performs (at least) the following tasks:
– Negotiates the set of security protocols to use (AH, ESP), so that each side sends data in a format the other can process.
– Negotiates the specific encryption and integrity algorithms used to protect the data.
– Performs a key exchange, so that both sides hold the keys needed to decrypt and verify the data.
Once this background work is completed, each device uses the protocols, algorithms and keys previously agreed upon to protect data and send it across the network.
Slide 3: How Does It Do This?
IPSec Authentication Header (AH):
– Provides authentication services for IPSec; it provides no confidentiality.
– Provides all of: originator verification, data integrity, protection against replay attacks.
Encapsulating Security Payload (ESP):
– Encrypts the payload of the IP datagram.
– Can be used with or without authentication; with it, ESP also provides integrity, origin authentication and replay protection.
Slide 4: Functions Supported by IPSec
Encryption/Hashing Algorithms:
– AH and ESP are generic: they do not fix the mechanism used for encryption or integrity. The peers negotiate which algorithms are used.
– At the time of these slides the common integrity algorithms were HMAC-MD5 and HMAC-SHA-1; both are deprecated today in favour of HMAC-SHA-2 and AEAD modes such as AES-GCM.
Security Policies and Associations, and Management Methods:
– A Security Association (SA) records the algorithms, keys and other parameters for a one-way exchange between two principals.
– Security Policies define how SAs are applied to traffic at the packet level: which traffic is protected, which bypasses IPSec, and which is discarded.
– SAs can be bundled, so that one traffic flow passes through several SAs in sequence (for example AH and ESP together).
Key Exchange Framework and Mechanism:
– Uses the Internet Key Exchange (IKE).
Slide 5: Implementation Choices
End-to-end (in the hosts) or in the network infrastructure (routers, firewalls)?
– Fully integrate with the IP stack?
– Implement in software?
– Implement in hardware?
And apply it in tunnel or transport mode (see later).
Slide 6: IP Security Overview
Applications of IPSec:
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
Slide 7: IP Security Scenario (figure slide, not reproduced)
Slide 8: IP Security Overview
Benefits of IPSec:
– Transparent to applications, because it sits below the transport layer (TCP, UDP)
– Can provide security for individual users (for example, remote access)
IPSec can assure that:
– A router or neighbor advertisement comes from an authorized router
– A redirect message comes from the router to which the initial packet was sent
– A routing update is not forged
Slide 9: IP Security Architecture
IPSec documents:
– RFC 2401: An overview of the security architecture
– RFC 2402: Description of a packet authentication extension (AH) to IPv4 and IPv6
– RFC 2406: Description of a packet encryption extension (ESP) to IPv4 and IPv6
– RFC 2408: Specification of key management capabilities (ISAKMP)
These are the 1998 documents the slides are based on. They have since been replaced by RFC 4301 (architecture), RFC 4302 (AH) and RFC 4303 (ESP), and ISAKMP/IKEv1 by IKEv2 (RFC 7296).
Slide 10: IPSec Document Overview (figure slide, not reproduced). DOI = Domain of Interpretation.
Slide 11: IPSec Services
– Access control
– Connectionless integrity
– Data origin authentication
– Rejection of replayed packets
– Confidentiality (encryption)
– Limited traffic flow confidentiality
Slide 12: Security Associations (SA)
A one-way relationship between a sender and a receiver that defines the security services applied to the traffic; a protected two-way exchange therefore needs two SAs.
Identified by three parameters:
– Security Parameter Index (SPI), a 32-bit value carried in the AH or ESP header
– IP destination address
– Security protocol identifier (AH or ESP)
Slide 13: Authentication Header
Provides data integrity and data origin authentication of IP packets using a MAC (message authentication code).
Guards against replay attacks with a sequence number in the header and a sliding window on the receiver.
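The two receiver-side mechanisms described on Slides 12 and 13, an inbound SA lookup keyed by the (SPI, destination, protocol) triple and the anti-replay sliding window of RFC 2401 Appendix C, as an added example in Go. This is not code from the slides or from any IPSec implementation; the type names, the addresses, the SPIs and the arrival sequence are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Security protocol identifiers as carried in the IP Protocol field.
const (
	ProtoESP uint8 = 50
	ProtoAH  uint8 = 51
)

// SAKey is the triple that selects an inbound SA. Two SAs may share an SPI as
// long as the destination or protocol differ, so all three take part in lookup.
type SAKey struct {
	SPI   uint32
	Dst   netip.Addr
	Proto uint8
}

// SAEntry holds the per-SA receiver state; a real SAD also stores algorithms,
// keys and lifetimes here.
type SAEntry struct {
	Name   string
	Window *ReplayWindow
}

// SADatabase is the inbound SA database keyed by the identifying triple.
type SADatabase map[SAKey]*SAEntry

func (d SADatabase) Lookup(spi uint32, dst netip.Addr, proto uint8) (*SAEntry, bool) {
	e, ok := d[SAKey{spi, dst, proto}]
	return e, ok
}

// ReplayWindow is the sliding window of RFC 2401 Appendix C: a bitmap over the
// most recent `size` sequence numbers, anchored at the highest one accepted.
type ReplayWindow struct {
	size    uint32 // window width in packets; RFC 2401 requires at least 32
	lastSeq uint32 // highest sequence number accepted so far
	bitmap  uint64 // bit i set means lastSeq-i has already been received
}

func NewReplayWindow(size uint32) *ReplayWindow {
	if size < 32 || size > 64 {
		size = 64
	}
	return &ReplayWindow{size: size}
}

// Check reports whether a packet with this sequence number is accepted and, if
// so, records it. Call it only after the packet's ICV has verified: a forged
// packet must never move the window, or an attacker could slide it past
// legitimate traffic.
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq == 0 {
		return false // the first packet on an SA carries sequence number 1
	}
	if seq > w.lastSeq { // right of the window: advance it
		shift := seq - w.lastSeq
		if shift >= w.size {
			w.bitmap = 0
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1
		w.lastSeq = seq
		return true
	}
	diff := w.lastSeq - seq
	if diff >= w.size {
		return false // too old: fell off the left edge of the window
	}
	if w.bitmap&(uint64(1)<<diff) != 0 {
		return false // replay: already received
	}
	w.bitmap |= uint64(1) << diff // late but inside the window: accept once
	return true
}

// RunSequence feeds packet sequence numbers through one window in arrival
// order and returns the accept/reject decision for each.
func RunSequence(w *ReplayWindow, seqs []uint32) []bool {
	out := make([]bool, len(seqs))
	for i, s := range seqs {
		out[i] = w.Check(s)
	}
	return out
}

func main() {
	dst := netip.MustParseAddr("192.0.2.1") // constructed address
	sad := SADatabase{
		{SPI: 0x1001, Dst: dst, Proto: ProtoESP}: {Name: "esp-in", Window: NewReplayWindow(64)},
		{SPI: 0x1001, Dst: dst, Proto: ProtoAH}:  {Name: "ah-in", Window: NewReplayWindow(64)},
	}
	sa, _ := sad.Lookup(0x1001, dst, ProtoESP)
	// Constructed arrival order: reordering, a duplicate, seq 0, a large jump.
	seqs := []uint32{3, 1, 2, 2, 0, 70, 6, 7, 100, 36, 37}
	fmt.Println(sa.Name, seqs, RunSequence(sa.Window, seqs))
}
```

The sample run shows the behaviour a practitioner has to keep in mind when sizing the window: a jump of more than the window width discards the whole bitmap, and a packet that arrives more than `size` behind the newest one is dropped even though it was never seen before.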
Slide 14: Transport Mode (AH Authentication): packet layout before and after AH is applied (figure slide, not reproduced)
Slide 15: Tunnel Mode (AH Authentication): packet layout before and after AH is applied (figure slide, not reproduced)
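The two AH layouts on Slides 14 and 15, built as bytes and authenticated with HMAC-SHA-1-96, as an added example in Go that is not part of the slides. It follows the RFC 2402 rules for what the ICV covers: the outer IP header with its mutable fields zeroed, the AH with its own ICV field zeroed, and everything after. In transport mode the AH sits between the IP header and the TCP segment ([IP][AH][TCP]); in tunnel mode the whole original packet becomes payload ([new IP][AH][original IP][TCP]) and so is authenticated in full. The key, addresses, SPIs and segment are constructed; IP options are assumed absent.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"net/netip"
)

const (
	protoTCP  = 6
	protoIPIP = 4  // next header of an encapsulated IPv4 packet (tunnel mode)
	protoAH   = 51 // Protocol field of the IP header that precedes an AH
	ipHdrLen  = 20 // IPv4 header without options
	icvLen    = 12 // HMAC-SHA-1-96: 20-byte tag truncated to 96 bits
	ahLen     = 12 + icvLen
)

// ipv4Header builds a 20-byte IPv4 header with no options; the checksum is
// filled in by finishChecksum once the packet is complete.
func ipv4Header(src, dst netip.Addr, proto, ttl uint8, totalLen int) []byte {
	h := make([]byte, ipHdrLen)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:], uint16(totalLen))
	binary.BigEndian.PutUint16(h[4:], 0x1234) // identification (constructed)
	h[8], h[9] = ttl, proto
	s, d := src.As4(), dst.As4()
	copy(h[12:], s[:])
	copy(h[16:], d[:])
	return h
}

func finishChecksum(h []byte) {
	h[10], h[11] = 0, 0
	var sum uint32
	for i := 0; i < ipHdrLen; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	binary.BigEndian.PutUint16(h[10:], ^uint16(sum))
}

// icvInput is what AH authenticates: the IP header with mutable fields zeroed
// (RFC 2402: TOS, flags/fragment offset, TTL, header checksum), the AH with
// its ICV field zeroed, and everything that follows.
func icvInput(pkt []byte) []byte {
	in := append([]byte(nil), pkt...)
	in[1] = 0             // TOS
	in[6], in[7] = 0, 0   // flags and fragment offset
	in[8] = 0             // TTL, decremented by every router
	in[10], in[11] = 0, 0 // header checksum, recomputed by every router
	for i := ipHdrLen + 12; i < ipHdrLen+ahLen; i++ {
		in[i] = 0 // ICV field
	}
	return in
}

func computeICV(key, pkt []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(icvInput(pkt))
	return m.Sum(nil)[:icvLen]
}

// wrapAH emits [IP header | AH | inner]: inner is a transport segment with
// its protocol as nextHdr, or a whole IP packet with nextHdr = 4.
func wrapAH(key []byte, src, dst netip.Addr, nextHdr uint8, spi, seq uint32, inner []byte) []byte {
	pkt := ipv4Header(src, dst, protoAH, 64, ipHdrLen+ahLen+len(inner))
	ah := make([]byte, ahLen)
	ah[0] = nextHdr
	ah[1] = ahLen/4 - 2 // Payload Len: AH length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	pkt = append(append(pkt, ah...), inner...)
	copy(pkt[ipHdrLen+12:], computeICV(key, pkt))
	finishChecksum(pkt)
	return pkt
}

// TransportAH: the two hosts protect their own segment ([IP][AH][TCP]).
func TransportAH(key []byte, src, dst netip.Addr, spi, seq uint32, segment []byte) []byte {
	return wrapAH(key, src, dst, protoTCP, spi, seq, segment)
}

// TunnelAH: a gateway wraps the whole original packet ([new IP][AH][IP][TCP]),
// so the inner header, addresses included, is authenticated as payload.
func TunnelAH(key []byte, gwSrc, gwDst, innerSrc, innerDst netip.Addr, spi, seq uint32, segment []byte) []byte {
	inner := ipv4Header(innerSrc, innerDst, protoTCP, 64, ipHdrLen+len(segment))
	finishChecksum(inner)
	return wrapAH(key, gwSrc, gwDst, protoIPIP, spi, seq, append(inner, segment...))
}

// VerifyAH recomputes the ICV on the receiver and compares in constant time.
func VerifyAH(key, pkt []byte) bool {
	if len(pkt) < ipHdrLen+ahLen || pkt[9] != protoAH {
		return false
	}
	return hmac.Equal(pkt[ipHdrLen+12:ipHdrLen+ahLen], computeICV(key, pkt))
}

// ForwardHop models a router on the path: TTL down, checksum recomputed.
func ForwardHop(pkt []byte) {
	pkt[8]--
	finishChecksum(pkt)
}

func main() {
	key := []byte("0123456789abcdef0123") // constructed 20-byte HMAC key
	a, b := netip.MustParseAddr("10.1.0.5"), netip.MustParseAddr("10.2.0.9")
	g1, g2 := netip.MustParseAddr("203.0.113.1"), netip.MustParseAddr("198.51.100.1")
	seg := []byte("TCP segment (constructed)")
	tp := TransportAH(key, a, b, 0x100, 1, seg)
	ForwardHop(tp)
	fmt.Println("transport:", len(tp), "bytes, verifies after a hop:", VerifyAH(key, tp))
	tu := TunnelAH(key, g1, g2, a, b, 0x200, 1, seg)
	fmt.Println("tunnel:", len(tu), "bytes, next header:", tu[ipHdrLen], "verifies:", VerifyAH(key, tu))
}
```

The point the figures cannot show: the ICV survives a router decrementing TTL and rewriting the checksum because those fields are zeroed before hashing, while any change to an immutable field (addresses, total length) or to the payload is detected. This is also why AH and NAT do not mix: NAT rewrites the source address, which is covered by the ICV.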
Slide 16: End-to-end versus End-to-Intermediate Authentication (figure slide, not reproduced)
Slide 17: Encapsulating Security Payload
ESP provides confidentiality services (encryption of the payload) and, optionally, the same integrity, origin authentication and replay protection services as AH.
Slide 18: Encryption and Authentication Algorithms
Encryption (ESP):
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
Authentication (AH and ESP):
– HMAC-MD5-96
– HMAC-SHA-1-96
The "-96" means the HMAC output is truncated to its first 96 bits (12 bytes) when carried in the packet. This list reflects the 1998 RFCs; the current algorithm requirements for ESP and AH (RFC 8221) deprecate 3DES and HMAC-MD5 and make AES (including AES-GCM) and HMAC-SHA-2 the baseline.
Slides 19 and 20: ESP Encryption and Authentication (figure slides, not reproduced)
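An ESP packet as on Slides 17 to 20, built and unpacked in Go as an added example that is not part of the slides. It uses two algorithms from the slide's list, three-key triple DES in CBC mode and HMAC-SHA-1-96, in the RFC 2406 layout: SPI, sequence number, IV, the encrypted payload with its padding, pad-length and next-header trailer, then the ICV. The ICV covers everything before it, so the SPI and sequence number are authenticated but sent in clear (the receiver needs them to find the SA). The keys and payload are constructed; the trailer check order (ICV first, decrypt second) is the design point to take away.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const espICVLen = 12 // HMAC-SHA-1-96

// Decapsulated is what the receiver recovers from a valid ESP packet.
type Decapsulated struct {
	SPI, Seq uint32
	NextHdr  byte
	Payload  []byte
}

// EncapsulateESP builds: SPI | Seq | IV | {payload | pad | pad len | next hdr} | ICV,
// where the braces are 3DES-CBC encrypted and the ICV authenticates all before it.
func EncapsulateESP(encKey, authKey []byte, spi, seq uint32, nextHdr byte, payload []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(encKey) // 24-byte key
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	// Pad so that payload + padding + the 2 trailer bytes fills whole blocks.
	padLen := (bs - (len(payload)+2)%bs) % bs
	plain := append([]byte(nil), payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 2406 default padding: 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHdr)

	pkt := make([]byte, 8+bs, 8+bs+len(plain)+espICVLen)
	binary.BigEndian.PutUint32(pkt[0:], spi)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	iv := pkt[8 : 8+bs]
	if _, err := rand.Read(iv); err != nil { // fresh random IV per packet
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, plain)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, authKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:espICVLen]...), nil
}

// DecapsulateESP checks the ICV before touching the cipher: a packet that
// fails authentication is dropped without decrypting, so padding and trailer
// errors are never observable by an attacker.
func DecapsulateESP(encKey, authKey, pkt []byte) (*Decapsulated, error) {
	blk, err := des.NewTripleDESCipher(encKey)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(pkt) < 8+2*bs+espICVLen {
		return nil, errors.New("esp: packet too short")
	}
	body, icv := pkt[:len(pkt)-espICVLen], pkt[len(pkt)-espICVLen:]
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	if !hmac.Equal(icv, mac.Sum(nil)[:espICVLen]) {
		return nil, errors.New("esp: ICV mismatch, packet dropped")
	}
	iv, ct := body[8:8+bs], body[8+bs:]
	if len(ct)%bs != 0 {
		return nil, errors.New("esp: ciphertext not block aligned")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	if padLen+2 > len(plain) {
		return nil, errors.New("esp: bad pad length")
	}
	return &Decapsulated{
		SPI:     binary.BigEndian.Uint32(body[0:]),
		Seq:     binary.BigEndian.Uint32(body[4:]),
		NextHdr: plain[len(plain)-1],
		Payload: plain[:len(plain)-2-padLen],
	}, nil
}

func main() {
	encKey := []byte("0123456789abcdef01234567") // constructed 24-byte 3DES key
	authKey := []byte("esp-auth-key-constructed")
	msg := []byte("GET / HTTP/1.0\r\n\r\n")
	pkt, _ := EncapsulateESP(encKey, authKey, 0x2001, 1, 6, msg)
	d, err := DecapsulateESP(encKey, authKey, pkt)
	fmt.Println(len(pkt), "bytes, error:", err, "payload intact:", bytes.Equal(d.Payload, msg))
	pkt[16] ^= 1 // flip one ciphertext bit: rejected at the ICV, never decrypted
	_, err = DecapsulateESP(encKey, authKey, pkt)
	fmt.Println(err)
}
```

Without the ICV (ESP "without authentication", as Slide 3 allows), the receiver would decrypt first and the pad-length check would become an oracle for CBC padding attacks; that is why authenticated ESP, or an AEAD cipher, is the only configuration worth deploying.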
Slide 21: Key Management
Two types:
– Manual: an administrator configures the keys on each system (practical only for small, static environments)
– Automated: keys are created on demand, as needed for large distributed systems
The automated scheme in the IPSec architecture (IKE) combines two protocols:
– Oakley Key Determination Protocol: the key exchange itself, based on Diffie-Hellman with added authentication and anti-clogging cookies
– Internet Security Association and Key Management Protocol (ISAKMP): the framework and message formats for negotiating security associations
Slide 22: Oakley
Three methods for authenticating the Diffie-Hellman exchange (authentication is what stops a man-in-the-middle from substituting its own Diffie-Hellman values):
– Digital signatures
– Public-key encryption
– Symmetric-key encryption
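An Oakley-style exchange as sketched on Slides 21 and 22, using the first of the three authentication methods (digital signatures), as an added example in Go that is not code from the slides or from any IKE implementation. It shows the three ideas the slides name: a responder cookie that costs the responder no state and no Diffie-Hellman work until the initiator echoes it, a Diffie-Hellman exchange with nonces, and signatures over the exchanged values so a man-in-the-middle cannot substitute its own public value. Assumptions for the illustration: X25519 and Ed25519 from Go's standard library stand in for Oakley's MODP groups and certificate-based signatures, the three-message flow and the `Party`/`Offer` types are this example's own, and the key derivation follows the RFC 2409 signature-mode form SKEYID = prf(Ni | Nr, g^xy) with HMAC-SHA-256 as the prf.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Offer carries one side's exchange values: the responder cookie, a DH
// public value, a nonce, and a signature authenticating them.
type Offer struct {
	Cookie, DHPublic, Nonce, Sig []byte
}

// Party is one endpoint: a long-term Ed25519 identity plus per-exchange state.
type Party struct {
	signKey      ed25519.PrivateKey
	cookieSecret []byte // used when acting as responder; never leaves the host
	dh           *ecdh.PrivateKey
	nonce, cookie []byte
}

func NewParty() (*Party, error) {
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &Party{signKey: sk, cookieSecret: secret}, nil
}

func (p *Party) Public() ed25519.PublicKey { return p.signKey.Public().(ed25519.PublicKey) }

// IssueCookie is the anti-clogging defence: an HMAC of the initiator's address
// under a local secret. The responder stores nothing and does no DH work until
// the initiator proves it can receive at that address by echoing the cookie.
func (p *Party) IssueCookie(initiatorAddr string) []byte {
	m := hmac.New(sha256.New, p.cookieSecret)
	m.Write([]byte(initiatorAddr))
	return m.Sum(nil)[:8]
}

func (p *Party) fresh() error {
	var err error
	if p.dh, err = ecdh.X25519().GenerateKey(rand.Reader); err != nil {
		return err
	}
	p.nonce = make([]byte, 16)
	_, err = rand.Read(p.nonce)
	return err
}

// Initiate: echo the cookie and send g^x, Ni and a signature over them.
func (p *Party) Initiate(cookie []byte) (Offer, error) {
	if err := p.fresh(); err != nil {
		return Offer{}, err
	}
	p.cookie = cookie
	o := Offer{Cookie: cookie, DHPublic: p.dh.PublicKey().Bytes(), Nonce: p.nonce}
	o.Sig = ed25519.Sign(p.signKey, bytes.Join([][]byte{cookie, o.DHPublic, o.Nonce}, nil))
	return o, nil
}

// Respond: check the cookie (cheap) and the initiator's signature before any
// DH work, then answer with g^y, Nr and a signature that also covers the
// initiator's values, binding the two halves of the exchange together.
func (p *Party) Respond(initiatorAddr string, in Offer, initiatorPub ed25519.PublicKey) (Offer, []byte, error) {
	if !hmac.Equal(in.Cookie, p.IssueCookie(initiatorAddr)) {
		return Offer{}, nil, errors.New("bad cookie: dropped without state or DH work")
	}
	if !ed25519.Verify(initiatorPub, bytes.Join([][]byte{in.Cookie, in.DHPublic, in.Nonce}, nil), in.Sig) {
		return Offer{}, nil, errors.New("initiator signature invalid")
	}
	if err := p.fresh(); err != nil {
		return Offer{}, nil, err
	}
	o := Offer{Cookie: in.Cookie, DHPublic: p.dh.PublicKey().Bytes(), Nonce: p.nonce}
	o.Sig = ed25519.Sign(p.signKey, bytes.Join([][]byte{in.Cookie, o.DHPublic, o.Nonce, in.DHPublic, in.Nonce}, nil))
	key, err := p.derive(in.DHPublic, in.Nonce, p.nonce)
	return o, key, err
}

// Finish: the initiator verifies the responder's signature over both halves
// and derives the same key.
func (p *Party) Finish(in Offer, responderPub ed25519.PublicKey) ([]byte, error) {
	msg := bytes.Join([][]byte{p.cookie, in.DHPublic, in.Nonce, p.dh.PublicKey().Bytes(), p.nonce}, nil)
	if !ed25519.Verify(responderPub, msg, in.Sig) {
		return nil, errors.New("responder signature invalid")
	}
	return p.derive(in.DHPublic, p.nonce, in.Nonce)
}

// derive computes SKEYID = prf(Ni | Nr, g^xy) with HMAC-SHA-256 as the prf.
func (p *Party) derive(peerPub, ni, nr []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	gxy, err := p.dh.ECDH(pub)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, append(append([]byte{}, ni...), nr...))
	m.Write(gxy)
	return m.Sum(nil), nil
}

func main() {
	initiator, _ := NewParty()
	responder, _ := NewParty()
	addr := "192.0.2.10:500" // constructed initiator address
	o1, _ := initiator.Initiate(responder.IssueCookie(addr))
	o2, kr, err := responder.Respond(addr, o1, initiator.Public())
	ki, _ := initiator.Finish(o2, responder.Public())
	fmt.Println("error:", err, "same SKEYID on both sides:", bytes.Equal(ki, kr))
}
```

The order of checks in `Respond` is the part worth copying: the cookie comparison is one HMAC, the signature check is one public-key operation, and only then does the responder spend a Diffie-Hellman operation and allocate state. A flood of spoofed first messages therefore costs the responder almost nothing, which is exactly what the cookie mechanism is for.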
Slide 23: ISAKMP (figure slide, not reproduced)
Slide 24: TCP/IP Example (figure slide, not reproduced)