Presentation is loading. Please wait.

Presentation is loading. Please wait.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet."— Presentation transcript:

1 Encapsulation Security Payload Protocol Lan Vu

2 OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet processing 7.Why ESP? 8.Security Considerations 9.ESP Performance Impacts 10.Conclusion

3 INTRODUCTION AND TERMS Internet Protocol Security (IPSec): a security function implemented at the IP level of the protocol stack. Security Association (SA): is used to track a given communication session. It defines the information about the traffic security protocol, the authentication algorithm, and the encryption algorithm to be used. Also, it gives the information on data flow, lifetime of the SA and sequence numbering to guard against replay attacks.

4 ESP OVERVIEW ESP protocol (i.e. traffic security protocol) is used in an IPsec transmitted over IP. ESP is identified by protocol number 50. ESP provides optional services to provide the protection for anything such as authentication, encryption, and integrity check for IP datagrams. It operates on a per-packet basis. + Encryption scrambles the data packet to prevent unauthorized people from reading the message. + Authentication verifies that the source address was not forged. + Anti replay mechanism ensures the packet was not tampered while in route to its destination.

5 ESP OVERVIEW (cont.) The desired services to be used are selectable upon establishment of the security association (SA). Encryption is selectable independent of any other services. If encryption is enabled, then integrity check and authentication should be turned on as well. If only encryption is used, intruders could forge packets in order to mount a cryptanalytic attack.

6 ESP PACKET FORMAT There is an ESP header, an ESP trailer, and ESP authentication data. The payload is located (encapsulated) between the header and the trailer, which gives the protocol its name.

7 PACKET FIELDS The ESP packet contains the following fields: Security Parameter Index (SPI) This field is 32 bits in length Sequence Number This 32-bit field is an increasing counter, and again follows the AH definitions. It is used to prevent replay attacks. Payload Data + This field is mandatory. + It consists of a variable number of bytes of data described by the Next Header field. + PD is encrypted with the cryptographic algorithm selected during SA establishment. If the algorithm requires initialization vectors (CBC), they will be included here as well. + Algorithms supported: –DES (CBC) – TDEA (three key) –IDEA – Three key triple IDEA –CAST – Blowfish –RC5

8 PACKET FIELDS (CONT.) Padding: ie. to ensure that the bits to be encrypted are a multiple of blocksize Authentication Data + This optional field is variable in length. + Authenticate packet using MD5 or SHA-1 with a key (i.e. HMAC) or without a key to create a unique “hash” or “digest” of the contents of the packet. + IP header is not covered in the AD + The AD is calculated from the SPI to the Next Header field inclusive.

9 ESP MODES Transport Mode Here the ESP header is inserted immediately after the IP header. The ESP trailer and the optional authentication data are appended to the payload. In transport mode, ESP neither authenticates nor encrypts the IP header. But this mode has a low computational overhead.

10 ESP MODES (CONT.) Tunnel Mode Here, a new IP packet is made with a new IP header. ESP/Transport is then applied and the original datagram is the payload for the new packet. If authentication and encryption have been initiated, the packet is protected. However, the new IP header is not protected.

11 ESP PACKET PROCESSING Sender Processes: 1.Look up SA 2.Packet encryption and authentication data +Encapsulate the original next layer protocol information or the entire original IP datagram +Add necessary padding +Encrypt the result using the key and encryption algorithm mode specified in SA +Compute the authenticate data over the ESP packet using hash functions. 3.Generate sequence number

12 ESP PACKET PROCESSING Receiver Processes: 1.Determines the appropriate SA 2.Verify sequence number 3.Verify the decryption and authentication + Decrypts and integrity check the ESP payload data, padding, pad length, and next header using the key, algorithm, algorithm mode indicated by SA + If the check fail, discard the packet and log the SPI value, date/time received, source address, destination address, the sequence number. + Process any padding + Check the next header field, if the value is “59”, the packet is discard. + Extract the original IP datagram or transport-layer fram from the ESP Payload Data field.

13 WHY ESP? Data origin authentication is a security service that verifies the identity of the claimed source of data Confidentiality is the security service that protects data from unauthorized parties. + the disclosure of application level data is protected by encrypting the payload data. + the disclosure of external characteristics of communication, also known as the traffic-flow confidentiality that is support by concealing source and destination addresses, message length, or frequency of communication. Anti-replay detects arrival of duplicate IP datagram (using sliding receive window). It is supported by the sequence number which is an unsigned 32-bit field contains a monotonically increasing counter value in ESP header

14 SECURITY CONSIDERATIONS The quality of the security provides by this ESP mechanism depends on -The strength of the implemented cryptographic algorithms - The strength of the key being used -The correct implementation of the cryptographic algorithms -The security of the key management protocol -The correct implementation of IP -Several security mechanisms in all of the participating systems. The ESP protocol is described as a security service focuses only on the IP layer. Not solve the secure of the system.

15 SECURITY CONSIDERATIONS (cont.) Advantage: + Higher-level services protect a single protocol. + Lower level services protect a single medium. Therefore, Can protect any protocol running above IP and any medium which IP runs over. + Attacks on higher-level protocols more difficult. Limitations + Not end-to-end + Authenticate machine not users + Does not stop traffic analysis In general, to provide an effective security environment, one should consider the combination of different mechanisms and algorithms as well as weight the strength and weakness for each of them to meet his or her needs.

16 PERFORMANCE IMPACTS The encapsulating security approach used by ESP can noticeably impact network performance in participating systems 1.Protocol processing in participating systems will be more complex when encapsulating security is used, requiring both more time and more processing power. 2.Use of encryption will also increase the communications latency. The increased latency is primarily due to the encryption and decryption required for each IP datagram containing an Encapsulating Security Payload

17 Conclusion Encapsulating Security Payload covers packet format and general issues for packet encryption. It offers the security service at the IP layer. Hence, it could be used in the conjunction with other security mechanisms in designing robust distributed systems.

18 REFERENCES 1. R. Atkinson. IP encapsulating security payload (ESP). Request for Comments (Proposed Standard) RFC 1827, Internet Engineering Task Force, August 1995. 2. FreeS/Wan Project. http://www.freeswan.org http://www.freeswan.org 3. S. Kent and R. Atkinson. IP Encapsulating Security Payload. Request for Comments (2406), Internet Engineering Task Force, November 1998. http://www.networksorcery.com/enp/rfc/rfc2406.txt http://www.networksorcery.com/enp/rfc/rfc2406.txt 4. R. Anderson. Security Engineering. A Guide to Building Dependable Distributed Systems. Wiley, p.378, 2001. 5. IPSEC and Windows 2000: a step by step guide http://www.ccs.neu.edu/home/peterm/IPSEC2000.html

Download ppt "Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Cryptography and Network Security

Cryptography and Network Security
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM SREEJITH SREEDHARAN CS843 PROJECT PRESENTATION 04/28/03.

THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM SREEJITH SREEDHARAN CS843 PROJECT PRESENTATION 04/28/03.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Similar presentations

Ads by Google