
2003-2004 - Information management, Groep T Leuven – Information department: IPSec, IP Security (IPSec) (presentation transcript, 26 slides)




Slide 1: IP Security (IPSec)

Slide 2: IP Security (IPSec)
IPSec overview
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
Main Mode negotiation
Quick Mode negotiation
Retransmit behavior

Slide 3: Overall Architecture (RFC 1825)
Framework for security protocols to provide:
– Data integrity
– Data authentication
– Data confidentiality
– Security association management
– Key management

Slide 4: Authentication Header (RFC 1826)
Data integrity—no twiddling of bits
Origin authentication—definitely came from router
Uses keyed-hash mechanism
Does not provide confidentiality
[Figure: two routers exchange "IP Header plus Data" carrying an AH with Authentication Data (00ABCDEF); the same Authentication Data value appears at both ends]

Slide 5: Encapsulating Security Payload (RFC 1827)
Confidentiality
Data origin authentication
Data integrity
Replay protection (optional)
[Figure: router-to-router exchange with all data encrypted]

Slide 6: Security Association (SA)
Agreement between two entities on method to communicate securely
Unidirectional—two-way communication consists of two SAs
[Figure: router and firewall connected over an insecure channel]

Slide 7: IKE Policy Negotiation
Encryption algorithm, hash algorithm, and method of authentication
[Figure: each peer offers its list of ISAKMP policies: 3DES, MD5, and RSA signatures; or IDEA, SHA, and DSS signatures; or Blowfish, SHA, and RSA encryption. The ISAKMP policy agreed for the tunnel is IDEA, SHA, and DSS signatures]

Slide 8: IPSec Model
Device authentication
– Crypto devices obtain digital certificates from CAs
Authorization
– Packet selection via ACLs
– Security Association (SA) established via ISAKMP/Oakley
Privacy and integrity
– IPSec-based encryption and digital signature
[Figure: a Certificate Authority issues a digital certificate to each peer; an IKE session establishes the SA; traffic is clear text on the internal networks and encrypted across the authenticated, encrypted tunnel]

Slide 9: IPsec Protocols and Formats
Headers:
– Authentication Header: integrity, authentication
– Encapsulating Security Payload: adds confidentiality
Key exchange:
– ISAKMP/Oakley: negotiates security parameters; uses digital certificates
– Diffie-Hellman: generates shared secret keys
Modes:
– Transport: IP payload only, Layer 4 is obscured; both end systems need IPsec
– Tunnel: entire datagram; no changes to intermediate systems
Encryption: DES, 3DES, RC4, IDEA, AES...
Hashing: HMAC MD5, HMAC SHA1

Slide 10: IPSec Modes
[Figure: packet layouts]
Transport mode: IP HDR | IPSec HDR | DATA (DATA encrypted)
Tunnel mode: New IP HDR | IPSec HDR | IP HDR | DATA (original IP HDR and DATA encrypted)

Slide 11: Tunnel and Transport Modes
Transport mode for end-to-end session
Tunnel mode for everything else
[Figure: Joe's PC and the HR server, showing a transport-mode path and a tunnel-mode path]

Slide 12: IPsec—Standards Based
[Figure: Internet, campus network, firewall, VLANs, IPsec, dial-up access]

Slide 13: IPSec Overview
Router to router
Router to firewall
PC to router
PC to server
Proposed Internet standard for IP-layer cryptography with IPv4 and IPv6

Slide 14: IPSec Process
Initiating the IPSec session
– Phase one—exchanging keys
– Phase two—setting up security associations
Encrypting/decrypting packets
Rebuilding security associations
Timing out security associations

Slide 15: Initiating the IPSec Session, Phase One—ISAKMP
Internet Security Association Key Management Protocol (ISAKMP)
Both sides need to agree on the ISAKMP security parameters (ISAKMP SADB)
– ISAKMP parameters: encryption algorithm, hash algorithm, authentication method, Diffie-Hellman modulus group, lifetime

Slide 16: Initiating the IPSec Session, Phase Two
Both sides need to agree on the IPSec security parameters (IPSec SADB)
IPSec parameters:
– IPSec peer: endpoint of IPSec tunnel
– IPSec proxy: traffic to be encrypted/decrypted
– IPSec transform: encryption and hashing
– IPSec lifetime: phase two SA regeneration time

Slide 17: Encrypting and Decrypting Packets
Phase one and phase two complete
Security Associations (SAs) are created at both IPSec endpoints
Using the negotiated SADB information:
– Outbound packets are encrypted
– Inbound packets are decrypted

Slide 18: Rebuilding Security Associations
To ensure that keys are not compromised, they are periodically refreshed
Security associations will be rebuilt when:
– The lifetime expires, or
– Data volume has been exceeded, or
– Another SA is attempted with identical parameters

Slide 19: Security Associations
Combination of mutually agreed security services, protection mechanisms, and cryptographic keys
ISAKMP SA
IPSec SAs
– One for inbound traffic
– One for outbound traffic
Security Parameters Index (SPI)
– Helps identify an SA
Creating SAs
– Main Mode for ISAKMP SA
– Quick Mode for IPSec SAs

Slide 20: IPSec Headers
Authentication Header (AH)
– Provides data origin authentication, data integrity, and replay protection for the entire IP datagram
Encapsulating Security Payload (ESP)
– Provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP-encapsulated portion of the packet
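Slides 18 to 20 describe the security association database: one SA per direction, each identified by its SPI, each rebuilt when its lifetime or data volume is exceeded, and each providing replay protection. The following Python model is an added example, not from the slide deck or any vendor implementation. It assumes a 64-entry sliding anti-replay window (the size RFC 2401 Appendix C describes) and constructed SPI values, lifetimes and byte limits.

```python
WINDOW = 64  # anti-replay window size in sequence numbers (RFC 2401 Appendix C uses 64)


class SecurityAssociation:
    """One unidirectional SA (slide 19): identified by SPI, with its own counters and limits."""

    def __init__(self, spi, direction, lifetime_s, byte_limit, now):
        self.spi = spi
        self.direction = direction      # "in" or "out"
        self.created = now
        self.lifetime_s = lifetime_s
        self.byte_limit = byte_limit
        self.bytes_used = 0
        self.seq = 0                    # outbound: last sequence number sent
        self.highest = 0                # inbound: highest sequence number accepted so far
        self.bitmap = 0                 # inbound: bit i set means (highest - i) was already seen

    def expired(self, now):
        """Slide 18: rebuild when the lifetime expires or the data volume is exceeded."""
        return now - self.created >= self.lifetime_s or self.bytes_used >= self.byte_limit

    def next_seq(self):
        self.seq += 1
        return self.seq

    def check_replay(self, seq):
        """Sliding-window anti-replay check: True if seq is fresh (state is updated)."""
        if seq == 0:
            return False
        if seq > self.highest:                      # advance the window
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << WINDOW) - 1) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW:                        # older than the window: drop
            return False
        if self.bitmap >> offset & 1:               # already accepted: replay
            return False
        self.bitmap |= 1 << offset                  # late but fresh
        return True


class SADB:
    """IPSec SADB keyed by SPI; constructed model, not a real stack's data structure."""

    def __init__(self):
        self.by_spi = {}

    def add_pair(self, spi_in, spi_out, lifetime_s, byte_limit, now):
        """Two-way traffic needs two SAs, one inbound and one outbound (slide 19)."""
        self.by_spi[spi_in] = SecurityAssociation(spi_in, "in", lifetime_s, byte_limit, now)
        self.by_spi[spi_out] = SecurityAssociation(spi_out, "out", lifetime_s, byte_limit, now)

    def outbound(self, spi, length, now):
        """Sequence number to place in the AH/ESP header, or None if the SA must be rebuilt."""
        sa = self.by_spi.get(spi)
        if sa is None or sa.direction != "out" or sa.expired(now):
            return None
        sa.bytes_used += length
        return sa.next_seq()

    def inbound(self, spi, seq, length, now):
        """Decision for a received packet carrying (spi, seq)."""
        sa = self.by_spi.get(spi)
        if sa is None or sa.direction != "in" or sa.expired(now):
            return "drop: no usable SA"
        if not sa.check_replay(seq):
            return "drop: replay or outside window"
        sa.bytes_used += length
        return "accept"


def demo():
    """Walk through the SADB behaviour with constructed SPIs, times and limits."""
    db, t0, r = SADB(), 1000.0, {}
    db.add_pair(spi_in=0x100, spi_out=0x200, lifetime_s=3600, byte_limit=10_000, now=t0)
    r["seqs"] = [db.outbound(0x200, 100, t0) for _ in range(3)]          # 1, 2, 3
    r["in_order"] = [db.inbound(0x100, s, 100, t0) for s in (1, 2, 3)]   # all accepted
    r["replay"] = db.inbound(0x100, 2, 100, t0)                          # seen before
    r["jump"] = db.inbound(0x100, 50, 100, t0)                           # window advances
    r["late_fresh"] = db.inbound(0x100, 4, 100, t0)                      # inside window, new
    r["late_replay"] = db.inbound(0x100, 1, 100, t0)                     # inside window, seen
    db.inbound(0x100, 200, 100, t0)
    r["too_old"] = db.inbound(0x100, 100, 100, t0)                       # 100 behind: outside
    r["wrong_direction"] = db.inbound(0x200, 7, 100, t0)                 # outbound SA misused
    db.outbound(0x200, 10_000, t0)                                       # exhausts the volume
    r["volume_exceeded"] = db.outbound(0x200, 100, t0)                   # None: rebuild needed
    db.add_pair(spi_in=0x300, spi_out=0x400, lifetime_s=3600, byte_limit=10_000, now=t0)
    r["lifetime_expired"] = db.outbound(0x400, 100, t0 + 3600)           # None: rebuild needed
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The window is a single integer used as a bitmap, so advancing it is one shift and mask; an SA that has expired is refused rather than silently reused, which is the condition under which slide 18 says a new SA is negotiated.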

Slide 21: IPSec Modes
Transport mode
– Typically used for IPSec peers doing end-to-end security
– Provides protection for upper-layer protocol data units (PDUs)
Tunnel mode
– Typically used by network routers to protect IP datagrams
– Provides protection for entire IP datagrams

Slide 22: AH Transport Mode
[Figure: the original datagram IP | Upper layer PDU becomes IP | AH | Upper layer PDU, with the whole packet authenticated]

Slide 23: AH Tunnel Mode
[Figure: IP (new) | AH | IP | Upper layer PDU, with the whole packet authenticated]
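Slide 4 says AH uses a keyed-hash mechanism, and slides 22 and 23 show where the AH sits in transport and tunnel mode. The Python below is an added example, not code from the slides, that builds both layouts over a constructed IPv4 datagram and computes the Authentication Data as HMAC-SHA1-96 (RFC 2404) with the mutable IPv4 fields zeroed as RFC 2402 specifies. The key, addresses and payload are constructed; the minimal header builder leaves the IP checksum at zero and is not a full IP stack.

```python
import hmac
import hashlib
import socket
import struct

KEY = b"constructed-ah-key-not-a-real-secret"   # constructed for the example
AH_PROTO = 51      # IP protocol number of the Authentication Header
IPIP_PROTO = 4     # next header of the inner datagram in tunnel mode (IP-in-IP)
ICV_LEN = 12       # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero for the example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def with_proto_and_len(hdr, proto, payload_len):
    """Copy of an IPv4 header that points at a new next protocol and payload length."""
    h = bytearray(hdr)
    h[2:4] = struct.pack("!H", 20 + payload_len)
    h[9] = proto
    return bytes(h)


def zero_mutable(hdr):
    """Fields that legitimately change in transit are zeroed before hashing (RFC 2402):
    TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(ip_hdr, ah_fixed, payload):
    """Keyed hash over immutable IP header + AH (ICV zeroed) + everything after it."""
    msg = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:ICV_LEN]


def seal(ip_hdr, next_hdr, payload, spi, seq):
    """Emit IP | AH | payload with the AH covering the whole datagram."""
    ah_len = 12 + ICV_LEN                               # fixed AH fields + ICV
    outer = with_proto_and_len(ip_hdr, AH_PROTO, ah_len + len(payload))
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    return outer + ah_fixed + icv(outer, ah_fixed, payload) + payload


def ah_transport(ip_hdr, pdu, spi, seq):
    """Slide 22: IP | AH | upper layer PDU."""
    return seal(ip_hdr, ip_hdr[9], pdu, spi, seq)


def ah_tunnel(gw_src, gw_dst, ip_hdr, pdu, spi, seq):
    """Slide 23: IP (new) | AH | IP | upper layer PDU; the original datagram is the payload."""
    new_hdr = ipv4_header(gw_src, gw_dst, IPIP_PROTO, 0)
    return seal(new_hdr, IPIP_PROTO, ip_hdr + pdu, spi, seq)


def ah_verify(packet):
    """Recompute the ICV in constant-time comparison; return (ok, next_header, payload)."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_hdr, ah_len = rest[0], (rest[1] + 2) * 4
    ah_fixed, got, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(got, icv(ip_hdr, ah_fixed, payload)), next_hdr, payload


def demo():
    """Constructed inner TCP datagram, sealed in both modes, then tampered with."""
    inner, pdu = ipv4_header("10.1.1.5", "10.2.2.7", 6, 5), b"hello"
    t = ah_transport(inner, pdu, spi=0x1001, seq=1)
    u = ah_tunnel("192.0.2.1", "198.51.100.1", inner, pdu, spi=0x1002, seq=1)
    r = {"transport_ok": ah_verify(t)[0], "tunnel_ok": ah_verify(u)[0]}
    hop = bytearray(t); hop[8] -= 1                  # a router decrementing TTL: still valid
    r["ttl_change_ok"] = ah_verify(bytes(hop))[0]
    bad = bytearray(t); bad[-1] ^= 0x01              # one twiddled bit in the PDU: detected
    r["tampered_pdu_ok"] = ah_verify(bytes(bad))[0]
    bad_in = bytearray(u); bad_in[20 + 24 + 12] ^= 0x01   # inner source address in tunnel mode
    r["tampered_inner_src_ok"] = ah_verify(bytes(bad_in))[0]
    return r


if __name__ == "__main__":
    print(demo())
```

Changing the TTL of the sealed transport packet still verifies, because TTL is a mutable field; flipping a bit of the PDU, or of the inner IP header in tunnel mode, does not. That difference is what slide 21 means by tunnel mode protecting the entire IP datagram.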

Slide 24: ESP Transport Mode
[Figure: the original datagram IP | Upper layer PDU becomes IP | ESP | Upper layer PDU | ESP Auth Data; the upper layer PDU is encrypted, and the ESP header together with the encrypted PDU is authenticated]

Slide 25: ESP with AH Transport Mode
[Figure: IP | AH | ESP | Upper layer PDU | ESP Auth; the PDU is encrypted and authenticated with ESP, and the whole packet is authenticated with AH]

Slide 26: ESP Tunnel Mode
[Figure: IP (new) | ESP | IP | Upper layer PDU | ESP Auth Data; the original IP header and upper layer PDU are encrypted, and the ESP header together with the encrypted datagram is authenticated]

