Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11 Page 1 Advanced Network Security Cryptography and Networks: IPSec and SSL/TLS Advanced Network Security Peter Reiher August, 2014.

Published byDerick Whitehead Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 11 Page 1 Advanced Network Security Cryptography and Networks: IPSec and SSL/TLS Advanced Network Security Peter Reiher August, 2014."— Presentation transcript:

1 Lecture 11 Page 1 Advanced Network Security Cryptography and Networks: IPSec and SSL/TLS Advanced Network Security Peter Reiher August, 2014

2 Lecture 11 Page 2 Advanced Network Security Outline IPSec SSL and TLS

3 Lecture 11 Page 3 Advanced Network Security IPsec Standard for applying cryptography at the network layer of IP stack Provides various options for encrypting and authenticating packets –On end-to-end basis –Without concern for transport layer (or higher)

4 Lecture 11 Page 4 Advanced Network Security What IPsec Covers Message integrity Message authentication Message confidentiality

5 Lecture 11 Page 5 Advanced Network Security What Isn’t Covered Non-repudiation Digital signatures Key distribution Traffic analysis Handling of security associations Some of these covered in related standards

6 Lecture 11 Page 6 Advanced Network Security Some Important Terms for IPsec Security Association - “ A Security Association (SA) is a simplex ‘connection’ that affords security services to the traffic carried by it.” –Basically, a secure one-way channel SPI (Security Parameters Index) – Combined with destination IP address and IPsec protocol type, uniquely identifies an SA

7 Lecture 11 Page 7 Advanced Network Security General Structure of IPsec Really designed for end-to-end encryption –Though could do link level Designed to operate with either IPv4 or IPv6 Meant to operate with a variety of different ciphers And to be neutral to key distribution methods Has sub-protocols –E.g., Encapsulating Security Payload

8 Lecture 11 Page 8 Advanced Network Security Encapsulating Security Payload (ESP) Protocol Encrypt the data and place it within the ESP The ESP has normal IP headers Can be used to encrypt just the payload of the packet Or the entire IP packet

9 Lecture 11 Page 9 Advanced Network Security ESP Modes Transport mode –Encrypt just the transport-level data in the original packet –No IP headers encrypted Tunnel mode –Original IP datagram is encrypted and placed in ESP –Unencrypted headers wrapped around ESP

10 Lecture 11 Page 10 Advanced Network Security ESP in Transport Mode Extract the transport-layer frame –E.g., TCP, UDP, etc. Encapsulate it in an ESP Encrypt it The encrypted data is now the last payload of a cleartext IP datagram

11 Lecture 11 Page 11 Advanced Network Security ESP Transport Mode Original IP header ESP Hdr Normal Packet Payload ESP Trlr ESP Auth Encrypted Authenticated

12 Lecture 11 Page 12 Advanced Network Security Using ESP in Tunnel Mode Encrypt the IP datagram –The entire datagram Encapsulate it in a cleartext IP datagram Routers not understanding IPsec can still handle it Receiver reverses the process

13 Lecture 11 Page 13 Advanced Network Security ESP Tunnel Mode New IP hdr ESP Hdr Original Packet Payload ESP Trlr ESP Auth Orig. IP hdr Encrypted Authenticated

14 Lecture 11 Page 14 Advanced Network Security Uses and Implications of Tunnel Mode Typically used when there are security gateways between sender and receiver –And/or sender and receiver don’t speak IPsec Outer header shows security gateway identities –Not identities of real parties Can thus be used to hide some traffic patterns

15 Lecture 11 Page 15 Advanced Network Security What IPsec Requires Protocol standards –To allow messages to move securely between nodes Supporting mechanisms at hosts running IPsec –E.g., a Security Association Database Lots of plug-in stuff to do the cryptographic heavy lifting

16 Lecture 11 Page 16 Advanced Network Security The Protocol Components Pretty simple Necessary to interoperate with non-IPsec equipment So everything important is inside an individual IP packet’s payload No inter-message components to protocol –Though some security modes enforce inter-message invariants

17 Lecture 11 Page 17 Advanced Network Security The Supporting Mechanisms Methods of defining security associations Databases for keeping track of what’s going on with other IPsec nodes –To know what processing to apply to outgoing packets –To know what processing to apply to incoming packets

18 Lecture 11 Page 18 Advanced Network Security Plug-In Mechanisms Designed for high degree of generality So easy to plug in: –Different crypto algorithms –Different hashing/signature schemes –Different key management mechanisms

19 Lecture 11 Page 19 Advanced Network Security Status of IPsec Accepted Internet standard Widely implemented and used –Supported in Windows 2000, XP, Vista, Windows 7, Windows 8 –In Linux 2.6 (and later) kernel The architecture doesn’t require everyone to use it RFC 3602 on using AES in IPsec still listed as “proposed” AES will become default for ESP in IPsec

20 Lecture 11 Page 20 Advanced Network Security SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications in Internet –E.g., web browsing Essentially, standards to negotiate, set up, and apply crypto

21 Lecture 11 Page 21 Advanced Network Security The Basics of SSL Usually a client/server operation Client contacts server A negotiation over authentication, key exchange, and cipher takes place Authentication is performed and key agreed upon Then all packets are encrypted with that key and cipher at application level

22 Lecture 11 Page 22 Advanced Network Security Common Use Server authenticates to client using an X.509 certificate –Typically, client not authenticated Though option allows it Client provides material to server to derive session key Client and server derive same session key, start sending encrypted packets

23 Lecture 11 Page 23 Advanced Network Security Crypto in TLS/SSL Several options supported RSA or elliptic curve for PK part AES, DES, 3DES, or others for session cryptography Not all are regarded as still secure Chosen by negotiation between client and server

24 Lecture 11 Page 24 Advanced Network Security Use of SSL/TLS The core crypto for web traffic Commonly used for many other encrypted communications Used in all major browsers Usually not part of OS per se –But all major OSes include libraries or packages that implement it

25 Lecture 11 Page 25 Advanced Network Security Security Status of SSL/TLS Kind of complex SSL is not very secure Early versions of TLS not so secure Later versions of TLS fairly secure –Depending on cipher choice Recent chosen-plaintext attacks shown to work on all versions –In special circumstances

26 Lecture 11 Page 26 Advanced Network Security Heartbleed And SSL Heartbleed was a recent major security bug In a major implementation of SSL/TLS Essentially allowed remote reading of memory in a site running OpenSSL –Due to poor variable synchronization Compromised certificates, passwords, other things

27 Lecture 11 Page 27 Advanced Network Security What Heartbleed Was A serious security bug With tremendous implications on real security issues Requiring wholesale activity by the entire community –Not just patching the bug

28 Lecture 11 Page 28 Advanced Network Security What Heartbleed Wasn’t A flaw in the SSL/TLS specification It was a bug in one implementation of that specification –Which specifically did not meet the specification requirements A lesson in secure coding Not in secure protocol design

Download ppt "Lecture 11 Page 1 Advanced Network Security Cryptography and Networks: IPSec and SSL/TLS Advanced Network Security Peter Reiher August, 2014."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
IPSec.

IPSec.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Lecture 22 Internet Security Protocols and Standards

Lecture 22 Internet Security Protocols and Standards
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Cryptography and Network Security

Cryptography and Network Security
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Similar presentations

Ads by Google