IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427)


1 IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427)
NISHU RASTOGI (121418), BHOOMIKA PARMAR (121406), MONIKA MITTAL (121414), ROHIT JAIN (121424)
SUBMITTED TO: Dr. C. RAMAKRISHNA (ASSOCIATE PROFESSOR, CSE DEPARTMENT), NITTTR CHANDIGARH

2 OVERVIEW
Key management for IPSec
Types of key management
ISAKMP/Oakley
Oakley Key Determination Protocol
Diffie-Hellman key exchange
Features
ISAKMP payload types
Conclusion

3 KEY MANAGEMENT FOR IPSEC
The key management portion of IPSec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP.

4 TYPES
The IPSec Architecture document defines two types of key management: manual and automated.

5 Manual A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is practical for small, relatively static environments.

6 Automated
An automated system enables the on-demand creation of keys for SAs.
It facilitates the use of keys in a large distributed system with an evolving configuration.

7 ISAKMP/OAKLEY
The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley. It consists of the following elements:
Oakley Key Determination Protocol
Internet Security Association and Key Management Protocol (ISAKMP)

8 OAKLEY KEY DETERMINATION PROTOCOL
Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security. Oakley is generic in that it does not dictate specific formats.
Oakley KDP = Diffie-Hellman key exchange + authentication & cookies

9 DIFFIE HELLMAN KEY EXCHANGE
A and B agree on two numbers, $n$ and $g$ ($g$ is a primitive root mod $n$).
A chooses a large random number $x$ and calculates $X = g^x \bmod n$. {A sends $X$, $g$ and $n$ to B}
B chooses a large random number $y$ and calculates $Y = g^y \bmod n$. {Then B sends $Y$ to A}
Finally A calculates $k = Y^x \bmod n$ and B calculates $k' = X^y \bmod n$.

10 DIFFIE HELLMAN KEY EXCHANGE
Features:
Secret keys are created only when needed.
The exchange requires no pre-existing infrastructure.
Weaknesses:
Provides no information about the identities of the parties.
A man-in-the-middle attack is possible.

11 FEATURES
Five main features of Oakley:
Cookies help resist clogging attacks.
Enables two parties to negotiate a group.
Nonces help resist message replay attacks.
Enables exchange of Diffie-Hellman public key values.
Authentication helps resist man-in-the-middle attacks.

12 CLOGGING ATTACKS
A form of denial-of-service attack.
The attacker sends a large number of public keys $Y_i$ in crafted IP packets, forcing the victim's computer to compute secret keys $K_i = Y_i^x \bmod p$ over and over again.
Diffie-Hellman is computationally intensive because of the modular exponentiations.

13 PREVENTING CLOGGING ATTACKS USING COOKIES
Before doing the computation, the recipient sends a cookie (a random number) back to the source and waits for a confirmation that includes that cookie.
This prevents attackers from making DH requests using crafted packets with forged source addresses.
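The exchange of slides 9 to 13 in working form, as an added example that is not part of the original presentation: a responder that performs the Diffie-Hellman exponentiation only after the initiator has echoed a cookie bound to its source address. The parameters p = 23 and g = 5 are a constructed toy group (Oakley's real groups use at least a 768-bit modulus), and the keyed-hash cookie construction is an assumed implementation choice.

```python
import os
import hashlib
import secrets

# Constructed toy parameters: p = 23 with generator g = 5 (a primitive root mod 23).
P, G = 23, 5

def dh_public(x, p=P, g=G):
    return pow(g, x, p)            # X = g^x mod p

def dh_shared(peer_public, x, p=P):
    return pow(peer_public, x, p)  # k = Y^x mod p

class OakleyResponder:
    """Responder that does the modular exponentiation only once the initiator has
    echoed the cookie, proving it really receives traffic at its claimed source."""
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1
        self.public = dh_public(self.x)
        self.cookie_secret = os.urandom(16)   # never leaves the responder
        self.exponentiations = 0

    def cookie_for(self, src_addr: str) -> bytes:
        # Assumed construction: a keyed hash of the source address, so the responder
        # keeps no per-request state and a forged address cannot yield a valid cookie.
        return hashlib.sha256(self.cookie_secret + src_addr.encode()).digest()[:8]

    def handle(self, src_addr: str, cookie: bytes, initiator_public: int):
        if cookie != self.cookie_for(src_addr):
            return None                       # dropped before any expensive work
        self.exponentiations += 1
        return dh_shared(initiator_public, self.x)

def honest_exchange(resp: OakleyResponder) -> bool:
    """Initiator first obtains the cookie, then both sides derive the same key."""
    x = secrets.randbelow(P - 2) + 1
    cookie = resp.cookie_for("10.0.0.1")
    k_resp = resp.handle("10.0.0.1", cookie, dh_public(x))
    k_init = dh_shared(resp.public, x)
    return k_resp is not None and k_resp == k_init

def clogging_attempt(resp: OakleyResponder, n: int) -> int:
    """Constructed flood from spoofed addresses; returns how many exponentiations it cost."""
    before = resp.exponentiations
    for i in range(n):
        resp.handle(f"198.51.100.{i % 256}", os.urandom(8), 7)
    return resp.exponentiations - before      # 0: every packet failed the cookie check
```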

14 GROUPS
Groups supported:
Modular exponentiation with a 768-bit modulus
Elliptic curve group over $2^{155}$
Elliptic curve group over $2^{185}$

15 NONCES
A nonce is a locally generated pseudorandom number.
Nonces appear in responses and are encrypted during certain portions of the key exchange to secure their use.

16 AUTHENTICATION METHODS USED IN OAKLEY
Digital signatures
Public-key encryption
Secret-key encryption

18 ISAKMP
ISAKMP provides:
A framework for Internet key management
The specific protocol support, including formats, for negotiation of security attributes
ISAKMP by itself does not dictate a specific key exchange algorithm.

19 ISAKMP
Rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.

20 ISAKMP
ISAKMP: Internet Security Association and Key Management Protocol
Specifies key exchange formats.
Every message begins with an ISAKMP header, and every payload type begins with the same generic payload header.

21 ISAKMP Payload Types
SA: for establishing a security association
Proposal: for negotiating an SA
Transform: for specifying encryption and authentication algorithms
Key-exchange: for specifying a key-exchange algorithm
Identification: for carrying information that identifies peers
Certificate-request: for requesting a public-key certificate

22 ISAKMP Payload Types
Certificate: contains a public-key certificate
Hash: contains the output of a hash function
Signature: contains the output of a digital signature function
Nonce: contains a nonce
Notification: notifies the status of the other types of payloads
Delete: notifies the receiver that the sender has deleted an SA or SAs
Generic payload header: 8-bit Next Payload | 8-bit Reserved | 16-bit Payload Length
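A parser for the chain of generic payload headers described on slides 20 to 22, as an added example that is not part of the original presentation. The payload type codes in PAYLOAD_TYPES come from RFC 2408 (the slides name the types but not their numbers), and the sample message is constructed inline; the length checks show why a receiver must validate the 16-bit Payload Length before following the chain.

```python
import struct

# Payload type codes from RFC 2408; the slides list the names only.
PAYLOAD_TYPES = {
    1: "SA", 2: "Proposal", 3: "Transform", 4: "Key-exchange",
    5: "Identification", 6: "Certificate", 7: "Certificate-request",
    8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete",
}
NONE = 0  # Next Payload value that terminates the chain

def parse_payload_chain(first_type: int, data: bytes):
    """Walk the generic payload headers: 8-bit Next Payload, 8-bit Reserved,
    16-bit big-endian Payload Length (which includes the 4-byte header itself).
    first_type is the Next Payload field of the preceding ISAKMP header."""
    payloads, offset, ptype = [], 0, first_type
    while ptype != NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, reserved, length = struct.unpack_from("!BBH", data, offset)
        if reserved != 0:
            raise ValueError("reserved byte must be zero")
        # A length below 4 would never advance (infinite loop); one past the
        # buffer would read beyond the message. Reject both before using it.
        if length < 4 or offset + length > len(data):
            raise ValueError(f"bad payload length {length} at offset {offset}")
        name = PAYLOAD_TYPES.get(ptype, f"unknown({ptype})")
        payloads.append((name, data[offset + 4:offset + length]))
        offset, ptype = offset + length, next_type
    return payloads

def build_payload(next_type: int, body: bytes) -> bytes:
    """Encode one payload: header (Next Payload, Reserved=0, Length) plus body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

# Constructed sample: a Nonce payload followed by a Hash payload, then end of chain.
SAMPLE = build_payload(8, b"\x01\x02\x03\x04") + build_payload(NONE, b"\xaa" * 20)
```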

23 CONCLUSION
The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley.
Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security.
ISAKMP provides a framework for Internet key management.

24 REFERENCES
William Stallings, Cryptography and Network Security: Principles and Practice, Fourth Edition.

25 THANK YOU
