Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.

Published byDaniela Reed Modified over 8 years ago

Similar presentations

Presentation on theme: "IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over."— Presentation transcript:

1

2 IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over internet, office VPN’s, across organizations e-commerce

3 IP Security Scenario

4 Benefits of IPSec  in a firewall/router provides strong security to all traffic crossing the perimeter  is resistant to bypass  is below transport layer, hence transparent to applications  can be transparent to end users  can provide security for individual users if desired

5 IP Security Architecture It involves various aspects such as….  IPSec Document  IPSec Services  Security Association(SA)

6 IPSec Documents-7groups  Architecture  ESP  AH  Encryption Algorithm  Authentication Algorithm  Key Management  Doman of Interpretation(DoI)

7 IPSec Services  Access control  Connectionless integrity  Data origin authentication  Rejection of replayed packets  a form of partial sequence integrity  Confidentiality (encryption)  Limited traffic flow confidentiality

8 Security Associations  a one-way relationship between sender & receiver that affords security for traffic flow  defined by 3 parameters:  Security Parameters Index (SPI)  IP Destination Address  Security Protocol Identifier  has a number of other parameters  seq no, AH & EH info, lifetime etc

9 SA selectors  Security policy database(SPD) contains entries each of which defines a subset of IP traffic and points to an SA  Each SPD entry is defined by a set of IP and upper protocol field values called selectors  The following selectors determine an SPD entry: Destination IP address, Source IP address, UserID, Datasensitivity level, Transport Layer protocol etc

10 Transport and tunnel modes  AH and ESP support two modes tunnel and transport mode  Transport mode provides security for mainly upper layer protocols. Example :TCP,UDP,ICMP packet  Tunnel mode provides protection for the entire packet. The entire packet travels through a tunnel from one IP to another, no routers are able to examine the inner IP.

11 Authentication Header (AH)  provides support for data integrity & authentication of IP packets  end system/router can authenticate user/app  prevents address spoofing attacks by tracking sequence numbers  based on use of a MAC  HMAC-MD5-96 or HMAC-SHA-1-96  parties must share a secret key

12 Authentication Header

13 IPSec Authentication Header (AH) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr AH Hdr Orig IP Hdr Next Hdr Payload Len RsrvSecParamIndex Keyed Hash Integrity hash coverage (except for mutable fields in IP hdr) Seq# 24 bytes total AH is IP protocol 51 Insert © 2000 Microsoft Corporation

14 IPSec AH Tunnel ModeData TCP Hdr Orig IP Hdr Integrity hash coverage (except for mutable new IP hdr fields) IP Hdr AH Hdr AH HdrData TCP Hdr Orig IP Hdr New IP header with source & destination IP address © 2000 Microsoft Corporation

15 Encapsulating Security Payload (ESP)  provides message content confidentiality & limited traffic flow confidentiality  can optionally provide the same authentication services as AH  supports range of ciphers, modes, padding  incl. DES, Triple-DES, RC5, IDEA, CAST etc  CBC most common  pad to meet blocksize, for traffic flow

16 Encapsulating Security Payload

17 Transport vs Tunnel Mode ESP  transport mode is used to encrypt & optionally authenticate IP data  data protected but header left in clear  can do traffic analysis but is efficient  good for ESP host to host traffic  tunnel mode encrypts entire IP packet  add new header for next hop  good for VPNs, gateway to gateway security

18 IPSec Encapsulating Security Payload (ESP) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr ESP Hdr Orig IP Hdr ESP Trailer ESP Auth Usually encrypted integrity hash coverage SecParamIndex Padding PaddingPadLengthNextHdr Seq# Keyed Hash 22-36 bytes total InitVector ESP is IP protocol 50 Insert Append © 2000 Microsoft Corporation

19 IPSec ESP Tunnel ModeData TCP Hdr Orig IP Hdr ESP Auth Usually encrypted integrity hash coverage Data TCP Hdr ESP Hdr IP Hdr IP HdrIPHdr New IP header with source & destination IP address © 2000 Microsoft Corporation ESP Trailer

20 Combining Security Associations  SA’s can implement either AH or ESP  to implement both need to combine SA’s  form a security bundle  Security associations can be bundled in two ways : transport adjacency and iterated tunneling

21 Authentication + confidentiality  ESP with authentication option  Transport mode ESP  Tunnel mode ESP  There are 4 basic combinations of SA’s(next slide)

22 Combining Security Associations

23 Oakley  a key exchange protocol  based on Diffie-Hellman key exchange  adds features to address weaknesses  cookies, groups (global params), nonces, DH key exchange with authentication

24 ISAKMP  Internet Security Association and Key Management Protocol  provides framework for key management  defines procedures and packet formats to establish, negotiate, modify, & delete SAs  independent of key exchange protocol, encryption alg, & authentication method

25 ISAKMP

26 ISAKMP Payload Types  Hash-{Hash Data}  Proposal-{Proposal#,Protocol ID,SPI size,# of transform}  Transform-{Transform #, Transform ID,SA attribute}  Key Exchange-{Key Exchange Data}  Identification-{ID Type,ID Data}  Signature(SIG)-{Signature Data}  etc……….

27 ISAKMP Exchanges-5 default exchanges  Base Exchange min imizes no: of exchanges –no ID protection use nounce-replay attack  Identity Protection Exchange session keys-encrypted message containing authentication information. ie,DS and certificates validating public keys  Authentication only Exchange Mutual authentication without key exchange

28  Aggressive Exchange min imizes no: of exchanges –no ID protection Informational Exchange-Error/status notification/deletion

29 Summary  have considered:  IPSec security framework  AH  ESP  key management & Oakley/ISAKMP

Download ppt "IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
NS-H0503-02/11041 IP Security. NS-H0503-02/11042 TCP/IP Example.

NS-H /11041 IP Security. NS-H /11042 TCP/IP Example.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Layer Security: IPSec

Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.

IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Similar presentations

Ads by Google