Version B.00 H7076S Module 3 Slides


IPSec Overview

IPSec Functionality

Confidentiality: eavesdroppers on the network cannot view users' data.
Authentication: the claimed sender is in fact the actual sender.
Integrity: data has not been altered in transit across the network.
Non-repudiation: senders of data cannot claim that they did not send the data.
Transparent network security: applications do not need modification to take advantage of network security.

Note: AH and ESP authenticate packets with a keyed message digest under a key that both peers hold, so either peer could have produced any given packet. Strictly, that gives data-origin authentication and integrity between the two peers, not non-repudiation toward a third party; only the certificate-based peer authentication in IKE (later in this module) involves a key that one party alone holds.

Capturing Packets Off the Internet

(Figure: users in San Francisco talking to a server in Chicago, with a "bad guy" sniffing the path between them.)

It is trivial to snoop on Internet traffic, including passwords sent over the network. Malicious people exist who actually do these things.

Symmetric Cryptography: Encryption and Decryption

(Figure: data and a key go into the encryption algorithm and produce encrypted data; the encrypted data and the same key go into the decryption algorithm and recover the original data.)

The same key is used for both encryption and decryption, so both ends must already hold it before any protected traffic can flow. That is the key distribution problem that IKE solves later in this module.

How ESP Encryption Works

ESP = Encapsulating Security Payload

Original IP packet:                IP Hdr | TCP Hdr | Data (aka Payload)
After encryption and ESP header:   IP Hdr | ESP Hdr | [ TCP Hdr | Data (aka Payload) ]   <- bracketed part is encrypted

The functionality provided by ESP and encryption is confidentiality.

The picture shows transport mode: the ESP header is inserted between the original IP header and the protected TCP segment, so the IP addresses stay visible and only the transport header and data are hidden. The slide omits two things that a real ESP packet carries: a trailer inside the encrypted region (padding, pad length, and the next-header field that says the protected content is TCP) and, when integrity protection is enabled on the security association, an integrity check value after the trailer.

A Closer Look at ESP

An ESP header contains two fields:
  an ESP header identifier (in practice the protocol number 50 in the preceding IP header, which tells the stack that an ESP header follows)
  a security parameter index (SPI) value

The SPI value is an index into the security association table in memory. The entry in the security association table defines how the packet is encrypted.

IP Hdr | ESP Hdr (ESP, SPI 2) | [ TCP Hdr | Data (aka Payload) ]   <- encrypted

Security Association Table in Memory:
  SPI   Algorithm   Key           Lifetime
  1     MD5         12505812097   1 day
  2     DES         34209482543   1 hour

The real ESP header also carries a sequence number, incremented per packet, that the receiver uses for anti-replay checking. MD5 and DES are the algorithms the course uses as examples; both are deprecated for IPSec today, and a current deployment would select AES for encryption and an HMAC-SHA2 variant for authentication. The keys in the table are decimal placeholders, not real key material.

Authentication: Method

(Figure: the sender runs the data and a secret key through a message digest algorithm to produce a message digest value, and sends the data together with that value. The receiver runs the received data and the same key through the same message digest algorithm and compares its own digest value with the received one: Equal?)

If the two digest values are equal, the data was not altered in transit and was sent by someone holding the key. Because the key is part of the digest input, an attacker who changes the data cannot recompute a matching digest. This keyed-digest construction is what HMAC standardizes.

How Authentication Headers Work

AH = Authentication Header

Original IP packet:         IP Hdr | TCP Hdr | Data
After adding the AH header: IP Hdr | AH Hdr | TCP Hdr | Data   <- authenticated with a message digest value

The functionality provided by AH and the message digest is authentication and data integrity.

The digest covers the TCP header and data and also the IP header itself, except for fields that legitimately change in transit such as the TTL. This is the practical difference from ESP: a packet whose addresses are rewritten by a NAT device fails AH verification at the receiver, so AH cannot be used across NAT.

A Closer Look at AH Headers

An AH header contains three fields:
  an AH header identifier (in practice the protocol number 51 in the preceding IP header)
  a security parameter index (SPI) value
  a message digest value

The SPI value is an index into the security association table in memory. The entry in the security association table defines how the packet is authenticated.

IP Hdr | AH Hdr (AH, SPI 1, digest 39475) | TCP Hdr | Data   <- authenticated

Security Association Table in Memory:
  SPI   Algorithm   Key           Lifetime
  1     MD5         12505812097   1 day
  2     DES         34209482543   1 hour

The real AH header also carries a next-header field, a length field, and a sequence number for anti-replay checking. The SPI lookup shown here is the part that matters for understanding how a security association is selected: the receiver reads the SPI from the header, finds the matching table entry, and uses that entry's algorithm and key to recompute and compare the digest.
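The mechanism from the last three slides, worked through in code. This is an added example, not HP-UX code or course material: an SA table indexed by SPI, a keyed digest over the packet, and a receiver that looks the SA up by SPI, verifies the digest in constant time, and also rejects replays with the sequence-number window that real AH carries but the slide omits. It uses HMAC-SHA256 in place of the slide's MD5; the IP header, TCP header, key, and payload are constructed sample values, and the name `AhReceiver` is ours.

```python
import hashlib
import hmac
import struct

# Constructed SA table, indexed by SPI, standing in for the slide's table in
# memory. HMAC-SHA256 replaces the slide's MD5; the key is a made-up value.
SA_TABLE = {
    1: {"alg": "sha256", "key": bytes.fromhex("12505812097a" * 5)},
}

AH_PROTO = 51          # IP protocol number that identifies an AH header
ICV_LEN = 32           # HMAC-SHA256 digest length
WINDOW = 64            # anti-replay window size (the RFC 4302 default)

# Constructed 20-byte IPv4 header (protocol = AH, 10.0.0.1 -> 10.0.0.2) and a
# constructed 20-byte TCP header; both are sample data, not captured traffic.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, AH_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x18, 8192, 0, 0)


def build_ah_packet(spi, seq, ip_hdr, tcp_hdr, payload):
    """Sender side: IP hdr | AH (SPI, seq, digest) | TCP hdr | payload.
    The digest covers the IP header, the AH header with its digest field
    zeroed, and everything after it. Covering the IP header is what makes
    AH fail when a NAT device rewrites an address."""
    sa = SA_TABLE[spi]
    ah_prefix = struct.pack("!II", spi, seq)
    covered = ip_hdr + ah_prefix + bytes(ICV_LEN) + tcp_hdr + payload
    icv = hmac.new(sa["key"], covered, sa["alg"]).digest()
    return ip_hdr + ah_prefix + icv + tcp_hdr + payload


class AhReceiver:
    """Receiver side: SA lookup by SPI, digest check, sliding replay window."""

    def __init__(self):
        # per-SPI state: highest sequence number accepted ("top") and a bitmap
        # of the WINDOW most recent sequence numbers (bit 0 = top)
        self.state = {}

    def accept(self, pkt):
        """Return (accepted, reason) for one packet."""
        if len(pkt) < 20 + 8 + ICV_LEN + 20:
            return False, "too short"
        ip_hdr = pkt[:20]
        ah_prefix = pkt[20:28]
        spi, seq = struct.unpack("!II", ah_prefix)
        icv = pkt[28:28 + ICV_LEN]
        rest = pkt[28 + ICV_LEN:]
        sa = SA_TABLE.get(spi)
        if sa is None:
            return False, "unknown SPI"
        expected = hmac.new(sa["key"], ip_hdr + ah_prefix + bytes(ICV_LEN) + rest,
                            sa["alg"]).digest()
        if not hmac.compare_digest(icv, expected):   # constant-time compare
            return False, "bad digest"
        st = self.state.setdefault(spi, {"top": 0, "bits": 0})
        if seq > st["top"]:
            # new highest sequence number: slide the window forward
            shift = seq - st["top"]
            st["bits"] = ((st["bits"] << shift) | 1) & ((1 << WINDOW) - 1)
            st["top"] = seq
            return True, "ok"
        offset = st["top"] - seq
        if offset >= WINDOW:
            return False, "too old"
        if (st["bits"] >> offset) & 1:
            return False, "replay"
        st["bits"] |= 1 << offset
        return True, "ok"


def demo():
    """Walk one receiver through a good packet, the same packet replayed, a
    tampered payload, a rewritten destination address, and an unknown SPI."""
    rx = AhReceiver()
    good = build_ah_packet(1, 1, IP_HDR, TCP_HDR, b"constructed payload")
    tampered = good[:-7] + b"PAYLOAD"
    natted = good[:19] + b"\x03" + good[20:]          # dst 10.0.0.2 -> 10.0.0.3
    unknown = good[:20] + struct.pack("!II", 9, 1) + good[28:]
    return [rx.accept(good), rx.accept(good), rx.accept(tampered),
            rx.accept(natted), rx.accept(unknown)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The digest check runs before the replay check so that a forged packet can never move the window; `hmac.compare_digest` is used instead of `==` so the comparison time does not leak how many digest bytes matched. The "natted" case is the NAT caveat from the AH slide made concrete: nothing in the payload changed, yet the packet is rejected because the IP header is inside the authenticated region.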

Combined AH and ESP

Original IP packet:          IP Hdr | TCP Hdr | Data
After adding both headers:   IP Hdr | AH Hdr (AH, SPI 1, digest 39475) | ESP Hdr (ESP, SPI 2) | [ TCP Hdr | Data ]   <- bracketed part is encrypted

The message digest value in the AH header authenticates the IP header, the ESP header, and the encrypted payload; ESP encrypts the TCP header and data.

Security Association Table in Memory:
  SPI   Algorithm   Key           Lifetime
  1     MD5         12505812097   1 day
  2     DES         34209482543   1 hour

The two SPIs select two independent table entries: the ESP entry (SPI 2) says how the payload was encrypted, the AH entry (SPI 1) says how the packet was authenticated. On receipt the AH digest is verified first, then the ESP payload is decrypted.

Symmetric Key Bootstrap Problem

(Figure: ServerA and ServerB, each with its own security association table in memory.)

Security Association Table in ServerA Memory:
  SPI   Algorithm   Key            Lifetime
  1     ???         ????????????   ????
  2     DES         34209482543    1 hour

Security Association Table in ServerB Memory:
  SPI   Algorithm   Key            Lifetime
  1     MD5         12505812097    1 day
  2     ???         ????????????   ????

How do systems agree on an initial key? On an initial encryption algorithm? On a lifetime? How do systems exchange initial key information without the data being stolen by a hacker with a sniffer?

Internet Key Exchange (IKE) Overview

(Figure: an iked process on each system, each with its own security association table; one table still has SPI 1 unfilled, the other SPI 2.)

Security Association Table:
  SPI   Algorithm   Key            Lifetime
  1     ???         ????????????   ????
  2     DES         34209482543    1 hour

Security Association Table:
  SPI   Algorithm   Key            Lifetime
  1     MD5         12505812097    1 day
  2     ???         ????????????   ????

The iked daemon is responsible for:
  initially establishing security association table entries with other iked daemons;
  agreeing on security algorithms, key values, and key lifetimes with other iked daemons;
  maintaining the security association table and agreeing upon new keys when the lifetime for a key expires.

Protecting against an IKED Bluff

(Figure: three systems, each running an iked process with its own security association table. The third system belongs to an attacker, who reasons: "I will install IPSec on my system and maybe those customer systems will establish a secure connection with my computer.")

Security Association Table (on each system):
  SPI   Algorithm   Key         Lifetime
  1     ???         ?????????   ????
  2     DES         34209483    1 hour

Key exchange by itself does not tell a system who it is exchanging keys with. An attacker who runs iked can negotiate perfectly valid algorithms, keys, and lifetimes with the customer systems, and the resulting security associations are then "secure" connections to the attacker.

Conclusion: need a primary authentication mechanism.

Overcoming Security Obstacles

Problem: data packets travel across the network in clear text.
Solution: use IPSec to authenticate (AH) or encrypt (ESP) packets.

Problem: how to securely establish IPSec keys.
Solution: use the Internet Key Exchange (IKE) protocol.

Problem: how to securely establish IKE keys.
Solution: use the Diffie-Hellman algorithm.

Problem: Diffie-Hellman is prone to "man-in-the-middle" attacks.
Solution: use pre-shared key authentication or public-key authentication.

Problem: pre-shared keys are not practical at scale; public keys themselves require authentication.
Solution: use security certificates and manage them through a Public Key Infrastructure (PKI).
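The "IKED bluff" and the two Diffie-Hellman problem/solution pairs above, worked through in code. This is an added example, not part of the HP course material or of any IKE implementation: it uses a toy Diffie-Hellman group chosen for brevity (the Mersenne prime 2**127 - 1 with generator 5; real IKE negotiates one of the MODP groups of RFC 3526 or an elliptic-curve group), the made-up identities "alice" and "bob", a constructed pre-shared key, and an HMAC over both identities and both public values as a stand-in for IKE's own pre-shared-key authentication computation, which is more involved. The first function shows the unauthenticated exchange being hijacked; the second shows the pre-shared-key check catching the substitution.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: 2**127 - 1 is prime (a Mersenne prime) and
# generator 5 is an arbitrary choice. Real IKE uses the MODP groups from
# RFC 3526 or an elliptic-curve group; do not use this group for anything.
P = 2**127 - 1
G = 5
PUB_LEN = 16                       # bytes needed to carry a value below 2**127


def dh_keypair(priv=None):
    """Return (private exponent, public value G**priv mod P)."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret peer_pub**priv mod P; both sides compute the same value."""
    return pow(peer_pub, priv, P)


def unauthenticated_exchange(a_priv, b_priv, m_priv):
    """Alice and Bob run plain DH over a path Mallory controls. Mallory swaps
    her own public value into both directions. Returns three booleans:
    (Alice shares a key with Mallory, Bob shares a key with Mallory,
    Alice and Bob share a key with each other)."""
    a_priv, a_pub = dh_keypair(a_priv)
    b_priv, b_pub = dh_keypair(b_priv)
    m_priv, m_pub = dh_keypair(m_priv)
    alice_key = dh_shared(a_priv, m_pub)     # Alice believes m_pub is Bob's
    bob_key = dh_shared(b_priv, m_pub)       # Bob believes m_pub is Alice's
    return (alice_key == dh_shared(m_priv, a_pub),
            bob_key == dh_shared(m_priv, b_pub),
            alice_key == bob_key)


def auth_tag(psk, id_i, id_r, pub_i, pub_r):
    """Keyed digest over both identities and both public values. Proving
    knowledge of the PSK over exactly the values exchanged is the idea behind
    IKE's pre-shared-key authentication; this HMAC is a simplified stand-in,
    not the real IKE computation."""
    msg = b"|".join([id_i, id_r, pub_i.to_bytes(PUB_LEN, "big"),
                     pub_r.to_bytes(PUB_LEN, "big")])
    return hmac.new(psk, msg, hashlib.sha256).digest()


def authenticated_exchange(psk, a_priv, b_priv, m_priv=None):
    """Same exchange, but Bob proves knowledge of the PSK over the values he
    saw, and Alice checks that proof against the values she saw. If m_priv is
    given, Mallory substitutes her public value as before. Returns Alice's
    shared secret, or None if she rejects the exchange."""
    a_priv, a_pub = dh_keypair(a_priv)
    b_priv, b_pub = dh_keypair(b_priv)
    if m_priv is None:
        bob_sees, alice_sees = a_pub, b_pub
    else:
        _, m_pub = dh_keypair(m_priv)
        bob_sees = alice_sees = m_pub
    # Bob's tag covers (what he received as Alice's value, his own value).
    # Mallory cannot forge a tag without the PSK, and relaying Bob's real tag
    # does not help: Alice recomputes over (her own value, what she received
    # as Bob's), and after a substitution those inputs differ.
    bob_tag = auth_tag(psk, b"alice", b"bob", bob_sees, b_pub)
    alice_expects = auth_tag(psk, b"alice", b"bob", a_pub, alice_sees)
    if not hmac.compare_digest(bob_tag, alice_expects):
        return None
    return dh_shared(a_priv, alice_sees)


if __name__ == "__main__":
    PSK = b"constructed pre-shared key"
    print("plain DH with Mallory (Alice-Mallory, Bob-Mallory, Alice-Bob):",
          unauthenticated_exchange(11, 22, 33))
    print("PSK-authenticated DH, no Mallory, key agreed:",
          authenticated_exchange(PSK, 11, 22) is not None)
    print("PSK-authenticated DH with Mallory:",
          authenticated_exchange(PSK, 11, 22, 33))
```

The example only shows Bob authenticating to Alice; a real IKE exchange runs the same proof in both directions so that Bob also learns he is talking to Alice and not to the bluffing iked. It also shows why the last problem on the slide arises: every pair of systems needs its own pre-shared key in place before the first exchange, which is exactly the bootstrap problem again, one level up. Certificates and a PKI replace the per-pair secret with a signature that anyone holding the CA's public key can check.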