Network Security (contd.)

Presentation transcript:

Network Security (contd.) Bijendra Jain (bnj@cse.iitd.ernet.in) 11/21/2018 Tutorial on Network Security: Sep 2003

Lecture 5: IPSec

IPSec: IP Security
- An IETF standard
- IPSec architecture and related standards published as RFC 1825 through RFC 1829
- Addresses security issues (authentication and confidentiality) arising from:
  - connecting a remote host to a server
  - interconnecting two LANs using a public network
- Applications:
  - wide-area networking of branch offices using the Internet
  - interconnecting supplier/distributor extranets to the enterprise network
  - telecommuting
  - e-commerce
- Implemented in clients, servers or in routers

IPSec Scenario (figure: PC on Enterprise LAN#1 and Server on Enterprise LAN#2, each behind a Router, connected across a Public Network)

Security functions covered by IPSec

  Function                          AH     ESP without AH   ESP with AH
  Access control                    Yes    Yes              Yes
  Connection-less integrity         Yes    -                Yes
  Data origin authentication        Yes    -                Yes
  Rejection of replayed packets     Yes    Yes              Yes
  Confidentiality                   -      Yes              Yes
  (Limited) flow confidentiality    -      Yes              Yes

Modes in IPSec
- Transport Mode: the payload of an IP packet is secured, e.g. TCP, UDP, ICMP headers and data
- Tunnel Mode: the complete IP packet, including its header, is secured

Transport Mode IPSec (figure: PC on Enterprise LAN#1 to Server on Enterprise LAN#2 across the Public Network via Routers)
- End-to-end authentication and/or encryption

Tunnel Mode IPSec (figure: same topology as above)
- End-system to ROUTER authentication and/or encryption
- Router-to-router authentication and/or encryption

Transport vs. Tunnel modes?

IPSec Tunnel mode (figure: Enterprise LANs joined by Routers across a Public Network)
Advantages:
- Only routers need to implement IPSec functions
- Implements a VPN (Virtual Private Network)

IPSec: Authentication Header (figure)
- Original IP packet: Original IP hdr | TCP header | TCP data
- Encoded packet in "transport mode": Original IP hdr | Authen. hdr | TCP header | TCP data
- Encoded packet in "tunnel mode": NEW IP hdr | Authen. hdr | Original IP hdr | TCP header | TCP data

IPSec: packet format for AH
- Original/new IP header
- Next header | Payload length | Reserved (16 bits)
- Identifier (32 bits)
- Sequence number (32 bits)
- Authentication data (AH, variable length, default 96 bits), based on MD5 or SHA-1; covers the TCP/UDP/ICMP header, data and portions of the "non-mutable" IP headers
- Payload (IP or TCP packet)
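An added example (not from the tutorial) of the AH layout above: it builds and parses the header fields, computes the 96-bit ICV with HMAC-SHA-1 over the non-mutable IPv4 header fields, the AH itself and the payload, and shows that a router changing the TTL does not break verification while a changed payload or address does. Key, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits (the AH default)
AH_FIXED = 12  # Next Header, Payload Len, Reserved, SPI (identifier), Sequence Number


def zero_mutable_ipv4(hdr):
    """Copy of a 20-byte IPv4 header with the mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed; only the rest is covered by the ICV."""
    h = bytearray(hdr)
    h[1] = 0                # TOS / DSCP
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL (decremented by every router)
    h[10:12] = b"\x00\x00"  # header checksum (recomputed on every hop)
    return bytes(h)


def build_ah(next_header, spi, seq, key, ip_hdr, payload):
    """AH bytes; the ICV covers the immutable IP header fields, the AH itself
    with its ICV field zeroed, and the payload (e.g. TCP header + data)."""
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    zeroed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + b"\x00" * ICV_LEN
    mac = hmac.new(key, zero_mutable_ipv4(ip_hdr) + zeroed + payload, hashlib.sha1).digest()
    return zeroed[:AH_FIXED] + mac[:ICV_LEN]


def parse_ah(data):
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED])
    length = (payload_len + 2) * 4
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED:length], "length": length}


def verify_ah(ah, key, ip_hdr, payload):
    """Recompute the ICV from the received header fields and compare in constant time."""
    f = parse_ah(ah)
    expected = build_ah(f["next_header"], f["spi"], f["seq"], key, ip_hdr, payload)
    return hmac.compare_digest(expected, ah[:f["length"]])


# Constructed sample: IPv4 header (protocol 51 = AH, TTL 64) and a TCP segment
SAMPLE_IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 1, 0, 64, 51, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 1, 2]))
SAMPLE_PAYLOAD = b"\x04\xd2\x00\x50" + b"constructed TCP segment"
SAMPLE_KEY = b"constructed-shared-key"
SAMPLE_AH = build_ah(6, 0x1234, 1, SAMPLE_KEY, SAMPLE_IP_HDR, SAMPLE_PAYLOAD)
HOPPED_HDR = SAMPLE_IP_HDR[:8] + bytes([63]) + SAMPLE_IP_HDR[9:]   # TTL decremented by a router
```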

IPSec: ESP (Encryption) (figure)
- Original IP packet: Original IP hdr | TCP header | TCP data
- Encoded packet in "transport mode": Original IP hdr | ESP hdr | TCP header | TCP data | ESP trailer | AH (optional)
- Encoded packet in "tunnel mode": NEW IP hdr | ESP hdr | Original IP hdr | TCP header | TCP data | ESP trailer | AH (optional)

IPSec: packet format for ESP
- Original/new IP header
- Identifier (32 bits)
- Sequence number (32 bits)
- Payload (TCP, or IP packet, with padding, pad length, next header), suitably encrypted using 3DES, RC5 or ...
- Authentication Header based on MD5, etc.
- Scope: the payload and trailer (pad length, ...) are encrypted; the identifier, sequence number and encrypted portion are authenticated

Combining security functions (figure: PC on Enterprise LAN to Server on Enterprise LAN across the Public Network via Routers)
- Authentication with confidentiality: ESP, with AH
- An AH inside an ESP (both in transport mode)

Combining security functions (figure: same topology as above)
- An AH inside an ESP (both in transport mode), and all this within an ESP tunnel across the routers

Key exchange
- Key generation and exchange using some "physical means"
- Automated generation of keys: Oakley key determination and exchange
  - based on the Diffie-Hellman key generation algorithm
  - Oakley key exchange protocol

Diffie-Hellman key generation
- A distributed key generation scheme
- Given:
  - q: a large prime number
  - a: a primitive root of q (1 <= a^k mod q < q, and distinct for all 1 <= k < q)
- A picks XA (keeps it secret), computes YA = a^XA mod q and sends YA to B
- B picks XB (keeps it secret), computes YB = a^XB mod q and sends YB to A
- A and B compute the shared secret key a^(XA XB) mod q = YB^XA mod q = YA^XB mod q

Diffie-Hellman key generation: man-in-the-middle attack
- Assumes the ability to intercept and spoof messages
- (figure) A sends its value a^XA towards B; E intercepts it and forwards a^XE to B instead. B sends a^XB towards A; E intercepts it and forwards a^XE to A instead.
- A ends up with the key a^(XA*XE) and B with the key a^(XB*XE); E can compute both
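An added example (not from the tutorial) that works through the two slides above in the slide's notation: the primitive-root check on a, the honest exchange reaching a^(XA XB) mod q on both sides, and the unauthenticated exchange in which E substitutes its own a^XE in both directions, leaving A and B with different keys that E both knows. The group q = 23, a = 5 is a toy value chosen so the arithmetic can be followed by hand; real use needs a large prime, and the issues slide's remedy (authenticating the exchange) is what defeats this attack.

```python
import secrets

# Toy parameters in the slide's notation: q is a prime, a a primitive root of q.
# Chosen small only to keep the arithmetic readable; not a usable group.
Q, A = 23, 5


def is_primitive_root(a, q):
    """The slide's definition: a^k mod q is distinct for every 1 <= k < q."""
    return len({pow(a, k, q) for k in range(1, q)}) == q - 1


def private_value(q):
    """Pick a secret X in [1, q-2]; it is never sent over the network."""
    return 1 + secrets.randbelow(q - 2)


def public_value(a, q, x):
    """Y = a^X mod q, the only value that is transmitted."""
    return pow(a, x, q)


def shared_key(y_other, x_own, q):
    """K = Y_other^X_own mod q; both honest sides reach a^(XA*XB) mod q."""
    return pow(y_other, x_own, q)


def honest_exchange(a, q, x_a, x_b):
    """A and B exchange public values directly; returns (K at A, K at B)."""
    y_a, y_b = public_value(a, q, x_a), public_value(a, q, x_b)
    return shared_key(y_b, x_a, q), shared_key(y_a, x_b, q)


def mitm_exchange(a, q, x_a, x_b, x_e):
    """E intercepts both public values and substitutes its own Y_E in each
    direction (the slide's "XE, A2B" and "XE, B2A" messages).
    Returns (K at A, K at B, E's key towards A, E's key towards B)."""
    y_a, y_b, y_e = (public_value(a, q, x) for x in (x_a, x_b, x_e))
    k_a = shared_key(y_e, x_a, q)      # A believes y_e came from B: a^(XA*XE)
    k_b = shared_key(y_e, x_b, q)      # B believes y_e came from A: a^(XB*XE)
    k_e_a = shared_key(y_a, x_e, q)    # E computes the same key as A
    k_e_b = shared_key(y_b, x_e, q)    # E computes the same key as B
    return k_a, k_b, k_e_a, k_e_b
```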

Diffie-Hellman key generation: issues with the algorithm
- What is the value of q, a? Make available several sets, and let the parties negotiate
- Man-in-the-middle attack: use some form of authentication
- Denial of service attack, arising from address spoofing: use cookies
- Replay attacks: use nonces

Cookies
- A requests B's attention
- B responds with a "cookie" (a random number), K
- A must return K in its subsequent messages
Characteristics of cookies:
- Should depend upon data specific to B
- Should use some secret information
- Cookie generation and verification must be fast
- B should not have to save the cookie
Example method used: hash the sender/receiver IP addresses, TCP port nos. and a secret value
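An added example (not from the tutorial) of the cookie method described above: the responder derives the cookie as a keyed hash of the sender/receiver addresses and ports with a secret only it knows, so it can verify a returned cookie without saving anything per peer, and spends no Diffie-Hellman work until a valid cookie comes back. The responder class, its secret and the endpoint values are constructed for the example.

```python
import hashlib
import hmac
import secrets

COOKIE_LEN = 8  # bytes of the keyed hash kept as the cookie


class CookieResponder:
    """B's side of the exchange on the slide. The cookie is an HMAC over the
    sender/receiver addresses and port numbers with a secret known only to B,
    so B can recompute and check a returned cookie instead of storing it."""

    def __init__(self, secret=None):
        # Constructed: a fresh random per-responder secret (rotate it periodically)
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    def make_cookie(self, src_ip, src_port, dst_ip, dst_port):
        msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def verify(self, cookie, src_ip, src_port, dst_ip, dst_port):
        expected = self.make_cookie(src_ip, src_port, dst_ip, dst_port)
        return hmac.compare_digest(cookie, expected)

    def handle(self, msg):
        """Process one initiator message (a constructed dict of endpoints plus
        an optional 'cookie'); returns B's next action."""
        ep = (msg["src_ip"], msg["src_port"], msg["dst_ip"], msg["dst_port"])
        if "cookie" not in msg:
            # First contact: reply with a cookie and keep no state for this peer
            return {"action": "send_cookie", "cookie": self.make_cookie(*ep)}
        if self.verify(msg["cookie"], *ep):
            # The initiator really received our reply at that address; only now
            # is it worth doing the expensive key generation
            return {"action": "proceed"}
        return {"action": "drop"}  # forged or mismatched cookie: no work spent


# Constructed sample exchange
RESPONDER = CookieResponder(secret=b"constructed-responder-secret")
REQUEST = {"src_ip": "10.0.0.1", "src_port": 500, "dst_ip": "10.0.1.2", "dst_port": 500}


def run_sample():
    first = RESPONDER.handle(REQUEST)
    second = RESPONDER.handle({**REQUEST, "cookie": first["cookie"]})
    # A message from a spoofed source carrying someone else's cookie does not match
    spoofed = RESPONDER.handle({**REQUEST, "src_ip": "192.0.2.9", "cookie": first["cookie"]})
    return first["action"], second["action"], spoofed["action"]
```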

Oakley Key exchange

Oakley Key exchange: part 1 (A to B)
- ID of A, ID of B
- Initiator cookie, CK-A
- Encryption, hash, authentication algorithms
- Specific Diffie-Hellman group (q, a)
- Public key yA = a^XA mod q
- Nonce NA
- Signed with KR(A), A's private key: [ID of A, ID of B, NA, q, a, yA]

Oakley Key exchange: part 2 (B to A)
- ID of B, ID of A
- Responder cookie, CK-B; returned initiator cookie, CK-A
- Encryption, hash, authentication algorithms
- Specific Diffie-Hellman group (q, a)
- Public key yB = a^XB mod q
- Nonces NA, NB
- Signed with KR(B), B's private key: [ID of B, ID of A, NA, NB, q, a, yB, yA]

Oakley Key exchange: part 3 (A to B)
- ID of A, ID of B
- Returned responder cookie, CK-B; initiator cookie, CK-A
- Encryption, hash, authentication algorithms
- Specific Diffie-Hellman group (q, a)
- Public key yA = a^XA mod q
- Nonces NA, NB
- Signed with KR(A), A's private key: [ID of A, ID of B, NA, NB, q, a, yB, yA]

Thanks