CS 470 Introduction to Applied Cryptography (CS470, A. Selcuk)
IPsec – AH & ESP (slide 1)
Instructor: Ali Aydin Selcuk

Slide 2: IPsec
Cryptographic protection of the IP traffic, transparent to the user
Main components:
– Internet Key Exchange (IKE): IPsec key exchange protocol
– Authentication Header (AH): authentication of the IP packet (optional)
– Encapsulating Security Payload (ESP): encryption/authentication of the IP packet (optional)

Slide 3: Uses of IPsec
Can be used to provide user-, host-, or network-level protection (the granularity)
Protocol modes:
– Transport mode: the host applies IPsec to the transport layer packet
– Tunnel mode: a gateway applies IPsec to the IP packet of a host from its network (IP-in-IP tunnel)
Typical uses:
– Remote access to a network (host-to-gateway)
– Virtual private networks (gateway-to-gateway)

Slide 4: Security Association & Policy
Security Policy Database (SPD)
– Specifies what kind of protection should be applied to packets (according to source/destination address, port numbers, user ID, data sensitivity level, etc.)
Security Association (SA)
– An IPsec-protected connection (one-way)
– Specifies the encryption/auth. algorithm, key, etc.
– Identified by: security parameter index (SPI), destination IP address, protocol identifier (AH or ESP)

Slide 5: SA Database
Contains the relevant information for each SA:
– AH information (auth. algorithm, key, key lifetime, etc.)
– ESP information (auth./encryption algorithm, key, key lifetime, etc.)
– Sequence number counter
– Anti-replay window (at the destination SA)
– Lifetime of the SA
– Others (protocol mode, path MTU, etc.)

Slide 6: IPsec Packet Processing
Outbound packets:
– The proper SA is chosen from the security policy database
– From the SA database, the SPI and SA parameters are retrieved
– The IPsec protection is performed; the packet is passed to IP
Inbound packets:
– By the SPI, the SA is found
– IPsec auth./decryption is performed
– The packet is passed to the upper layer protocol
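Added example for slides 4 to 6 (not part of the lecture slides): a reduced model, in Go, of the SPD, the SA database keyed by (SPI, destination address, protocol), the outbound path that picks an SA and advances its sequence counter, and the inbound path that locates the SA by SPI and screens the sequence number with the RFC 2401 sliding anti-replay window. Keys and algorithms are left out of the SA; the selector and SA values in main() are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
)

// IP protocol numbers of the two IPsec protocols (IANA-assigned).
const (
	ProtoESP = 50
	ProtoAH  = 51
)

// Selector is a reduced SPD entry: the traffic it matches and the SA to apply.
// A real SPD also matches on ports, user ID, sensitivity level, etc., and may
// say "bypass" or "discard" instead of naming an SA.
type Selector struct {
	Src, Dst string
	SPI      uint32
}

// SA is one direction of an IPsec-protected connection (a reduced SAD entry).
type SA struct {
	SPI        uint32
	Dst        string
	Proto      uint8
	SeqCounter uint32 // sender: last sequence number placed in a header
	WinSize    uint32 // receiver: anti-replay window width (RFC 2401: at least 32)
	WinTop     uint32 // receiver: highest sequence number accepted so far
	WinBits    uint64 // receiver: bit i set means WinTop-i was already received
}

// SAKey is the triple that identifies an SA: SPI, destination address, protocol.
type SAKey struct {
	SPI   uint32
	Dst   string
	Proto uint8
}

type SAD map[SAKey]*SA

// Outbound: the SPD picks the SA for the packet, the SAD supplies its parameters,
// and the SA's sequence counter is advanced for the outgoing AH/ESP header.
func Outbound(spd []Selector, sad SAD, src, dst string, proto uint8) (*SA, uint32, error) {
	for _, sel := range spd {
		if sel.Src != src || sel.Dst != dst {
			continue
		}
		sa, ok := sad[SAKey{sel.SPI, dst, proto}]
		if !ok {
			return nil, 0, errors.New("SPD names an SA that is not in the SAD: drop")
		}
		if sa.SeqCounter == ^uint32(0) {
			// With anti-replay enabled the counter must never cycle; a new SA is needed.
			return nil, 0, errors.New("sequence counter exhausted: renew the SA")
		}
		sa.SeqCounter++
		return sa, sa.SeqCounter, nil
	}
	return nil, 0, errors.New("no matching SPD entry: drop")
}

// Inbound: (SPI, dst, proto) from the received packet locates the SA; the sequence
// number is then screened by the anti-replay window before any crypto is done.
func Inbound(sad SAD, spi uint32, dst string, proto uint8, seq uint32) (*SA, error) {
	sa, ok := sad[SAKey{spi, dst, proto}]
	if !ok {
		return nil, errors.New("no SA for this SPI: drop")
	}
	if err := sa.CheckReplay(seq); err != nil {
		return nil, err
	}
	return sa, nil
}

// CheckReplay is the sliding-window test of RFC 2401 Appendix C. A real receiver
// marks the window only after the ICV verifies, so a forged sequence number
// cannot poison it; that ordering is the caller's job here.
func (sa *SA) CheckReplay(seq uint32) error {
	if seq == 0 {
		return errors.New("sequence number 0 is never valid: drop")
	}
	if seq > sa.WinTop { // newer than anything seen: slide the window forward
		if shift := seq - sa.WinTop; shift >= sa.WinSize {
			sa.WinBits = 0
		} else {
			sa.WinBits <<= shift
		}
		sa.WinBits |= 1
		sa.WinTop = seq
		return nil
	}
	diff := sa.WinTop - seq
	if diff >= sa.WinSize {
		return errors.New("sequence number older than the window: drop")
	}
	if sa.WinBits&(1<<diff) != 0 {
		return errors.New("replayed sequence number: drop")
	}
	sa.WinBits |= 1 << diff
	return nil
}

func main() {
	// Constructed sample: one ESP SA from 10.0.0.1 to 10.0.0.2, 64-packet window.
	sa := &SA{SPI: 0x1001, Dst: "10.0.0.2", Proto: ProtoESP, WinSize: 64}
	sad := SAD{SAKey{sa.SPI, sa.Dst, sa.Proto}: sa}
	spd := []Selector{{Src: "10.0.0.1", Dst: "10.0.0.2", SPI: 0x1001}}

	_, seq, err := Outbound(spd, sad, "10.0.0.1", "10.0.0.2", ProtoESP)
	fmt.Println("outbound: seq", seq, "err", err)
	// The receiver would hold its own SAD; the same struct is reused for brevity.
	for _, s := range []uint32{1, 1, 100, 40, 36, 200} {
		_, err := Inbound(sad, 0x1001, "10.0.0.2", ProtoESP, s)
		fmt.Printf("inbound seq %3d: %v\n", s, err)
	}
}
```

In the run above the second packet with sequence number 1 is rejected as a replay, 100 slides the window, 40 is still inside the 64-wide window and is accepted, and 36 falls outside it and is dropped.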

Slide 7: Authentication Header (AH)

    +---------------+---------------+-------------------------------+
    |  Next Header  |  Payload Len  |           RESERVED            |
    +---------------+---------------+-------------------------------+
    |                Security Parameters Index (SPI)                |
    +---------------------------------------------------------------+
    |                     Sequence Number Field                     |
    +---------------------------------------------------------------+
    |                                                               |
    +                Authentication Data (variable)                 +
    |                                                               |
    +---------------------------------------------------------------+

Auth. alg.:
– HMAC (with MD5, SHA1, etc.)
– CBC-MAC (3DES, RC5, AES, etc.)
Typically, the IV is included in the payload
Authentication covers the immutable fields of the IP header as well as the payload.

Slide 8: IPv4 Header

    +-------+-------+---------------+-------------------------------+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-------+-------+---------------+-----+-------------------------+
    |         Identification        |Flags|      Fragment Offset    |
    +---------------+---------------+-----+-------------------------+
    |  Time to Live |    Protocol   |        Header Checksum        |
    +---------------+---------------+-------------------------------+
    |                        Source Address                         |
    +---------------------------------------------------------------+
    |                      Destination Address                      |
    +-----------------------------------------------+---------------+
    |                    Options                    |    Padding    |
    +-----------------------------------------------+---------------+

Mutable fields (according to AH): ToS, flags, fragment offset, TTL, checksum

Slide 9: AH with IPv4 (transport mode)

    BEFORE APPLYING AH
                ----------------------------
          IPv4  |orig IP hdr  |     |      |
                |(any options)| TCP | Data |
                ----------------------------

    AFTER APPLYING AH
                ---------------------------------
          IPv4  |orig IP hdr  |    |     |      |
                |(any options)| AH | TCP | Data |
                ---------------------------------
                |<------- authenticated ------->|
                     except for mutable fields

Slide 10: AH Controversies
– Authentication is provided by ESP as well (hence, AH is useless)
– Protecting immutable fields doesn't add much
– Destination address may be mutable (due to NAT)
– Not efficient to compute (MAC at the beginning)
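Added example for slides 7 to 10 (not from the lecture slides): a Go construction of transport-mode AH over a 20-byte IPv4 header with no options, using HMAC-SHA1-96 as the authentication algorithm. The mutable fields listed on slide 8 are zeroed before the MAC and the ICV field is zero while the MAC is computed, so a TTL decrement by a router leaves the ICV valid while a NAT rewriting the destination address breaks it, which is the slide 10 point. The key, addresses and payload are constructed samples; the header checksum is left at zero since it is mutable and recomputed anyway.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const (
	ProtoTCP = 6
	ProtoAH  = 51
	icvLen   = 12 // HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits
	ahLen    = 12 + icvLen
)

// ipv4Header builds a 20-byte IPv4 header with no options (constructed sample).
func ipv4Header(src, dst [4]byte, ttl, proto uint8) []byte {
	h := make([]byte, 20)
	h[0] = 0x45                               // version 4, IHL 5 words
	binary.BigEndian.PutUint16(h[2:], 20)     // total length, fixed up by ApplyAH
	binary.BigEndian.PutUint16(h[4:], 0x1234) // identification
	binary.BigEndian.PutUint16(h[6:], 0x4000) // flags (DF) + fragment offset
	h[8], h[9] = ttl, proto
	// header checksum (h[10:12]) left zero: mutable, recomputed hop by hop
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return h
}

// zeroMutable copies the header with the AH-mutable fields zeroed for the MAC:
// ToS, flags, fragment offset, TTL and header checksum (RFC 2402 section 3.3.3.1.1).
func zeroMutable(h []byte) []byte {
	z := append([]byte(nil), h...)
	z[1] = 0            // ToS
	z[6], z[7] = 0, 0   // flags + fragment offset
	z[8] = 0            // TTL
	z[10], z[11] = 0, 0 // checksum
	return z
}

// ahHeader lays out Next Header | Payload Len | Reserved | SPI | Seq | ICV;
// with icv == nil the ICV field is zero, which is the form covered by the MAC.
func ahHeader(next uint8, spi, seq uint32, icv []byte) []byte {
	ah := make([]byte, ahLen)
	ah[0] = next
	ah[1] = ahLen/4 - 2 // payload length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	copy(ah[12:], icv)
	return ah
}

// computeICV runs the MAC over the immutable IP fields, the AH header with a
// zero ICV field, and the whole payload.
func computeICV(key, ip, ah, payload []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(zeroMutable(ip))
	m.Write(ahHeader(ah[0], binary.BigEndian.Uint32(ah[4:]), binary.BigEndian.Uint32(ah[8:]), nil))
	m.Write(payload)
	return m.Sum(nil)[:icvLen]
}

// ApplyAH produces transport-mode IPv4 | AH | payload.
func ApplyAH(key, ip, payload []byte, spi, seq uint32) []byte {
	ip = append([]byte(nil), ip...)
	next := ip[9]
	ip[9] = ProtoAH // Protocol now says AH; it is immutable and thus authenticated
	binary.BigEndian.PutUint16(ip[2:], uint16(len(ip)+ahLen+len(payload)))
	ah := ahHeader(next, spi, seq, nil)
	copy(ah[12:], computeICV(key, ip, ah, payload))
	return append(append(ip, ah...), payload...)
}

// VerifyAH recomputes the ICV over a received packet and compares in constant time.
func VerifyAH(key, pkt []byte) bool {
	if len(pkt) < 20+ahLen || pkt[9] != ProtoAH {
		return false
	}
	ip, ah, payload := pkt[:20], pkt[20:20+ahLen], pkt[20+ahLen:]
	return hmac.Equal(ah[12:], computeICV(key, ip, ah, payload))
}

func main() {
	key := []byte("constructed demo key")
	ip := ipv4Header([4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, 64, ProtoTCP)
	pkt := ApplyAH(key, ip, []byte("TCP segment (constructed)"), 0x1001, 1)
	fmt.Println("as sent:            ", VerifyAH(key, pkt))

	hop := append([]byte(nil), pkt...)
	hop[8]-- // a router decrements TTL: mutable, excluded from the ICV
	fmt.Println("after TTL decrement:", VerifyAH(key, hop))

	nat := append([]byte(nil), pkt...)
	copy(nat[16:20], []byte{192, 0, 2, 9}) // a NAT rewrites the destination address
	fmt.Println("after NAT rewrite:  ", VerifyAH(key, nat))
}
```

The first two checks print true and the third false. Note that the MAC input is the IP header as it will appear at the receiver, with Protocol already set to 51 and Total Length already enlarged by the AH, which is why ApplyAH patches those fields before calling computeICV.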

Slide 11: Encapsulating Security Payload (ESP)

    +---------------------------------------------------------------+ ----
    |               Security Parameters Index (SPI)                 | ^
    +---------------------------------------------------------------+ |Auth
    |                      Sequence Number                          | |Cov-
    +---------------------------------------------------------------+ |erage
    |                    Payload Data (variable)                    | |   ^
    ~                                                               ~ |   |
    |                                                               | |Conf
    +               +-----------------------------------------------+ |Cov-
    |               |     Padding (0-255 bytes)                     | |erage*
    +---------------+               +---------------+---------------+ |   |
    |                               |  Pad Length   |  Next Header  | v   v
    +---------------------------------------------------------------+ ----
    |         Authentication Data (variable)                        |
    ~                                                               ~
    |                                                               |
    +---------------------------------------------------------------+

Encryption: usually a block cipher in CBC mode
* The IV is typically included in the payload (not encrypted)

Slide 12: ESP with IPv4 (transport mode)

    BEFORE APPLYING ESP
                ----------------------------
          IPv4  |orig IP hdr  |     |      |
                |(any options)| TCP | Data |
                ----------------------------

    AFTER APPLYING ESP
                -------------------------------------------------
          IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
                |(any options)| Hdr | TCP | Data | Trailer |Auth|
                -------------------------------------------------
                                    |<----- encrypted ---->|
                              |<------ authenticated ----->|
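Added example for slides 11 and 12 (not from the lecture slides): the ESP payload framing in Go, with AES-128 in CBC mode and HMAC-SHA1-96. Encapsulate pads the transport segment to the block size with the RFC 2406 default pad bytes 1, 2, 3, ..., appends Pad Length and Next Header, encrypts that, places the IV unencrypted at the start of Payload Data, and computes the ICV over everything from the SPI to the end of the ciphertext (the two coverages drawn on slide 11). Decapsulate checks the ICV before touching the ciphertext, then decrypts and strips the trailer. The keys and the segment are constructed samples; the outer IP header and the SA lookup are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ProtoTCP = 6
	icvLen   = 12 // HMAC-SHA1-96
)

// On the wire: SPI(4) | Seq(4) | IV(16) | AES-CBC( payload | pad | pad len | next ) | ICV(12)
// Auth coverage: SPI through the end of the ciphertext.  Conf coverage: payload through next header.

// espPad returns payload | padding | pad length | next header, padded so that the
// whole thing is a multiple of blockSize; the default padding content is 1,2,3,...
func espPad(payload []byte, next uint8, blockSize int) []byte {
	padLen := (blockSize - (len(payload)+2)%blockSize) % blockSize
	out := append([]byte(nil), payload...)
	for i := 1; i <= padLen; i++ {
		out = append(out, byte(i))
	}
	return append(out, byte(padLen), next)
}

func espMAC(authKey, data []byte) []byte {
	m := hmac.New(sha1.New, authKey)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// Encapsulate builds ESP header, encrypted payload, trailer and ICV for one packet.
func Encapsulate(encKey, authKey, payload []byte, next uint8, spi, seq uint32) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { // fresh random IV per packet
		return nil, err
	}
	plain := espPad(payload, next, aes.BlockSize)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	pkt := make([]byte, 8, 8+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:], spi)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	pkt = append(pkt, iv...) // IV travels in the clear at the start of Payload Data
	pkt = append(pkt, ct...)
	return append(pkt, espMAC(authKey, pkt)...), nil // ICV over everything before it
}

// Decapsulate verifies the ICV first, then decrypts and removes the trailer.
// It returns the transport payload and the Next Header value.
func Decapsulate(encKey, authKey, pkt []byte) ([]byte, uint8, error) {
	if len(pkt) < 8+2*aes.BlockSize+icvLen {
		return nil, 0, errors.New("packet too short")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(icv, espMAC(authKey, body)) {
		return nil, 0, errors.New("ICV mismatch: drop without decrypting")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, 0, err
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, 0, errors.New("ciphertext not block aligned")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, next := plain[len(plain)-2], plain[len(plain)-1]
	if int(padLen) > len(plain)-2 {
		return nil, 0, errors.New("bad pad length")
	}
	return plain[:len(plain)-2-int(padLen)], next, nil
}

func main() {
	encKey := []byte("0123456789abcdef") // 128-bit AES key (constructed)
	authKey := []byte("constructed auth key")
	pkt, _ := Encapsulate(encKey, authKey, []byte("TCP segment (constructed)"), ProtoTCP, 0x2002, 1)
	fmt.Printf("ESP packet: %d bytes, SPI %#x\n", len(pkt), binary.BigEndian.Uint32(pkt))
	p, next, err := Decapsulate(encKey, authKey, pkt)
	fmt.Printf("payload=%q next=%d err=%v\n", p, next, err)
	pkt[len(pkt)-icvLen-1] ^= 1 // flip one ciphertext bit in transit
	_, _, err = Decapsulate(encKey, authKey, pkt)
	fmt.Println("tampered:", err)
}
```

Verifying the ICV before decrypting is the order RFC 2406 prescribes: a packet that fails authentication is discarded without the padding ever being inspected, so the pad-length check below the MAC is only reached for packets from the key holder.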