CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Slides:



Advertisements
Similar presentations
IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Advertisements

IPSec.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 5 Network Security Protocols in Practice Part I
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
CMSC 414 Computer and Network Security Lecture 27 Jonathan Katz.
IPSec Access control Connectionless integrity
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
K. Salah1 Security Protocols in the Internet IPSec.
CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
IP Security: Security Across the Protocol Stack
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
1 Network Security Lecture 8 IP Sec Waleed Ejaz
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
Lecture 11 Page 1 Advanced Network Security Cryptography and Networks: IPSec and SSL/TLS Advanced Network Security Peter Reiher August, 2014.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 4: Securing IP.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Karlstad University IP security Ge Zhang
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IP Security.  In CERTs 2001 annual report it listed 52,000 security incidents  the most serious involving:  IP spoofing intruders creating packets.
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
CMSC 414 Computer and Network Security Lecture 27 Jonathan Katz.
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.
K. Salah1 Security Protocols in the Internet IPSec.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 27 November 23, 2004.
Securing Access to Data Using IPsec Josh Jones Cosc352.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
@Yuan Xue CS 285 Network Security IP Security Yuan Xue Fall 2013.
SECURE WIRELESS LAN KEAMANAN JARINGAN PROGRAM STUDI TEKNIK TELEKOMUNIKASI FAKULTAS TEKNIK ELEKTRO TELKOM UNIVERSITY.
Chapter 5 Network Security Protocols in Practice Part I
CSE 4905 IPsec.
Encryption and Network Security
Chapter 18 IP Security  IP Security (IPSec)
Internet and Intranet Fundamentals
IT443 – Network Security Administration Instructor: Bo Sheng
IPSec IPSec is communication security provided at the network layer.
Virtual Private Networks (VPNs)
Lecture 36.
Lecture 36.
Presentation transcript:

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz

Network security in practice

Network layers  Application  Transport  Network  Data link  Physical

Roughly…  Application layer: the communicating processes themselves and the actual messages transmitted  Transport layer: handles transmissions on an “end-to-end” basis  Network layer: handles transmissions on a “hop-by-hop” basis

Examples  Application layer: PGP, SSH  Transport layer: SSL/TLS  Network layer: IPsec  Security not usually provided at the data link layer, except possible within closed networks (e.g., military)  Security at the physical layer? (Shielded wires…)

Security in what layer?  Depends on the purpose… –What information needs to be protected? –What is the attack model? –Who shares keys in advance? –Should the user be involved?  E.g., a network-layer protocol cannot authenticate two end-users to each other  An application-layer protocol cannot protect IP header information  Also affects efficiency, ease of deployment, etc.

Example: PGP vs. SSL vs. IPsec  PGP is an application-level protocol for “secure ” –Can provide security on “insecure” systems –Users choose when to use PGP; user must be involved –Alice’s signature on an proves that Alice actually generated the message, and it was received unaltered; also non-repudiation –In contrast, SSL would secure “the connection” from Alice’s computer

Example: PGP vs. SSL vs. IPsec  SSL sits “on top of” the transport layer –End-to-end security, best for connection- oriented sessions –User does not need to be involved –The OS does not have to be changed –Easy to modify applications to use SSL –If SSL rejects packet accepted by TCP, then TCP rejects “correct” packet when it arrives! SSL must then close the connection…

Example: PGP vs. SSL vs. IPsec  IPsec sits “on top of” the network layer –End-to-end or hop-by-hop security Best for connectionless channels –Need to modify OS –All applications are “protected” by default, without requiring any change to applications or actions on behalf of users –Can only authenticate hosts, not users –User completely unaware that IPsec is running

Take home message…  Best solution may involve changes at both the OS and applications layers –The “best” solution is not to run SSL and IPsec! –Would have been better to design system with security in mind from the beginning… –(Keep in mind for future systems…)

IPsec: AH and ESP

Overview  IPsec consists of two components –AH/ESP Used once a key is established (either using IKE or out-of-band) –IKE Can be used to establish a key

Security associations (SAs)  An SA is a crypto-protected connection –One SA in each direction…  At each end, the SA contains a key, the identity of the other party, the sequence number, and crypto parameters  IPsec header indicates which SA to use –Chosen by destination –Won’t go into more detail…

More on SAs…  Parties will maintain a database of SAs for currently-open connections –Used both to send and receive packets

AH vs. ESP  Authentication header (AH) –Provides integrity only  Encapsulating security payload (ESP) –Provides encryption and/or integrity  Both provide cryptographic protection of everything beyond the IP headers –AH additionally provides integrity protection of some fields of the IP header

Transport vs. tunnel mode  Transport mode: add IPsec information between IP header and rest of packet –IP header | IPsec | packet –Most logical when IPsec used end-to-end

Transport vs. tunnel mode  Tunnel mode: keep original IP packet intact; add new header information –New IP header | IPSec | old header | packet –Can be used when IPSec is applied at intermediate point along path (e.g., for firewall- to-firewall traffic) E.g., change source/destination info… –Results in slightly longer packet –Note that data may be encrypted multiple times

Firewalls…  Problem if data used for decision-making (like higher-layer information) is encrypted end-to-end –Arguments pro and con as to whether this data should be encrypted or not

More on AH  AH provides integrity protection on header –But some fields change en route!  Only immutable fields are included in the integrity check  Mutable but predictable fields are also included in the integrity check –E.g., payload length –The final value of the field is used

More on AH vs. ESP  Recall that ESP provides encryption and/or authentication  So why do we need AH? –AH also protects the IP header –Export restrictions –Firewalls need some high-level data to be unencrypted  None of these are compelling…

The future of IPsec?  In the long run, it seems that AH will become obsolete –Better to encrypt everything anyway –No real need for AH –Certain performance disadvantages –AH is complex… –Etc.  IPsec is still evolving

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.