IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427)
PRESENTATION BY: SNEHA A MITTAL (121427), NISHU RASTOGI (121418), BHOOMIKA PARMAR (121406), MONIKA MITTAL (121414), ROHIT JAIN (121424)
SUBMITTED TO: Dr. C. RAMAKRISHNA (ASSOCIATE PROFESSOR, CSE DEPARTMENT), NITTTR CHANDIGARH

OVERVIEW
- Key management for IPSec
- Types of key management
- ISAKMP/Oakley
- Oakley Key Determination Protocol
- Diffie-Hellman key exchange
- Features
- ISAKMP payload types
- Conclusion

KEY MANAGEMENT FOR IPSEC
The key management portion of IPSec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP.

TYPES
Two types of key management according to the IPSec Architecture document:
- Manual
- Automated

MANUAL
A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is practical for small, relatively static environments.

AUTOMATED
An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.

ISAKMP/OAKLEY
The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley. It consists of the following elements:
- Oakley Key Determination Protocol
- Internet Security Association and Key Management Protocol (ISAKMP)

OAKLEY KEY DETERMINATION PROTOCOL
- Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security.
- Oakley is generic in that it does not dictate specific formats.
- Oakley KDP = Diffie-Hellman key exchange + authentication & cookies

DIFFIE HELLMAN KEY EXCHANGE
- A & B agree on two numbers n and g (g is a primitive root mod n).
- A chooses a large random number x & calculates X = g^x mod n. {A sends X, g, and n to B}
- B chooses a large random number y & calculates Y = g^y mod n. {Then B sends Y to A}
- Finally A calculates k = Y^x mod n & B calculates k' = X^y mod n.

DIFFIE HELLMAN KEY EXCHANGE
Features:
- Secret keys are created only when needed.
- The exchange requires no pre-existing infrastructure.
Weaknesses:
- It provides no information about the identities of the parties.
- A man-in-the-middle attack is possible.
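The exchange above, written out with the slide's own symbols (n, g, x, X, y, Y, k, k') as an added example that is not part of the original presentation; the toy parameters n = 2^31 - 1 and g = 7 are an assumption chosen so that the "g is primitive mod n" condition can actually be checked in code.

```python
import secrets

def prime_factors(m):
    """Distinct prime factors of m by trial division (adequate for the toy sizes here)."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors

def is_primitive_root(g, n):
    """For prime n, g is a primitive root iff g^((n-1)/q) != 1 mod n for every
    prime q dividing n-1; this is the check behind 'g is primitive mod n'."""
    if not 1 < g < n:
        return False
    return all(pow(g, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))

def dh_exchange(n, g):
    """Run the exchange with the slide's symbols and return (k, k_prime)."""
    if not is_primitive_root(g, n):
        raise ValueError("g must be a primitive root mod n")
    x = secrets.randbelow(n - 2) + 1     # A's secret, never transmitted
    X = pow(g, x, n)                     # A sends X, g, n to B
    y = secrets.randbelow(n - 2) + 1     # B's secret, never transmitted
    Y = pow(g, y, n)                     # B sends Y to A
    k = pow(Y, x, n)                     # A computes k  = Y^x mod n
    k_prime = pow(X, y, n)               # B computes k' = X^y mod n
    return k, k_prime

def keys_agree(n, g):
    """True when both sides derive the same key in the valid range."""
    k, k_prime = dh_exchange(n, g)
    return k == k_prime and 1 <= k < n

if __name__ == "__main__":
    # 2^31 - 1 is prime and 7 is a primitive root of it (constructed toy parameters).
    k, k_prime = dh_exchange(2**31 - 1, 7)
    print(f"k = {k}, k' = {k_prime}, equal = {k == k_prime}")
```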

FEATURES
Five main features of Oakley:
- Cookies help resist clogging attacks.
- Enables two parties to negotiate a group.
- Nonces help resist message replay attacks.
- Enables exchange of Diffie-Hellman public key values.
- Authentication helps resist man-in-the-middle attacks.

CLOGGING ATTACKS
- A form of denial-of-service attack.
- The attacker sends a large number of public keys Y_i in crafted IP packets, forcing the victim's computer to compute secret keys K_i = Y_i^x mod p over and over again.
- Diffie-Hellman is computationally intensive because of the modular exponentiations.

PREVENTING CLOGGING ATTACKS USING COOKIES
- Before doing any computation, the recipient sends a cookie (a random number) back to the source and waits for a confirmation that includes that cookie.
- This prevents attackers from making DH requests using crafted packets with forged source addresses.
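The cookie defence described on the last two slides as an added, self-contained simulation (not code from the presentation or from any IPSec implementation): the responder answers the first message with a stateless keyed-hash cookie and performs the Diffie-Hellman exponentiations only when that cookie comes back, so forged-source traffic costs it nothing. The toy group N = 2^31 - 1, G = 7, the HMAC-SHA256 cookie construction and the addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

N, G = 2**31 - 1, 7      # constructed toy DH group; real Oakley groups are far larger

class Responder:
    """Oakley-style responder that spends no modular exponentiation on a request
    until the sender has proved it can receive packets at its claimed address."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)   # never leaves the responder
        self.y = secrets.randbelow(N - 2) + 1   # responder's DH secret
        self.exponentiations = 0                # the expensive work we are rationing
        self.key = None

    def cookie_for(self, src_addr):
        # Stateless cookie: a keyed hash of the claimed source, so no per-request
        # state is stored and a forged source cannot be answered with a valid value.
        return hmac.new(self.secret, src_addr.encode(), hashlib.sha256).digest()[:8]

    def handle(self, src_addr, cookie=None, X=None):
        """First message: hand back a cookie. Second message: check the echoed
        cookie and only then perform the Diffie-Hellman computation."""
        if cookie is None:
            return "cookie", self.cookie_for(src_addr)
        if not hmac.compare_digest(cookie, self.cookie_for(src_addr)):
            return "reject", None               # spoofed or replayed: no CPU spent
        self.exponentiations += 2               # Y = G^y and k' = X^y
        self.key = pow(X, self.y, N)
        return "key", pow(G, self.y, N)

def simulate_spoofed_flood(responder, count):
    """Traffic from forged sources: the cookie reply goes to the forged address,
    so the second message can only carry a guessed cookie, which is rejected."""
    for i in range(count):
        addr = f"203.0.113.{i % 254}"           # documentation range, constructed
        responder.handle(addr)
        responder.handle(addr, cookie=bytes(8), X=G)
    return responder.exponentiations

def honest_exchange(responder, src_addr):
    """A genuine initiator completes both round trips and derives the same key."""
    x = secrets.randbelow(N - 2) + 1
    _, cookie = responder.handle(src_addr)
    status, Y = responder.handle(src_addr, cookie, pow(G, x, N))
    return status == "key" and pow(Y, x, N) == responder.key
```

The counter makes the point measurable: after the simulated flood the responder has done zero exponentiations, and a legitimate peer still completes the exchange with exactly two.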

GROUPS
Groups supported:
- Modular exponentiation with a 768-bit modulus
- Elliptic curve group over 2^155
- Elliptic curve group over 2^185

NONCES
- A nonce is a locally generated pseudo-random number.
- Nonces appear in responses and are encrypted during certain portions of the key exchange to secure their use.

AUTHENTICATION METHODS USED IN OAKLEY
- Digital signatures
- Public-key encryption
- Secret-key encryption

ISAKMP
ISAKMP provides:
- A framework for Internet key management
- The specific protocol support, including formats, for negotiation of security attributes
ISAKMP by itself does not dictate a specific key exchange algorithm; rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.

ISAKMP
ISAKMP: Internet Security Association and Key Management Protocol
- Specifies key exchange formats
- Each type of payload has the same form of payload header
[Figure: ISAKMP header]

ISAKMP PAYLOAD TYPES
- SA: for establishing a security association
- Proposal: for negotiating an SA
- Transform: for specifying encryption and authentication algorithms
- Key-exchange: for specifying a key-exchange algorithm
- Identification: for carrying information that identifies the peers
- Certificate-request: for requesting a public-key certificate

ISAKMP PAYLOAD TYPES
- Certificate: contains a public-key certificate
- Hash: contains the hash value of a hash function
- Signature: contains the output of a digital signature function
- Nonce: contains a nonce
- Notification: notifies the status of the other types of payloads
- Delete: notifies the receiver that the sender has deleted an SA or SAs
Generic payload header: Next payload (8-bit) | Reserved (8-bit) | Payload length (16-bit)
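A parser for the generic payload header shown on the last slide, walking a chain of payloads the way an ISAKMP receiver must, as an added example that is not part of the presentation. The type numbers are those assigned in RFC 2408 section 3.1; the sample message bytes are constructed here and the payload bodies are placeholders, not real SA, KE or Nonce contents.

```python
import struct

# Payload type numbers as assigned in RFC 2408 section 3.1 (0 = NONE ends the chain)
PAYLOAD_NAMES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "Key-exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate-request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete"}
# Generic payload header: Next payload (8 bits) | Reserved (8 bits) | Payload length (16 bits)
GENERIC_HEADER = struct.Struct("!BBH")

def build_payload(next_payload, body):
    """Prefix a body with its generic header; the length field counts the header too."""
    return GENERIC_HEADER.pack(next_payload, 0, GENERIC_HEADER.size + len(body)) + body

def parse_payload_chain(data, first_type):
    """Walk the chain that starts with the type named in the ISAKMP header's
    Next Payload field, validating every header before trusting its length."""
    payloads, offset, ptype = [], 0, first_type
    while ptype != 0:
        if offset + GENERIC_HEADER.size > len(data):
            raise ValueError(f"truncated header at offset {offset}")
        next_payload, reserved, length = GENERIC_HEADER.unpack_from(data, offset)
        if reserved != 0:
            raise ValueError(f"reserved byte must be zero at offset {offset}")
        if length < GENERIC_HEADER.size or offset + length > len(data):
            raise ValueError(f"bad payload length {length} at offset {offset}")
        body = data[offset + GENERIC_HEADER.size:offset + length]
        payloads.append((PAYLOAD_NAMES.get(ptype, f"type-{ptype}"), body))
        offset, ptype = offset + length, next_payload
    if offset != len(data):
        raise ValueError(f"{len(data) - offset} trailing bytes after the last payload")
    return payloads

def rejects(data, first_type):
    """True if the parser refuses the message instead of reading past its bounds."""
    try:
        parse_payload_chain(data, first_type)
        return False
    except ValueError:
        return True

# Constructed sample message body: SA -> Key-exchange -> Nonce (bodies are placeholders)
SAMPLE = (build_payload(4, b"\x00\x00\x00\x01")
          + build_payload(10, bytes(range(16)))
          + build_payload(0, b"\xaa" * 8))

if __name__ == "__main__":
    for name, body in parse_payload_chain(SAMPLE, 1):
        print(f"{name:14s} {len(body):3d} body bytes")
```

The length checks are the part worth copying: a receiver that trusts the 16-bit Payload length field without bounding it against the buffer is the classic way an ISAKMP parser reads out of bounds.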

CONCLUSION
- The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley.
- Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security.
- ISAKMP provides a framework for Internet key management.

REFERENCES
William Stallings, Cryptography and Network Security: Principles and Practice, Fourth Edition.

THANK YOU