Slide 1: IPSec Overview
H7076S Module 3 Slides, Version B.00
Slide 2: IPSec Functionality

Confidentiality: eavesdroppers on the network cannot view users' data.
Authentication: the claimed sender is in fact the actual sender.
Integrity: data has not been altered in transit across the network.
Non-repudiation: senders of data cannot claim that they did not send the data.
Transparent network security: applications do not need modification to take advantage of network security.

Note that the per-packet AH and ESP checks described on the following slides use a key shared by both ends, so they cannot prove to a third party which end sent a packet. To the extent IPSec offers non-repudiation, it comes from authenticating the IKE peers with digital signatures (slide 14), not from the packet-level digest.
Slide 3: Capturing Packets Off the Internet

(Diagram: users in San Francisco talking to a server in Chicago, with a "bad guy" capturing the traffic somewhere in between.)

It is trivial to snoop on Internet traffic, including passwords sent over the network. Malicious people exist who actually do these things.
Slide 4: Symmetric Cryptography: Encryption and Decryption

(Diagram: data and a key go into the encryption algorithm and come out as encrypted data; the encrypted data and the same key go into the decryption algorithm and come out as the original data.)

Symmetric means that one key does both jobs: the sender encrypts with it and the receiver decrypts with it, so both systems must hold the same secret key before they can exchange protected traffic.
Slide 5: How ESP Encryption Works

ESP = Encapsulating Security Payload

Original IP packet:                                IP Hdr | TCP Hdr | Data (aka Payload)
After encryption and addition of the ESP header:   IP Hdr | ESP Hdr | [TCP Hdr | Data (aka Payload)] encrypted

The functionality provided by ESP with encryption is confidentiality. In this transport-mode picture the IP header itself stays in the clear so that routers can still forward the packet; everything after the ESP header is encrypted. (ESP also appends a trailer and, when an authentication algorithm is configured, its own integrity check value; the slide leaves both out.)
Slide 6: A Closer Look at ESP

An ESP header contains two fields:
- an ESP header identifier
- a security parameter index (SPI) value

The SPI value is an index into the security association table in memory. The entry in the security association table defines how the packet is encrypted (algorithm, key and key lifetime).

IP Hdr | ESP Hdr | [TCP Hdr | Data (aka Payload)] encrypted

Security Association Table in Memory:

  SPI          Algorithm   Key          Lifetime
  (not shown)  MD          (not shown)  day
  (not shown)  DES         (not shown)  hour

Strictly, the "identifier" is protocol number 50 (ESP) carried in the Protocol field of the preceding IP header; the ESP header proper carries the 32-bit SPI followed by a 32-bit sequence number that the receiver uses to reject replayed packets.
Slide 7: Authentication: Message Digest Value

(Diagram: the sender runs the data and a key through the message digest algorithm to produce a message digest value, and sends the data together with that digest. The receiver runs the received data and its own copy of the key through the same algorithm and asks: is the recomputed digest equal to the one received?)

Because the digest depends on the key as well as on the data, only a system holding the key can produce a digest that matches; a forged or altered packet fails the "Equal?" test. A keyed digest of this kind is what HMAC standardises.
Slide 8: How Authentication Headers Work

AH = Authentication Header

Original IP packet:                 IP Hdr | TCP Hdr | Data
After addition of the AH header:    IP Hdr | AH Hdr | TCP Hdr | Data, authenticated with a message digest value

The functionality provided by AH and the message digest is authentication and data integrity. Unlike ESP, AH's digest also covers the IP header (apart from fields such as TTL that routers legitimately change in transit), so the source and destination addresses are protected too. Nothing is encrypted.
Slide 9: A Closer Look at AH Headers

An AH header contains three fields:
- an AH header identifier
- a security parameter index (SPI) value
- a message digest value

The SPI value is an index into the security association table in memory. The entry in the security association table defines how the packet is authenticated.

IP Hdr | AH Hdr | TCP Hdr | Data, authenticated

Security Association Table in Memory:

  SPI          Algorithm   Key          Lifetime
  (not shown)  MD          (not shown)  day
  (not shown)  DES         (not shown)  hour

As with ESP, the identifier is really protocol number 51 (AH) in the preceding IP header; the AH header itself also carries a next-header field, a length field and a sequence number alongside the SPI and the digest.
Slide 10: Combined AH and ESP

Original IP packet:                            IP Hdr | TCP Hdr | Data
After addition of the AH and ESP headers:      IP Hdr | AH Hdr | ESP Hdr | [TCP Hdr | Data] encrypted
                                               everything from the IP header onward authenticated with a message digest value

Two security associations are in play, one per header, so the packet touches two entries in the table:

  SPI          Algorithm   Key          Lifetime
  (not shown)  DES         (not shown)  hour       (ESP)
  (not shown)  MD          (not shown)  day        (AH)

AH is applied after ESP, so its digest covers the ESP header and the ciphertext as well as the immutable parts of the IP header: the receiver verifies the digest first and decrypts only packets that pass.
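The following is an added example, not part of the H7076S course materials, that puts slides 6 through 10 into code: it builds the IP | AH | ESP packet of slide 10, parses the header chain on the receiving side, looks each SPI up in an in-memory security association table and verifies the AH digest the way slide 7 describes, with the mutable IPv4 fields zeroed as RFC 2402 requires. The SPI values, the keys and the table layout are constructed for the example; "MD" in the deck's table is assumed to mean HMAC-MD5-96 (RFC 2403), and the ESP payload is a constructed stand-in for DES ciphertext because no cipher is implemented here.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51

# Constructed security association table, indexed by SPI exactly as the slides
# describe. The SPI values and keys are illustrative constants, not real key material.
SA_TABLE = {
    0x1001: {"proto": "AH",  "algorithm": "HMAC-MD5-96", "key": b"ah-key-0123456789ab", "lifetime": "day"},
    0x2001: {"proto": "ESP", "algorithm": "DES-CBC",     "key": b"8bytekey",            "lifetime": "hour"},
}

# Constructed stand-in for DES-CBC(TCP Hdr | Data): the receiver sees opaque bytes
# until the ESP security association tells it how to decrypt them.
CIPHERTEXT = bytes.fromhex("9f3a11c47022de8b056e3ca1f0197742")


def ipv4_header(proto, total_len, ttl=64, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    # ver/ihl, tos, total length, id, flags/frag, ttl, protocol, checksum, src, dst.
    # The header checksum is left 0: it is a mutable field and excluded from the ICV anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def ah_icv(key, ip_hdr, ah_fixed, rest):
    """HMAC-MD5-96 over the whole packet with the mutable IPv4 fields (TOS, flags and
    fragment offset, TTL, checksum) and the ICV field itself zeroed (RFC 2402 s.3.3.3)."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(h) + ah_fixed + b"\x00" * 12 + rest, hashlib.md5).digest()[:12]


def build_packet(ciphertext, ah_spi=0x1001, esp_spi=0x2001, seq=1, ttl=64):
    """IP Hdr | AH Hdr | ESP Hdr | ciphertext, the layout of the combined AH+ESP slide."""
    esp = struct.pack("!II", esp_spi, seq) + ciphertext           # ESP: SPI, sequence number
    # AH: next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, seq.
    ah_fixed = struct.pack("!BBHII", IPPROTO_ESP, (24 // 4) - 2, 0, ah_spi, seq)
    ip_hdr = ipv4_header(IPPROTO_AH, 20 + 24 + len(esp), ttl)
    return ip_hdr + ah_fixed + ah_icv(SA_TABLE[ah_spi]["key"], ip_hdr, ah_fixed, esp) + esp


def parse_packet(pkt):
    """Walk the header chain, look each SPI up in the SA table and verify the AH digest.
    Returns ([(protocol, spi, seq, algorithm), ...], bytes after the last header) or raises."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, proto, off, chain = pkt[:ihl], pkt[9], ihl, []
    while proto in (IPPROTO_AH, IPPROTO_ESP):
        if proto == IPPROTO_AH:
            nxt, plen, _, spi, seq = struct.unpack_from("!BBHII", pkt, off)
            ah_len = (plen + 2) * 4
            sa = SA_TABLE.get(spi)
            if sa is None or sa["proto"] != "AH":
                raise ValueError(f"no AH security association for SPI {spi:#x}")
            expected = ah_icv(sa["key"], ip_hdr, pkt[off:off + 12], pkt[off + ah_len:])
            if not hmac.compare_digest(pkt[off + 12:off + ah_len], expected):
                raise ValueError("AH integrity check failed")
            chain.append(("AH", spi, seq, sa["algorithm"]))
            proto, off = nxt, off + ah_len
        else:
            spi, seq = struct.unpack_from("!II", pkt, off)
            sa = SA_TABLE.get(spi)
            if sa is None or sa["proto"] != "ESP":
                raise ValueError(f"no ESP security association for SPI {spi:#x}")
            chain.append(("ESP", spi, seq, sa["algorithm"]))
            # Everything after the ESP header is ciphertext; the SA says how to decrypt it.
            return chain, pkt[off + 8:]
    return chain, pkt[off:]


def accepts(pkt):
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


def decrement_ttl(pkt):
    """What every router on the path does; TTL is mutable, so AH must still verify."""
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)


def flip_last_byte(pkt):
    b = bytearray(pkt)
    b[-1] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    pkt = build_packet(CIPHERTEXT)
    print(parse_packet(pkt))
    print("after router hop:", accepts(decrement_ttl(pkt)))                    # True
    print("ciphertext tampered:", accepts(flip_last_byte(pkt)))                # False
    print("unknown ESP SPI:", accepts(build_packet(CIPHERTEXT, esp_spi=0x2002)))  # False
```

The three checks at the end are the ones worth keeping in mind from these slides: a TTL change by an intermediate router is tolerated because AH deliberately excludes mutable header fields, a single flipped bit anywhere in the authenticated region is rejected before any decryption is attempted, and a packet whose SPI has no entry in the table is dropped rather than processed with a guessed algorithm or key.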
Slide 11: Symmetric Key Bootstrap Problem

(Diagram: ServerA and ServerB, each with a security association table in memory whose entry for the other system is still unknown.)

  ServerA's table:   SPI ???   Algorithm DES   Key ????????????   Lifetime hour
  ServerB's table:   SPI ???   Algorithm MD    Key ????????????   Lifetime day

How do the two systems agree on an initial key? On the initial encryption algorithm? On a lifetime? And how do they exchange that initial key information without the data being stolen by a hacker with a sniffer on the path between them?
Slide 12: Internet Key Exchange (IKE) Overview

(Diagram: an iked process on each system, each managing its system's security association table; the entries stay marked ??? until the two daemons have negotiated them.)

The iked daemon is responsible for:
- initially establishing security association table entries with other iked daemons;
- agreeing on security algorithms, key values and key lifetimes with other iked daemons;
- maintaining the security association table and agreeing on new keys when the lifetime of a key expires.
Slide 13: Protecting against an IKED Bluff

(Diagram: three systems each running iked with an empty security association table. One of them belongs to an attacker, who reasons: "I will install IPSec on my system, and maybe those customer systems will establish a secure connection with my computer.")

Key exchange on its own only guarantees that the two parties end up with the same key; it says nothing about who the other party is. Conclusion: IKE needs a primary authentication mechanism, so that a system negotiates security associations only with peers whose identity it can verify.
Slide 14: Overcoming Security Obstacles

Problem: data packets travel across the network in clear text.
Solution: use IPSec to authenticate (AH) or encrypt (ESP) packets.

Problem: how to securely establish IPSec keys.
Solution: use the Internet Key Exchange (IKE) protocol.

Problem: how to securely establish IKE keys.
Solution: use the Diffie-Hellman algorithm, which lets two systems derive a shared secret over an open network without ever sending the secret itself.

Problem: Diffie-Hellman is prone to man-in-the-middle attacks, because nothing ties the exchanged public values to a particular peer.
Solution: use pre-shared key authentication or public-key authentication.

Problem: pre-shared keys do not scale to many systems; public keys require authentication (a way to confirm that a key really belongs to the claimed identity).
Solution: use security certificates and manage them through a Public Key Infrastructure (PKI).
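The chain from Diffie-Hellman to pre-shared-key authentication on this slide, and the rogue peer of slide 13, as an added example that is not part of the course materials: Alice and Bob run a Diffie-Hellman exchange in IKE group 2, first honestly, then with Mallory substituting her own public values on the path, then with a responder who does not know the pre-shared key. The group parameters are copied from RFC 2409 section 6.2; the authentication tag is a simplified stand-in for IKE's pre-shared-key hash (a keyed digest over both public values, assumed here for illustration), and the pre-shared keys are constructed values.

```python
import hashlib
import hmac
import secrets

# IKE Oakley group 2 (RFC 2409 section 6.2): a 1024-bit MODP prime with generator 2,
# the group IKE implementations of the slides' era negotiated by default.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair():
    """Fresh private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(priv, peer_pub):
    """(g^y)^x mod p. Public values 0, 1 and p-1 are rejected: they force a trivial secret."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, P)


def auth_tag(psk, role, pub_initiator, pub_responder):
    """Keyed digest over the sender's view of both public values. Simplified stand-in for
    IKE's pre-shared-key authentication hash, which also covers nonces, cookies, the SA
    proposal and the identity payload."""
    msg = role + pub_initiator.to_bytes(128, "big") + pub_responder.to_bytes(128, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(psk, mitm=False, bob_psk=None):
    """Simulate Alice (initiator) and Bob (responder). mitm=True puts Mallory on the path;
    bob_psk gives the responder a different key, i.e. the 'iked bluff' of slide 13."""
    bob_psk = psk if bob_psk is None else bob_psk
    a, A = keypair()
    b, B = keypair()
    if mitm:
        # Mallory replaces each public value with her own before forwarding it.
        m1, M1 = keypair()
        m2, M2 = keypair()
        A_seen_by_bob, B_seen_by_alice = M2, M1
    else:
        A_seen_by_bob, B_seen_by_alice = A, B

    k_alice = shared_secret(a, B_seen_by_alice)
    k_bob = shared_secret(b, A_seen_by_bob)

    # Each side proves knowledge of the PSK over the values *it* saw. Mallory can forward
    # these tags unchanged but cannot recompute them for the substituted values.
    tag_from_alice = auth_tag(psk, b"initiator", A, B_seen_by_alice)
    tag_from_bob = auth_tag(bob_psk, b"responder", A_seen_by_bob, B)
    bob_accepts = hmac.compare_digest(tag_from_alice, auth_tag(bob_psk, b"initiator", A_seen_by_bob, B))
    alice_accepts = hmac.compare_digest(tag_from_bob, auth_tag(psk, b"responder", A, B_seen_by_alice))

    result = {"keys_match": k_alice == k_bob, "authenticated": bob_accepts and alice_accepts}
    if mitm:
        # Mallory holds one key shared with Alice and another shared with Bob, so she can
        # decrypt, read and re-encrypt traffic in both directions unless the tags stop her.
        result["mallory_reads_alice"] = shared_secret(m1, A) == k_alice
        result["mallory_reads_bob"] = shared_secret(m2, B) == k_bob
    return result


if __name__ == "__main__":
    psk = b"constructed-pre-shared-key"
    print("honest:     ", run_exchange(psk))
    print("mitm:       ", run_exchange(psk, mitm=True))
    print("rogue peer: ", run_exchange(psk, bob_psk=b"attacker-guess"))
```

The three runs separate the two properties the slide conflates: unauthenticated Diffie-Hellman always yields a key, but in the man-in-the-middle case Alice and Bob hold different keys and each of them is shared with Mallory, and in the rogue-peer case they hold the same key but one of them is an attacker. Only the keyed tags, which Mallory and the rogue cannot produce without the pre-shared key, distinguish the honest run from the other two. The 1024-bit group is kept because it is the one the course's IKE would have negotiated; current deployments use 2048-bit group 14 or elliptic-curve groups, with the same exchange structure.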