Network Security (contd.)


1 Network Security (contd.)
Bijendra Jain 11/21/2018 Tutorial on Network Security: Sep 2003

2 Lecture 5: IPSec

3 IPSec: IP Security
- An IETF standard
- IPSec architecture and related standards published as RFC 1825 through RFC 1829
- Addresses the security issues (authentication and confidentiality) that arise when
  - connecting a remote host to a server
  - interconnecting two LANs using a public network
- Applications:
  - wide-area networking of branch offices using the Internet
  - interconnecting supplier/distributor extranets to the enterprise network
  - telecommuting
  - e-commerce
- Implemented in clients, servers or in routers

4 IPSec Scenario
(Figure: Enterprise LAN#1 and Enterprise LAN#2 connected across a Public Network; labels: PC, Server, Router)

5 Security functions covered by IPSec
(Table; columns: Authentication header (AH) | Encapsulating security payload (ESP), without AH | Encapsulating security payload, with AH)
Rows (security function):
- Access control
- Connection-less integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality
- (Limited) Flow Confidentiality
(The per-cell "Yes" entries of the table are not present in the transcript.)

6 Modes in IPSec
- Transport Mode: the payload in an IP packet is secured, e.g. TCP, UDP, ICMP headers and data
- Tunnel Mode: the complete IP packet, including its header, is secured

7 Transport Mode IPSec
(Figure: Enterprise LAN#1 and Enterprise LAN#2 across a Public Network; labels: PC, Server, Router)
- End-to-end authentication and/or encryption

8 Tunnel Mode IPSec
(Figure: Enterprise LAN#1 and Enterprise LAN#2 across a Public Network; labels: PC, Server, Router)
- End-system to ROUTER authentication and/or encryption
- Router-to-router authentication and/or encryption

9 Transport vs. Tunnel modes
?

10 IPSec Tunnel mode
Advantages:
- Only routers need to implement IPSec functions
- Implements a VPN (Virtual private network)
(Figure: Enterprise LAN, Router, Public Network)

11 IPSec: Authentication Header
Original IP packet:                 Original IP hdr | TCP header | TCP data
Encoded packet in “transport mode”: Original IP hdr | Authen. hdr | TCP header | TCP data
Encoded packet in “tunnel mode”:    NEW IP hdr | Authen. hdr | Original IP hdr | TCP header | TCP data

12 IPSec: packet format for AH
Original/new IP header, followed by the AH fields:
- Next header
- Payload length
- Reserved (16 bits)
- Identifier (32 bits)
- Sequence number (32 bits)
- Authentication data (variable length, default 96 bits)
  - Based on: MD5, or SHA-1
  - Covers TCP/UDP/ICMP header, data and portions of “non-mutable” IP headers
followed by the Payload (IP or TCP packet)

13 IPSec: ESP (Encryption)
Original IP packet:                 Original IP hdr | TCP header | TCP data
Encoded packet in “transport mode”: Original IP hdr | ESP hdr | TCP header | TCP data | ESP trailer | AH (optional)
Encoded packet in “tunnel mode”:    NEW IP hdr | ESP hdr | Original IP hdr | TCP header | TCP data | ESP trailer | AH (optional)

14 IPSec: packet format for ESP
- Original/new IP header
- Identifier (32 bits)
- Sequence number (32 bits)
- Payload (TCP, or IP packet), followed by padding, pad length and next header, suitably encrypted using 3DES, RC5 or …
- Authentication Header based on MD5, etc.
Coverage: the payload through pad length and next header is encrypted; the Identifier, Sequence number and the encrypted part are authenticated.

15 Combining security functions
- Authentication with confidentiality: ESP, with AH
- An AH inside an ESP (both in transport mode)
(Figure: PC and Server on two Enterprise LANs, Routers, Public Network)

16 Combining security functions
- An AH inside an ESP (both in transport mode), and all this within an ESP tunnel across the routers
(Figure: PC, Server, Enterprise LAN, Router, Public Network)

17 Key exchange
- Key generation and exchange using some “physical means”
- Automated generation of keys
  - Oakley key determination and exchange
    - Based on the Diffie-Hellman key generation algorithm
    - Oakley key exchange protocol

18 Diffie-Hellman key generation
A distributed key generation scheme. Given:
- q, a large prime number
- a, a primitive root of q (1 <= a^k mod q < q, and distinct for all 1 <= k < q)
Exchange:
- A picks X_A (keeps it secret), computes Y_A = a^X_A mod q and sends Y_A to B
- B picks X_B (keeps it secret), computes Y_B = a^X_B mod q and sends Y_B to A
- A and B compute the secret shared key a^(X_A * X_B) mod q, as Y_B^X_A mod q (at A) or Y_A^X_B mod q (at B)

19 Diffie-Hellman key generation
Man-in-the-middle attack (assumes the ability to intercept, and spoof):
- A -> B: X_A's public value is intercepted by E, who forwards its own value derived from X_E to B
- B -> A: X_B's public value is intercepted by E, who forwards its own value derived from X_E to A
- A ends up with a^(X_A * X_E), B with a^(X_B * X_E); E shares one key with A and another with B
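The exchange of slide 18 and the substitution of slide 19 in working code, added here as an example (not part of the original tutorial). Exponents are passed explicitly so the arithmetic is reproducible, while pick_secret shows how a party would choose X in practice; the group q = 23, a = 5 and the exponents used in the comments are constructed toy values, far too small for real use.

```python
import secrets

def is_primitive_root(a: int, q: int) -> bool:
    # a is a primitive root of prime q when a^k mod q, 1 <= k < q, takes
    # every value in 1..q-1 exactly once (slide 18's definition).
    return len({pow(a, k, q) for k in range(1, q)}) == q - 1

def pick_secret(q: int) -> int:
    # A private exponent X in 1..q-2, drawn from a CSPRNG.
    return 1 + secrets.randbelow(q - 2)

def public_value(a: int, q: int, x: int) -> int:
    # Y = a^X mod q, the only value that goes over the network.
    return pow(a, x, q)

def shared_key(peer_y: int, x: int, q: int) -> int:
    # K = (peer's Y)^X mod q, which equals a^(X_A * X_B) mod q on both sides.
    return pow(peer_y, x, q)

def honest_exchange(a: int, q: int, xa: int, xb: int):
    # Returns (key computed by A, key computed by B); they agree.
    ya, yb = public_value(a, q, xa), public_value(a, q, xb)
    return shared_key(yb, xa, q), shared_key(ya, xb, q)

def mitm_exchange(a: int, q: int, xa: int, xb: int, xe: int) -> dict:
    # Slide 19: E intercepts Y_A and Y_B and forwards its own Y_E in both
    # directions. Nothing in the messages lets A or B notice the substitution,
    # which is why slide 20 calls for authentication of the exchanged values.
    ya, yb, ye = (public_value(a, q, x) for x in (xa, xb, xe))
    k_a = shared_key(ye, xa, q)          # A now holds a^(X_A * X_E)
    k_b = shared_key(ye, xb, q)          # B now holds a^(X_B * X_E)
    k_e_with_a = shared_key(ya, xe, q)   # E derives the same two keys
    k_e_with_b = shared_key(yb, xe, q)
    return {"A": k_a, "B": k_b, "E_with_A": k_e_with_a, "E_with_B": k_e_with_b}
```

With q = 23, a = 5, X_A = 6, X_B = 15 the honest exchange yields Y_A = 8, Y_B = 19 and the key 2 on both sides.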

20 Diffie-Hellman key generation
Issues with the algorithm:
- What is the value of q, a? Make available several sets, and let the parties negotiate
- Man-in-the-middle attack: use some form of authentication
- Denial of service attack, arising from address spoofing: use cookies
- Replay attacks: use nonces

21 Cookies
Cookies:
- A requests B’s attention
- B responds with a “cookie” (a random number), K
- A must return K in its subsequent messages
Characteristics of cookies:
- Should depend upon data specific to B
- Should use some secret information
- Cookie generation and verification must be fast
- B should not have to save the cookie
Example method used: hash the sender/receiver IP addresses, TCP port numbers and a secret value

22 Oakley Key exchange

23 Oakley Key exchange: part 1
A to B:
- ID of A, ID of B
- Initiator cookie, CK-A
- Encryption, hash, authentication algorithms
- Specific Diffie-Hellman group (q, a)
- Public key y_A = a^X_A mod q
- Nonce N_A
- Signed_KR(A)[ID of A, ID of B, N_A, q, a, y_A]

24 Oakley Key exchange: part 2
B to A:
- ID of B, ID of A
- Responder cookie, CK-B; returned initiator cookie, CK-A
- Encryption, hash, authentication algorithms
- Specific Diffie-Hellman group (q, a)
- Public key y_B = a^X_B mod q
- Nonces N_A, N_B
- Signed_KR(B)[ID of B, ID of A, N_A, N_B, q, a, y_B, y_A]

25 Oakley Key exchange: part 3
A to B:
- ID of A, ID of B
- Returned responder cookie, CK-B; initiator cookie, CK-A
- Encryption, hash, authentication algorithms
- Specific Diffie-Hellman group (q, a)
- Public key y_A = a^X_A mod q
- Nonces N_A, N_B
- Signed_KR(A)[ID of A, ID of B, N_A, N_B, q, a, y_B, y_A]
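The stateless cookie of slide 21 and the three-part exchange of slides 23 to 25, modelled in Python as an added example (this is not the tutorial's or any Oakley implementation's code). Assumptions: Signed_KR(X)[...] is replaced by an HMAC under a per-party key so the block runs without a public-key library, the addresses are constructed documentation-range values, the algorithm-negotiation fields are omitted, and the ya_on_wire parameter models a substituted y_A so the purpose of the signature check is visible.

```python
import hashlib, hmac, secrets

def make_cookie(secret: bytes, src: tuple, dst: tuple) -> bytes:
    # Slide 21: a keyed hash of sender/receiver address and port plus a secret.
    # The responder recomputes it when it is returned instead of storing it.
    data = f"{src[0]}:{src[1]}->{dst[0]}:{dst[1]}".encode()
    return hmac.new(secret, data, hashlib.sha256).digest()[:8]

def sign(key: bytes, *fields) -> bytes:
    # Stand-in for Signed_KR(X)[...] (assumption): an HMAC under a per-party key.
    # A real Oakley implementation uses a public-key signature here.
    data = b"|".join(str(f).encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def oakley_exchange(q, a, xa, xb, key_a, key_b, secret_a, secret_b, ya_on_wire=None):
    """Run parts 1-3; returns (K at A, K at B) or None if any check fails."""
    A, B = ("192.0.2.10", 500), ("198.51.100.7", 500)   # constructed addresses
    ya, yb = pow(a, xa, q), pow(a, xb, q)
    # Part 1, A -> B: IDs, initiator cookie CK-A, group (q, a), y_A, nonce N_A, signature
    ck_a, na = make_cookie(secret_a, A, B), secrets.token_hex(8)
    m1 = dict(ids=("A", "B"), ck_a=ck_a, group=(q, a), y=ya, n=na)
    m1["sig"] = sign(key_a, "A", "B", na, q, a, ya)
    if ya_on_wire is not None:          # models an intercepted, substituted y_A
        m1["y"] = ya_on_wire
    # B checks the signature over what it actually received before doing further work
    expect = sign(key_a, *m1["ids"], m1["n"], *m1["group"], m1["y"])
    if not hmac.compare_digest(m1["sig"], expect):
        return None
    # Part 2, B -> A: CK-B, CK-A returned, y_B, both nonces, signature
    ck_b, nb = make_cookie(secret_b, B, A), secrets.token_hex(8)
    m2 = dict(ids=("B", "A"), ck_b=ck_b, ck_a=m1["ck_a"], y=yb, n=(na, nb))
    m2["sig"] = sign(key_b, "B", "A", na, nb, q, a, yb, ya)
    # A checks its cookie came back (address not spoofed), its nonce is echoed
    # (not a replay) and B's signature covers y_B, y_A and both nonces
    if not hmac.compare_digest(m2["ck_a"], make_cookie(secret_a, A, B)) or m2["n"][0] != na:
        return None
    if not hmac.compare_digest(m2["sig"], sign(key_b, "B", "A", na, nb, q, a, m2["y"], ya)):
        return None
    # Part 3, A -> B: CK-B returned, CK-A, both nonces, signature
    m3 = dict(ids=("A", "B"), ck_b=m2["ck_b"], ck_a=ck_a, n=(na, nb))
    m3["sig"] = sign(key_a, "A", "B", na, nb, q, a, yb, ya)
    # B recomputes CK-B (it saved nothing), then checks the nonces and A's signature
    if not hmac.compare_digest(m3["ck_b"], make_cookie(secret_b, B, A)) or m3["n"] != (na, nb):
        return None
    if not hmac.compare_digest(m3["sig"], sign(key_a, "A", "B", na, nb, q, a, yb, ya)):
        return None
    return pow(yb, xa, q), pow(ya, xb, q)   # a^(X_A * X_B) mod q on both sides
```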

26 Thanks
