Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.

Published byCori Cameron Modified over 9 years ago

Similar presentations

Presentation on theme: "IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS."— Presentation transcript:

1 IP Security: Security Across the Protocol Stack

2 IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that cut across protocol layers would like security implemented by the network for all applications

3 What is IPSec? A collection of tools and algorithms (protocols) for securing network connections The protocol is designed so as to provide network level security for IPv4 and IPv6 datagrams General IP security mechanisms applicable to use over LANs, across public & private WANs, & for the Internet It provides - authentication –confidentiality –key management

4 Services Provided by IPsec Authentication – ensure the identity of an entity Confidentiality – protection of data from unauthorized disclosure Key Management – generation, exchange, storage, safeguarding, etc. of keys in a public key cryptosystem

5 IPSec Scenario

6 Where can IPSec be used These protocols can operate in –networking devices, such as a router or firewall –or they may operate directly on the workstation or server.

7 How can IPSec be used Secure Communications between devices –Workstation to Workstation –Protection against data changes Accidental or Intentional –Contents can be hidden Secure communicatoins through IPSec tunnels

8 IPSec IPSec provides security services at IP layer by three main facilities –An authentication-only function, Referred to as Authentication Header (AH) –A combined authentication/ encryption function Called Encapsulating Security Payload (ESP) –A key exchange function. Internet key exchange IKE (ISAKMP / Oakley)

9 IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets –a form of partial sequence integrity Confidentiality (encryption) Limited traffic flow confidentiality

10 Security Associations a one-way relationship between sender & receiver that affords security services to the traffic carried on it A SA is an agreement between two communicating hosts on the IPSEC protocol used (i.e. AH/ESP), cryptographic algorithm used, mode of operation of protocols, cryptographic keys and lifetime of the keys Uniquely identified by 3 parameters: –Security Parameters Index (SPI) –IP Destination Address –Security Protocol Identifier

11 have a database of Security Associations – Security Associations Database (SAD) has a number of other parameters –seq no, AH & EH info, lifetime etc. If a peer relationship is needed, for two-way secure exchange, then two security associations are required The SA is negotiated between peers using a Key Management Protocol namely Internet Key Exchange Protocol (IKE). The peers maintain a SA database (SAD) with a list of all active SA entries. Security Associations

12 Security Associations (SA) Security Parameters Index (SPI) –The SPI is a bit string assigned to the SA that has local significance only. –The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.

13 Security Associations (SA) IP destination address –The IP address of the destination endpoint of the SA May be an end-user system Or, a network system such as a firewall or router. – Currently, only unicast addresses are allowed

14 Security Associations (SA) Security Protocol Identifier –Indicates which IPSec protocol is in use on the SA AH (Authentication only) ESP (complete encryption and possibly Authentication)

15 Transport vs. Tunnel Mode The transport mode is the default mode for IPSEC. In transport mode only the IP payload is encrypted or authenticated ( Protection for upper layers-TCP,UDP,ICMP) whereas in tunnel mode IPSEC encrypts(or hashes) the IP header with the payload. Transport mode can be used to encrypt traffic between end-to-end clients (client-server,2 workstations) whereas tunnel mode would be used to encrypt traffic between gateways connecting different networks

16 Authentication Header (AH) provides support for data integrity & authentication of IP packets –end system/router can authenticate user/app –prevents address spoofing attacks by tracking sequence numbers based on use of a MAC –HMAC-MD5- 96 or HMAC-SHA 1- 96 parties must share a secret key

17 Authentication Header

18

19 IPSec Authentication Header (AH) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr AH Hdr Orig IP Hdr Next Hdr Payload Len RsrvSecParamIndex Keyed Hash Integrity hash coverage (except for mutable fields in IP hdr) Seq# 24 bytes total AH is IP protocol 51 Insert © 2000 Microsoft Corporation

20

21 IPSec AH Tunnel ModeData TCP Hdr Orig IP Hdr ) Integrity hash coverage (except for mutable new IP hdr fields) IP Hdr AH Hdr AH HdrData TCP Hdr Orig IP Hdr New IP header with source & destination IP address © 2000 Microsoft Corporation

22

23

24 Encapsulating Security Payload (ESP) Must encrypt and/or authenticate in each packet ESP a bit more complicated because the encapsulation surrounds the payload rather than precedes it as with AH: ESP includes header and trailer fields to support the encryption and optional authentication Encryption occurs before authentication Authentication is applied to data in the IPSec header as well as the data contained as payload

25 Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality can optionally provide the same authentication services as AH supports range of ciphers –incl. DES, Triple-DES, RC5, IDEA, CAST etc

26 Encapsulating Security Payload

27 IPSec Encapsulating Security Payload (ESP) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr ESP Hdr Orig IP Hdr ESP Trailer ESP Auth Usually encrypted integrity hash coverage SecParamIndex Padding PaddingPadLengthNextHdr Seq# Keyed Hash 22-36 bytes total InitVector ESP is IP protocol 50 Insert Append © 2000 Microsoft Corporation

28

29 IPSec ESP Tunnel ModeData TCP Hdr Orig IP Hdr ESP Auth Usually encrypted integrity hash coverage Data TCP Hdr ESP Hdr Org IP Hdr Org IP HdrIPHdr New IP header with source & destination IP address © 2000 Microsoft Corporation ESP Trailer

30

Download ppt "IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Network Layer Security: IPSec

Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.

IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Cryptography and Network Security

Cryptography and Network Security
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

Similar presentations

Ads by Google