Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013.

Similar presentations


Presentation on theme: "1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013."— Presentation transcript:

1 1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013

2 2

3 3 IPsec usage  Host to host  May use transport mode  May use tunnel mode  Security Gateway to Security Gateway  Must use tunneling  Host to/from security gateway  For traffic destined to security gateway (for example SNMP message) the gateway is operating as a host and transport mode may be used  Otherwise, if the gateway is operating as a gateway tunneling mode must be used

4 © Janice Regan, 2006-2013 4  IPv4 packet: Transport mode Authentication  IPv4 packet: Tunnel mode Authentication IPv4 AH Authentication authenticated Partially authenticated IPv4 header TCP header TCP data Authentication header IPv4 tunnel header authenticated Partially authenticated IPv4 header TCP header TCP data Authentication header

5 © Janice Regan, 2006-2013 5 AH authentication algorithms HMAC with MD5RFC 2403 HMAC with SHA-1RFC 2404

6 © Janice Regan, 2006-2013 6 Transport Mode Tunnel Mode IPsec: ESP New IP header TCP header TCP data IP header ESP header ESP trailer ESP auth encrypted authenticated Not encrypted or authenticated TCP header TCP data IP header ESP header ESP trailer ESP auth

7 © Janice Regan, 2006-2013 7 ESP authentication algorithms HMAC with MD5RFC 2403 HMAC with SHA-1RFC 2404 Null Authentication

8 © Janice Regan, 2006-2013 8 ESP encryption algorithms DES in CBC modeRFC 2405 Null Encryption

9 © Janice Regan, 2006-2013 9 Security Associations (1)  An SA describes one simplex connection.  If you are using both AH and ESP you need one SA for each.  For two way communication you need one SA for each direction  Three parameters used to uniquely define a security association (SA).  destination address  security protocol (AH or ESP)  Security parameters index (SPI)

10 © Janice Regan, 2006-2013 10 Security Association (2)  SAs are stored in a database The SAD (Security Associations Database) also includes the following information:  Mode of communication (transport or tunnel)  Sequence Number Counter  Anti-Replay Window: to determine whether an inbound AH or ESP packet is a replay.  AH Authentication algorithm type, keys, etc. OR ESP Encryption algorithm and / or authentication, algorithm types, keys etc.  Lifetime of this Security Association

11 © Janice Regan, 2006-2013 11 Encryption  Source uses an encryption key and a particular encryption algorithm to encrypt the data  The data is inserted into a packet and sent to the receiver  The receiver uses a decryption key to decrypt the data. If the keys match the decrypted data is readable otherwise it is not.  The keys may be secret or private keys, or public keys  Private key encryption is often used for long messages public key encryption for short messages. Short messages may include sending private keys in preparation for transmission of longer messages.

12 © Janice Regan, 2006-2013 12 Secret or private keys  Private or secret keys are known only by the sender and receiver. The decryption key is the same as or derivable from the encryption key.  Secret key encryption may also be called symmetric encryption because the same key can be used in both directions  High security, difficult to decrypt without the key.

13 © Janice Regan, 2006-2013 13 Secret or private keys  Requires many keys (one for each pair of users)  Uses an efficient encryption algorithm  Popular example DES, data encryption standard  How do you distribute keys?  Use public key encryption  A central distribution centre

14 © Janice Regan, 2006-2013 14 Public keys (1)  Each user has a public key and a private key  Fewer keys needed (pair for each user, not each pairing of users).  Public key is used to encrypt the message, private key is used to decrypt the message. Private key is not easily derivable from the public key  Sender encrypts using the receiver’s public key  Only receiver can decrypt using its own private key  RSA is an example of this approach.

15 © Janice Regan, 2006-2013 15 Public keys (2)  Encryption/Decryption process is more computationally intensive than private key encryption  Must verify (authenticate) announced public key of a user  Verification may be done by a central authority (pairs users and keys and issues certificates)

16 © Janice Regan, 2006-2013 16 Digital Signature  Used for authentication, integrity and non repudiation (anti replay)  Use private key encryption to sign (encrypt the document or digest) the packet.  Use public key to verify signature (decrypt the document). Since only the sender knows its private key this provides authentication

17 © Janice Regan, 2006-2013 17 Digital Signature  A message signed using a senders private key (known only by that user) indicates that the message comes from that user  Changes to the message between the sender and the receiver require knowledge of the private key, or they will in all likelihood render the message unreadable at the destination  Signature alone does not provide confidentiality, anyone can decrypt using the senders public key

18 © Janice Regan, 2006-2013 18 Digital Signature  Used for authentication, integrity and non repudiation  Can sign entire document or digest of the document.  Algorithms such as SHA1 and MD5 are used to make digests of the document  Can sign the digest rather than the whole document

19 © Janice Regan, 2006-2013 19 Digital Signature  To sign the digest rather than the whole document  The sender uses a hash function to produce a digest of the document with a fixed size  Usually use MD5 (message digest 5) or SHA-1 (secure hash algorithm 1)  The sender encrypts the digest with her private key  The sender sends the document including the encrypted digest

20 © Janice Regan, 2006-2013 20 Digital Signature  To sign the digest rather than the whole document  The receiver creates a digest of the document using the same algorithm as the sender  The receiver decrypts the digest appended to the document using the senders public key  The receiver compares the calculated digest to the decrypted digest from the received message. They must match for the signature to be valid

21 © Janice Regan, 2006-2013 21 With VPN  New encapsulation  Shared keys (all users behind VPN use same key)  Dangerous (one user can hijack traffic, can have man in the middle attack)


Download ppt "1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013."

Similar presentations


Ads by Google