Download presentation
Presentation is loading. Please wait.
Published byArron Arnold Modified over 9 years ago
1
PGP & IP Security Pretty Good Privacy – PGP Pretty Good Privacy IP Security. IP Security
2
Pretty Good Privacy Introduction - BenefitsIntroduction Services of PGPServices of PGP Format of PGPFormat of PGP
3
IP Security IP Security Overview IP Security Architecture Authentication Header Security Associations
4
Electronic Mail Security PRETTY GOOD PRIVACY PGP provides a confidentiality & authentication service that can be used for electronic mail & file storage applications. Reasons for the explosively growth of PGP. 1.It is available free worldwide in versions that run on a variety of platforms, including DOS/Windows, UNIX, Macintosh. 2.It is based on algorithms that have survived extensive public review & are considered extremely secure. Specifically, the package includes RSA,DSS, & Diffie- Hellman for public-key encryption.
5
3. It has a wide range of applicability, from Encrypting files & Messages. 4.It was not developed by, nor is it controlled by, any governmental or standards organization.
6
Services of PGP 1.Authentication. 2.Confidentiality. 3.Compression. 4.E-mail Compatibility. 5.Segmentation.
7
Notations Used K = Session Key KRa = private key of user A. KUb = Public Key of User A. EP = Public Key Encryption. DP = Decryption of Public Key. EC = Conventional Encryption. DC = Conventional Decryption. H = Hash Function. || = Concatenation. Z = Compression using ZIP algorithm. R64 = Conversion to radix 64 ASCII format.
8
Services – Authentication & Confidentiality 1. Authentication & 2.Confidentiality
9
Authentication The Sequence is as follows: 1.The sender creates a message. 2.SHA-1 is used to generate a 160- bit hash code of the message. 3.The hash code is encrypted with RSA using the sender’s private key, & result is prepended to the message. 4.The receiver uses RSA with the sender’s public key to decrypt & recover the hash code. 5.The receiver generates a new hash code for the message & compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
10
Confidentiality The Sequence is as follows : 1.The sender generates a message & a random 128-bit number to be used as a session key for this message only. 2.The message is encrypted, using 3DES (CAST-128) with the session key. 3.The session key is encrypted with RSA, using the recipient’s public key, & is prepended to the message. 4.The receiver uses RSA with its private key to decrypt & recover the session key. 5.The session key is used to decrypt the message.
11
Authentication & Confidentiality
12
Compression PGP Compresses the message after applying the signature but before encryption. Benefit of saving space both for E-mail transmission & for file storage. 1.The Signature is generated before compression because so that one can store only the uncompressed message together with the signature for future verification. 2.Message encryption is applied after compression to strengthen cryptographic security. Because the compressed message has less redundancy than the original plaintext, cryptanalysis is more difficult.
13
E-mail Compatibility Many Electronic Mail Systems only permit the use of blocks consisting of ASCII text. The scheme used for this purpose is radix-64 conversion. Each group of three octets of binary data is mapped into four ASCII characters. The use of radix 64 expands a message by 33%.
14
Transmission & Reception of PGP Messages.
15
Segmentation & Reassembly -Maximum Length Exceeds.
16
General Format of PGP Message
17
Message Component Data. Time Stamp. File name. Signature Component Timestamp. Key ID of Sender’s public key(KUa). Leading two octets of Message Digest. Message Digest.
18
Session Key Component Key ID of recipient’s public key (KUb) Session key (Ks)
19
IP Security 1.Authentication 2.Confidentiality 3.Key Management The principal feature of IPSec that enables it to support the various applications is that it can encrypt &/or authenticate all traffic at the IP level.
20
IP Security Overview
21
Benefits of IPSec When IPSec is implemented in a firewall or router, it provides strong security & also workstation does not incur the overhead of security- related processing. IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP & the firewall is the only means of entrance from the Internet into the organization. IPSec is below the transport layer (TCP,UDP) & so is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router.
22
IP Security Architecture IPSec Documents The documents are divided into seven groups, as shown 1.Architecture Covers the security requirements, definitions, & Mechanisms defining IPSec technology. 2. Encapsulating Security Payload(ESP) Covers the packet format & packet encryption algorithm & optionally Authentication.
23
3.Authentication Header (AH) : Covers the packet format & packet authentication algorithm. 4. Encryption Algorithm : A set of documents that describe how various encryption algorithms are used for ESP. 5.Authentication Algorithm : A set of documents that describe how various Authentication algorithms are used for ESP. 6. Key Management : Documents that describe key management schemes. 7. Domain of Interpretation (DOI) : It includes the identifiers for approved encryption & authentication algorithms & also key life time.
24
IPSec Services Access Control. Connectionless Integrity. Data Origin authentication. Rejection of replayed packets. Confidentiality (Encryption). Limited traffic flow confidentiality.
25
Authentication Header The Authentication Header provides support for data integrity & authentication of IP packets. The Authentication Header consists of the following fields (figure below)
26
The Authentication Header Consists of the following fields : 1.Next Header(8 bits) : Identifies the type of header immediately following this header. 2.Payload Length (8 bits) : Length of Authentication Header. 3.Reserved (16bits ) : For future use. 4.Security Parameters Index(32 bits) : Identifies a security association. 5.Authentication Data (variable) : Integrity Check value.
27
Transport & Tunnel Modes Two ways of IPSec Authentication Service
28
Transport Mode (a) Before Applying AH (b) Transport Mode For transport mode, Authentication covers the entire packet.
29
Tunnel Mode For Tunnel mode AH, the entire original IP packet is authenticated, & the AH is inserted between the original IP header. The inner IP header carries the ultimate source & destination addresses, while an outer IP header may contain different IP addresses (gateways).
30
Security Associations Case 1: All security is provided between the end systems that implement IPSec.( Using Secret keys)
31
Case 2: Security is provided only between gateways (Routers) & no hosts implement IPSec.
32
Case 3 : End to End + Gateways (Case 1 + Case 2)
33
Case 4 : provides support for a remote host that uses the Internet to reach an organization's firewall & then to gain access to some server or workstation behind the firewall.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.