IPSec (presentation transcript)

2 IPSec
 general IP Security mechanisms
 provides
   authentication
   confidentiality
   key management
 Applications include secure connectivity over the Internet, office VPNs, across organizations, e-commerce

3 IP Security Scenario

4 Benefits of IPSec
 in a firewall/router, provides strong security to all traffic crossing the perimeter
 is resistant to bypass
 is below the transport layer, hence transparent to applications
 can be transparent to end users
 can provide security for individual users if desired

5 IP Security Architecture
It involves these aspects:
 IPSec Documents
 IPSec Services
 Security Association (SA)

6 IPSec Documents (7 groups)
 Architecture
 ESP
 AH
 Encryption Algorithm
 Authentication Algorithm
 Key Management
 Domain of Interpretation (DOI)

7 IPSec Services
 Access control
 Connectionless integrity
 Data origin authentication
 Rejection of replayed packets
   a form of partial sequence integrity
 Confidentiality (encryption)
 Limited traffic flow confidentiality
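The "rejection of replayed packets" service is implemented with a sliding window over sequence numbers, and the window is what makes the integrity only partial: reordering inside the window is tolerated, gaps are allowed, only duplicates and stale packets are dropped. The following is an added example (not code from the slides) of that receiver-side check; the window size of 64 and the arrival order fed in at the bottom are constructed sample values.

```python
# Added example (not from the slides): the sliding-window anti-replay check
# behind "rejection of replayed packets". The receiver keeps the highest
# sequence number accepted and a bitmap of which of the last `size` numbers
# have been seen; anything older than the window or already seen is dropped.
# It is only *partial* sequence integrity: packets may still arrive out of
# order inside the window, and gaps are allowed.

class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True (and record seq) if the packet is new and inside the window."""
        if seq == 0:
            return False                     # 0 is never a valid sequence number
        if seq > self.top:                   # advances the window to the right
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1              # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                     # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                     # duplicate: a replayed packet
        self.bitmap |= 1 << diff             # late but new: accept and mark
        return True


def run_sequence(seqs, size: int = 64):
    """Feed a constructed arrival order through one window; return accept/reject per packet."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: 5 is replayed; 6 arrives after the window moved past it
    print(run_sequence([1, 5, 3, 5, 2, 70, 6, 7]))
```

Note that the window state is part of the SA (the "seq no" parameter on the next slide): it is reset when the SA is re-keyed, and a sender that wraps the 32-bit counter must negotiate a new SA rather than continue.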

8 Security Associations
 a one-way relationship between sender & receiver that affords security for traffic flow
 defined by 3 parameters:
   Security Parameters Index (SPI)
   IP Destination Address
   Security Protocol Identifier
 has a number of other parameters
   seq no, AH & ESP info, lifetime etc

9 SA selectors
 The security policy database (SPD) contains entries, each of which defines a subset of IP traffic and points to an SA
 Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors
 The following selectors determine an SPD entry: destination IP address, source IP address, user ID, data sensitivity level, transport layer protocol, etc
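To make the SPD/SA relationship of slides 8 and 9 concrete, here is an added example (not from the slides) of a small policy engine: outbound traffic is matched against ordered SPD entries by selectors, and inbound packets find their SA by the three defining parameters (SPI, destination address, security protocol). The PROTECT/BYPASS/DISCARD action names follow RFC 4301; the selector set is reduced to addresses, transport protocol and destination port, and the addresses and SPI in the sample policy are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not from the slides): a minimal model of the SPD/SA relationship.
# An SPD entry matches traffic by selectors and names an action; PROTECT entries
# point at the SA to apply. The SA itself is identified by (SPI, destination
# address, security protocol). Action names follow RFC 4301; the selector set
# is reduced for brevity.

ESP, AH = 50, 51


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: str            # IP destination address
    protocol: int       # security protocol identifier: 50 = ESP, 51 = AH
    mode: str           # "transport" or "tunnel"


@dataclass
class SPDEntry:
    src_net: str
    dst_net: str
    transport: Optional[int]      # upper-layer protocol number, None = any
    dst_port: Optional[int]       # None = any
    action: str                   # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[SecurityAssociation] = None

    def matches(self, src: str, dst: str, transport: int, dst_port: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and self.transport in (None, transport)
                and self.dst_port in (None, dst_port))


class IPsecPolicy:
    def __init__(self, spd):
        self.spd = list(spd)                    # ordered: first matching entry wins
        self.sad = {}                           # (SPI, dst, protocol) -> SA
        for entry in self.spd:
            if entry.sa is not None:
                self.sad[(entry.sa.spi, entry.sa.dst, entry.sa.protocol)] = entry.sa

    def outbound(self, src, dst, transport, dst_port=None) -> Tuple[str, Optional[SecurityAssociation]]:
        for entry in self.spd:
            if entry.matches(src, dst, transport, dst_port):
                return entry.action, entry.sa
        return "DISCARD", None                  # no matching entry: drop (RFC 4301 default)

    def lookup_sa(self, spi, dst, protocol) -> Optional[SecurityAssociation]:
        """Inbound lookup by the three parameters that define an SA."""
        return self.sad.get((spi, dst, protocol))


def build_sample_policy() -> IPsecPolicy:
    # Constructed sample: site-to-site ESP tunnel between two gateways,
    # HTTPS to anywhere bypassed, everything else from the site dropped.
    tunnel_sa = SecurityAssociation(spi=0x1001, dst="192.0.2.2", protocol=ESP, mode="tunnel")
    return IPsecPolicy([
        SPDEntry("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT", tunnel_sa),
        SPDEntry("10.1.0.0/16", "0.0.0.0/0", 6, 443, "BYPASS"),
    ])
```

The ordering matters: because the first match wins, a broad BYPASS entry placed above the PROTECT entry would silently send the site-to-site traffic in the clear, which is why SPD audits start with entry order.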

10 Transport and tunnel modes
 AH and ESP support two modes: tunnel mode and transport mode
 Transport mode provides security mainly for upper-layer protocols. Examples: TCP, UDP, ICMP packets
 Tunnel mode provides protection for the entire packet. The entire packet travels through a tunnel from one IP to another; no routers are able to examine the inner IP header.

11 Authentication Header (AH)
 provides support for data integrity & authentication of IP packets
 end system/router can authenticate user/app
 prevents address spoofing attacks by tracking sequence numbers
 based on use of a MAC
   HMAC-MD5-96 or HMAC-SHA-1-96
 parties must share a secret key

12 Authentication Header

13 IPSec Authentication Header (AH) in Transport Mode
[Figure: Orig IP Hdr | TCP Hdr | Data becomes Orig IP Hdr | AH Hdr (inserted) | TCP Hdr | Data. AH header fields: Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash; 24 bytes total. Integrity hash coverage: whole packet except for mutable fields in the IP hdr. AH is IP protocol 51. © 2000 Microsoft Corporation]
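Slides 11 and 13 describe the AH transport-mode header and the rule that the keyed hash covers everything except the mutable IP header fields. The following added example (not code from the slides) builds and verifies such a packet with HMAC-SHA-1-96, the 24-byte header from the figure, and shows why a router decrementing TTL does not break the check while a one-bit change to the payload does. The key, addresses, SPI and payload bytes are constructed sample values.

```python
import hmac
import hashlib
import socket
import struct

# Added example (not from the slides): building and verifying an AH transport-mode
# IPv4 packet with HMAC-SHA-1-96 (RFC 2404). The ICV covers the whole packet, but
# the mutable IP header fields (TOS, flags/fragment offset, TTL, header checksum)
# are treated as zero, so a forwarding hop does not break authentication.
# Key, addresses and payload are constructed sample values.

AH_PROTO = 51
ICV_LEN = 12                       # HMAC-SHA-1-96: SHA-1 tag truncated to 96 bits
AH_FIXED_LEN = 12                  # Next Hdr, Payload Len, Reserved, SPI, Seq#


def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(hdr)                  # header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields)


def _immutable_view(ip_hdr: bytes) -> bytes:
    """Copy of the IP header with mutable fields zeroed for ICV computation."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The ICV field itself is covered as zeros
    covered = _immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport(key, src, dst, next_hdr, payload, spi, seq) -> bytes:
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2      # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_transport(key: bytes, packet: bytes):
    """Return (next_hdr, spi, seq, payload) if the ICV checks out, else None."""
    ip_hdr = packet[:20]
    if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or ip_hdr[9] != AH_PROTO:
        return None
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_end = 20 + (payload_len + 2) * 4
    icv, payload = packet[20 + AH_FIXED_LEN:ah_end], packet[ah_end:]
    if not hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload)):
        return None
    return next_hdr, spi, seq, payload


def router_hop(packet: bytes) -> bytes:
    """What a forwarding router does: decrement TTL and recompute the IP checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", _checksum(bytes(h)))
    return bytes(h) + packet[20:]
```

The mutable-field list is the reason AH does not survive NAT: a translator rewrites the source address, which is not on the mutable list, so the ICV fails at the receiver exactly as it would for a forged packet.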

14 IPSec AH Tunnel Mode
[Figure: Orig IP Hdr | TCP Hdr | Data becomes new IP Hdr | AH Hdr | Orig IP Hdr | TCP Hdr | Data. The new IP header carries the tunnel's source & destination IP addresses. Integrity hash coverage: whole packet except for mutable new IP hdr fields. © 2000 Microsoft Corporation]

15 Encapsulating Security Payload (ESP)
 provides message content confidentiality & limited traffic flow confidentiality
 can optionally provide the same authentication services as AH
 supports a range of ciphers, modes, padding
   incl. DES, Triple-DES, RC5, IDEA, CAST etc
   CBC most common
   pad to meet block size, for traffic flow confidentiality

16 Encapsulating Security Payload

17 Transport vs Tunnel Mode ESP
 transport mode is used to encrypt & optionally authenticate IP data
   data protected but header left in clear
   an observer can still do traffic analysis, but it is efficient
   good for ESP host-to-host traffic
 tunnel mode encrypts entire IP packet
   add new header for next hop
   good for VPNs, gateway-to-gateway security

18 IPSec Encapsulating Security Payload (ESP) in Transport Mode
[Figure: Orig IP Hdr | TCP Hdr | Data becomes Orig IP Hdr | ESP Hdr (inserted) | TCP Hdr | Data | ESP Trailer | ESP Auth (appended). ESP Hdr fields: SecParamIndex, Seq#, InitVector; ESP Trailer: Padding, PadLength, NextHdr; ESP Auth: Keyed Hash; 22-36 bytes total. The figure marks the region usually encrypted and the integrity hash coverage. ESP is IP protocol 50. © 2000 Microsoft Corporation]
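Slides 15 and 18 describe ESP's padding-to-block-size and the SPI / Seq# / payload / padding / PadLength / NextHdr / Keyed Hash layout. The added example below (not code from the slides) implements that framing with the NULL cipher and HMAC-SHA-1-96, so the padding rule and the order of the integrity check can be shown without a cipher library; with a real CBC cipher the IV would follow the sequence number and the payload through NextHdr would be encrypted, but the framing is otherwise the same. The key, SPI and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# Added example (not from the slides): ESP framing in transport mode using the
# NULL cipher (RFC 2410) with HMAC-SHA-1-96 authentication. Key, SPI and
# payload are constructed sample values.

ESP_PROTO = 50
ICV_LEN = 12                  # HMAC-SHA-1-96
TRAILER_LEN = 2               # Pad Length + Next Header


def esp_pad_len(payload_len: int, block_size: int) -> int:
    """Padding so that payload + padding + trailer is a whole number of blocks
    (block_size 4 for NULL, i.e. 32-bit alignment; 16 for AES-CBC)."""
    return (-(payload_len + TRAILER_LEN)) % block_size


def build_esp(key: bytes, spi: int, seq: int, next_hdr: int, payload: bytes, block_size: int = 4) -> bytes:
    pad_len = esp_pad_len(len(payload), block_size)
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default padding: 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + plaintext    # NULL encryption: ciphertext == plaintext
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers SPI through Next Header
    return body + icv


def parse_esp(key: bytes, esp: bytes):
    """Return (spi, seq, next_hdr, payload) or None. Integrity is checked before
    the padding is ever looked at, so a forged packet never reaches the parser."""
    if len(esp) < 8 + TRAILER_LEN + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN], icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    plaintext = body[8:]                              # NULL decryption
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - TRAILER_LEN:
        return None
    data_end = len(plaintext) - TRAILER_LEN - pad_len
    if plaintext[data_end:-TRAILER_LEN] != bytes(range(1, pad_len + 1)):
        return None                                   # padding pattern is not the default
    return spi, seq, next_hdr, plaintext[:data_end]
```

Verifying the keyed hash before inspecting PadLength is the encrypt-then-MAC order ESP mandates; reversing it (decrypt and parse padding first) is what made padding-oracle attacks against CBC possible in other protocols.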

19 IPSec ESP Tunnel Mode
[Figure: Orig IP Hdr | TCP Hdr | Data becomes new IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth. The new IP header carries the tunnel's source & destination IP addresses. The figure marks the region usually encrypted and the integrity hash coverage. © 2000 Microsoft Corporation]

20 Combining Security Associations
 SAs can implement either AH or ESP
 to implement both, SAs need to be combined
   forming a security bundle
 Security associations can be bundled in two ways: transport adjacency and iterated tunneling

21 Authentication + confidentiality
 ESP with authentication option
 Transport mode ESP
 Tunnel mode ESP
 There are 4 basic combinations of SAs (next slide)

22 Combining Security Associations

23 Oakley
 a key exchange protocol
 based on Diffie-Hellman key exchange
 adds features to address weaknesses
   cookies, groups (global params), nonces, DH key exchange with authentication
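The slide lists what Oakley adds to plain Diffie-Hellman; the added example below (not code from the slides or from any Oakley implementation) shows the shape of such an exchange so each addition has a visible job: cookies are stateless HMACs that let a responder defer state until its own cookie comes back, nonces make every run fresh, and a pre-shared key authenticates the DH public values of both sides. The group is a toy (2^127-1 is prime, but far too small, and the generator's order is unverified); real Oakley groups are the MODP groups of RFC 2409/3526. Party names, addresses and keys are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not from the slides): an Oakley-style authenticated DH exchange
# with cookies, nonces and PSK authentication. Toy group: 2^127-1 is a Mersenne
# prime but far too small for real use and the generator's order is unverified.

P = (1 << 127) - 1
G = 3


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Party:
    def __init__(self, name: str, addr: str, psk: bytes):
        self.name, self.addr, self.psk = name, addr, psk
        self.cookie_secret = os.urandom(16)        # local secret, rotated periodically in practice
        self.x = secrets.randbelow(P - 2) + 1       # private DH exponent
        self.gx = pow(G, self.x, P)                 # public DH value
        self.nonce = os.urandom(16)

    def cookie(self, peer_addr: str) -> bytes:
        """Anti-clogging cookie: recomputable from the addresses and a local secret, no table needed."""
        msg = (self.addr + "|" + peer_addr).encode()
        return hmac.new(self.cookie_secret, msg, hashlib.sha256).digest()[:8]

    def auth_tag(self, ci, cr, gx, gy, ni, nr, ident: str) -> bytes:
        """Proof of PSK knowledge bound to every value of this run."""
        msg = ci + cr + int_to_bytes(gx) + int_to_bytes(gy) + ni + nr + ident.encode()
        return hmac.new(self.psk, msg, hashlib.sha256).digest()


def derive_key(shared: int, ni: bytes, nr: bytes) -> bytes:
    return hmac.new(ni + nr, int_to_bytes(shared), hashlib.sha256).digest()


def oakley_exchange(init: Party, resp: Party):
    """Three-message run; returns (initiator_key, responder_key) or None on authentication failure."""
    # 1. I -> R: CKY-I, g^x, Ni, ID-I
    ci, gx, ni = init.cookie(resp.addr), init.gx, init.nonce
    # 2. R -> I: CKY-R, g^y, Nr, ID-R, tag over everything exchanged so far
    cr, gy, nr = resp.cookie(init.addr), resp.gx, resp.nonce
    tag_r = resp.auth_tag(ci, cr, gx, gy, ni, nr, resp.name)
    # Initiator authenticates the responder's values before replying
    if not hmac.compare_digest(tag_r, init.auth_tag(ci, cr, gx, gy, ni, nr, resp.name)):
        return None
    # 3. I -> R: both cookies and the initiator's tag
    tag_i = init.auth_tag(ci, cr, gx, gy, ni, nr, init.name)
    # Responder recomputes its own cookie instead of looking it up, then checks the tag
    if not hmac.compare_digest(cr, resp.cookie(init.addr)):
        return None
    if not hmac.compare_digest(tag_i, resp.auth_tag(ci, cr, gx, gy, ni, nr, init.name)):
        return None
    key_i = derive_key(pow(gy, init.x, P), ni, nr)
    key_r = derive_key(pow(gx, resp.x, P), ni, nr)
    return key_i, key_r
```

Because the tags bind both cookies, both public values and both nonces, an attacker who replays message 1 from an old run gets a fresh Nr and cannot produce a valid tag_i without the PSK, and a flood of forged message 1s costs the responder no stored state.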

24 ISAKMP
 Internet Security Association and Key Management Protocol
 provides framework for key management
 defines procedures and packet formats to establish, negotiate, modify, & delete SAs
 independent of key exchange protocol, encryption alg, & authentication method

25 ISAKMP

26 ISAKMP Payload Types
 Hash - {Hash Data}
 Proposal - {Proposal #, Protocol ID, SPI size, # of transforms}
 Transform - {Transform #, Transform ID, SA attributes}
 Key Exchange - {Key Exchange Data}
 Identification - {ID Type, ID Data}
 Signature (SIG) - {Signature Data}
 etc.
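The Proposal and Transform entries on the slide are the payloads a negotiation is built from. The added example below (not code from the slides or from any ISAKMP implementation) packs and parses them in the RFC 2408 layout, where every payload begins with the generic header (Next Payload, RESERVED, Payload Length) and a proposal's length covers all of its transforms. The transform IDs and attribute type/value pairs in the sample are constructed placeholders, not a real negotiated proposal.

```python
import struct

# Added example (not from the slides): RFC 2408 Proposal and Transform payloads.
# Payload type numbers (Proposal = 2, Transform = 3, none = 0) and field order
# are from RFC 2408; attributes use the basic (AF bit set) type/value form.
# Sample transform IDs and attributes are constructed placeholders.

PAYLOAD_NONE, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 0, 2, 3


def _generic(next_payload: int, body: bytes) -> bytes:
    """Generic payload header: Next Payload, RESERVED, Payload Length (incl. header)."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def transform_payload(number: int, transform_id: int, attrs, last: bool) -> bytes:
    """Transform #, Transform ID, RESERVED2, then SA attributes as basic TLVs."""
    attr_bytes = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    body = struct.pack("!BBH", number, transform_id, 0) + attr_bytes
    return _generic(PAYLOAD_NONE if last else PAYLOAD_TRANSFORM, body)


def proposal_payload(number: int, protocol_id: int, spi: bytes, transforms) -> bytes:
    """Proposal #, Protocol ID, SPI size, # of transforms, SPI, then the transform chain.
    The proposal's Payload Length covers its transforms, as RFC 2408 requires."""
    chain = b"".join(transform_payload(n, tid, attrs, n == len(transforms))
                     for n, (tid, attrs) in enumerate(transforms, start=1))
    body = struct.pack("!BBBB", number, protocol_id, len(spi), len(transforms)) + spi + chain
    return _generic(PAYLOAD_NONE, body)


def parse_proposal(data: bytes) -> dict:
    """Parse one proposal payload; raises ValueError on any length inconsistency."""
    if len(data) < 8:
        raise ValueError("proposal payload too short")
    _, _, length = struct.unpack("!BBH", data[:4])
    if length > len(data) or length < 8:
        raise ValueError("proposal payload length out of range")
    number, proto, spi_size, n_trans = struct.unpack("!BBBB", data[4:8])
    spi = data[8:8 + spi_size]
    off, transforms = 8 + spi_size, []
    for _ in range(n_trans):
        if off + 8 > length:
            raise ValueError("transform header overruns proposal")
        _, _, t_len = struct.unpack("!BBH", data[off:off + 4])
        if t_len < 8 or off + t_len > length or (t_len - 8) % 4:
            raise ValueError("transform payload length out of range")
        t_num, t_id, _ = struct.unpack("!BBH", data[off + 4:off + 8])
        attrs = []
        for a_off in range(off + 8, off + t_len, 4):
            t, v = struct.unpack("!HH", data[a_off:a_off + 4])
            if not t & 0x8000:
                raise ValueError("only basic attributes are handled here")
            attrs.append((t & 0x7FFF, v))
        transforms.append((t_num, t_id, attrs))
        off += t_len
    return {"number": number, "protocol_id": proto, "spi": spi, "transforms": transforms}


def is_well_formed(data: bytes) -> bool:
    try:
        parse_proposal(data)
        return True
    except ValueError:
        return False
```

Every length field is checked against its enclosing payload before it is used to slice; self-describing lengths that are trusted unchecked are the classic source of over-reads in key-management daemons, so the parser rejects rather than clamps.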

27 ISAKMP Exchanges (5 default exchanges)
 Base Exchange: minimizes the number of exchanges; no ID protection; uses nonces against replay attacks
 Identity Protection Exchange: the session keys encrypt a message containing authentication information, i.e., digital signatures and certificates validating public keys
 Authentication Only Exchange: mutual authentication without key exchange

28
 Aggressive Exchange: minimizes the number of exchanges; no ID protection
 Informational Exchange: error/status notification, deletion

29 Summary
 have considered:
   IPSec security framework
   AH
   ESP
   key management & Oakley/ISAKMP

