
Introduction to network security






Presentation Transcript


  1. Introduction to network security – Chapter 16, Stallings (Crypto – chapter 16 – noack)

  2. IP security overview
  • IPSec provides security at the IP layer
  • Varieties
    • AH – Authentication header
      • Transport mode – AH fits after IP header and covers TCP
      • Tunnel mode – New IP header – AH covers original IP and TCP
    • ESP – Encapsulating security payload
      • Transport mode – ESP authenticates and encrypts TCP
      • Tunnel mode – New IP header – ESP authenticates and encrypts original IP and TCP
  • Modes
    • Transport – end-to-end services – not processed by routers
    • Tunnel – intermediate services – processed by routers and firewalls

  3. Components
  • SA – Security association
    • Carried inside AH and ESP
    • Contents
      • Security parameters index – identifier and specification
      • IP destination address – can be real user or firewall/router
      • Security protocol identifier – is this AH or ESP
  • AH – Authentication header
    • Standard header components
      • Security parameters index (from SA)
      • Sequence number
      • Authentication data
  • ESP – Encapsulating security payload
    • Essentially like AH

  4. ESP capabilities
  • Encryption algorithms
    • Triple DES
    • RC5
    • IDEA
    • Three-key triple IDEA
    • CAST
    • Blowfish
  • Authentication algorithms
    • 96-bit MAC
    • Must support HMAC-MD5-96 and HMAC-SHA-1-96
  • Padding
    • As needed to support block structure and conceal actual payload length

  5. Transport and tunneling
  • Transport
    • Authenticates/protects TCP layer
    • This means packets and IP headers are seen
    • IP headers and addresses are not protected
  • Tunneling
    • This allows IP tunnels – for example between parts of an organization
    • Allows VPNs
    • Multiple layers are possible (iterated tunneling)
    • Individual SA applies to only one layer (AH or ESP)
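The transport- and tunnel-mode layouts of slides 2 and 5 and the AH header fields of slides 3 and 4 (SPI, sequence number, authentication data computed with HMAC-SHA-1-96), worked as an added Python example that is not part of the slides or of Stallings' text. It builds a minimal IPv4 header (no options, checksum left zero), computes the AH integrity check value over the immutable header fields plus everything after the IP header, wraps an inner packet for tunnel mode, and keeps a simplified anti-replay window over the sequence number. The key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

AH_PROTO = 51      # IP protocol number for AH
IPIP_PROTO = 4     # next-header value for an encapsulated IPv4 packet (tunnel mode)
TCP_PROTO = 6
ICV_LEN = 12       # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits
IP_HDR = struct.Struct('!BBHHHBBH4s4s')   # minimal 20-byte IPv4 header
AH_HDR = struct.Struct('!BBHII')           # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src, dst, proto, total_len, ttl=64):
    # version 4, IHL 5, no options; checksum left zero (it is a mutable field, not covered by the ICV)
    return IP_HDR.pack(0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr):
    """Fields a router may legitimately change in flight are zeroed before hashing:
    TOS, flags/fragment offset, TTL and header checksum."""
    v = bytearray(ip_hdr)
    v[1] = 0
    v[6:8] = b'\x00\x00'
    v[8] = 0
    v[10:12] = b'\x00\x00'
    return bytes(v)


def compute_icv(key, ip_hdr, ah_hdr, payload):
    # The ICV covers the immutable IP fields, the AH header with its own ICV field zeroed, and the payload
    data = zero_mutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, next_header=TCP_PROTO):
    """Transport mode: IP | AH | payload, where the payload is the TCP segment."""
    ah_len = AH_HDR.size + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, IP_HDR.size + ah_len + len(payload))
    ah_hdr = AH_HDR.pack(next_header, ah_len // 4 - 2, 0, spi, seq)   # payload len: 32-bit words minus 2
    return ip_hdr + ah_hdr + compute_icv(key, ip_hdr, ah_hdr, payload) + payload


def build_ah_tunnel(key, outer_src, outer_dst, spi, seq, inner_packet):
    """Tunnel mode: new outer IP | AH | original IP packet, so the original header is covered as well."""
    return build_ah_packet(key, outer_src, outer_dst, spi, seq, inner_packet, next_header=IPIP_PROTO)


def verify_ah_packet(key, packet):
    ip_hdr = packet[:IP_HDR.size]
    ah_hdr = packet[IP_HDR.size:IP_HDR.size + AH_HDR.size]
    icv_off = IP_HDR.size + AH_HDR.size
    received = packet[icv_off:icv_off + ICV_LEN]
    payload = packet[icv_off + ICV_LEN:]
    return hmac.compare_digest(received, compute_icv(key, ip_hdr, ah_hdr, payload))


class ReplayWindow:
    """Simplified anti-replay window over the AH sequence number (64 entries, no counter overflow handling)."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                      # older than the window: dropped
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                      # already seen: replay
        self.bitmap |= bit
        return True
```

A router decrementing the TTL leaves the ICV valid, while changing a payload byte or the source address does not; in tunnel mode the whole original packet, header included, sits inside the protected payload.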

  6. Key distribution
  • Oakley key distribution protocol
    • Based on Diffie-Hellman
    • Non-specific – does not specify formats, just exchanges
  • Diffie-Hellman weaknesses
    • No identity information
    • Subject to person-in-the-middle attack
    • Computationally intensive – vulnerable to clogging attack
  • Oakley improvements
    • Uses cookies to thwart clogging
    • Allows group negotiation
    • Uses nonces to prevent replays
    • Still uses Diffie-Hellman, but authenticates the exchange

  7. Oakley details
  • Groups
    • Actually five methods
    • Modular exponentiation with lengths 768, 1024, 1536
    • Elliptic curve group over 155- or 185-bit fields with generator specified
  • Nonce usage
    • Used to prevent replay attacks
  • Authentication methods
    • Digital signatures
    • Public key encryption
    • Symmetric-key encryption – requires out-of-band key distribution

  8. More Oakley details
  • Recommended cookie
    • MD5 hash of source and destination IP addresses, UDP source and destination ports, and a locally generated secret
  • Reasoning
    • Fast, specific, contains local secret
  • Groups (confusing term)
    • Modular exponentiation (768, 1024, 1536)
    • Elliptic curve (155, 185)
  • Authentication methods
    • Digital signatures
    • Public-key encryption
    • Symmetric-key encryption
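The three Oakley improvements of slides 6 to 8 put together in one added Python example (not from the slides or from Stallings): the stateless anti-clogging cookie computed as on slide 8, nonces carried in every message, and the Diffie-Hellman values authenticated with the symmetric-key method (a pre-shared key). The message flow, the pre-shared key, the peer addresses and the DH group are assumptions; the group is a deliberately small toy prime, not one of the 768/1024/1536-bit Oakley groups, so that the exchange runs instantly. The responder counts its exponentiations to show that a bad cookie costs it nothing.

```python
import hashlib
import hmac
import os
import secrets

# Toy group for illustration only: NOT an Oakley group (those are 768/1024/1536-bit MODP primes)
P = (1 << 127) - 1
G = 3


def to_bytes(n):
    return n.to_bytes(16, 'big')


def oakley_cookie(local_secret, src_ip, src_port, dst_ip, dst_port):
    """Slide 8 recipe: MD5 over the source/destination IP addresses, the UDP ports and a local secret.
    The responder stores nothing per peer; it recomputes the cookie when the peer echoes it back."""
    data = f'{src_ip}:{src_port}->{dst_ip}:{dst_port}'.encode() + local_secret
    return hashlib.md5(data).digest()[:8]


def auth_tag(psk, *parts):
    """Symmetric-key (pre-shared key) authentication binding cookies, nonces and DH values together."""
    return hmac.new(psk, b''.join(parts), hashlib.sha256).digest()


class Responder:
    def __init__(self, psk):
        self.psk = psk
        self.secret = os.urandom(16)   # rotated periodically in a real implementation
        self.exponentiations = 0       # counts the expensive work actually performed

    def issue_cookie(self, peer):
        # Message 2: reply with a cookie and nothing else; no exponentiation, no stored state
        return oakley_cookie(self.secret, *peer)

    def process(self, peer, m):
        # Anti-clogging: a forged cookie, or one issued to another address, is rejected before any DH work
        if not hmac.compare_digest(m['cr'], oakley_cookie(self.secret, *peer)):
            return None
        expected = auth_tag(self.psk, m['ci'], m['cr'], m['ni'], to_bytes(m['gx']))
        if not hmac.compare_digest(m['tag'], expected):
            return None                # tampered DH value or wrong key: a person-in-the-middle fails here
        self.exponentiations += 1
        y = secrets.randbelow(P - 2) + 2
        gy = pow(G, y, P)
        nr = secrets.token_bytes(16)   # responder nonce: ties the reply to this exchange only
        shared = pow(m['gx'], y, P)
        tag = auth_tag(self.psk, m['ci'], m['cr'], m['ni'], nr, to_bytes(m['gx']), to_bytes(gy))
        return {'nr': nr, 'gy': gy, 'tag': tag}, shared


def initiator_start():
    """Message 1: the initiator's own cookie and its DH private exponent."""
    return secrets.token_bytes(8), secrets.randbelow(P - 2) + 2


def initiator_message3(psk, ci, cr, x):
    """Message 3: both cookies, a fresh nonce, g^x and an authentication tag over all of them."""
    ni = secrets.token_bytes(16)
    gx = pow(G, x, P)
    return {'ci': ci, 'cr': cr, 'ni': ni, 'gx': gx, 'tag': auth_tag(psk, ci, cr, ni, to_bytes(gx))}


def initiator_finish(psk, m3, reply, x):
    """Message 4 check: verify the responder's tag (both nonces, both DH values), then derive the shared key."""
    expected = auth_tag(psk, m3['ci'], m3['cr'], m3['ni'], reply['nr'],
                        to_bytes(m3['gx']), to_bytes(reply['gy']))
    if not hmac.compare_digest(reply['tag'], expected):
        return None
    return pow(reply['gy'], x, P)
```

The cookie check runs before the tag check on purpose: the cookie is a single MD5, the tag costs an HMAC, and only a message that passes both earns a modular exponentiation from the responder.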

  9. ISAKMP
  • ISAKMP = Internet Security Association and Key Management Protocol
  • Manages security associations in general
  • Format
    • Header with cookies and next payload pointer
    • Subsequent payloads with next payload pointer
  • Payload types
    • Security association
    • Proposal
    • Transform
    • Key exchange
    • Identification
    • Certificate
    • Hash
    • Signature
    • Nonce
    • Notification
    • Delete SAs

  10. ISAKMP exchange types
  • Exchange types
    • Base
      • 4 messages, establishes SA
    • Identity protection
      • Includes identity verification, 6 messages
    • Authentication only
      • Authentication – agrees on basic SA, 3 messages
    • Aggressive
      • 3 messages – no identity protection
    • Informational
      • 1 message – just SA management
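The header-plus-chained-payloads format of slide 9 and the exchange type codes of slide 10, as an added Python example (not from the slides or from Stallings). It packs an ISAKMP header (two cookies, next-payload pointer, version, exchange type, flags, message id, length) followed by generic payload headers in which each payload's next-payload field names the one after it, and parses such a message back while rejecting the failure modes a receiver has to handle: a length field that disagrees with the datagram, a payload length that runs past the buffer, and an endless chain. Payload type and exchange type numbers are the RFC 2408 values; the cookies and payload bodies are constructed sample data.

```python
import struct

# Payload type numbers from RFC 2408, matching the list on slide 9
PAYLOAD_NAMES = {0: 'NONE', 1: 'SA', 2: 'PROPOSAL', 3: 'TRANSFORM', 4: 'KEY_EXCHANGE',
                 5: 'ID', 6: 'CERT', 7: 'CERT_REQ', 8: 'HASH', 9: 'SIG', 10: 'NONCE',
                 11: 'NOTIFICATION', 12: 'DELETE', 13: 'VENDOR_ID'}
# Exchange type numbers from RFC 2408, matching slide 10
EXCHANGE_NAMES = {1: 'BASE', 2: 'IDENTITY_PROTECTION', 3: 'AUTH_ONLY', 4: 'AGGRESSIVE', 5: 'INFORMATIONAL'}
HDR = struct.Struct('!8s8sBBBBII')   # cookies, next payload, version, exchange type, flags, message id, length
PL_HDR = struct.Struct('!BBH')        # generic payload header: next payload, reserved, payload length


def build_message(cookie_i, cookie_r, exchange_type, payloads):
    """payloads: list of (type, body). Each payload's next-payload field points at the following payload;
    the last one carries 0 (NONE)."""
    body = b''
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PL_HDR.pack(nxt, 0, PL_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(cookie_i, cookie_r, first, 0x10, exchange_type, 0, 0, HDR.size + len(body)) + body


def parse_message(buf, max_payloads=64):
    """Walk the next-payload chain. Raises ValueError on truncated, oversized or runaway chains."""
    if len(buf) < HDR.size:
        raise ValueError('short header')
    ci, cr, nxt, ver, xchg, flags, msg_id, length = HDR.unpack_from(buf)
    if length != len(buf):
        raise ValueError('length field disagrees with datagram')
    if ver >> 4 != 1:
        raise ValueError('unsupported major version')
    out = {'cookie_i': ci, 'cookie_r': cr,
           'exchange': EXCHANGE_NAMES.get(xchg, f'UNKNOWN({xchg})'), 'payloads': []}
    off = HDR.size
    while nxt != 0:
        if len(out['payloads']) >= max_payloads:
            raise ValueError('too many payloads')
        if off + PL_HDR.size > len(buf):
            raise ValueError('truncated payload header')
        next_nxt, _, plen = PL_HDR.unpack_from(buf, off)
        if plen < PL_HDR.size or off + plen > len(buf):
            raise ValueError('bad payload length')     # never trust the length field to index the buffer
        out['payloads'].append((PAYLOAD_NAMES.get(nxt, f'UNKNOWN({nxt})'), buf[off + PL_HDR.size:off + plen]))
        off += plen
        nxt = next_nxt
    if off != len(buf):
        raise ValueError('trailing bytes after last payload')
    return out


def is_malformed(buf):
    """True when parse_message rejects the datagram."""
    try:
        parse_message(buf)
        return False
    except ValueError:
        return True
```

The three payloads in the test form the minimal content of a key exchange (SA, nonce, key exchange); the parser reports them by name and refuses both a datagram cut short and one whose first payload claims a length larger than the buffer.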
