Network Security (contd.)

Bijendra Jain

([email protected])

Tutorial on Network Security: Sep 2003

Lecture 5: IPSec

IPSec: IP Security
  • An IETF standard
    • IPSec architecture and related standards published as RFC 1825 through RFC 1829
  • Addresses security issues arising from
    • authentication and confidentiality
    • connecting a remote host to a server
    • Interconnecting two LANs using a public network
  • Applications:
    • wide-area networking of branch offices using Internet
    • Interconnecting supplier/distributor extranets to enterprise network
    • Telecommuting
    • E-commerce
  • Implemented in clients, servers or in routers


IPSec Scenario (figure): Enterprise LAN#1 (PCs) and Enterprise LAN#2 (PCs and a server), each behind a router, connected across a public network.

Security functions covered by IPSec

Columns: Authentication header (AH); Encapsulating security payload (ESP), without AH; Encapsulating security payload, with AH.

Security function                 AH     ESP without AH     ESP with AH
Access control                    Yes    Yes                Yes
Connection-less integrity         Yes                       Yes
Data origin authentication        Yes                       Yes
Rejection of replayed packets     Yes    Yes                Yes
Confidentiality                          Yes                Yes
(Limited) flow confidentiality           Yes                Yes

Modes in IPSec
  • Transport Mode
    • The payload in an IP packet is secured
      • E.g. TCP, UDP, ICMP headers, data
  • Tunnel Mode
    • The complete IP packet, including its header, is secured

Transport Mode IPSec (figure): end-to-end authentication and/or encryption between a PC on Enterprise LAN#1 and the server on Enterprise LAN#2; the routers and the public network in between carry the protected packet unchanged.

Tunnel Mode IPSec (figure): end-system to ROUTER authentication and/or encryption between a PC and its own router on Enterprise LAN#1, and router-to-router authentication and/or encryption across the public network to the router on Enterprise LAN#2, behind which sit the server and PCs.

Transport vs. Tunnel modes
  • ?

IPSec Tunnel mode (figure): four enterprise LANs, each behind its own router, joined across a public network.
  • Advantages:
    • Only routers need to implement IPSec functions
    • Implement VPN (Virtual private network)

IPSec: Authentication Header
  • Original IP packet:
      Original IP hdr | TCP header | TCP data
  • Encoded packet in “transport mode”:
      Original IP hdr | Authen. hdr | TCP header | TCP data
  • Encoded packet in “tunnel mode”:
      NEW IP hdr | Authen. hdr | Original IP hdr | TCP header | TCP data

IPSec: packet format for AH
  • Original/new IP header
  • Authentication header fields, in order:
    • Next header
    • Payload length
    • Reserved (16 bits)
    • Identifier (32 bits)
    • Sequence number (32 bits)
    • AH authentication data (variable length, default 96 bits)
      • Based on: MD5, or SHA-1
      • Covers TCP/UDP/ICMP header, data and portions of “non-mutable” IP headers
  • Payload (IP or TCP packet)
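The following worked example is added here and is not code from the slides: it builds the transport-mode and tunnel-mode AH packets drawn above, with the field order of this slide, and verifies them on the receiving side. It uses HMAC-MD5 truncated to the slide's default 96 bits, zeroes the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) before hashing, and shows that a router's TTL decrement leaves the ICV valid while any change to the payload does not. Addresses, key, SPI and the TCP segment are constructed sample values; IPv4 headers are assumed to carry no options.

```python
import hashlib
import hmac
import struct

# IANA protocol / next-header values; ICV length is the slide's "default 96 bits".
AH_PROTO = 51        # "an Authentication Header follows"
IPV4_IN_IP = 4       # encapsulated IPv4 packet follows (tunnel mode)
TCP = 6
ICV_LEN = 12

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (constructed id/flags, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """AH covers only 'non-mutable' IP fields: TOS, flags/fragment offset, TTL and
    the header checksum change in transit, so they are zeroed before hashing."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)

def ah_header(next_hdr, spi, seq):
    """Next header | payload length (AH length in 32-bit words minus 2) | reserved | SPI | seq."""
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)

def compute_icv(key, outer_ip, ah_fixed, after_ah):
    """HMAC-MD5-96 over IP header (mutable fields zeroed) + AH (ICV zeroed) + everything after."""
    covered = zero_mutable(outer_ip) + ah_fixed + bytes(ICV_LEN) + after_ah
    return hmac.new(key, covered, hashlib.md5).digest()[:ICV_LEN]

def build_ah(mode, key, src, dst, tcp_segment, spi=0x1000, seq=1, gw_src=None, gw_dst=None):
    """Return an AH-protected IPv4 packet in 'transport' or 'tunnel' mode."""
    if mode == "transport":
        # Original IP hdr | AH | TCP header | TCP data
        after_ah, next_hdr, outer_src, outer_dst = tcp_segment, TCP, src, dst
    elif mode == "tunnel":
        # NEW IP hdr | AH | Original IP hdr | TCP header | TCP data
        inner_ip = ipv4_header(src, dst, TCP, 20 + len(tcp_segment))
        after_ah, next_hdr = inner_ip + tcp_segment, IPV4_IN_IP
        outer_src, outer_dst = gw_src, gw_dst
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    ah_fixed = ah_header(next_hdr, spi, seq)
    outer_ip = ipv4_header(outer_src, outer_dst, AH_PROTO, 20 + 12 + ICV_LEN + len(after_ah))
    return outer_ip + ah_fixed + compute_icv(key, outer_ip, ah_fixed, after_ah) + after_ah

def verify_ah(packet, key):
    """Receiver side: recompute the ICV in constant time; return (ok, next_header)."""
    outer_ip, ah_fixed = packet[:20], packet[20:32]
    got_icv, after_ah = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    if outer_ip[9] != AH_PROTO:
        return False, None
    ok = hmac.compare_digest(got_icv, compute_icv(key, outer_ip, ah_fixed, after_ah))
    return ok, ah_fixed[0]

# Constructed sample data: addresses, key and a SYN-like TCP segment with a short payload.
KEY = b"constructed-ah-key"
PC, SERVER = bytes([10, 1, 0, 10]), bytes([10, 2, 0, 20])
ROUTER1, ROUTER2 = bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1])
SAMPLE_TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0) + b"GET / HTTP/1.0\r\n"

def transport_packet():
    return build_ah("transport", KEY, PC, SERVER, SAMPLE_TCP)

def tunnel_packet():
    return build_ah("tunnel", KEY, PC, SERVER, SAMPLE_TCP, gw_src=ROUTER1, gw_dst=ROUTER2)

def after_router_hop(packet):
    """A router decrements TTL, a mutable field: the ICV must still verify."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)

def with_payload_flipped(packet):
    """Any change to the authenticated part (here the last payload byte) must fail."""
    p = bytearray(packet)
    p[-1] ^= 0x01
    return bytes(p)
```

The tunnel-mode packet is the transport-mode one with the original IP header pushed inside the authenticated region and a new outer header (router to router) on the front, which is exactly why only the routers need to hold the key in the tunnel-mode scenario on the earlier slide.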

IPSec: ESP (Encryption)
  • Original IP packet:
      Original IP hdr | TCP header | TCP data
  • Encoded packet in “transport mode”:
      Original IP hdr | ESP hdr | TCP header | TCP data | ESP trailer | AH (optional)
  • Encoded packet in “tunnel mode”:
      NEW IP hdr | ESP hdr | Original IP hdr | TCP header | TCP data | ESP trailer | AH (optional)

IPSec: packet format for ESP
  • Original/new IP header
  • Identifier (32 bits)
  • Sequence number (32 bits)
  • Payload (TCP, or IP packet with padding, pad length, next header), suitably encrypted using 3DES, RC5 or …
  • Authentication Header based on MD5, etc.
  • Coverage: the identifier, sequence number and payload are authenticated; the payload together with its padding, pad length and next header is encrypted
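The example below is added here and is not code from the slides. It frames an ESP packet with the fields of this slide (SPI, sequence number, IV, encrypted payload plus padding, pad length and next header, then an optional 96-bit ICV) and parses it in the receiver's order: verify the ICV, reject a replayed sequence number, decrypt, check the padding and strip the trailer. The Python standard library has no 3DES, so an HMAC-SHA-256 counter keystream is used as a labelled stand-in for the cipher; the 8-byte block and IV sizes are those of 3DES. Keys, SPI, IV and payload are constructed sample values, and the replay check is simplified to a single last-seen sequence number rather than a sliding window.

```python
import hashlib
import hmac
import struct

BLOCK = 8        # 3DES block size: the encrypted part must end on a block boundary
IV_LEN = 8
ICV_LEN = 12     # 96-bit truncated HMAC-MD5
TCP = 6

def keystream(key, iv, n):
    """Stand-in for 3DES (constructed for this example): HMAC-SHA-256 in counter mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_esp(enc_key, auth_key, spi, seq, next_hdr, payload, iv):
    """ESP hdr (SPI, seq) | IV | encrypted{payload, padding, pad length, next header} | ICV."""
    pad_len = (-(len(payload) + 2)) % BLOCK      # 2 = pad-length byte + next-header byte
    padding = bytes(range(1, pad_len + 1))       # default padding pattern 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_hdr])
    header = struct.pack("!II", spi, seq)
    body = iv + xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))
    # authenticated region = header + body; encrypted region = body minus the IV
    icv = hmac.new(auth_key, header + body, hashlib.md5).digest()[:ICV_LEN]
    return header + body + icv

def parse_esp(enc_key, auth_key, packet, last_seq):
    """Receiver: verify ICV first, reject replays, then decrypt and strip the trailer.
    Returns (seq, next_hdr, payload); raises ValueError on any failure."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    _spi, seq = struct.unpack("!II", header)
    if seq <= last_seq:
        raise ValueError(f"replayed packet: seq {seq} <= {last_seq}")
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext not block aligned")
    plaintext = xor_bytes(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    end = len(plaintext) - 2 - pad_len
    if end < 0 or plaintext[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return seq, next_hdr, plaintext[:end]

# Constructed sample values
ENC_KEY, AUTH_KEY = b"constructed-enc-key", b"constructed-auth-key"
SPI = 0x2000
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n"
SAMPLE_IV = bytes(range(8))

def sample_packet(seq=1):
    return build_esp(ENC_KEY, AUTH_KEY, SPI, seq, TCP, SAMPLE_PAYLOAD, SAMPLE_IV)

def regions(packet):
    """Byte ranges of the slide's 'authenticated' and 'encrypted' regions."""
    return {"authenticated": (0, len(packet) - ICV_LEN),
            "encrypted": (8 + IV_LEN, len(packet) - ICV_LEN)}

def accept(packet, last_seq):
    """True if the receiver would accept the packet, False if it rejects it."""
    try:
        parse_esp(ENC_KEY, AUTH_KEY, packet, last_seq)
        return True
    except ValueError:
        return False

def tampered(packet):
    """Flip one bit of the first ciphertext byte."""
    p = bytearray(packet)
    p[8 + IV_LEN] ^= 0x80
    return bytes(p)
```

Checking the ICV before decrypting means a modified or replayed packet is dropped without touching the cipher or the padding, which is the cheap, oracle-free order for a receiver.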

Combining security functions (figure): a PC on one enterprise LAN and a server on the other, each behind a router, across a public network.
  • Authentication with confidentiality
    • ESP, with AH
  • An AH inside an ESP (both in transport mode)

Combining security functions (figure): the same PC, routers and server.
  • An AH inside an ESP (both in transport mode), and all this within an ESP tunnel across the routers

Key exchange
  • Key generation and exchange using some “physical means”
  • Automated generation of keys
    • Oakley key determination and exchange
      • Based on the Diffie-Hellman key generation algorithm
      • Oakley key exchange protocol

Diffie-Hellman key generation
  • A distributed key generation scheme
  • Given q, a large prime number, and a, a primitive root of q
    • (1 <= a^k mod q < q, and distinct for all 1 <= k < q)
  • A:
    • picks XA (keeps it secret),
    • computes and sends YA = a^XA mod q to B
  • B:
    • picks XB (keeps it secret),
    • computes and sends YB = a^XB mod q to A
  • A and B compute the secret shared key a^(XA·XB) mod q = YB^XA mod q or YA^XB mod q
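As an added example (not from the slides), the exchange above carried through in code with the slide's symbols: q, a, XA, XB, YA, YB. It also checks the primitive-root condition exactly as the slide defines it (a^k mod q distinct for 1 <= k < q) and reports the size of the set a generates, which shows why a non-primitive a is a poor choice: the key then lands in a small subgroup. The group q = 23, a = 5 and the exponents are constructed toy values; the brute-force root check is only for such sizes.

```python
def order_of(a, q):
    """Number of distinct values a^k mod q takes for 1 <= k < q (brute force, toy sizes only)."""
    return len({pow(a, k, q) for k in range(1, q)})

def is_primitive_root(a, q):
    """Slide definition: the q-1 powers a^1 .. a^(q-1) mod q are all distinct and lie in [1, q)."""
    powers = {pow(a, k, q) for k in range(1, q)}
    return len(powers) == q - 1 and 0 not in powers

def dh_public(a, q, x):
    """Y = a^X mod q: the value a party sends; X itself is kept secret."""
    return pow(a, x, q)

def dh_shared(peer_public, x, q):
    """Shared key from the peer's public value and one's own secret exponent."""
    return pow(peer_public, x, q)

def run_dh(q, a, x_a, x_b):
    """Both halves of the exchange; returns YA, YB and the agreed key."""
    if not is_primitive_root(a, q):
        raise ValueError(f"{a} is not a primitive root of {q}")
    y_a = dh_public(a, q, x_a)      # A -> B
    y_b = dh_public(a, q, x_b)      # B -> A
    k_a = dh_shared(y_b, x_a, q)    # A computes YB^XA mod q
    k_b = dh_shared(y_a, x_b, q)    # B computes YA^XB mod q
    if not (k_a == k_b == pow(a, x_a * x_b, q)):
        raise AssertionError("key agreement failed")
    return {"y_a": y_a, "y_b": y_b, "key": k_a}

if __name__ == "__main__":
    print(run_dh(23, 5, 6, 15))                 # constructed toy parameters
    print(order_of(5, 23), order_of(2, 23))     # 22 vs. 11: 2 generates only half the group
```

With q = 23 and a = 5, XA = 6 and XB = 15 give YA = 8, YB = 19 and the key 2 on both sides; 2 is not a primitive root of 23 (its powers cover only 11 values), so run_dh rejects it.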

Diffie-Hellman key generation
  • Man-in-the-middle attack
    • Assumes ability to intercept, and spoof
    • (figure) A sends XA towards B (A2B); E intercepts it and forwards XE to B instead. B sends XB towards A (B2A); E intercepts it and forwards XE to A instead
    • Resulting keys: a^(XA*XE) on A's side and a^(XB*XE) on B's side, each computed with E's value

Diffie-Hellman key generation
  • Issues with the algorithm:
    • What is the value of q, a?
      • Make available several sets, and let the parties negotiate
    • Man-in-the-middle attack
      • Use some form of authentication
    • Denial of service attack, arises from address-spoofing
      • Use cookies
    • Replay attacks
      • Use nonces

Cookies
  • Cookies:
    • A requests B’s attention
    • B responds with a “cookie” (a random number), K
    • A must return K in its subsequent messages
  • Characteristics of cookies:
    • Should depend upon data specific to B
    • Should use some secret information
    • Cookie generation and verification must be fast
    • B should not have to save the cookie
  • Example method used:
    • Hash of sender/receiver IP addresses, TCP port numbers and a secret value
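An added example (not from the slides) of the cookie method just described: B derives the cookie as a keyed hash over the peer's and its own IP address and port plus a secret only B knows, so it can verify a returned cookie by recomputing it and keeps no per-request state. The scenario shows the four properties on the slide in action: a cookie is bound to B's own data and secret, verification is one hash, nothing is stored, and a message whose source address was forged cannot carry a valid cookie because the cookie was sent to the forged address. Addresses, ports and secrets are constructed sample values.

```python
import hashlib
import hmac

class CookieResponder:
    """B's side of the exchange. The cookie is an HMAC over (peer ip:port -> my ip:port)
    under B's secret, so B can verify it by recomputation and never stores it."""

    def __init__(self, my_ip, my_port, secret):
        self.my_ip, self.my_port, self.secret = my_ip, my_port, secret

    def make_cookie(self, peer_ip, peer_port):
        msg = f"{peer_ip}:{peer_port}->{self.my_ip}:{self.my_port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def check_cookie(self, cookie, peer_ip, peer_port):
        """Stateless: recompute and compare in constant time."""
        return hmac.compare_digest(cookie, self.make_cookie(peer_ip, peer_port))

    def handle_request(self, peer_ip, peer_port):
        """First message: reply with a cookie only; no state kept, no expensive work yet."""
        return self.make_cookie(peer_ip, peer_port)

    def handle_followup(self, peer_ip, peer_port, cookie):
        """Later messages: continue the (expensive) exchange only if the cookie checks out."""
        return self.check_cookie(cookie, peer_ip, peer_port)

def scenario():
    """Constructed exchange showing what does and does not verify."""
    b = CookieResponder("10.2.0.20", 500, b"constructed-secret-B")
    other = CookieResponder("10.2.0.20", 500, b"constructed-other-secret")
    # Genuine initiator A: the cookie reaches A's real address and A returns it
    ck = b.handle_request("10.1.0.10", 500)
    genuine = b.handle_followup("10.1.0.10", 500, ck)
    # Request with a forged source address: B's reply (and K) went to the forged
    # address, so the follow-up cannot contain the right cookie
    forged = b.handle_followup("10.1.0.10", 500, bytes(8))
    # A cookie minted under a different secret is not B's cookie
    foreign = b.handle_followup("10.1.0.10", 500, other.handle_request("10.1.0.10", 500))
    # A valid cookie does not transfer to a different peer port
    moved = b.handle_followup("10.1.0.10", 501, ck)
    return {"genuine": genuine, "forged": forged, "foreign": foreign, "moved": moved}
```

Because the cookie is recomputed rather than looked up, a flood of first messages costs B one hash each and no memory, which is the point of answering with a cookie before doing any Diffie-Hellman work.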

Oakley Key exchange

Oakley Key exchange: part 1
  • A to B
    • ID of A, ID of B
    • Initiator cookie, CK-A
    • Encryption, hash, authentication algorithms
    • Specific Diffie-Hellman group (q, a)
    • public key yA = a^XA mod q
    • Nonce NA
    • Signed_KR(A)[ID of A, ID of B, NA, q, a, yA]

Oakley Key exchange: part 2
  • B to A
    • ID of B, ID of A
    • Responder cookie, CK-B; returned initiator cookie, CK-A
    • Encryption, hash, authentication algorithms
    • Specific Diffie-Hellman group (q, a)
    • public key yB = a^XB mod q
    • Nonces NA, NB
    • Signed_KR(B)[ID of B, ID of A, NA, NB, q, a, yB, yA]

Oakley Key exchange: part 3
  • A to B
    • ID of A, ID of B
    • Returned responder cookie, CK-B; initiator cookie, CK-A
    • Encryption, hash, authentication algorithms
    • Specific Diffie-Hellman group (q, a)
    • public key yA = a^XA mod q
    • Nonces NA, NB
    • Signed_KR(A)[ID of A, ID of B, NA, NB, q, a, yB, yA]
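The three parts above, run end to end as an added example that is not code from the slides. Each message carries the IDs, cookies, algorithm list, group (q, a), public value(s) and nonce(s) listed on the slides, and each receiver performs the checks the slides imply: the returned cookie matches the one it issued, its own nonce comes back unchanged, and the signature over the listed fields verifies. The signature uses a textbook RSA stand-in with small primes and SHA-256 (constructed for the example; not a real signature scheme or key size), the group is the toy q = 23, a = 5, and the cookie is an HMAC over the peers' addresses. The tamper switch changes yA in transit to show that B's signature check in part 1 rejects it.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (q prime, a primitive root of q)
Q, A = 23, 5

def toy_rsa_key(p, q, e=65537):
    """Textbook RSA stand-in for KR(A)/KR(B): returns (n, e, d). Constructed; not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

KEYS = {"A": toy_rsa_key(1000003, 1000033), "B": toy_rsa_key(1000037, 1000039)}
COOKIE_SECRET = {"A": b"constructed-secret-A", "B": b"constructed-secret-B"}
ALGS = "3DES, MD5, RSA-signature"    # encryption, hash, authentication algorithms offered

def digest_int(fields, n):
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(party, fields):
    n, _, d = KEYS[party]
    return pow(digest_int(fields, n), d, n)

def verify(party, fields, sig):
    n, e, _ = KEYS[party]
    return pow(sig, e, n) == digest_int(fields, n)

def cookie(party, src, dst):
    """Keyed hash of the two endpoints under the issuer's secret (stateless to verify)."""
    return hmac.new(COOKIE_SECRET[party], f"{src}->{dst}".encode(), hashlib.sha256).hexdigest()[:16]

def run_exchange(tamper_ya=False):
    a_addr, b_addr = "10.1.0.10:500", "10.2.0.20:500"
    x_a, x_b = secrets.randbelow(Q - 2) + 1, secrets.randbelow(Q - 2) + 1
    y_a, y_b = pow(A, x_a, Q), pow(A, x_b, Q)
    n_a, n_b = secrets.token_hex(8), secrets.token_hex(8)
    ck_a = cookie("A", a_addr, b_addr)
    # Part 1, A -> B
    m1 = {"ids": ("A", "B"), "ck_a": ck_a, "algs": ALGS, "group": (Q, A), "y": y_a, "nonce": n_a}
    m1["sig"] = sign("A", ["A", "B", n_a, Q, A, y_a])
    if tamper_ya:   # in-path change of A's public value; the signature must catch it
        m1["y"] = (m1["y"] * A) % Q
    # B verifies Signed_KR(A)[ID of A, ID of B, NA, q, a, yA] before doing anything else
    if not verify("A", ["A", "B", m1["nonce"], *m1["group"], m1["y"]], m1["sig"]):
        return {"ok": False, "failed_at": "part 1"}
    ck_b = cookie("B", b_addr, a_addr)
    # Part 2, B -> A: returns CK-A, adds CK-B and NB, signs over both nonces and both public values
    m2 = {"ids": ("B", "A"), "ck_b": ck_b, "ck_a": m1["ck_a"], "algs": ALGS, "group": (Q, A),
          "y": y_b, "nonces": (m1["nonce"], n_b)}
    m2["sig"] = sign("B", ["B", "A", *m2["nonces"], Q, A, y_b, m1["y"]])
    # A checks its cookie came back, its nonce is intact, and B's signature covers yA as A sent it
    if m2["ck_a"] != ck_a or m2["nonces"][0] != n_a or not verify(
            "B", ["B", "A", *m2["nonces"], *m2["group"], m2["y"], y_a], m2["sig"]):
        return {"ok": False, "failed_at": "part 2"}
    # Part 3, A -> B: returns CK-B with both nonces and a signature over the full set
    m3 = {"ids": ("A", "B"), "ck_b": m2["ck_b"], "ck_a": ck_a, "algs": ALGS, "group": (Q, A),
          "y": y_a, "nonces": m2["nonces"]}
    m3["sig"] = sign("A", ["A", "B", *m3["nonces"], Q, A, m2["y"], y_a])
    if m3["ck_b"] != ck_b or m3["nonces"] != (n_a, n_b) or not verify(
            "A", ["A", "B", *m3["nonces"], *m3["group"], y_b, m3["y"]], m3["sig"]):
        return {"ok": False, "failed_at": "part 3"}
    k_a, k_b = pow(m2["y"], x_a, Q), pow(m1["y"], x_b, Q)
    return {"ok": True, "key_match": k_a == k_b, "key": k_a}
```

The signatures bind the nonces and both public values to the identities, which is what defeats the man-in-the-middle substitution from the earlier slide; the cookies let B refuse to sign or exponentiate for a peer that has not proved it can receive at its claimed address; the nonces tie each reply to this run so an old message cannot be replayed.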

Thanks