1 / 14

IPSec Overview

IPSec Overview. Version B.00 H7076S Module 3 Slides. IPSec Functionality. Confidentiality Eavesdroppers on the network cannot view users’ data. Authentication The claimed sender is in fact the actual sender. Integrity Data has not been altered during transit in the network.

oriana
Download Presentation

IPSec Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IPSec Overview Version B.00 H7076S Module 3 Slides

  2. IPSec Functionality • ConfidentialityEavesdroppers on the network cannot view users’ data. • Authentication The claimed sender is in fact the actual sender. • Integrity Data has not been altered during transit in the network. • Non-repudiation Senders of data cannot claim that they did not send the data. • Transparent Network Applications do not need modification to take advantage Security of network security.

  3. K-CLASS Capturing Packets Off the Internet Bad Guy Server in Chicago Users in San Francisco • It is trivial to snoop on Internet traffic, including passwords sent over the network. • Malicious people exist who actually do these things.

  4. K-CLASS Data Key Encryption Algorithm Encrypted Data Symmetric Cryptography: Encryption and Decryption Data Decryption Algorithm Encrypted Data Key

  5. IP Hdr TCP Hdr Data (aka Payload) How ESP Encryption Works ESP = Encapsulating Security Payload Original IP Packet The same packet after encryption and addition of the ESP Header IP Hdr ESP Hdr TCP Hdr Data (aka Payload) Encrypted The functionality provided by ESP and encryption is confidential.

  6. A Closer Look at ESP • An ESP header contain two fields: • An ESP header identifier • A security parameter index (SPI) value • The SPI value is an index into the security association table in memory. The entry in the security association table defines how the packet is encrypted. IP Hdr ESP Hdr TCP Hdr Data (aka Payload) Encrypted ESP 2 Security Association Table in Memory SPI Algorithm Key Lifetime 1 MD5 12505812097 1 day 2 DES 34209482543 1 hour

  7. K-CLASS Message Digest Algorithm Message Digest Algorithm Authentication: Method Digest Value Message Digest Value Data Key Equal? Message Digest Value Data Key Data Message Digest Value

  8. IP Hdr TCP Hdr Data IP Hdr AH Hdr TCP Hdr Data How Authentication Headers Work AH = Authentication Header Original IP Packet The same packet after the addition of the AH header: Authenticated with a Message Digest Value The functionality provided by AH and the message digest is authentication and data integrity.

  9. A Closer Look at AH Headers • An AH header contain three fields: • An AH header identifier • A security parameter index (SPI) value • A message digest value • The SPI value is an index into the security association table in memory. The entry in the security association table defines how the packet is authenticated. IP Hdr AH Hdr TCP Hdr Data Authenticated AH 1 39475 Security Association Table in Memory SPI Algorithm Key Lifetime 1 MD5 12505812097 1 day 2 DES 34209482543 1 hour

  10. IP Hdr TCP Hdr Data IP Hdr AH Hdr ESP Hdr TCP Hdr Data Encrypted Combined AH and ESP Original IP Packet The same packet after the addition of the AH header: Authenticated with a Message Digest Value AH 1 39475 ESP 2 Security Association Table in Memory SPI Algorithm Key Lifetime 2 DES 34209482543 1 hour 1 MD5 12505812097 1 day

  11. K-CLASS K-CLASS SPI Algorithm Key Lifetime 1 ??? ???????????? ???? 2 DES 34209482543 1 hour Symmetric Key Bootstrap Problem ServerB ServerA Security Association Table in ServerB Memory Security Association Table in ServerA Memory SPI Algorithm Key Lifetime 1 MD5 12505812097 1 day 2 ??? ???????????? ???? • How do systems agree on an initial key? Initial encryption algorithm? Lifetime? • How do systems exchange initial key information without the data being stolen by a hacker with a sniffer?

  12. SPI Algorithm Key Lifetime SPI Algorithm Key Lifetime 1 MD5 12505812097 1 day 1 ??? ???????????? ???? iked process iked process 2 ??? ???????????? ???? 2 DES 34209482543 1 hour Internet Key Exchange (IKE) Overview Security Association Table Security Association Table • The iked daemon is responsible for : • Initially establishing security association table entries with other iked daemons. • Agreeing on security algorithms, key values, and key lifetimes with other iked daemons. • Maintaining the security association table and agreeing upon new keys when the lifetime for a key expires.

  13. Security Association Table Security Association Table SPI Algorithm Key Lifetime SPI Algorithm Key Lifetime 1 ??? ????????? ???? 1 ??? ????????? ???? 2 DES 34209483 1 hour 2 DES 34209483 1 hour iked process iked process Protecting against an IKED Bluff iked process Security Association Table SPI Algorithm Key Lifetime 1 ??? ????????? ???? 2 DES 34209483 1 hour I will install IPSec on my system and maybe those customer systems will establish a secure connection with my computer. Conclusion: Need a Primary Authentication Mechanism

  14. Overcoming Security Obstacles Problem: Data packets travel across the network in clear text! Solution: Use IPSec to authenticate (AH) or encrypt (ESP) packets. Problem: How to securely establish IPSec keys Solution: Use Internet Key Exchange (IKE) protocol. Problem: How to securely establish a IKE keys. Solution: Use Diffie-Hellman algorithm. Problem: Diffie-Hellman is prone to “Man-in-the-Middle” attacks. Solution: Use Pre-Shared key authentication or public-key authentication. Problem: Pre-shared keys are not practical; public-keys require authentication. Solution: Use Security Certificates and manage them through a Public Key Infrastructure (PKI)

More Related