1 / 42

CSCE 815 Network Security Lecture 13

CSCE 815 Network Security Lecture 13. IP Security (IPSec). March 4, 2003. PGP Homework. 5.4 page 159 Find PGP on SUNs (whereis, which, whatis, man-k) Construct a RSA based signing key Construct an encryption key Pick a partner from the class.

bendek
Download Presentation

CSCE 815 Network Security Lecture 13

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCE 815 Network Security Lecture 13 IP Security (IPSec) March 4, 2003

  2. PGP Homework • 5.4 page 159 • Find PGP on SUNs (whereis, which, whatis, man-k) • Construct a RSA based signing key • Construct an encryption key • Pick a partner from the class. • Send a signed but cleartext message to your partner. • Validate the signature of the received message. • Send the key and an encrypted message to the partner. • Decrypt the message.

  3. Chapter 6 – IP Security • If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told. • —The Art of War, Sun Tzu

  4. Outline • Internetworking and Internet Protocols (Appendix 6A) • IP Security Overview • IP Security Architecture • Authentication Header • Encapsulating Security Payload • Combinations of Security Associations • Key Management

  5. TCP/IP Example (fig 6.13)

  6. IP Security • have considered some application specific security mechanisms • eg. S/MIME, PGP, Kerberos, SSL/HTTPS • however there are security concerns that cut across protocol layers • would like security implemented by the network for all applications

  7. IPSec • general IP Security mechanisms • provides • authentication • confidentiality • key management • applicable to use over LANs, across public & private WANs, & for the Internet • Internet Engineering Task Force (IETF) develops protocol standards for the internet

  8. IPv4 Header

  9. IP version 4 Fields • Version (4 bits) the value is 0100 = 4 • Internet Hedaer Length (IHL)(4) length of header in 32bit words. The minimum value is 5. • Type of Service(8) • Total Length (16) Total IP packet length in octets • Identification (16) sequence number • Flags(3) “more”, and “don’t fragment” • Fragment offset (13) where is belongs in 64bit units • Time to Live (TTL) (8) number of “seconds” for packet to live • Checksum • Addresses 32 bit source and destination addresses • Options

  10. IPv6 Header

  11. IP version 6 Fields • Version (4 bits) the value is 0110 (6) • Traffic class (8) priority of this packet for routers • Flow Label(20) label packets for special processing by routers • Payload Length(16) • Next Header(8) – usually TCP or UDP or an IPv6 extension • Hop limit (8) • Source Address(128=16 octets=4 words) • Destination address (128=16octets=4 words)

  12. IP Security Overview • IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

  13. IP Security Overview • Applications of IPSec • Secure branch office connectivity over the Internet • Secure remote access over the Internet • Establshing extranet and intranet connectivity with partners • Enhancing electronic commerce security • Virtual Private Networks • http://www.howstuffworks.com/vpn.htm • Two protocols • Authentication Header (AH) authentication protocol • Encapsulating Security Protocol (ESP) combined encryption/authentication protocol

  14. IP Security Scenario

  15. IP Security Architecture • specification is quite complex • defined in numerous RFC’s • RFC 2401 – overview of security architecture • RFC 2402 – packet authentication extension • RFC 2406 – packet encryption • RFC 2408 – key management • many others, grouped by category • mandatory in IPv6, optional in IPv4 • Figure 6.2 summarizes additional documents

  16. IPSec Document Overview

  17. Benefits of IPSec • in a firewall/router provides strong security to all traffic crossing the perimeter • is resistant to bypass • is below transport layer, hence transparent to applications • can be transparent to end users • can provide security for individual users if desired

  18. Routing Applications support • IPsec can play a vital role in routing architecture • Routing protocols such as OSPF run on top of IPSec • Benefits provided by IPSec for routing application • Router advertisement is valid • Neighbor advertisement is avlid • Verify redirect message come from the same router the initial packet was sent from • Validate routing update messages

  19. IPSec Services • Access control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • a form of partial sequence integrity • Confidentiality (encryption) • Limited traffic flow confidentiality • Table 6.1 summarizes the services provided by AH and ESP

  20. Security Associations • a one-way relationship between sender & receiver that affords security for traffic flow • For two-way it requires two separate SAs • Uniquely defined by 3 parameters: • Security Parameters Index (SPI) this is carried in AH and ESP headers • IP Destination Address • Security Protocol Identifier • has a number of other parameters • Sequence number, AH & EH info, lifetime etc • have a database of Security Associations

  21. SA Parameters • Sequence number counter • Sequence counter overflow flag • Anti-replay window • AH info: authentication algorithm, keys, key lifetimes • ESP info: encryption and authentication algorithm, keys, key lifetimes • Lifetime of this Security Association (SA) • IPSec protocol mode: tunnel or transport • Path MTU maximum transmission unit

  22. SA Selectors • IPSec offers flexibility in selecting and applying SAs to IP traffic • Security Policy database (SPD) • SPD entries define a subset of the IP traffic and the SA that should be applied to this traffic

  23. Authentication Header (AH) • provides support for data integrity & authentication of IP packets • end system/router can authenticate user/app • prevents address spoofing attacks by tracking sequence numbers • based on use of a MAC • HMAC-MD5-96 or HMAC-SHA-1-96 • parties must share a secret key

  24. IPSec Services • Access Control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • Confidentiality (encryption) • Limited traffic flow confidentiallity

  25. Before applying AH

  26. Transport Mode (AH Authentication)

  27. Tunnel Mode (AH Authentication)

  28. Authentication Header • Provides support for data integrity and authentication (MAC code) of IP packets. • Guards against replay attacks.

  29. End-to-end versus End-to-Intermediate Authentication

  30. Encapsulating Security Payload • ESP provides confidentiality services

  31. Encryption and Authentication Algorithms • Encryption: • Three-key triple DES • RC5 • IDEA • Three-key triple IDEA • CAST • Blowfish • Authentication: • HMAC-MD5-96 • HMAC-SHA-1-96

  32. ESP Encryption and Authentication

  33. ESP Encryption and Authentication

  34. Combinations of Security Associations

  35. Combinations of Security Associations

  36. Combinations of Security Associations

  37. Combinations of Security Associations

  38. Key Management • Two types: • Manual • Automated • Oakley Key Determination Protocol • Internet Security Association and Key Management Protocol (ISAKMP)

  39. Oakley • Three authentication methods: • Digital signatures • Public-key encryption • Symmetric-key encryption

  40. ISAKMP

  41. Recommended Reading • Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentic Hall, 1995 • Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994

More Related