Introduction to network security - PowerPoint PPT Presentation
Presentation Transcript

  1. Introduction to network security
     Chapter 16 - Stallings
     Crypto – chapter 16 - noack

  2. IP security overview
     • IPSec provides security at the IP layer
     • Varieties
       • AH – Authentication header
         • Transport mode – AH fits after IP header and covers TCP
         • Tunnel mode – new IP header – AH covers original IP and TCP
       • ESP – Encapsulating security payload
         • Transport mode – ESP authenticates and encrypts TCP
         • Tunnel mode – new IP header – ESP authenticates and encrypts original IP and TCP
     • Modes
       • Transport – end-to-end services – not processed by routers
       • Tunnel – intermediate services – processed by routers and firewalls

  3. Components
     • SA – Security association
       • Carried inside AH and ESP
       • Contents
         • Security parameters index – identifier and specification
         • IP destination address – can be real user or firewall/router
         • Security protocol identifier – is this AH or ESP
     • AH – Authentication header
       • Standard header components
         • Security parameters index (from SA)
         • Sequence number
         • Authentication data
     • ESP – Encapsulating security payload
       • Essentially like AH

  4. ESP capabilities
     • Encryption algorithms
       • Triple DES
       • RC5
       • IDEA
       • Three-key triple IDEA
       • CAST
       • Blowfish
     • Authentication algorithms
       • 96-bit MAC
       • Must support HMAC-MD5-96 and HMAC-SHA-1-96
     • Padding
       • As needed to support block structure and conceal actual payload length

  5. Transport and tunneling
     • Transport
       • Authenticates/protects the TCP layer
       • This means the IP headers of packets remain visible in transit
       • IP headers and addresses are not protected
     • Tunneling
       • This allows IP tunnels – for example between parts of an organization
       • Allows VPNs
       • Multiple layers are possible (iterated tunneling)
       • An individual SA applies to only one layer (AH or ESP)

  6. Key distribution
     • Oakley key distribution protocol
       • Based on Diffie-Hellman
       • Non-specific – does not specify formats, just exchanges
     • Diffie-Hellman weaknesses
       • No identity information
       • Subject to person-in-the-middle attack
       • Computationally intensive – vulnerable to clogging attack
     • Oakley improvements
       • Uses cookies to thwart clogging
       • Allows group negotiation
       • Uses nonces to prevent replays
       • Keeps Diffie-Hellman, but authenticates the exchange

  7. Oakley details
     • Groups
       • Actually five methods
         • Modular exponentiation with lengths 768, 1024, 1536
         • Elliptic curve group over 155- or 185-bit fields with generator specified
     • Nonce usage
       • Used to prevent replay attacks
     • Authentication methods
       • Digital signatures
       • Public key encryption
       • Symmetric-key encryption – requires out-of-band key distribution

  8. More Oakley details
     • Recommended cookie
       • MD5 hash of the source and destination IP addresses, the UDP source and destination ports, and a locally generated secret
     • Reasoning
       • Fast, specific, contains local secret
     • Groups (confusing term)
       • Modular exponentiation (768, 1024, 1536)
       • Elliptic curve (155, 185)
     • Authentication methods
       • Digital signatures
       • Public-key encryption
       • Symmetric-key encryption
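The cookie recipe on this slide, worked through as an added example (not code from the slides or from Stallings): the responder hashes the peer's and its own address and UDP port together with a local secret, hands the result back, and keeps no state; when the initiator echoes it, the responder simply recomputes and compares, so a flood of opening messages from forged source addresses costs it one hash each and no memory. MD5 is used because the slide specifies it; the addresses, ports and secret below are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

COOKIE_LEN = 8  # ISAKMP cookies are 64 bits
# Constructed demo value; a real responder generates this randomly at start-up
# and rotates it periodically.
LOCAL_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def make_cookie(src_ip, src_port, dst_ip, dst_port, secret=LOCAL_SECRET):
    """Anti-clogging cookie as recommended for Oakley: MD5 over the source and
    destination IP addresses, the UDP source and destination ports and a
    locally generated secret, truncated to the 64-bit ISAKMP cookie size."""
    material = (
        ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
        + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
        + secret
    )
    return hashlib.md5(material).digest()[:COOKIE_LEN]


def cookie_is_valid(cookie, src_ip, src_port, dst_ip, dst_port, secret=LOCAL_SECRET):
    """Responder-side check of an echoed cookie. Nothing was stored when the
    cookie was issued: the responder recomputes it from the addresses and ports
    the follow-up message actually arrived with, so a cookie issued to one
    (address, port) pair cannot be replayed from another."""
    expected = make_cookie(src_ip, src_port, dst_ip, dst_port, secret)
    return hmac.compare_digest(cookie, expected)


def responder_continues(opening, follow_up, dst_ip="198.51.100.1", dst_port=500):
    """Stand-in for the first two responder steps of an Oakley exchange.
    opening   = (src_ip, src_port) of the initiator's first message
    follow_up = (src_ip, src_port, echoed_cookie) of its second message
    The expensive Diffie-Hellman work is only started when this returns True."""
    issued = make_cookie(opening[0], opening[1], dst_ip, dst_port)  # sent, not stored
    src_ip, src_port, echoed = follow_up
    return cookie_is_valid(echoed, src_ip, src_port, dst_ip, dst_port) and echoed == issued


if __name__ == "__main__":
    c = make_cookie("203.0.113.7", 500, "198.51.100.1", 500)
    print("cookie:", c.hex())
    print("genuine initiator:", responder_continues(("203.0.113.7", 500), ("203.0.113.7", 500, c)))
    print("cookie from another source:", responder_continues(("203.0.113.7", 500), ("203.0.113.99", 500, c)))
```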

  9. ISAKMP
     • ISAKMP = Internet Security Association and Key Management Protocol
     • Manages security associations in general
     • Format
       • Header with cookies and next payload pointer
       • Subsequent payloads, each with a next payload pointer
     • Payload types
       • Security association
       • Proposal
       • Transform
       • Key exchange
       • Identification
       • Certificate
       • Hash
       • Signature
       • Nonce
       • Notification
       • Delete SAs

  10. ISAKMP exchange types
     • Exchange types
       • Base
         • 4 messages, establishes SA
       • Identity protection
         • Includes identity verification, 6 messages
       • Authentication only
         • Agrees on basic SA, 3 messages
       • Aggressive
         • 3 messages – no identity protection
       • Informational
         • 1 message – just SA management