Presentation Transcript
Introduction to network security

Chapter 16 - Stallings

Crypto – chapter 16 - noack

IP security overview
  • IPSec provides security at the IP layer
    • Varieties
      • AH – Authentication header
        • Transport mode - AH fits after IP header and covers TCP
        • Tunnel mode – New IP header – AH covers original IP and TCP
      • ESP – Encapsulating security payload
        • Transport mode – ESP authenticates and encrypts TCP
        • Tunnel mode – New IP header – ESP authenticates and encrypts original IP and TCP
      • Modes
        • Transport – end-to-end services – not processed by routers
        • Tunnel – intermediate services – processed by routers and firewalls


Components
  • SA – Security association
    • Carried inside AH and ESP
    • Contents
      • Security parameters index – identifier and specification
      • IP destination address – can be real user or firewall/router
      • Security protocol identifier – is this AH or ESP
  • AH – Authentication header
    • Standard header components
    • Security parameters index (from SA)
    • Sequence number
    • Authentication data
  • ESP – Encapsulating security payload
    • Essentially like AH


ESP capabilities
  • Encryption algorithms
    • Triple DES
    • RC5
    • IDEA
    • Three-key triple IDEA
    • CAST
    • Blowfish
  • Authentication algorithms
    • 96-bit MAC
    • Must support HMAC-MD5-96 and HMAC-SHA-1-96
  • Padding
    • As needed to support block structure and conceal actual payload length
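The padding rule on this slide, worked through as an added example (not code from the slides or from Stallings): the ESP trailer is padding, a one-byte pad length and a one-byte next-header field, and the whole payload-plus-trailer must fill the cipher's block size; extra whole blocks of padding hide the true payload length. The 8-byte block (triple DES) and next-header value 6 (TCP) are assumptions for the demo.

```python
NEXT_HEADER_TCP = 6  # IP protocol number for TCP (assumed for the demo)


def esp_pad(payload: bytes, next_header: int = NEXT_HEADER_TCP,
            block_size: int = 8, extra_blocks: int = 0) -> bytes:
    """Append the ESP trailer: padding || pad length || next header.

    pad length is chosen so the result is a multiple of block_size; each
    extra block of padding conceals the real payload length from an observer
    who only sees ciphertext sizes.  Padding bytes are 1, 2, 3, ... which
    lets the receiver check that nothing was tampered with below the MAC.
    """
    pad_len = (-(len(payload) + 2)) % block_size + extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("pad length must fit in one byte")
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def esp_unpad(data: bytes, block_size: int = 8) -> tuple[bytes, int]:
    """Strip the trailer, validating alignment and the padding pattern.

    Returns (payload, next_header).  Any inconsistency raises ValueError
    rather than silently returning garbage.
    """
    if len(data) < 2 or len(data) % block_size:
        raise ValueError("ESP data is not block aligned")
    pad_len, next_header = data[-2], data[-1]
    if pad_len + 2 > len(data):
        raise ValueError("pad length exceeds data length")
    padding = data[-2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not follow the 1,2,3,... pattern")
    return data[:-2 - pad_len], next_header
```

Padding only hides length within the granularity of block_size; a 5-byte and a 6-byte payload both become one 8-byte block, but a 7-byte one needs two unless extra_blocks is used to level them.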


Transport and tunneling
  • Transport
    • Authenticates/protects TCP layer
    • This means packets and IP headers are seen
    • IP headers and addresses are not protected
  • Tunneling
    • This allows IP tunnels – for example between parts of an organization
    • Allows VPNs
  • Multiple layers are possible (iterated tunneling)
    • Individual SA applies to only one layer (AH or ESP)


Key distribution
  • Oakley key distribution protocol
    • Based on Diffie-Hellman
    • Non-specific – does not specify formats, just exchanges
    • Diffie-Hellman weaknesses
      • No identity information
      • Subject to person-in-the-middle attack
      • Computationally intensive – vulnerable to clogging attack
    • Oakley improvements
      • Uses cookies to thwart clogging
      • Allows group negotiation
      • Uses nonces to prevent replays
      • Keeps Diffie-Hellman, but authenticates the exchange


Oakley details
  • Groups
    • Actually five methods
      • Modular exponentiation with lengths 768, 1024, 1536
      • Elliptic curve group over 155 or 185-bit fields with generator specified
  • Nonce usage
    • Used to prevent replay attacks
  • Authentication methods
    • Digital signatures
    • Public key encryption
    • Symmetric-key encryption – requires out-of-band key distribution


More Oakley Details
  • Recommended cookie
    • MD5 hash over the source and destination IP addresses, the source and destination UDP ports, and a locally generated secret
    • Reasoning
      • Fast, specific, contains local secret
  • Groups (confusing term)
    • Modular exponentiation (768,1024,1536)
    • Elliptic curve (155,185)
  • Authentication methods
    • Digital signatures
    • Public-key encryption
    • Symmetric-key encryption
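The recommended cookie from the slide above, as an added example (not code from the slides or from Stallings): the responder hashes the addresses, UDP ports and a local secret, and can later verify a returned cookie without keeping any per-initiator state, which is what defeats clogging. The 8-byte truncation (the ISAKMP cookie size), the RFC 5737 documentation addresses and UDP port 500 are assumptions for the demo.

```python
import hashlib
import hmac
import ipaddress
import os
import struct


def oakley_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                  local_secret: bytes) -> bytes:
    """Anti-clogging cookie as the slide describes: MD5 over source IP and
    port, destination IP and port, and a locally generated secret, truncated
    to the 8-byte ISAKMP cookie field (assumed size)."""
    material = (ipaddress.ip_address(src_ip).packed
                + struct.pack("!H", src_port)
                + ipaddress.ip_address(dst_ip).packed
                + struct.pack("!H", dst_port)
                + local_secret)
    return hashlib.md5(material).digest()[:8]


def cookie_is_valid(cookie: bytes, src_ip: str, src_port: int, dst_ip: str,
                    dst_port: int, local_secret: bytes) -> bool:
    """Stateless check: recompute from the packet's own addresses and ports
    plus the secret, then compare in constant time.  A flood of first
    messages costs the responder one hash each and no stored state."""
    expected = oakley_cookie(src_ip, src_port, dst_ip, dst_port, local_secret)
    return hmac.compare_digest(cookie, expected)


def clogging_demo() -> tuple[bool, bool]:
    """Constructed scenario: a genuine initiator echoes the cookie it was
    sent and passes; a message carrying a spoofed source address fails,
    because the cookie is bound to the address the responder replied to."""
    secret = os.urandom(16)            # responder's locally generated secret
    responder = ("192.0.2.1", 500)     # constructed addresses, UDP/500
    initiator = ("198.51.100.7", 500)
    issued = oakley_cookie(initiator[0], initiator[1],
                           responder[0], responder[1], secret)
    genuine_ok = cookie_is_valid(issued, initiator[0], initiator[1],
                                 responder[0], responder[1], secret)
    spoofed_ok = cookie_is_valid(issued, "203.0.113.9", 500,
                                 responder[0], responder[1], secret)
    return genuine_ok, spoofed_ok
```

The slide's MD5 construction is reproduced as stated; a keyed MAC over the same fields would be the modern choice for the same job.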


ISAKMP
  • ISAKMP = Internet Security Association and Key Management Protocol
    • Manages security associations in general
  • Format
    • Header with cookies and next payload pointer
    • Subsequent payloads with next payload pointer
  • Payload types
    • Security association
    • Proposal
    • Transform
    • Key exchange
    • Identification
    • Certificate
    • Hash
    • Signature
    • Nonce
    • Notification
    • Delete SAs


ISAKMP exchange types
  • Exchange types
    • Base
      • 4 messages, establishes SA
    • Identity protection
      • Includes identity verification, 6 messages
    • Authentication only
      • Authentication – agrees on basic SA, 3 messages
    • Aggressive
      • 3 messages – no identity protection
    • Informational
      • 1 message – just SA management
