CryptographySecurity - PowerPoint PPT Presentation

About This Presentation

Title: CryptographySecurity

Description: Chapter 16 IP Security ... S/MIME, PGP, Kerberos, SSL/HTTPS ... For both IPv4 and IPv6, the entire packet (except some mutable fields) is authenticated. (PowerPoint PPT presentation)

Slides: 29

Provided by: DrLawri1
Transcript and Presenter's Notes
1
Chapter 16 IP Security
  • If a secret piece of news is divulged by a spy
    before the time is ripe, he must be put to death,
    together with the man to whom the secret was
    told.
  • The Art of War, Sun Tzu

2
IP Security
  • We have considered some application-specific
    security mechanisms
  • e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
  • However, there are security concerns that cut
    across protocol layers
  • We would like security implemented by the network
    for all applications
  • Construct a VPN (virtual private network)

3
TCP/IP protocol
  • Layers of TCP/IP protocol
  • IP packet

4
Data in TCP/IP
  (Diagram: application data "abcdefghi" is split into
  segments "abc", "def", "ghi"; each segment is wrapped
  by a TCP header and then an IP header.)
5
Network level protocol
  (Diagram: the same application data "abcdefghi", split
  into "abc", "def", "ghi", wrapped by TCP and IP; an
  IPSec layer is inserted at the IP level.)
6
IP-level security (IPSec)
  • Encrypt and authenticate all traffic at the IP
    level.
  • It is transparent to application programs
  • Three security functions
      • Authentication
      • Confidentiality
      • Key management
  • Applications
      • Secure branch office connectivity over the
        Internet
      • Secure remote access over the Internet
      • Enhancing electronic commerce security
      • ...

7
IPSec (cont.)
  • In the LAN, data is still in plaintext
  • In the WAN (Internet), data is encrypted
  • An IPSec gateway is installed between the LAN and
    the WAN

8
(No Transcript)
9
Benefits of IPSec
  • IPSec is implemented in a firewall/router so that
    all traffic is controlled by the gateway
  • IPSec is transparent to applications and users
  • Since data is not encrypted within the LAN, IPSec
    does not incur any encryption load inside the LAN
  • Note: a wireless LAN undermines this model, since
    LAN traffic is no longer confined to the wire
  • Demo: Wireless Security movie

10
IPSec overview
  • SA (security association): specifies the security
    parameters for traffic from the sender to the
    receiver (one-way). An SA is identified by:
      • SPI: security parameters index
      • Destination IP address: the receiver's IP
        address, which is the address of a
        user/firewall/router/gateway
      • Security protocol identifier:
          • AH (authentication header): authentication
            service only
          • ESP (encapsulating security payload):
            encryption service
          • ESP with authentication: as ESP, but with
            authentication ability as well

11
IPSec overview (cont.)
  • Both AH and ESP have two modes
      • Transport
      • Tunnel
  • Transport mode
      • Protection for the data payload of an IP packet
        only
      • End-to-end protection between two hosts
        (client/server)
  • Tunnel mode
      • Protection for the entire IP packet (including
        the IP addresses)
      • firewall/secure router → firewall/secure router

12
IPv4 and IPv6 (Recall Computer network)
  • IPv6 is an enhancement of IPv4 such that
      • IPv6 provides security headers
      • IPv6 uses 128-bit IP addresses, while IPv4 uses
        32-bit IP addresses
  • News: People's Republic of China
  • Network bandwidth: 10 Gbps → 40 Gbps

13
Authentication header (AH)
  • Format of AH
      • Next header (8 bits)
      • Payload length (8 bits)
      • Security parameters index (32 bits)
      • Sequence number (32 bits)
      • Authentication data: contains the integrity
        check value of this IP packet

14
(No Transcript)
15
AH (cont.)
  • Next header: the type of the header that follows AH
  • Payload length: the length of AH in 32-bit words,
    minus 2. E.g. if the authentication data is 96 bits,
    then Payload length is 4.
  • SPI: identifies a security association
  • Sequence number: a monotonically increasing counter
    used for anti-replay protection.
  • Authentication data: contains the integrity check
    value (ICV), i.e. a MAC
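As an added example that is not part of the slides, the following code builds and verifies an AH header with the field layout of slide 13 and the payload-length rule of slide 15. It assumes the ICV is HMAC-SHA1-96 (the 96-bit authentication-data case the slide uses), treats the IPv4 TOS, flags/fragment offset, TTL and checksum as the mutable fields excluded from the ICV, and uses a constructed key and addresses.

```python
import hashlib, hmac, struct

# Added example, not from the slides. Assumption: ICV = HMAC-SHA1-96 (first 96 bits of
# HMAC-SHA1), the 96-bit Authentication Data case the slides use. Key/addresses are constructed.
ICV_BYTES = 12       # 96 bits
AH_FIXED_BYTES = 12  # next header(1) + payload length(1) + reserved(2) + SPI(4) + sequence(4)

def ah_payload_length(icv_bytes):
    """Slide rule: AH length in 32-bit words minus 2 (96-bit ICV: 24 bytes -> 6 words -> 4)."""
    return (AH_FIXED_BYTES + icv_bytes) // 4 - 2

def zero_mutable_ipv4(ip_hdr):
    """Zero the IPv4 fields that change in transit so the ICV does not cover them."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def compute_icv(key, ip_hdr, ah_fixed, icv_len, payload):
    # The Authentication Data field is treated as zero while the ICV is computed.
    covered = zero_mutable_ipv4(ip_hdr) + ah_fixed + bytes(icv_len) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:icv_len]

def build_ah(key, ip_hdr, next_header, spi, seq, payload):
    fixed = struct.pack("!BBHII", next_header, ah_payload_length(ICV_BYTES), 0, spi, seq)
    return fixed + compute_icv(key, ip_hdr, fixed, ICV_BYTES, payload)

def parse_ah(ah):
    next_header, plen, _, spi, seq = struct.unpack("!BBHII", ah[:AH_FIXED_BYTES])
    icv_len = (plen + 2) * 4 - AH_FIXED_BYTES  # invert the payload-length rule
    return {"next_header": next_header, "payload_length": plen, "spi": spi, "seq": seq,
            "icv": ah[AH_FIXED_BYTES:AH_FIXED_BYTES + icv_len]}

def verify_ah(key, ip_hdr, ah, payload):
    f = parse_ah(ah)
    expected = compute_icv(key, ip_hdr, ah[:AH_FIXED_BYTES], len(f["icv"]), payload)
    return hmac.compare_digest(expected, f["icv"])

# Constructed sample: IPv4 header with protocol 51 (AH); payload is the slides' "abcdefghi".
KEY, PAYLOAD = b"constructed-demo-key", b"abcdefghi"
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 24 + len(PAYLOAD), 0x1234, 0x4000,
                     64, 51, 0xBEEF, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
AH = build_ah(KEY, IP_HDR, 6, 0x1000, 1, PAYLOAD)  # next header 6 = TCP

def ttl_decrement_still_verifies():
    """A router decrementing TTL (a mutable field) must not break AH verification."""
    h = bytearray(IP_HDR); h[8] -= 1
    return verify_ah(KEY, bytes(h), AH, PAYLOAD)
```

Changing an immutable field such as the destination address, or any payload byte, makes `verify_ah` return False, while the TTL decrement a router performs in transit does not.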

16
AH Transport mode processing
  • The original IP header is not changed, so the
    packet is delivered to the destination chosen by
    the sender
  • The AH header is added to the IP packet so that
    the receiver can perform authentication checking
  • For both IPv4 and IPv6, the entire packet (except
    some mutable fields) is authenticated.
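The receiver's check also covers the AH sequence number from slide 15. As an added example (not from the slides), the following code implements the receiver-side anti-replay check; it assumes the conventional 64-packet sliding window over received sequence numbers and a sender counter that starts at 1.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check on the AH sequence number.
    Added example, not from the slides. Assumes a 64-packet sliding window of seen
    sequence numbers; the sender's counter starts at 1 and never repeats within an SA.
    """
    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # largest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window; False to drop it."""
        if seq == 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.highest:                # new high: slide the window right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old: fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but new: accept and mark
        return True

def replay_demo():
    """Constructed arrival order: in-order, out-of-order (accepted), replayed and stale (dropped)."""
    w = AntiReplayWindow()
    arrivals = [1, 2, 3, 5, 4, 3, 200, 150, 136]
    return [w.check_and_update(s) for s in arrivals]
```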

17
(No Transcript)
18
AH Tunnel mode processing
  • The entire original IP packet is treated as data
    payload in this mode
  • A new destination IP (firewall/secure router) is
    used.
  • Therefore, the entire IP packet is authenticated

19
(No Transcript)
20
(No Transcript)
21
ESP transport mode processing
(Diagram only; label: ESP Trailer)
22
ESP tunnel mode processing
23
ESP transport mode vs. tunnel mode
24
Security Associations: 4 combinations
(Diagram only)
25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
IPSec key management
  • Manual
  • Automatic
      • Oakley: a key exchange protocol based on the
        Diffie-Hellman key exchange algorithm, but with
        added security
      • ISAKMP (Internet Security Association and Key
        Management Protocol): provides the specific
        protocol support, including message formats,
        for negotiating security attributes, e.g. the
        X.509 certificate service