Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.



A short introduction in IPSec

alex m

on 16 September 2010

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of IPSec

IPsec "IPsec provides the functionality to secure communications across a LAN, across private and public WANs, and across the Internet."

By using IPsec it is possible to secure all distributed applications like Remote logon, client/server, e-mail, file transfer, Web access and lots more Pros:
Strong security that can be applied to all traffic crossing the perimeter. Transparent to applications.No need to change software on a user or server system Cons:
Hard to implement
Often not available at destination
Compatible algorithms Key management
No explicit session setup/teardown
Lose packets till key set, keep connection after done Pros & Cons Modes of Operation encapsulates an entire IP packet
ensure that no part of the original packet is changed as it is moved through a network
Entire original packet travels through a tunnel from one point of an IP network to another Defined by machine or administrator

Security Association (SA) (linked to SA-Database)
Rules that define what to do with each incoming packet Security Policy Database 2. Packet Filtering Traffic Selector
IP Adress
by range or specific Action
Bypass IPsec
Apply IP-sec with a specific Security Association (SA)
Apply IP-sec by running IKE and setting up new SA (with given cryptographic algorithms) Implementation Native:
As part of IP implementation in Operating System E.g. in Windows 2000, XP

BITS (Bump In The Stack)
intercept IP traffic to/from network driver Implementations on host
without changing OS E.g. Checkpoint’s firewall implementation

BITW (Bump In The Wire)
intercept IP traffic by tunneling via security gateway
Single gateway can protect multiple hosts. Only `tunnel mode` of IP-Sec Sources IPsec was a great disappointment to us. Given the quality of the people that worked on it and the time that was spent on it, we expected a much better result. (Bruce Schneier) Authentication-only function Authentication Header Encapsulating Security Payload combined authentication/ encryption function Key Management Each SA is uniquely identified by three parameters:
Security Parameters Index (SPI) (session id)
IP destination address (no multicast)
Security protocol identifier (AH or ESP) 3. Security Associations (SA) Connectionless integrity and data origin authentication

Optional feature: Protect against replay attack
sliding window technique
discarding old packets.

Uses the following elements to guarantee data integrity
Payload length
Security Parameter Index
Sequence number
Integrity Check Value (ICV) or Message Authentication Code (MAC) Uses algorithm HMAC
HMAC takes input of message and a secret key
produces a MAC as output
calculation takes place over entire enclosed TCP segment + the authentication header

When this IP packet is received at the destination, the same calculation is performed using the same key
If the calculated MAC equals the value of the received MAC, then the packet is assumed to be authentic. Message Authentication Code Backup 1. General end to end
Change protocol field to AH (51) or ESP (50)
encapsulation by source host, decapsulation by destination host (receiver) 1 Transport Mode 2 Tunnel Mode Encrypt Payload Data, Padding, Pad Length, and Next Header fields
Optional feature: authentication services (like AH)

Algorithms used for encryption: Security Prameters Index (32bits): Identifies a security association Sequence Number (32 bits): A monotonically increasing counter value.
Payload Data (variable): A transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
Padding (0–255 bytes): Extra bytes that may be required if the encryption algorithm requires the plaintext to be a multiple of some number of octets
Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field
Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload (for example, an upper-layer protocol such as TCP)
Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the integrity check value computed over the ESP packet minus the Authentication Data field ESP Header What is 17. June 2009
Alexander Meirowski
Data Communications

http://prezi.com/101474 Introduction Three-key Triple
International Data Encryption Algorithm (IDEA)
Three-key Triple IDEACAST
Blowfish Overview Collection of techniques and protocols
Collection of RFCs (architecture, services, specific protocols)

2401 Security Architecture for the Internet Protocol
2402 IP Authentication Header2403 The Use of HMAC-MD5-96 within ESP and AH
2404 The Use of HMAC-SHA-1-96 within ESP and AH
2406 IP Encapsulating Security Payload (ESP)
2408 Internet Security Association and Key Management Protocol (ISAKMP)
2409 The Internet Key Exchange (IKE)
2412 The OAKLEY Key Determination Protocol Message Handling 1 Introduction 2 Message Handling 3 Modes of Operation 4 Security Policy Database 5 Key Management Index That's IPSec Thanks for listening!
Any questions?

http://prezi.com/101474 [1] S. Kent (BBN Corp) and R. Atkinson (@Home Network). "RFC 2402 IP Authentication Header". Internet Engineering Task Force (IETF).

[2] http://en.wikipedia.org/wiki/IPsec

[3] RFC 4835

[4] Business Data Communications, William Stallings Resources [1] [2] [2] [3] "IPsec was a great disappointment to us. Given the quality of the people that worked on it and the time that was spent on it, we expected a much better result." (Bruce Schneier) Configures each system with its own keys
+ keys of communicating systems

For small, relatively static environments. Internet Key Exchange Creates key-pair (public, private)
Prepares unsigned certificate (user ID, user's public key)
Sends the unsigned certificate to a CA in a secure manner Creates a signature (calculating hash of unsigned certificate)
Encrypting the hash with owns private key -> signature
Attaches the signature to the unsigned certificate
Returns (now) signed certificate to client May send its signed certificate to any other user
User may verify certificate
Decrypting the signature using the CA's public key
Comparing the hash code to the decrypted signature. On-demand key creation for SAs
For large distributed system (evolving configuration)
Automated system is the most flexible
More effort to configure
Automated Default automated key management
Actual version: v2

Internet Key Exchange (IKE)
authenticating IPsec peers
negotiating security services
generating shared keys

ISAKMP (Key Management)
Oakley (Key Distribution) Manual: Step 1 (Client) Step 2 (CA) Step 3 (Client -> Other User) Certificates ISAKMP [4] Framework for Internet key management
Not dictating key exchange algorithm
variety of key exchange algorithms message SPD Drop message SA exists IKE creating new SA IKE SAD use SA for transmitting Not sent sent with IPsec sent w/o IPsec bypass message Connection establishment
Full transcript