or IP layer). The idea of encrypting and sealing the transport- and application-layer data during transmission, while also offering integrity protection, is called IP Security.
IPSec encompasses three functional areas: authentication, confidentiality and key management.
[Figure: TCP/IP stack (Application Layer, Transport Layer, Internet Layer, Data Link Layer, Physical Layer), labelled "Second Level of Security" at the Application Layer; IPSec is designed to provide security at the network layer]
Applications of IPSec
- Secure remote Internet access
- Secure branch office connectivity
- Setup of communication with other organizations
- Enhancing electronic commerce security
Advantages of IPSec
- IPSec is transparent to the end user
- IPSec provides security for individual users
- IPSec works at the network layer, hence no changes are needed to the upper layers
- When IPSec is implemented in a firewall, all the outgoing and incoming traffic gets protected
- IPSec allows traveling staff to have access to the corporate network
- IPSec allows interconnectivity between branches/offices in a very inexpensive manner
[Figure: "Secure IP Payload": an IP packet (IP Header, IP Payload) shown before and after IPSec protection of the payload]
IPSec Protocols
Authentication Header (AH): provides authentication and integrity of IP packets. The IPSec AH is a header in an IP packet which contains a cryptographic checksum for the contents of the packet. The AH is inserted between the IP header and any subsequent packet contents.
[Figure: AH placed after the IP header; AH fields shown with widths 8 bits, 8 bits and 16 bits (Reserved)]
Encapsulating Security Payload (ESP) Provides data confidentiality. The ESP protocol also defines a new header to be inserted into the IP packet. ESP processing also includes the transformation of the protected data into an unreadable, encrypted format.
[Figure: ESP packet format: ESP header (32-bit fields), payload, ESP trailer (Padding, Pad length) and Authentication data]
- Sequence number: a monotonically increasing number, used to prevent replay attacks.
- Security parameters index (SPI): identifies the security parameters, in combination with the IP address.
- Payload data: the data to be transferred.
- Authentication data: contains the data used to authenticate the packet.
- Padding: used with some block ciphers to pad the data to the full length of a block.
Modes of operation
[Figure: Tunnel Mode (a tunnel between the proxies of Network1 and Network2) contrasted with Transport mode (end-to-end between hosts P1 and P2)]
In the tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, adds the IPSec header and trailer and encrypts the whole thing. It then adds a new IP header to this encrypted datagram.
[Figure: tunnel mode packet: New IPH | IPSec H | IPSec payload (the original IP packet, transport layer included) | IPSec T; everything after the new IP header forms the new IP payload]
In contrast, the transport mode does not hide the actual source and destination addresses. They are visible in plain text while in transit. In the transport mode, IPSec takes the transport-layer payload, adds the IPSec header and trailer, encrypts the whole thing and then adds the IP header. Thus the IP header is not encrypted.
[Figure: transport mode packet: IPH (the original IP header, unencrypted) followed by the new IP payload containing the protected transport-layer data]
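The two encapsulations and the ESP fields described above, as an added example that is not part of the original slides: it builds ESP packets in transport and tunnel mode with NULL encryption (RFC 2410) so the layout stays visible, uses HMAC-SHA256 for the authentication data, and checks the ICV and the sequence number on receipt. The key, SPI, addresses and the minimal IPv4 header (no checksum) are constructed values.

```python
import hmac, hashlib, struct

BLOCK = 4          # with NULL encryption the ESP trailer must end on a 4-byte boundary
ICV_LEN = 16       # truncated HMAC-SHA256 authentication data (128-bit ICV)
IP_PROTO_ESP, IP_PROTO_IPIP, IP_PROTO_TCP = 50, 4, 6

def ip_header(src, dst, proto, payload_len):
    """Constructed minimal 20-byte IPv4 header, enough to show the encapsulation."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_encapsulate(key, spi, seq, inner, next_header):
    """ESP header (SPI, sequence number) | payload | padding, pad length, next header | ICV."""
    pad_len = (-(len(inner) + 2)) % BLOCK
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + body + icv

def transport_mode(key, spi, seq, src, dst, tcp_segment):
    """Only the transport-layer segment is protected; the host's IP header stays outside."""
    esp = esp_encapsulate(key, spi, seq, tcp_segment, IP_PROTO_TCP)
    return ip_header(src, dst, IP_PROTO_ESP, len(esp)) + esp

def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_packet):
    """The whole original IP packet becomes the payload; a new gateway-to-gateway header is added."""
    esp = esp_encapsulate(key, spi, seq, inner_packet, IP_PROTO_IPIP)
    return ip_header(gw_src, gw_dst, IP_PROTO_ESP, len(esp)) + esp

def esp_decapsulate(key, packet, last_seq):
    """Verify the ICV and reject replays; return (seq, inner bytes, next header)."""
    esp = packet[20:]
    hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", hdr)
    if seq <= last_seq:
        raise ValueError("replayed or out-of-order sequence number")
    pad_len, next_header = body[-2], body[-1]
    return seq, body[:len(body) - 2 - pad_len], next_header
```

In the tunnel-mode packet the outer header carries only the gateway addresses, which is why the inner host addresses are hidden; in transport mode the original header, addresses included, is sent in clear.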
A Virtual Private Network (VPN) is a private network connection that occurs through a public network. VPNs can be used to connect LANs together across the Internet or other public networks.
[Figure: VPN tunnel between Network 1 and Network 2 across the public network]
Secure VPN protocols include the following:
- PPTP, the Point to Point Tunneling Protocol: used on Windows NT, mainly supports VPN connectivity between a single user and a LAN
- L2TP, the Layer 2 Tunneling Protocol: works for both combinations, user-to-LAN and LAN-to-LAN, including IPSec functionality as well
- IPSec can be used in isolation.
[Figure: email flow: Email Sender -> Sender's SMTP server -> Internet -> Receiver's SMTP server -> Email Receiver (pull)]
Security Protocols
1. Privacy Enhanced Mail (PEM)
PEM is an email security standard adopted by the Internet Architecture Board (IAB) to provide secure electronic mail communication over the Internet. PEM supports the three main cryptographic functions of encryption, non-repudiation, and message integrity.
PEM Operation
1. Canonical Conversion
2. Digital Signature
3. Encryption
4. Base-64 Encoding
PEM starts with a canonical conversion, followed by digital signature, then by encryption and finally Base-64 encoding. PEM allows for three security options when sending an email message:
1. Signature only (Steps 1 and 2)
2. Signature and Base-64 encoding (Steps 1, 2 and 4)
PGP Operation
1. Digital Signature
2. Compression
3. Encryption
4. Enveloping
5. Base-64 Encoding
PGP starts with a digital signature, followed by compression, then by encryption, then by digital enveloping and finally Base-64 encoding. PGP allows for four security options when sending an email message:
1. Signature only (Steps 1 and 2)
2. Signature and Base-64 encoding (Steps 1, 2 and 5)
3. Signature, Encryption and Base-64 encoding (Steps 1 and 5)