
IP Security (IPSec) is a collection of protocols that provide security for a packet at the network level (also referred to as the Internet Protocol or IP layer). The idea of encrypting and sealing the transport and application layer data during transmission, while also offering integrity protection, is called IP Security.
[Figure: protocol stack (Application, Transport, Internet, Data Link and Physical layers) annotated with "First Level of Security" and "Second Level of Security"; IPSec sits at the Internet layer.]

IPSec encompasses three functional areas: authentication, confidentiality and key management. IPSec is designed to provide security at the network layer.

Applications of IPSec

- Secure remote Internet access
- Secure branch office connectivity
- Setting up communication with other organizations
- Enhancing electronic commerce security

Advantages of IPSec

- IPSec is transparent to the end user.
- IPSec provides security for individual users.
- IPSec works at the network layer, hence no changes are needed to the upper layers.
- When IPSec is implemented in a firewall, all outgoing and incoming traffic gets protected.
- IPSec allows travelling staff to have access to the corporate network.
- IPSec allows interconnectivity between branches/offices in a very inexpensive manner.

[Figure: a user system with IPSec or a networking device with IPSec takes a packet (IP header, IP payload), sends it across a public or private network as IP header + IPSec header + secure IP payload, and the far end restores it to IP header + IP payload.]

IPSec Protocols

- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

Authentication Header (AH)

AH provides authentication and integrity of IP packets. The IPSec AH is a header in an IP packet which contains a cryptographic checksum for the contents of the packet. The AH is inserted between the IP header and any subsequent packet contents. This prevents IP spoofing attacks.

Authentication Header (AH) format

[Figure: the AH is inserted between the IP header and the rest of the original packet. AH layout: Next header (8 bits), Payload length (8 bits), Reserved (16 bits), Security parameter index, Sequence number, Authentication data (variable length).]

- Next header: an 8-bit field that identifies the type of the next payload after the Authentication Header.
- Payload length: size of the AH.
- Reserved: reserved for future use (all zero until then).
- Security parameters index (SPI): identifies the security parameters which, in combination with the IP address, identify the security association implemented with this packet.
- Sequence number: a monotonically increasing number, used to prevent replay attacks.
- Authentication data: contains the integrity check value (ICV) necessary to authenticate the packet; it may contain padding.

Encapsulating Security Payload (ESP)

ESP provides data confidentiality. The ESP protocol also defines a new header to be inserted into the IP packet. ESP processing also includes the transformation of the protected data into an unreadable, encrypted format.

Encapsulating Security Payload (ESP) format

[Figure: ESP inserted after the IP header. ESP header (32-bit words): Security parameter index, Sequence number; then the rest of the payload; ESP trailer: Padding, Pad length; then Authentication data.]

- Security parameters index (SPI): identifies the security parameters in combination with the IP address.
- Sequence number: a monotonically increasing number, used to prevent replay attacks.
- Payload data: the data to be transferred.
- Padding: used with some block ciphers to pad the data to the full length of a block.
- Authentication data: contains the data used to authenticate the packet.

Modes of operation

- Tunnel mode
- Transport mode

[Figure: tunnel mode between Network1 and Network2, with proxies P1 and P2 at the network edges terminating the tunnel.]

In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, adds the IPSec header and trailer and encrypts the whole thing. It then adds a new IP header to this encrypted datagram.

[Figure: tunnel mode encapsulation. Transport layer payload; network layer: IP header + IP payload; then IPSec header + IPSec payload (the original packet) + IPSec trailer; then new IP header + new IP payload.]

In contrast, transport mode does not hide the actual source and destination addresses; they are visible in plain text while in transit. In transport mode, IPSec takes the transport layer payload, adds the IPSec header and trailer, encrypts the whole thing and then adds the IP header. Thus the IP header is not encrypted.

[Figure: transport mode encapsulation. Transport layer payload; IPSec header + IPSec payload + IPSec trailer; IP header + new IP payload.]

[Figure: layer view of the two modes. Transport mode: Application layer, Transport layer, IPSec layer, Network layer. Tunnel mode: Application layer, Transport layer, Network layer, IPSec layer, new Network layer.]
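The following added example (not part of the slides) ties the AH format and the modes of operation together: it builds and parses an AH in the RFC 4302 layout, tells tunnel mode from transport mode by the Next Header value, and implements the receiver's sliding anti-replay window that the Sequence Number field exists for. The 12-byte ICV and the SPI value are constructed placeholders, and ICV verification itself is not performed.

```python
import struct

AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number

def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Build an AH in the RFC 4302 layout; Payload Len is in 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def parse_ah(data: bytes) -> dict:
    """Parse the AH fields at the start of `data`; the ICV is returned raw."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    nh, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if len(data) < ah_len:
        raise ValueError("AH length exceeds buffer")
    # Next Header 4 (IPv4) or 41 (IPv6) means a whole inner IP packet follows:
    # tunnel mode. Any other value (e.g. 6 for TCP) means transport mode.
    mode = "tunnel" if nh in (4, 41) else "transport"
    return {"next_header": nh, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:ah_len], "mode": mode}

class ReplayWindow:
    """Sliding anti-replay window kept by an IPsec receiver (default 64 entries)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set means sequence number (top - i) was received

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False              # sequence number 0 is never valid
        if seq > self.top:            # slide the window up to the new high mark
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False              # too old, or a duplicate (replayed packet)
        self.bitmap |= 1 << diff
        return True
```

A receiver would look up the SPI, verify the ICV over the packet, and only then call `accept` on the parsed sequence number.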

A Virtual Private Network (VPN) is a private network connection that occurs through a public network. VPNs can be used to connect LANs together across the Internet or other public networks.

[Figure: a VPN tunnel across the Internet between Firewall 1 (Network 1) and Firewall 2 (Network 2).]

Secure VPN protocols include the following:

- PPTP (Point to Point Tunneling Protocol): used on Windows NT; mainly supports VPN connectivity between a single user and a LAN.
- L2TP (Layer 2 Tunneling Protocol): works for both combinations, user-to-LAN and LAN-to-LAN, and includes IPSec functionality as well.
- IPSec: can be used in isolation.

SMTP (Simple Mail Transfer Protocol)

SMTP is used for email communications. The email software at the sender's end gives the email message to the local SMTP server. The SMTP server's main job is to carry the email message between the sender and the receiver:

- At the sender's end, an SMTP server takes the message sent by a user's computer.
- The SMTP server at the sender's end transfers the message to the SMTP server of the receiver.
- The receiver's computer then pulls the email from the SMTP server at the receiver's end.

[Figure: email sender -> sender's SMTP server -> Internet -> receiver's SMTP server -> (pull) email receiver.]

Security Protocols

1. Privacy Enhanced Mail (PEM)

PEM is an email security standard adopted by the Internet Architecture Board (IAB) to provide secure electronic mail communication over the Internet. PEM supports the three main cryptographic functions of encryption, non-repudiation and message integrity.

PEM Operation

PEM starts with a canonical conversion, followed by a digital signature, then encryption and finally Base-64 encoding:

1. Canonical conversion
2. Digital signature
3. Encryption
4. Base-64 encoding

PEM allows for three security options when sending an email message:

1. Signature only (Steps 1 and 2)
2. Signature and Base-64 encoding (Steps 1, 2 and 4)
3. Signature, encryption and Base-64 encoding (Steps 1 to 4)

2. Pretty Good Privacy (PGP)

The most significant aspects of PGP are that it supports the basic requirements of cryptography, is quite simple to use and is completely free, including its source code and documentation. The mail cryptographic support offered by PGP covers encryption, non-repudiation and message integrity.

PGP Operation

PGP starts with a digital signature, followed by compression, then encryption, then digital enveloping and finally Base-64 encoding:

1. Digital signature
2. Compression
3. Encryption
4. Enveloping
5. Base-64 encoding

PGP allows for four security options when sending an email message:

1. Signature only (Steps 1 and 2)
2. Signature and Base-64 encoding (Steps 1, 2 and 5)
3. Signature, encryption and Base-64 encoding (Steps 1 to 5)
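The added example below (not from the slides, and not PGP's or PEM's actual code) models the PGP operation just described and the option sets built from it; PEM's sequence of sign, encrypt, Base-64 follows the same pattern with canonical conversion in place of compression. It assumes stand-ins so that it runs on the standard library alone: an HMAC in place of the public-key signature, a hash-based XOR keystream in place of the symmetric and public-key ciphers, and constructed keys.

```python
import base64, hashlib, hmac, zlib

# Constructed demo keys. Real PGP signs with the sender's private key and envelopes a
# fresh session key under the recipient's public key; HMAC and an XOR keystream stand in.
SIGN_KEY = b"sender-signing-key"
RECIPIENT_KEY = b"recipient-key"
SESSION_KEY = b"one-time-session"   # 16-byte one-time symmetric key

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def pgp_send(message: bytes, steps: set) -> bytes:
    """Apply PGP's steps in order: 1 sign, 2 compress, 3 encrypt, 4 envelope, 5 Base-64."""
    data = message
    if 1 in steps:  # signature is prepended and travels inside the later layers
        data = hmac.new(SIGN_KEY, data, hashlib.sha256).digest() + data
    if 2 in steps:  # compress before encrypting: ciphertext would not compress
        data = zlib.compress(data)
    if 3 in steps:  # encrypt under the one-time session key
        data = xor_cipher(SESSION_KEY, data)
    if 4 in steps:  # envelope: session key encrypted for the recipient, prepended
        data = xor_cipher(RECIPIENT_KEY, SESSION_KEY) + data
    if 5 in steps:  # Base-64 so the binary result survives text-only mail transport
        data = base64.b64encode(data)
    return data

def pgp_receive(blob: bytes, steps: set) -> bytes:
    """Undo the same steps in reverse order; raises ValueError on a bad signature."""
    data, session = blob, SESSION_KEY  # pre-shared key only if no envelope was used
    if 5 in steps:
        data = base64.b64decode(data)
    if 4 in steps:
        session, data = xor_cipher(RECIPIENT_KEY, data[:16]), data[16:]
    if 3 in steps:
        data = xor_cipher(session, data)
    if 2 in steps:
        data = zlib.decompress(data)
    if 1 in steps:
        tag, data = data[:32], data[32:]
        if not hmac.compare_digest(tag, hmac.new(SIGN_KEY, data, hashlib.sha256).digest()):
            raise ValueError("signature check failed")
    return data
```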
