CONTENT BEYOND SYLLABUS

Course Code : CB3491

Course Name : Cryptography and Cyber Security

Year /Semester : III/V

Department : CSE
Faculty Name : Mrs.T.Kavitha

Topics : IP Security

Regulations : 2021
Academic year : 2023-2024 ODD
 IP Security
• general IP Security mechanisms
• provides
– authentication
– confidentiality
– key management
• applicable to use over LANs, across public &
private WANs, & for the Internet
IPSec Uses
 Benefits of IPSec
• In a firewall/router provides strong security to
all traffic crossing the perimeter
• In a firewall/router is resistant to bypass
• Is below transport layer, hence transparent to
applications
• can be transparent to end users
• can provide security for individual users
• secures routing architecture
 IP Security Architecture
• specification is quite complex
• defined in numerous RFC’s
– incl. RFC 2401/2402/2406/2408
– many others, grouped by category
• mandatory in IPv6, optional in IPv4
• have two security header extensions:
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
• ● Architecture: Covers the general concepts, security requirements,
definitions, and mechanisms defining IPSec technology.
• ● Encapsulating Security Payload (ESP): Covers the packet format
and general issues related to the use of the ESP for packet
encryption and, optionally, authentication.
• ● Authentication Header (AH): Covers the packet format and
general issues related to the use of AH for packet authentication.
• ● Encryption Algorithm: A set of documents that describe how
various encryption algorithms are used for ESP.
• ● Authentication Algorithm: A set of documents that describe how
various authentication algorithms are used for AH and for the
authentication option of ESP.
• ● Key Management: Documents that describe key management
schemes.
• ● Domain of Interpretation (DOI): Contains values needed for the
other documents to relate to each other. These include identifiers
for approved encryption and authentication algorithms, as well as
operational parameters such as key lifetime.
 IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
– a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality
 Security Associations
• a one-way relationship between sender &
receiver that affords security for traffic flow
• defined by 3 parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier
• has a number of other parameters
– seq no, AH & EH info, lifetime etc
• have a database of Security Associations
 Authentication Header (AH)
• provides support for data integrity &
authentication of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking
sequence numbers
• based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
Authentication Header
Transport & Tunnel Modes
 Encapsulating Security Payload (ESP)
• provides message content confidentiality & limited
traffic flow confidentiality
• can optionally provide the same authentication
services as AH
• supports range of ciphers, modes, padding
Encapsulating Security Payload
 Transport vs Tunnel Mode ESP
• transport mode is used to encrypt &
optionally authenticate IP data
– data protected but header left in clear
– can do traffic analysis but is efficient
– good for ESP host to host traffic
• tunnel mode encrypts entire IP packet
– add new header for next hop
– good for VPNs, gateway to gateway security
 Combining Security Associations
• SA’s can implement either AH or ESP
• to implement both need to combine SA’s
– form a security association bundle
– may terminate at different or same endpoints
– combined by
• transport adjacency
• iterated tunneling
• issue of authentication & encryption order
Combining Security Associations
 Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
– 2 per direction for AH & ESP
• manual key management
– sysadmin manually configures every system
• automated key management
– automated system for on demand creation of keys
for SA’s in large systems
– has Oakley & ISAKMP elements
 Oakley
• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
– cookies, groups (global params), nonces, DH key
exchange with authentication
• can use arithmetic in prime fields or elliptic
curve fields
 ISAKMP
• Internet Security Association and Key
Management Protocol
• provides framework for key management
• defines procedures and packet formats to
establish, negotiate, modify, & delete SAs
• independent of key exchange protocol,
encryption alg, & authentication method
ISAKMP
 ISAKMP Payloads & Exchanges
• have a number of ISAKMP payload types:
– Security, Proposal, Transform, Key, Identification,
Certificate, Certificate, Hash, Signature, Nonce,
Notification, Delete
• ISAKMP has framework for 5 types of
message exchanges:
– base, identity protection, authentication only,
aggressive, informational
User education: Told the importance of hard –to-guess passwords.
Provided guidelines to select strong passwords. Many users ignore
guidelines.
Computer-generated passwords: If the passwords are quite random
in nature, and will be hard to memorize.
Disadvantages: difficulty remember.
A reactive password checking :Strategy is one in which the system
periodically runs its own password cracker to find guessable
passwords. User given a deadline to change the password.
proactive password checker: In this scheme, a user is allowed to
select his or her own password. at the time of selection, the system
checks to see if the password is allowable and, if not, rejects it.
For example, the following rules could be enforced:
● All passwords must be at least eight characters long.
● In the first eight characters, the passwords must include at least
one each of uppercase, lowercase, numeric digits, and punctuation
marks.