
6 Security

A "bad guy" can do a lot of things to compromise Network Security. Eavesdropping, impersonation, hijacking and DDOS are some of the things a bad guy can do. Securing e-mail, Securing TCP connections, using SSL are examples.

Uploaded by

Haziq Haziq

Network Security

Based on:
Computer Networking: A Top Down Approach, 5th edition.
Jim Kurose, Keith Ross
Addison-Wesley, April 2009.

Network Security (Chapter 8)

Chapter goals:
understand principles of network security:
  cryptography and its many uses beyond confidentiality
  message integrity and Authentication
security in practice:
  security in application, transport, network, link layers
  Firewalls (would not be covered)

Roadmap

What is network security?


Principles of cryptography
Message Integrity
Example: Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec

What is network security?

Confidentiality: only sender, intended receiver should understand message contents
  sender encrypts message
  receiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Access and availability: services must be accessible and available to users

The Basic Setting: Alice, Bob, Trudy

well-known in network security world
Bob, Alice (lovers!) want to communicate securely
Trudy (intruder) may intercept, delete, add messages
In some texts, Trudy aka Eve (eavesdropping).

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel.]

Who might Alice & Bob be?

well, real-life Bobs and Alices!
Web browser/server for electronic transactions (e.g., on-line purchases)
on-line banking client/server
DNS servers
routers exchanging routing table updates
other examples?

Who might Trudy be?

Q: What can a bad guy do?
A: A lot!
  eavesdrop: intercept messages
  actively insert messages into connection
  impersonation: can fake (spoof) source address in packet (or any field in packet)
  hijacking: take over ongoing connection by removing sender or receiver, inserting himself in place. MIM (Man In The Middle) Attack
  denial of service (DOS, DDOS): prevent service from being used by others (e.g., by overloading resources)

Roadmap

What is network security?


Principles of cryptography
Message Integrity
Example: Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec

The language of cryptography

[Figure: plaintext enters the encryption algorithm, keyed with KA (Alice's encryption key); the ciphertext goes to the decryption algorithm, keyed with KB (Bob's decryption key), which outputs the plaintext.]

m: plaintext message
KA(m): ciphertext, encrypted with key KA
m = KB(KA(m))

Monoalphabetic Cipher

substitution cipher: substituting one thing for another
monoalphabetic cipher: substitute one letter for another

plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

E.g.:
Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

Key: the (reversible) mapping from the set of 26 letters to the set of 26 letters

Monoalphabetic Cipher

Caesar Cipher:
Was used by Julius Caesar to communicate with his generals during military campaigns.
Each letter in the plaintext is replaced by a letter some fixed number of positions further down the alphabet.
Classic Caesar cipher: shift of 3.
Very easy to break, using empirical statistical information about the English language.

Polyalphabetic encryption

n monoalphabetic ciphers, M1, M2, …, Mn
Cycling pattern:
  e.g., n=4, M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; …
For each new plaintext symbol, use subsequent monoalphabetic pattern in cyclic pattern
  dog: d from M1, o from M3, g from M4
Examples: Vigenère cipher, the Enigma.
Key: the n ciphers and the cyclic pattern

Breaking an encryption scheme

Cipher-text only attack: Trudy has ciphertext that she can analyze
  Two approaches:
    Search through all keys: must be able to differentiate resulting plaintext from gibberish
    Statistical analysis
Known-plaintext attack: Trudy has some plaintext corresponding to some ciphertext
  e.g., in monoalphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o,
Chosen-plaintext attack: Trudy can get the ciphertext for some chosen plaintext

Types of Cryptography

Crypto often uses keys:
  Algorithm is known to everyone
  Only keys are secret
Symmetric key cryptography (DES, AES)
  Involves the use of one key
Public key cryptography (RSA)
  Involves the use of two keys
Hash functions (would not be covered)
  Involves the use of no keys
  Nothing secret: How can this be useful?

Symmetric key cryptography

[Figure: plaintext message m enters the encryption algorithm, keyed with KS; the ciphertext KS(m) goes to the decryption algorithm, also keyed with KS, which outputs the plaintext m = KS(KS(m)).]

symmetric key crypto: Bob and Alice share same (symmetric) key: KS
e.g., key is knowing substitution pattern in monoalphabetic substitution cipher

Two types of symmetric ciphers

Stream ciphers
  encrypt one bit at a time
Block ciphers
  Break plaintext message into equal-size blocks
  Encrypt each block as a unit

Stream Ciphers

[Figure: the key feeds a pseudo random keystream generator, which outputs the keystream.]

Combine each bit of keystream with bit of plaintext to get bit of ciphertext
m(i) = ith bit of message
ks(i) = ith bit of keystream
c(i) = ith bit of ciphertext
c(i) = ks(i) ⊕ m(i) (⊕ = exclusive or)
m(i) = ks(i) ⊕ c(i)

RC4 Stream Cipher


RC4 is a popular stream cipher
Extensively analyzed and considered good
Key can be from 1 to 256 bytes
Used in WEP for 802.11
Can be used in SSL


Block ciphers

Message to be encrypted is processed in blocks of k bits (e.g., 64-bit blocks).
1-to-1 mapping is used to map k-bit block of plaintext to k-bit block of ciphertext
Example with k=3:

input  output
000    110
001    111
010    101
011    100
100    011
101    010
110    000
111    001

What is the ciphertext for 010110001111 ?

Block ciphers

How many possible mappings are there for k=3?
  How many 3-bit inputs? (2^3)
  How many permutations of the 3-bit inputs? (8!)
  Answer: 40,320; not very many!
In general, (2^k)! mappings; huge for k=64
Problem:
  Table approach requires table with 2^64 entries, each entry with 64 bits
Table too big: instead use function that simulates a randomly permuted table

Prototype function (from Kaufman et al)

[Figure: the 64-bit input is split into eight 8-bit chunks; each chunk passes through its own substitution box, S1 to S8 (an 8-bit to 8-bit mapping); the eight 8-bit outputs form a 64-bit intermediate value; loop for n rounds to produce the 64-bit output.]

Why rounds in prototype?

If only a single round, then one bit of input affects at most 8 bits of output.
In 2nd round, the 8 affected bits get scattered and inputted into multiple substitution boxes.
How many rounds?
  How many times do you need to shuffle cards
  Becomes less efficient as n increases

Encrypting a large message

Why not just break message in 64-bit blocks, encrypt each block separately?
  If same block of plaintext appears twice, will give same ciphertext.
How about:
  Generate random 64-bit number r(i) for each plaintext block m(i)
  Calculate c(i) = KS( m(i) ⊕ r(i) )
  Transmit c(i), r(i), i=1,2,…
  At receiver: m(i) = KS(c(i)) ⊕ r(i)
  Problem: inefficient, need to send c(i) and r(i)

Cipher Block Chaining (CBC)

CBC generates its own random numbers
  Have encryption of current block depend on result of previous block
  c(i) = KS( m(i) ⊕ c(i-1) )
  m(i) = KS( c(i) ) ⊕ c(i-1)
How do we encrypt first block?
  Initialization vector (IV): random block = c(0)
  IV does not have to be secret
Change IV for each message (or session)
  Guarantees that even if the same message is sent repeatedly, the ciphertext will be completely different each time

Cipher Block Chaining

cipher block: if input block repeated, will produce same cipher text:

[Figure: at t=1, m(1) = "HTTP/1.1" goes through the block cipher and gives c(1) = "k329aM02"; at t=17, m(17) = "HTTP/1.1" goes through the block cipher and gives c(17) = "k329aM02".]

cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1)
  c(0) transmitted to receiver in clear
  what happens in "HTTP/1.1" scenario from above?

[Figure: m(i) is XORed with c(i-1); the result goes through the block cipher and gives c(i).]
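
The k=3 table from the block-cipher slide, applied block by block and then with cipher block chaining, so the repeated-block leak and the effect of the IV can be seen on real bits. This is an added example, not part of the original slides; the function names, the repeated-block message and the IV values are constructed for the illustration.

```python
# Toy 3-bit block cipher: TABLE is the slide's k=3 mapping.
TABLE = {
    "000": "110", "001": "111", "010": "101", "011": "100",
    "100": "011", "101": "010", "110": "000", "111": "001",
}
INVERSE = {c: p for p, c in TABLE.items()}
K = 3  # block size in bits


def blocks(bits):
    """Split a bit string into k-bit blocks."""
    if len(bits) % K:
        raise ValueError("message length must be a multiple of the block size")
    return [bits[i:i + K] for i in range(0, len(bits), K)]


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def encrypt_blockwise(bits):
    """Encrypt each block separately: equal plaintext blocks give equal ciphertext."""
    return "".join(TABLE[m] for m in blocks(bits))


def encrypt_cbc(bits, iv):
    """c(i) = KS(m(i) XOR c(i-1)), with c(0) = IV."""
    prev, out = iv, []
    for m in blocks(bits):
        prev = TABLE[xor(m, prev)]
        out.append(prev)
    return "".join(out)


def decrypt_cbc(bits, iv):
    """m(i) = KS(c(i)) XOR c(i-1); KS here is the inverse table lookup."""
    prev, out = iv, []
    for c in blocks(bits):
        out.append(xor(INVERSE[c], prev))
        prev = c
    return "".join(out)


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block (what Trudy can see)."""
    bl = blocks(ciphertext)
    return len(bl) - len(set(bl))


if __name__ == "__main__":
    print("slide question:", encrypt_blockwise("010110001111"))
    msg = "010010010"  # constructed: the same block three times
    print("block by block:", encrypt_blockwise(msg), repeated_blocks(encrypt_blockwise(msg)))
    for iv in ("110", "001"):  # constructed IVs, sent in the clear
        c = encrypt_cbc(msg, iv)
        print("CBC, IV", iv, "->", c, repeated_blocks(c), decrypt_cbc(c, iv))
```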

Symmetric key crypto: DES

DES: Data Encryption Standard
US encryption standard [NIST 1993]
56-bit symmetric key, 64-bit plaintext input
Block cipher with cipher block chaining
How secure is DES?
  DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in less than a day
  No known good analytic attack
making DES more secure:
  3DES: encrypt 3 times with 3 different keys (actually encrypt, decrypt, encrypt)

Symmetric key crypto: DES

DES operation
  initial permutation
  16 identical "rounds" of function application, each using different 48 bits of key
  final permutation

AES: Advanced Encryption Standard

new (Nov. 2001) symmetric-key NIST standard, replacing DES
processes data in 128 bit blocks
128, 192, or 256 bit keys
brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

Public Key Cryptography

symmetric key crypto
  requires sender, receiver know shared secret key
  Q: how to agree on key in first place (particularly if never met)?
public key cryptography
  radically different approach [Diffie-Hellman76, RSA78]
  sender, receiver do not share secret key
  public encryption key known to all
  private decryption key known only to receiver

Public key cryptography

[Figure: plaintext message m enters the encryption algorithm, keyed with KB+ (Bob's public key); the ciphertext KB+(m) goes to the decryption algorithm, keyed with KB- (Bob's private key), which outputs the plaintext message m = KB-(KB+(m)).]

Public key encryption algorithms

Requirements:
1. need KB+( ) and KB-( ) such that KB-(KB+(m)) = m
2. given public key KB+, it should be impossible to compute private key KB-

RSA: Rivest, Shamir, Adleman algorithm

Prerequisite: modular arithmetic

x mod n = remainder of x when divided by n
Facts:
  [(a mod n) + (b mod n)] mod n = (a+b) mod n
  [(a mod n) - (b mod n)] mod n = (a-b) mod n
  [(a mod n) * (b mod n)] mod n = (a*b) mod n
Thus
  (a mod n)^d mod n = a^d mod n
Example: x=14, n=10, d=2:
  (x mod n)^d mod n = 4^2 mod 10 = 6
  x^d = 14^2 = 196, x^d mod 10 = 6

RSA: getting ready

A message is a bit pattern.
A bit pattern can be uniquely represented by an integer number.
Thus encrypting a message is equivalent to encrypting a number.
Example
  m = 10010001. This message is uniquely represented by the decimal number 145.
  To encrypt m, we encrypt the corresponding number, which gives a new number (the ciphertext).

RSA: Creating public/private key pair

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are relatively prime).
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
5. Public key KB+ is (n,e). Private key KB- is (n,d).

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above
1. To encrypt message m (<n), compute c = m^e mod n
2. To decrypt received bit pattern, c, compute m = c^d mod n

Magic happens! m = (m^e mod n)^d mod n, where c = m^e mod n

RSA example:

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
Encrypting 8-bit messages.

encrypt:  bit pattern  m    m^e      c = m^e mod n
          00001100     12   248832   17

decrypt:  c    c^d                                    m = c^d mod n
          17   481968572106750915091411825223071697   12

Why does RSA work?

Must show that c^d mod n = m, where c = m^e mod n
Fact: for any x and y: x^y mod n = x^(y mod z) mod n
  where n = pq and z = (p-1)(q-1)
Thus,
  c^d mod n = (m^e mod n)^d mod n
            = m^(ed) mod n
            = m^(ed mod z) mod n
            = m^1 mod n
            = m

RSA: another important property

The following property will be very useful for digital fingerprint (Authentication):

KB-(KB+(m)) = m = KB+(KB-(m))

KB-(KB+(m)): use public key first, followed by private key
KB+(KB-(m)): use private key first, followed by public key

Result is the same!

Why KB-(KB+(m)) = m = KB+(KB-(m)) ?

Follows directly from modular arithmetic:
  (m^e mod n)^d mod n = m^(ed) mod n
                      = m^(de) mod n
                      = (m^d mod n)^e mod n

Why is RSA Secure?

Suppose you know Bob's public key (n,e). How hard is it to determine d?
Essentially need to find factors of n without knowing the two factors p and q.
Fact: factoring a big number is hard.

Generating RSA keys
  Have to find big primes p and q
  Approach: make good guess then apply testing rules (see Kaufman)
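
The toy key from the RSA example slide (p=5, q=7, e=5, d=29) run through the key-creation checks, encryption, decryption and the private-then-public property, followed by the factoring step that "Why is RSA Secure?" refers to. This is an added example, not part of the original slides; the function names are hypothetical, and `pow(e, -1, z)` needs Python 3.8 or later.

```python
from math import gcd


def make_keys(p, q, e, d):
    """Steps 2-5 of the key-creation slide: check e and d against z, return both keys."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be less than n and relatively prime to z")
    if (e * d) % z != 1:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)


def apply_key(x, key):
    """K(x) = x^exp mod n. The same operation serves for both keys."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("value must be in the range 0..n-1")
    return pow(x, exp, n)  # modular exponentiation, never builds the huge power


def max_message_bits(public):
    """Largest bit length for which every message value is still below n."""
    n, _ = public
    return n.bit_length() - 1


def recover_d_by_factoring(public):
    """Trial division on n, then redo step 4. Instant for n = 35; the size of
    p and q (e.g., 1024 bits each) is the only thing that makes this infeasible."""
    n, e = public
    p = next(f for f in range(2, n) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))  # smallest d with ed mod z = 1


# The slide's numbers
PUBLIC, PRIVATE = make_keys(5, 7, 5, 29)

if __name__ == "__main__":
    c = apply_key(12, PUBLIC)
    print("c =", c, " m =", apply_key(c, PRIVATE))
    # private key first, then public key: same result
    print("KB+(KB-(12)) =", apply_key(apply_key(12, PRIVATE), PUBLIC))
    # n = 35 only leaves room for 5-bit messages, so 145 (10010001) cannot be encrypted
    print("bits that fit:", max_message_bits(PUBLIC))
    # with n this small, d falls out of the public key alone
    d = recover_d_by_factoring(PUBLIC)
    print("recovered d =", d, " decrypts 17 to", apply_key(17, (35, d)))
```

The recovered exponent is 5 rather than the slide's 29: both satisfy ed mod z = 1 (29 = 5 + 24), so either one decrypts.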

Session keys

Exponentiation is computationally intensive
DES is at least 100 times faster than RSA
Session key, KS
  Bob and Alice use RSA to exchange a symmetric key KS
  Once both have KS, they use symmetric key cryptography

Roadmap

What is network security?


Principles of cryptography
Message Integrity
Example: Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec


Message Integrity

Allows communicating parties to verify that received messages are authentic.
  Content of message has not been altered
  Source of message is who/what you think it is
  Message has not been replayed
  Sequence of messages is maintained
Let's first talk about message digests

Message Digests

Function H( ) that takes as input an arbitrary length message and outputs a fixed-length string: "message signature"
Note that H( ) is a many-to-1 function
H( ) is often called a "hash function"

[Figure: a large message m goes into H, the hash function, which outputs H(m).]

Desirable properties:
  Easy to calculate
  Irreversibility: Can't determine m from H(m)
  Collision resistance: Computationally difficult to produce m and m' such that H(m) = H(m')
  Seemingly random output

Internet checksum: poor message digest

Internet checksum has some properties of hash function:
  produces fixed length digest (16-bit sum) of input
  is many-to-one
But given message with given hash value, it is easy to find another message with same hash value.
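
Why the 16-bit sum fails as a digest, shown on two constructed messages that differ in content but not in checksum, with SHA-256 as the contrast. This is an added example, not part of the original slides; the messages and function names are constructed, and the checksum follows the 16-bit one's-complement sum of RFC 1071.

```python
import hashlib


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of the 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return ~total & 0xFFFF


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def same_digest(h, m1, m2):
    """True when two different messages map to the same digest under h."""
    return m1 != m2 and h(m1) == h(m2)


def reverse_words(data: bytes) -> bytes:
    """Reorder the 16-bit words; addition is commutative, so the sum cannot change."""
    words = [data[i:i + 2] for i in range(0, len(data), 2)]
    return b"".join(reversed(words))


# Constructed messages: the digits 1 and 9 trade places between two 16-bit words,
# so the low bytes still add up to the same value.
ORIGINAL = b"IOU100.99BOB"
ALTERED = b"IOU900.19BOB"

if __name__ == "__main__":
    for m in (ORIGINAL, ALTERED, reverse_words(ORIGINAL)):
        print(m, hex(internet_checksum(m)), sha256(m).hex()[:16])
```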

Hash Function Algorithms

MD5 hash function widely used (RFC 1321)
  computes 128-bit message digest in 4-step process.
SHA-1 is also used.
  US standard [NIST, FIPS PUB 180-1]
  160-bit message digest

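Message Authentication Code (MAC)

[Figure: the sender computes H( ) over the shared secret s and the message and sends the message with the result attached; the receiver computes H( ) over s and the received message and compares the two values.]

s = shared secret
Authenticates sender
Verifies message integrity
No encryption!
Also called "keyed hash"
Notation: MDm = H(s||m); send m||MDm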

HMAC

Popular MAC standard
Addresses some subtle security flaws
1. Concatenates secret to front of message.
2. Hashes concatenated message
3. Concatenates the secret to front of digest
4. Hashes the combination again.

End-point authentication

Want to be sure of the originator of the message: end-point authentication.
Assuming Alice and Bob have a shared secret, will MAC provide end-point authentication?
  We do know that Alice created the message.
  But did she send it?

Playback attack

MAC = f(msg,s)

[Figure: the message "Transfer $1M from Bill to Trudy" is sent with its MAC; the same message and MAC are then sent a second time.]

Defending against playback attack: nonce

MAC = f(msg,s,R)

[Figure: "I am Alice" is sent; the nonce R comes back; then "Transfer $1M from Bill to Susan" is sent with its MAC.]

Roadmap

What is network security?


Principles of cryptography
Message Integrity
Example: Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec


SSL: Secure Sockets Layer

Widely deployed security protocol
  Supported by almost all browsers and web servers
  https
  Tens of billions $ spent per year over SSL
Originally designed by Netscape in 1993
Number of variations:
  TLS: transport layer security, RFC 2246
Provides
  Confidentiality
  Integrity
  Authentication
Original goals:
  Had Web e-commerce transactions in mind
  Encryption (especially credit-card numbers)
  Web-server authentication
  Optional client authentication
  Minimum hassle in doing business with new merchant
Available to all TCP applications
  Secure socket interface

SSL and TCP/IP

[Figure: protocol stacks. Normal Application: Application / TCP / IP. Application with SSL: Application / SSL / TCP / IP.]

SSL provides application programming interface (API) to applications
C and Java SSL libraries/classes readily available

Toy SSL: a simple secure channel

Handshake: Alice and Bob use their certificates and private keys to authenticate each other and exchange shared secret
Key Derivation: Alice and Bob use shared secret to derive set of keys
Data Transfer: Data to be transferred is broken up into a series of records
Connection Closure: Special messages to securely close connection

Toy: A simple handshake

[Figure: message exchange: hello; certificate; KB+(MS) = EMS.]

MS = master secret
EMS = encrypted master secret

Toy: Key derivation

Considered bad to use same key for more than one cryptographic operation
  Use different keys for message authentication code (MAC) and encryption
Four keys:
  Kc = encryption key for data sent from client to server
  Mc = MAC key for data sent from client to server
  Ks = encryption key for data sent from server to client
  Ms = MAC key for data sent from server to client
Keys derived from key derivation function (KDF)
  Takes master secret and (possibly) some additional random data and creates the keys

Toy: Data Records

Why not encrypt data in constant stream as we write it to TCP?
  Where would we put the MAC? If at end, no message integrity until all data processed.
  For example, with instant messaging, how can we do integrity check over all bytes sent before displaying?
Instead, break stream in series of records
  Each record carries a MAC
  Receiver can act on each record as it arrives
Issue: in record, receiver needs to distinguish MAC from data
  Want to use variable-length records

Record layout: length | data | MAC

Toy: Sequence Numbers

Attacker can capture and replay record or re-order records
Solution: put sequence number into MAC:
  MAC = MAC(Mx, sequence||data)
  Note: no sequence number field
Attacker could still replay all of the records
  Use random nonce

Toy: Control information

Truncation attack:
  attacker forges TCP connection close segment
  One or both sides thinks there is less data than there actually is.
Solution: record types, with one type for closure
  type 0 for data; type 1 for closure
MAC = MAC(Mx, sequence||type||data)

Record layout: length | type | data | MAC
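
A receiver for the toy record format (length | type | data | MAC) that rejects altered, replayed and re-ordered records and tells a clean close from a bare TCP FIN. This is an added example, not part of the original slides. The slides leave field sizes and algorithms open, so the 2-byte length, 1-byte type, 8-byte implicit sequence number and HMAC-SHA256 are assumptions, encryption of the record is left out to keep the integrity logic visible, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32                  # HMAC-SHA256 tag length (assumed)
TYPE_DATA, TYPE_CLOSE = 0, 1  # record types from the slide


def record_mac(mac_key, seq, rtype, data):
    """MAC = MAC(Mx, sequence || type || data); the sequence number is never sent."""
    return hmac.new(mac_key, struct.pack("!QB", seq, rtype) + data, hashlib.sha256).digest()


class Sender:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def seal(self, rtype, data=b""):
        self.seq += 1
        body = bytes([rtype]) + data + record_mac(self.mac_key, self.seq, rtype, data)
        return struct.pack("!H", len(body)) + body  # length | type | data | MAC


class Receiver:
    def __init__(self, mac_key):
        self.mac_key, self.seq, self.closed = mac_key, 0, False

    def open(self, record):
        if len(record) < 2 + 1 + MAC_LEN:
            raise ValueError("record too short")
        (length,) = struct.unpack("!H", record[:2])
        body = record[2:]
        if length != len(body):
            raise ValueError("length field does not match record")
        rtype, data, tag = body[0], body[1:-MAC_LEN], body[-MAC_LEN:]
        # Recompute the MAC with the sequence number expected next, so a replayed
        # or out-of-order record fails exactly like a modified one.
        expected = record_mac(self.mac_key, self.seq + 1, rtype, data)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC: altered, replayed or re-ordered record")
        self.seq += 1
        self.closed = self.closed or rtype == TYPE_CLOSE
        return rtype, data

    def on_tcp_fin(self):
        """True for a clean close; False means the FIN came before a type 1 record."""
        return self.closed


def accepts(receiver, record):
    """Convenience wrapper: did the receiver accept this record?"""
    try:
        receiver.open(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed MAC key Mc"  # constructed; would come from the KDF
    s, r = Sender(key), Receiver(key)
    first = s.seal(TYPE_DATA, b"Transfer $1M from Bill to Susan")
    close = s.seal(TYPE_CLOSE)
    print(r.open(first), accepts(r, first), r.on_tcp_fin())
    print(r.open(close), r.on_tcp_fin())
```

Replaying a whole recorded connection is outside what this check can catch; as the sequence-number slide notes, that needs a fresh nonce in each handshake so the derived MAC keys differ.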

Toy SSL: summary

[Figure: message exchange with bob.com: hello; certificate, nonce; KB+(MS) = EMS; then, encrypted: type 0, seq 1, data; type 0, seq 2, data; type 0, seq 1, data (opposite direction); type 0, seq 3, data; type 1, seq 4, close; type 1, seq 2, close (opposite direction).]

Toy SSL isn't complete

How long are the fields?
What encryption protocols?
No negotiation
  Allow client and server to support different encryption algorithms
  Allow client and server to choose together specific algorithm before data transfer

Most common symmetric ciphers in SSL

DES (Data Encryption Standard): block
3DES (Triple strength): block
RC2 (Rivest Cipher 2): block
RC4 (Rivest Cipher 4): stream

Public key encryption
  RSA

Real Connection

[Figure: message exchange, in order:
  handshake: ClientHello
  handshake: ServerHello
  handshake: Certificate
  handshake: ServerHelloDone
  handshake: ClientKeyExchange
  ChangeCipherSpec
  handshake: Finished
  (Everything henceforth is encrypted)
  ChangeCipherSpec
  handshake: Finished
  application_data
  application_data
  Alert: warning, close_notify
TCP Fin follow]

Key derivation

Client nonce, server nonce, and pre-master secret input into pseudo random-number generator.
  Produces master secret
Master secret and new nonces input into another random-number generator: "key block"
  Because of resumption: TBD
Key block sliced and diced:
  client MAC key
  server MAC key
  client encryption key
  server encryption key
  client initialization vector (IV)
  server initialization vector (IV)

Roadmap

What is network security?


Principles of cryptography
Message Integrity
Example: Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec


What is confidentiality at the network-layer?

Between two network entities:
Sending entity encrypts the payloads of datagrams. Payload could be:
  TCP segment, UDP segment, ICMP message, OSPF message, and so on.
All data sent from one entity to the other would be hidden:
  Web pages, e-mail, P2P file transfers, TCP SYN packets, and so on.
That is, "blanket coverage".

Virtual Private Networks (VPNs)

Institutions often want private networks for security.
  Costly! Separate routers, links, DNS infrastructure.
With a VPN, institution's inter-office traffic is sent over public Internet instead.
  But inter-office traffic is encrypted before entering public Internet

Virtual Private Network (VPN)

[Figure: headquarters and branch office each sit behind a router w/ IPv4 and IPsec; a salesperson in a hotel uses a laptop w/ IPsec. Inside headquarters and the branch office, datagrams carry an IP header and payload; across the public Internet they carry an IP header, an IPsec header and a secure payload.]

IPsec services

Data integrity
Origin authentication
Replay attack prevention
Confidentiality
Two protocols providing different service models:
  AH
  ESP

IPsec Transport Mode

[Figure: the two IPsec endpoints.]

IPsec datagram emitted and received by end-system.
Protects upper level protocols

IPsec tunneling mode (1)

[Figure: the two IPsec endpoints.]

End routers are IPsec aware. Hosts need not be.

IPsec tunneling mode (2)

[Figure: the two IPsec endpoints.]

Also tunneling mode.

Two protocols

Authentication Header (AH) protocol
  provides source authentication & data integrity but not confidentiality
Encapsulation Security Protocol (ESP)
  provides source authentication, data integrity, and confidentiality
  more widely used than AH

Four combinations are possible!

Host mode with AH
Host mode with ESP
Tunnel mode with AH
Tunnel mode with ESP (most common and most important)

Security associations (SAs)

Before sending data, a virtual connection is established from sending entity to receiving entity.
Called "security association (SA)"
  SAs are simplex: for only one direction
Both sending and receiving entities maintain state information about the SA
  Recall that TCP endpoints also maintain state information.
  IP is connectionless; IPsec is connection-oriented!
How many SAs in VPN w/ headquarters, branch office, and n traveling salespersons?

Example SA from R1 to R2

[Figure: Headquarters (172.16.1/24) sits behind R1, interface 200.168.1.100; Branch Office (172.16.2/24) sits behind R2, interface 193.68.2.23; the SA runs from R1 to R2 across the Internet.]

R1 stores for SA
  32-bit identifier for SA: Security Parameter Index (SPI)
  the origin interface of the SA (200.168.1.100)
  destination interface of the SA (193.68.2.23)
  type of encryption to be used (for example, 3DES with CBC)
  encryption key
  type of integrity check
  authentication key

Security Association Database (SAD)

Endpoint holds state of its SAs in a SAD, where it can locate them during processing.
With n salespersons, 2 + 2n SAs in R1's SAD
When sending IPsec datagram, R1 accesses SAD to determine how to process datagram.
When IPsec datagram arrives to R2, R2 examines SPI in IPsec datagram, indexes SAD with SPI, and processes datagram accordingly.

IPsec datagram

Focus for now on tunnel mode with ESP

[Figure: datagram layout:
  new IP header | ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth
  encrypted: original IP hdr through ESP trl
  "enchilada" authenticated: ESP hdr through ESP trl]

What happens?

[Figure: the R1 to R2 network from the example SA (Headquarters 172.16.1/24 behind R1 at 200.168.1.100, Branch Office 172.16.2/24 behind R2 at 193.68.2.23, SA across the Internet), shown above the IPsec datagram layout: new IP header | ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth.]

R1 converts original datagram into IPsec datagram

Appends to back of original datagram (which includes original header fields!) an "ESP trailer" field.
Encrypts result using algorithm & key specified by SA.
Appends to front of this encrypted quantity the "ESP header", creating "enchilada".
Creates authentication MAC over the whole enchilada, using algorithm and key specified in SA;
Appends MAC to back of enchilada, forming payload;
Creates brand new IP header, with all the classic IPv4 header fields, which it appends before payload.

Inside the enchilada:

[Figure: the IPsec datagram layout: new IP header | ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth.]

ESP trailer: Padding for block ciphers
ESP header:
  SPI, so receiving entity knows what to do
  Sequence number, to thwart replay attacks
MAC in ESP auth field is created with shared secret key

IPsec sequence numbers

For new SA, sender initializes seq. # to 0
Each time datagram is sent on SA:
  Sender increments seq # counter
  Places value in seq # field
Goal:
  Prevent attacker from sniffing and replaying a packet
  Receipt of duplicate, authenticated IP packets may disrupt service
Method:
  Destination checks for duplicates
  But doesn't keep track of ALL received packets; instead uses a window
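
One way the destination can check for duplicates with a window instead of a full history: a sliding bitmap kept per SA. This is an added example, not part of the original slides; the 64-entry window size and all names are assumptions, and the caller is assumed to pass in only sequence numbers from datagrams whose ESP MAC has already verified.

```python
class ReplayWindow:
    """Receiver-side duplicate check for one SA."""

    def __init__(self, size=64):
        self.size = size   # window size (assumed; the slides give no number)
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means (top - i) was already received

    def check_and_update(self, seq):
        """Return True if the datagram is fresh, False if it must be dropped."""
        if seq == 0:
            # Sender starts the counter at 0 and increments before sending,
            # so 0 never appears in a legitimate datagram.
            return False
        if seq > self.top:
            # New highest number: slide the window forward and mark it.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False   # older than the window: cannot tell, so drop
        if (self.bitmap >> offset) & 1:
            return False   # inside the window and already seen: replay
        self.bitmap |= 1 << offset
        return True        # inside the window, late but not seen before


def filter_stream(seqs, size=64):
    """Run a list of received sequence numbers through one window."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in order, out of order, a replay,
    # a jump ahead, two late arrivals and a very old replay.
    arrivals = [1, 3, 2, 3, 100, 36, 37, 1]
    for seq, ok in zip(arrivals, filter_stream(arrivals)):
        print(seq, "accept" if ok else "drop")
```

The window trades memory for a little lost traffic: a genuine datagram that arrives more than 64 numbers late is dropped along with the replays.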

Security Policy Database (SPD)

Policy: For a given datagram, sending entity needs to know if it should use IPsec.
Needs also to know which SA to use
  May use: source and destination IP address; protocol number.
Info in SPD indicates "what" to do with arriving datagram;
Info in the SAD indicates "how" to do it.

Summary: IPsec services

Suppose Trudy sits somewhere between R1 and R2. She doesn't know the keys.
  Will Trudy be able to see contents of original datagram? How about source, dest IP address, transport protocol, application port?
  Flip bits without detection?
  Masquerade as R1 using R1's IP address?
  Replay a datagram?

Internet Key Exchange

In previous examples, we manually established IPsec SAs in IPsec endpoints:

Example SA
  SPI: 12345
  Source IP: 200.168.1.100
  Dest IP: 193.68.2.23
  Protocol: ESP
  Encryption algorithm: 3DES-cbc
  HMAC algorithm: MD5
  Encryption key: 0x7aeaca
  HMAC key: 0xc0291f

Such manual keying is impractical for large VPN with, say, hundreds of sales people.
Instead use IPsec IKE (Internet Key Exchange)

IKE: PSK and PKI

Authentication (prove who you are) with either
  pre-shared secret (PSK) or
  with PKI (public/private keys and certificates).
With PSK, both sides start with secret:
  then run IKE to authenticate each other and to generate IPsec SAs (one in each direction), including encryption and authentication keys
With PKI, both sides start with public/private key pair and certificate.
  run IKE to authenticate each other and obtain IPsec SAs (one in each direction).
  Similar to the handshake in SSL.

IKE Phases

IKE has two phases
  Phase 1: Establish bi-directional IKE SA
    Note: IKE SA different from IPsec SA
    Also called ISAKMP security association
  Phase 2: ISAKMP is used to securely negotiate the IPsec pair of SAs
Phase 1 has two modes: aggressive mode and main mode
  Aggressive mode uses fewer messages
  Main mode provides identity protection and is more flexible

Summary of IPsec

IKE message exchange for algorithms, secret keys, SPI numbers
Either the AH or the ESP protocol (or both)
The AH protocol provides integrity and source authentication
The ESP protocol (with AH) additionally provides encryption
IPsec peers can be two end systems, two routers/firewalls, or a router/firewall and an end system

Network Security (summary)

Basic techniques...
  cryptography (symmetric and public)
  message integrity
  end-point authentication
... used in many different security scenarios
  secure email
  secure transport (SSL)
  IPsec
