Professional Documents
Culture Documents
Contents
Security requirements
Public key cryptography
• Key agreement/transport schemes
• Man-in-the-middle attack vulnerability
Encryption. digital signature, hash, certification
”Complete” security solutions
• SSL/TLS
• IPSec
Security requirements
Confidentiality
Encryption Decryption
Integrity protection
Data
Data MAC
MAC Data
Data MAC
MAC
Authentication
Encryption Decryption
Prime number p
Private Base or generator g
Private key
key aa Private
Private key
key b
b
Public
Publickeys
keys
Public
Public key
key xx can
canbebesent
sent Public
Public key
key yy
unencrypted
unencrypted
over
overthe
the
Alice network Bob
network
Prime number p
Private Base or generator g
Private key
key aa Private
Private key
key b
b
Public
Public key
key xx Public
Public key
key yy
x = gamodp y = gbmodp
Alice Bob
Private
Private key
key aa Private
Private key
key b
b
Kakey a
= yxx modp
Public
Public key Public
Public key
key yy
= (gbmodp)amodp
y = gbmodp
Alice Bob
Private
Private key
key aa Private
Private key
key b
b
Public
Public key
key xx Kb = xbmodp
Public
Public key
key yy
= (gamodp)bmodp
x= gamodp
Alice Bob
Private
Private key
key aa Private
Private key
key b
b
Kakey a
= yxx modp Kb = xbmodp
Public
Public key Public
Public key
key yy
= (gbmodp)amodp = (gamodp)bmodp
Alice Bob
K K
Encryption Decryption
Man-in-
Man-in-
Alice Bob
the-middle
the-middle
Ka = Kn Km = Kb
Ka Kn Km Kb
Man-in-
Man-in-
Alice Bob
the-middle
the-middle
Certificates
Key length
SSL (TLS)
Client Server
Supported security algorithms
Chosen security algorithms
Encrypted pre-master secret
Secure communication
IP header IP payload
Original IP packet
Secure communication
Confidentiality
Content of IP packet (or payload) is encrypted.
Authentication
It is not possible to establish an IPSec connection if
authentication fails. In the case of IPSec,
authentication also ensures data integrity.
Anti-replay protection
It is not possible to send the same IP packet twice.
SA 2
User terminal Public network Corporate
in WLAN (Internet) network
SA 2
Exchange of public keys and other security
information using Internet Key Exchange (IKE),
as described in RFC 2401