Ms.N.A.Deshmukh
PRMIT&R
Contents
• IP Security:
IP Security Overview,
IP Security Architecture,
Authentication Header,
Encapsulating Security Payload,
Combining Security Associations,
Key Management,
• Web Security:
Web Security Considerations,
Secure Socket Layer (SSL) and Transport Layer Security (TLS),
Secure Electronic Transaction (SET).
IP Security
Applications of IPSec
Secure branch office connectivity over the Internet:
A company can build a secure virtual private network (VPN) over the
Internet or over a public WAN instead of leasing private lines.
Secure remote access over the Internet:
An end user whose system runs the IP Security protocols can make a
local call to an ISP and gain secure access to the company network.
This reduces toll and other communication charges for travelling
employees and telecommuters.
Establishing extranet and intranet connectivity with partners:
• A security association (SA) is a one-way (simplex) relationship between a
sender and a receiver. If a peer relationship is needed for two-way secure
exchange, two SAs are required. An SA is used either for AH or for ESP,
but never for both.
Security Associations
• An SA is uniquely identified by three parameters:
– Security Parameters Index (SPI)
• a 32-bit value assigned to the SA, with only local significance
• carried in the AH and ESP headers so that the receiving party can
select the SA under which the packet must be processed
– IP destination address
• currently only unicast addresses are allowed
• i.e. the address of the destination endpoint of the SA, which may be
an end system or a network element (e.g., a router or firewall)
– Security protocol identifier
• indicates whether the SA is an AH SA or an ESP SA
• Tunnel mode
– provides protection to the entire IP packet
– the entire IP packet is considered as payload and encapsulated
in another IP packet (with potentially different source and
destination addresses)
• ESP in tunnel mode encrypts and optionally authenticates
the entire inner IP packet
• AH in tunnel mode authenticates the entire inner IP packet
and selected fields of the outer IP header
– usually used between security gateways (routers, firewalls)
Tunnel mode in action
Authentication Header
• The Authentication Header provides data integrity and data-origin
authentication for IP packets; it provides no confidentiality.
• Data integrity ensures that any modification of the packet in transit
is detected.
• Authentication enables an end system or network device to
authenticate the user or application and filter the traffic
accordingly.
• It also prevents address spoofing attacks, because the source and
destination addresses are covered by the integrity check.
• Caveat: for the same reason AH does not survive NAT, which rewrites
those addresses. RFC 4301 makes ESP (which can also authenticate)
mandatory and AH optional.
• AH fields:
– Next Header (8 bits): type of the header immediately following
the AH (e.g., TCP or UDP in transport mode, IP in tunnel mode)
– Payload Length (8 bits): length of the AH in 32-bit words, minus 2
– Reserved (16 bits)
– Security Parameters Index (32 bits)
– Sequence Number (32 bits): used by the anti-replay service
– Integrity Check Value (variable, a multiple of 32 bits)
Anti-replay service
• In a replay attack, an attacker obtains a copy of an authenticated
packet and later retransmits it to the intended destination.
• Receipt of duplicate authenticated IP packets may disrupt service or
have other undesired consequences.
• The Sequence Number field in the AH and ESP headers is designed to
thwart such attacks.
• Sequence number generation: when a new SA is established, the sender
initialises a sequence number counter to 0.
• Each time a packet is sent on that SA, the sender increments the
counter by 1 and places the value in the Sequence Number field.
• Thus the first value used is 1.
• If anti-replay is enabled (the default), the sender must not allow
the sequence number to cycle past 2^32 – 1 back to 0.
• Otherwise there would be multiple valid packets with the same
sequence number.
• If the limit of 2^32 – 1 is reached, the sender must terminate the SA
and negotiate a new SA with a new key.
• Caveat: RFC 4302/4303 add an optional 64-bit Extended Sequence Number
(ESN) for high-speed links, where 2^32 packets can be sent in minutes;
only the low-order 32 bits are transmitted in the header.
• IP is a connectionless, unreliable service and does not guarantee
in-order packet delivery, and
• With tunnel mode, the entire inner packet, including the entire
inner IP header, is protected by AH.
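The SA identification triple and the anti-replay counter above, as an added example that is not part of the original slides. It models an inbound SA database keyed by (SPI, destination address, protocol) and one SA's sender counter with the 2^32 – 1 stop. The receiver side is an assumption the slides do not describe: it uses the sliding-window check of RFC 4302/4303 section 3.4.3 (default W = 64), and takes the integrity check (ICV) as already verified before a packet is marked received, as the RFC requires. Class and function names are hypothetical.

```python
"""Model of an IPsec inbound SA database keyed by (SPI, destination, protocol)
and the AH/ESP anti-replay service on one SA.  Added example, not from the
slides.  Assumptions: 32-bit sequence numbers (no ESN); the receiver-side
sliding window follows RFC 4302/4303 section 3.4.3 (default W = 64), which
the slides do not describe; ICV verification has already succeeded before
accept() is called."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEQ_MAX = 2**32 - 1            # the Sequence Number field is 32 bits wide


class SAExhausted(Exception):
    """Counter would cycle back to 0: the SA must be terminated and renegotiated."""


@dataclass
class SecurityAssociation:
    spi: int                   # Security Parameters Index carried in the AH/ESP header
    dst: str                   # IP destination address of the SA endpoint
    proto: str                 # "AH" or "ESP", never both
    window: int = 64           # receiver anti-replay window size W
    seq_out: int = 0           # sender counter, initialised to 0 when the SA is created
    highest_seen: int = 0      # receiver: right edge of the window (largest seq validated)
    bitmap: int = 0            # receiver: bit i set => seq (highest_seen - i) already received

    def __post_init__(self) -> None:
        if self.proto not in ("AH", "ESP"):
            raise ValueError("an SA is used for AH or for ESP, never for both")
        if self.window < 32:
            raise ValueError("RFC 4302/4303 require a window of at least 32")

    def next_seq(self) -> int:
        """Sender side: increment before use, so the first value sent is 1."""
        if self.seq_out >= SEQ_MAX:
            raise SAExhausted("2^32-1 reached: terminate the SA and negotiate a new one")
        self.seq_out += 1
        return self.seq_out

    def accept(self, seq: int) -> bool:
        """Receiver side: True if seq is new and inside the window; False if it is
        a replay, too old, or the invalid value 0.  Out-of-order packets inside
        the window are accepted, which is why a plain 'last seq' check is not used."""
        if seq == 0:
            return False
        if seq > self.highest_seen:                       # right of the window: slide it
            shift = seq - self.highest_seen
            if shift >= self.window:
                self.bitmap = 1                           # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seen = seq
            return True
        offset = self.highest_seen - seq
        if offset >= self.window:
            return False                                  # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                                  # already received: replay
        self.bitmap |= 1 << offset                        # mark only after ICV verified
        return True


class SADatabase:
    """Inbound SAD: the SPI/destination/protocol triple selects the SA."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: str) -> Optional[SecurityAssociation]:
        return self._sas.get((spi, dst, proto))


def counter_exhausted(sa: SecurityAssociation) -> bool:
    """True if the sender side of sa refuses to issue another sequence number."""
    try:
        sa.next_seq()
        return False
    except SAExhausted:
        return True


def demo() -> List[bool]:
    """Constructed inbound sequence: reordering (5 before 4), a replay of 4, a jump
    past the window (70), then two stale packets (5, 6) that fall outside it."""
    sad = SADatabase()
    sad.add(SecurityAssociation(spi=0x1234, dst="192.0.2.1", proto="ESP"))
    sa = sad.lookup(0x1234, "192.0.2.1", "ESP")
    arrivals = [1, 2, 3, 5, 4, 4, 70, 5, 6, 71]
    return [sa.accept(s) for s in arrivals]


if __name__ == "__main__":
    print(demo())
```

The bitmap is only updated after the integrity check has passed; marking a sequence number on an unverified packet would let an attacker with no key push the window forward and cause legitimate packets to be dropped.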
• For ESP in tunnel mode, the ESP header is prefixed to the entire
original packet, the packet plus the ESP trailer is encrypted, and
the result is carried in a new outer IP packet.
1. Transport mode ESP : Authentication and encryption apply to the IP payload delivered
2. Tunnel mode ESP : Authentication applies to the entire IP packet delivered to the outer
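The ESP framing described for the two modes, as an added example that is not code from the original slides. It builds and parses the RFC 4303 layout (ESP header with SPI and sequence number prefixed, trailer with padding, Pad Length and Next Header appended) and shows how the Next Header value distinguishes transport mode (6, TCP follows) from tunnel mode (4, a complete inner IP packet follows). Assumptions and omissions: the cipher and the ICV are not applied, only the framing is shown; the packets are constructed for the demo with a minimal IPv4 header whose checksum is left zero; all names are hypothetical.

```python
"""ESP framing in transport and tunnel mode following the RFC 4303 packet
layout.  Added example, not code from the slides.  Omissions: the cipher and
the ICV are NOT applied; only the framing (ESP header prefixed, trailer
appended) is built and parsed.  Packets are constructed for the demo with a
minimal IPv4 header whose checksum is left zero."""
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50     # IANA protocol numbers
IPV4_HLEN = 20


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id,
    flags/fragment, TTL, protocol, checksum (0), source, destination."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HLEN + payload_len, 0, 0,
                       64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ip_proto(header: bytes) -> int:
    return header[9]


def build_esp(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP header || payload || padding || Pad Length || Next Header.
    RFC 4303 requires Pad Length and Next Header to end on a 4-byte boundary;
    the default padding bytes are 1, 2, 3, ...  In a real SA everything after
    the header is encrypted at this point and the ICV is appended afterwards."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    header = struct.pack("!II", spi, seq)
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    return header + payload + trailer


def parse_esp(esp: bytes) -> dict:
    """Receiver side: read SPI/seq, strip the trailer (after decryption in a
    real SA) and check the default padding pattern, as RFC 4303 permits."""
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:]
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    if body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding check failed")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[:len(body) - 2 - pad_len]}


def esp_transport(packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the original IP header is kept (protocol field set to
    ESP, length updated), the ESP header goes between it and the transport-
    layer data, and Next Header records what that data was (6 for TCP)."""
    hdr, data = bytearray(packet[:IPV4_HLEN]), packet[IPV4_HLEN:]
    esp = build_esp(spi, seq, data, ip_proto(hdr))
    hdr[9] = IPPROTO_ESP
    hdr[2:4] = struct.pack("!H", IPV4_HLEN + len(esp))
    return bytes(hdr) + esp


def esp_tunnel(packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet, header included, is the ESP payload
    (Next Header = 4, IP-in-IP) and a new outer header carrying the security
    gateways' addresses is prepended."""
    esp = build_esp(spi, seq, packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def decapsulate(packet: bytes) -> dict:
    """Receiver view of either mode: outer header, then ESP; the Next Header
    value tells whether an inner IP packet or transport data follows."""
    outer, esp = packet[:IPV4_HLEN], packet[IPV4_HLEN:]
    if ip_proto(outer) != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    info = parse_esp(esp)
    info["mode"] = "tunnel" if info["next_header"] == IPPROTO_IPIP else "transport"
    info["outer_dst"] = str(ipaddress.IPv4Address(outer[16:20]))
    return info


# constructed inner packet: host 10.0.0.5 -> 10.0.1.9 carrying a TCP segment
INNER = ipv4_header("10.0.0.5", "10.0.1.9", IPPROTO_TCP, 9) + b"TCP-bytes"

if __name__ == "__main__":
    print(decapsulate(esp_transport(INNER, 0x1001, 1)))
    print(decapsulate(esp_tunnel(INNER, 0x1000, 1, "192.0.2.1", "198.51.100.2")))
```

In tunnel mode the outer header shows only the gateways' addresses, so the inner source and destination (and the transport protocol) are hidden inside the encrypted payload; in transport mode the original IP header stays in the clear and only the transport-layer data is protected.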
a) AH in transport mode [figure; labels: Encrypted, Authenticated (optionally)]