CMPT 471 Networking II


Authentication and Encryption
Janice Regan, 2006-2013

IPsec usage
- Host to host: may use transport mode; may use tunnel mode.
- Security gateway to security gateway: must use tunneling.
- Host to/from security gateway: for traffic destined to the security gateway itself (for example an SNMP message) the gateway is operating as a host and transport mode may be used. Otherwise, if the gateway is operating as a gateway, tunnel mode must be used.

IPv4 AH Authentication (figure)
- Transport mode: IPv4 header (partially authenticated), AH authentication data, payload (authenticated).
- Tunnel mode: outer IPv4 tunnel header (partially authenticated), AH authentication data, inner IPv4 header and payload (authenticated).

AH authentication algorithms
- HMAC with MD5 (RFC 2403)
- HMAC with SHA-1 (RFC 2404)

IPsec ESP (figure)
- Transport mode: IP header (not encrypted or authenticated), ESP header, data, ESP trailer, ESP auth. Data and trailer are encrypted; ESP header, data and trailer are authenticated.
- Tunnel mode: new IP header (not encrypted or authenticated), ESP header, original IP header, data, ESP trailer, ESP auth. The original IP header, data and trailer are encrypted and, together with the ESP header, authenticated.

ESP authentication algorithms
- HMAC with MD5 (RFC 2403)
- HMAC with SHA-1 (RFC 2404)
- Null authentication

ESP encryption algorithms
- DES in CBC mode (RFC 2405)
- Null encryption

Security Associations (1)
- An SA describes one simplex connection. If you are using both AH and ESP you need one SA for each. For two-way communication you need one SA for each direction.
- Three parameters uniquely define a security association (SA):
  - destination address
  - security protocol (AH or ESP)
  - Security Parameters Index (SPI)

Security Associations (2)
- SAs are stored in a database. The SAD (Security Associations Database) also includes the following information:
  - Mode of communication (transport or tunnel)
  - Sequence number counter
  - Anti-replay window: used to determine whether an inbound AH or ESP packet is a replay
  - AH: authentication algorithm type, keys, etc.; or ESP: encryption algorithm and/or authentication algorithm types, keys, etc.
  - Lifetime of this security association

Encryption
- The source uses an encryption key and a particular encryption algorithm to encrypt the data. The data is inserted into a packet and sent to the receiver.
- The receiver uses a decryption key to decrypt the data. If the keys match, the decrypted data is readable; otherwise it is not.
- The keys may be secret (private) keys or public keys.
- Private key encryption is often used for long messages, public key encryption for short messages. Short messages may include sending private keys in preparation for transmission of longer messages.

Secret or private keys
- Private or secret keys are known only by the sender and receiver.
- The decryption key is the same as, or derivable from, the encryption key.
- Secret key encryption may also be called symmetric encryption because the same key can be used in both directions.
- High security; difficult to decrypt without the key.
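As an added example that is not part of the original slides, the following Python sketch ties the AH authentication and Security Association slides together: an inbound SA selected by (destination address, protocol, SPI), an HMAC-SHA-1-96 integrity check (RFC 2404) over the AH header and payload, and the sliding anti-replay window kept in the SAD. The key, addresses, SPI and packets are constructed sample values.

```python
import hashlib
import hmac
import struct

AH = 51       # IP protocol number of the Authentication Header
ICV_LEN = 12  # RFC 2404 (HMAC-SHA-1-96): the 20-byte HMAC output is truncated to 96 bits

def ah_icv(key, next_hdr, spi, seq, payload):
    """HMAC-SHA-1-96 over the AH header (ICV zeroed) plus payload; a real ICV also covers the IP header with mutable fields zeroed."""
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    hdr = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    return hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]

class InboundSA:  # one simplex SA as kept in the SAD: key plus anti-replay window state
    def __init__(self, key):
        self.key = key
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (highest - i) was already seen

    def accept_seq(self, seq):
        """Sliding-window (64 packets) anti-replay check; the window is updated only on accept."""
        if seq > self.highest:  # new high-water mark: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << 64) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= 64 or (self.bitmap >> diff) & 1:
            return False  # too old to be tracked, or a duplicate
        self.bitmap |= 1 << diff
        return True

def receive(sad, dst, spi, seq, payload, icv, next_hdr=6):
    """Select the SA by (destination, protocol, SPI), verify the ICV, then check for replay."""
    sa = sad.get((dst, AH, spi))
    if sa is None:
        return "no SA"
    if not hmac.compare_digest(ah_icv(sa.key, next_hdr, spi, seq, payload), icv):
        return "bad ICV"  # never touch the replay window for a packet that failed the MAC
    return "ok" if sa.accept_seq(seq) else "replay"

def demo():
    key = b"constructed demo key, not a real one"    # constructed sample key
    sad = {("10.0.0.2", AH, 0x1000): InboundSA(key)}  # constructed SAD with one inbound SA
    results = []
    for seq in (1, 2, 3, 2, 70, 3):  # 2 is replayed; 3 is outside the window once 70 arrived
        icv = ah_icv(key, 6, 0x1000, seq, b"payload")
        results.append(receive(sad, "10.0.0.2", 0x1000, seq, b"payload", icv))
    icv = ah_icv(key, 6, 0x1000, 71, b"payload")
    results.append(receive(sad, "10.0.0.2", 0x1000, 71, b"PAYLOAD", icv))  # modified in transit
    return results
```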

Secret or private keys (continued)
- Requires many keys (one for each pair of users).
- Uses an efficient encryption algorithm. Popular example: DES, the Data Encryption Standard.
- How do you distribute keys? Use public key encryption, or a central distribution centre.

Public keys (1)
- Each user has a public key and a private key. Fewer keys are needed (a pair for each user, not for each pairing of users).
- The public key is used to encrypt the message; the private key is used to decrypt the message. The private key is not easily derivable from the public key.
- The sender encrypts using the receiver's public key. Only the receiver can decrypt, using its own private key.
- RSA is an example of this approach.

Public keys (2)
- The encryption/decryption process is more computationally intensive than private key encryption.
- Must verify (authenticate) the announced public key of a user. Verification may be done by a central authority (which pairs users and keys and issues certificates).

Digital Signature
- Used for authentication, integrity and non-repudiation (anti replay).
- Use private key encryption to sign the packet (encrypt the document or its digest). Use the public key to verify the signature (decrypt the document).
- Since only the sender knows its private key, this provides authentication.

Digital Signature
- A message signed using a sender's private key (known only by that user) indicates that the message comes from that user.
- Changes to the message between the sender and the receiver require knowledge of the private key, or they will in all likelihood render the message unreadable at the destination.
- The signature alone does not provide confidentiality: anyone can decrypt using the sender's public key.

Digital Signature
- Used for authentication, integrity and non-repudiation.
- Can sign the entire document or a digest of the document. Algorithms such as SHA-1 and MD5 are used to make digests of the document.
- Can sign the digest rather than the whole document.

Digital Signature
- To sign the digest rather than the whole document (sender):
  - The sender uses a hash function to produce a fixed-size digest of the document. Usually MD5 (Message Digest 5) or SHA-1 (Secure Hash Algorithm 1) is used.
  - The sender encrypts the digest with her private key.
  - The sender sends the document including the encrypted digest.

Digital Signature
- To sign the digest rather than the whole document (receiver):
  - The receiver creates a digest of the document using the same algorithm as the sender.
  - The receiver decrypts the digest appended to the document using the sender's public key.
  - The receiver compares the calculated digest to the decrypted digest from the received message. They must match for the signature to be valid.

With VPN
- New encapsulation.
- Shared keys (all users behind the VPN use the same key): dangerous, since one user can hijack traffic, and a man-in-the-middle attack becomes possible.
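The sign-the-digest procedure from the two Digital Signature slides above, carried through in Python as an added example that is not from the original slides: hash the document, raise the digest to the private exponent, and have the receiver recompute the digest and compare it with the signature raised to the public exponent. The RSA key is a fixed demonstration key built from two Mersenne primes and the document is a constructed sample.

```python
import hashlib

# Demonstration RSA key built from two Mersenne primes (2^127 - 1 and 2^107 - 1).
# Both primes are public knowledge, so this key is for illustration only.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q                          # modulus, about 234 bits: larger than any SHA-1 digest
E = 65537                          # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)

def digest(document: bytes) -> int:
    """Fixed-size digest of the document (SHA-1, as on the slides), as an integer < N."""
    return int.from_bytes(hashlib.sha1(document).digest(), "big")

def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Sender: encrypt the digest with the private key (textbook RSA; real schemes such as
    PKCS#1 v1.5 or PSS pad the digest first, and SHA-1/MD5 are no longer recommended)."""
    return pow(digest(document), d, n)

def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: recompute the digest, decrypt the signature with the public key, compare."""
    return pow(signature, e, n) == digest(document)

def demo():
    doc = b"Transfer 100 credits to account 42"   # constructed sample document
    sig = sign(doc)
    wrong_key = pow(digest(doc), 12345, N)        # "signed" with a wrong private exponent
    return {
        "genuine": verify(doc, sig),
        "tampered": verify(b"Transfer 900 credits to account 42", sig),  # digest differs
        "wrong key": verify(doc, wrong_key),
    }
```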