WLAN and IP security
By
Chaitanya T K
E-mail: tkchaitanya@tataelxsi.co.in
Objectives:
- Why is security so important in WLAN?
- 802.1x framework
- RADIUS server
- Different security methods in WLAN
- Why IPsec?
- Understanding IPsec
There is nobody so irritating a
Don Herold
Wireless security:
There are 3 major elements in wireless security:
- Authentication framework, e.g. 802.1x
- Authentication algorithm, e.g. EAP
- Data encryption algorithm, e.g. TKIP
802.1X:
Port-Based Network Access Control, with three roles:
- Supplicant – sits on a client device such as a laptop or PDA. The Supplicant is the software that handles authentication from the client's point of view; it is also known as the Port Access Entity (PAE).
- Authenticator – an edge network device such as an access switch, router or WiFi access point. The Authenticator encapsulates the EAP frames within RADIUS.
- Authentication server – a RADIUS server with EAP capability.
Port Based Access:
802.1x handshakes:
802.1x Over WLAN:
EAPOL Frame Format:
Remote Authentication Dial In User Service (RADIUS):
AAA management
Authentication - A client sends an access request to the network at the link layer. This request contains user credentials or a user certificate. The authenticator packages this in RADIUS format as an Access Request message and forwards it to a RADIUS server. The RADIUS server checks its user database for a match and then decides whether or not to authenticate the user. The messages used are Access Reject, Access Challenge (asks for more information) or Access Accept.
Authorization - The RADIUS server stipulates the terms of access for the user, i.e. what the user is permitted to do on the network.
Accounting - If user access statistics and information are required, RADIUS accounting is enabled by the Authenticator issuing an Accounting Start Request to the RADIUS server. Subsequent Interim Accounting Records may also be sent to indicate information such as the duration of the user session. Accounting is halted when an Accounting Stop Record is sent to the server.
The RADIUS protocol uses UDP ports 1812 for Authorization and 1813 for Accounting as standard. Originally these ports were 1645 for Authorization and 1646 for Accounting; they are still used today, therefore RADIUS servers listen on both sets of ports.
RADIUS datagram:
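The RADIUS datagram referred to above, as an added example that is not part of the original slides: it assembles an Access-Request the way an Authenticator (NAS) does and verifies the Response Authenticator on the server's reply, following RFC 2865. The shared secret, username, password and NAS address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

AUTH_PORT = 1812   # authentication/authorization port named in the slides
ACCT_PORT = 1813   # accounting port


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers type, length and value."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), the first 'previous block' being the Request
    Authenticator. This is obfuscation keyed by a static secret, not encryption,
    which is one reason RADIUS traffic belongs on a protected management network."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk
    return bytes(out)


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, username, password, secret, nas_ip):
    """Return (packet, request_authenticator). The Request Authenticator is a fresh
    random 16-byte value, so the same password hides differently on every request."""
    request_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(1, identifier, request_auth, attrs), request_auth


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(packet, request_auth, secret):
    """Return the reply type, or None if the reply is malformed or its Response
    Authenticator does not match the request we sent (the NAS discards such replies)."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in CODES:
        return None
    attrs = packet[20:]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return CODES[code]


def demo():
    """Genuine Access-Accept verifies; a reply with a bogus authenticator is rejected."""
    secret = b"constructed-shared-secret"
    req, req_auth = build_access_request(7, b"alice", b"s3cret", secret, "192.0.2.10")
    accept = build_packet(2, 7, response_authenticator(2, 7, b"", req_auth, secret), b"")
    forged = build_packet(2, 7, b"\x00" * 16, b"")   # constructed: right code, wrong authenticator
    return verify_response(accept, req_auth, secret), verify_response(forged, req_auth, secret)
```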
EAP Cisco Authentication Algorithm:
It is very robust, with these features:
- Mutual authentication
- User-based authentication
- Dynamic WEP keys (1 key per client, re-authentication with timeouts)
802.1X and EAP message flow
Data privacy with TKIP
It is a modified form of WEP with all its weaknesses addressed; it has 3 important features:
- Message integrity check
- Per-packet keying
- Broadcast key rotation (there is no standard for this)
Comparison of frames using
MIC with not using MIC:
Per-packet keying:
Broadcast key rotation:
- Employ a static broadcast key configured on the access point, or
- Enable broadcast key rotation for dynamic broadcast key generation.
A static broadcast key will go through the per-packet keying process. This reduces the opportunity for statistical key derivation attacks, but because the base broadcast key remains static, statistical attacks may take much longer to execute but are still possible.
LEAP Authentication process
- It is secure enough to implement in a hostile wireless environment; it is a modified version of MS-CHAP.
- It is a password-based algorithm (the MD4 hash of an MD4 hash of the password, i.e. the Windows NT key).
- This key is sent over the medium, not the password or the hash of the password, so security is enhanced.
- The Windows logon is used as the LEAP logon, using special software code in Windows.
- Re-authentication and WEP key derivation follow a similar process.
Precautions in LEAP:
- Use strong passwords
- Use MAC and LEAP authentication on different RADIUS servers
- Use RADIUS session timeouts to rotate WEP keys
- Deploy LEAP on a separate VLAN so that it won't affect the other users who require less security
EAP Authentication types:
- EAP-TLS (digital certificates)
- PEAP (password)
- EAP-SPEKE (random numbers)
- EAP-TTLS (only server-side authentication)
- EAP-SIM (through GSM; no need for NAI and password)
TLS Overview:
TLS is designed to provide a secure TCP/IP connection; it was previously known as SSL.
It has three kinds of protocols:
- Handshake protocol (negotiation)
- Record protocol (secure tunnel)
- Alert protocol (error/session termination)
TLS has 2 types of authentication schemes:
- Server-side authentication
- Client-side authentication
Both make use of PKI certificates for authentication, and EAP-TLS uses client-side certificates.
TLS Authentication process
EAP-TLS Authentication
process:
PEAP:
PEAP employs server-side PKI authentication. For client-side authentication, PEAP can use any other EAP authentication type, because PEAP first establishes a secure tunnel via server-side authentication.
It is based on server-side EAP-TLS; it addresses the manageability and scalability problems of EAP-TLS.
There is no need for digital certificates on the client side in PEAP (only authentication of the server to the client), so the protected method needs only to authenticate the client.
PEAP handshakes:
PEAP Authentication
process:
EAP-TTLS vs PEAP
TTLS and PEAP are similar in concept, but there are important differences:
- TTLS supports other EAP authentication methods and also PAP, CHAP, MS-CHAP and MS-CHAPv2, whereas PEAP can tunnel only EAP-type protocols.
- TTLS requires installation of client software, whereas PEAP comes ready to run in XP Service Pack 1 on the client device.
- TTLS is widely available and implemented, while PEAP is still new. But given PEAP's backing from Cisco, Microsoft and RSA, it's likely to emerge as the de facto authentication mechanism for 802.1x.
EAP-SPEKE:
- It uses random-looking messages exchanged between devices.
- To a third-party observer, SPEKE messages look like random numbers and they can't guess the password from them.
- There is no need for any other public/private keys other than the password.
- It uses a Zero Knowledge Password Proof (ZKPP) and mutual authentication.
Mathematics involved in EAP-SPEKE
($m$ is a large prime number; $K$ is the master key)
$B = p^{2b} \bmod m$ (AS)
$A = p^{2a} \bmod m$ (MD)
$K = B^{a} \bmod m$ (MD)
$\mathrm{Proof}_{AK} = h(\text{"A"} \,|\, A \,|\, K)$ (MD)
$K = A^{b} \bmod m$ (AS)
$\mathrm{Test}_{AK} = h(\text{"A"} \,|\, A \,|\, K)$ (AS) (MD authentication)
$\mathrm{Proof}_{BK} = h(\text{"B"} \,|\, B \,|\, K)$ (AS)
$\mathrm{Test}_{BK} = h(\text{"B"} \,|\, B \,|\, K)$ (MD) (AS authentication)
EAP-SPEKE Handshakes:
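The SPEKE arithmetic above carried through in code, as an added example that is not part of the original slides. It keeps the slides' symbols (p, m, a, b, A, B, K, Proof/Test) and assumes the labels MD and AS mean the mobile device and the authentication server; the modulus is a toy safe prime so the numbers stay readable (the slides require a large prime), and the mapping of the password to p via SHA-256 is an assumption.

```python
import hashlib
import hmac
import secrets

M = 1019                 # toy safe prime, m = 2*509 + 1 (constructed; real m is >= 1024 bits)
Q = (M - 1) // 2         # prime order of the quadratic-residue subgroup of Z_m^*


def password_base(password: bytes) -> int:
    """p: the password mapped to an integer in [2, m-2] (assumption: via SHA-256).
    The slides raise p to 2a and 2b: squaring puts the generator p^2 into the
    prime-order subgroup, so the exchanged values leak nothing usable about p."""
    digest = int.from_bytes(hashlib.sha256(password).digest(), "big")
    return 2 + digest % (M - 3)


def h(label: bytes, public: int, key: int) -> bytes:
    """h("A" | A | K): hash of a fixed label, a public value and the master key."""
    return hashlib.sha256(label + public.to_bytes(4, "big") + key.to_bytes(4, "big")).digest()


class Party:
    """One side of the exchange: the mobile device (MD, label "A") or the
    authentication server (AS, label "B")."""

    def __init__(self, label: bytes, password: bytes):
        self.label = label
        self.p = password_base(password)
        self.exp = 2 + secrets.randbelow(Q - 2)       # a (MD) or b (AS): never transmitted
        self.public = pow(self.p, 2 * self.exp, M)    # A = p^(2a) mod m or B = p^(2b) mod m
        self.K = None

    def derive(self, peer_public: int) -> None:
        # 0, 1 and m-1 would pin K to a trivial value whatever the exponent: reject them.
        if not 1 < peer_public < M - 1:
            raise ValueError("invalid SPEKE public value")
        self.K = pow(peer_public, self.exp, M)        # K = B^a mod m (MD) or A^b mod m (AS)

    def proof(self) -> bytes:
        """Proof_AK = h("A" | A | K) sent by MD, or Proof_BK = h("B" | B | K) sent by AS."""
        return h(self.label, self.public, self.K)

    def test(self, peer_label: bytes, peer_public: int, proof: bytes) -> bool:
        """Test_XK: recompute the peer's proof from our own K, compare in constant time."""
        return hmac.compare_digest(h(peer_label, peer_public, self.K), proof)


def run_speke(md_password: bytes, as_password: bytes) -> bool:
    """True only when both sides derived the same K, i.e. both knew the same password."""
    md = Party(b"A", md_password)
    srv = Party(b"B", as_password)
    A, B = md.public, srv.public             # the only values an observer sees
    md.derive(B)
    srv.derive(A)
    md_authenticated = srv.test(b"A", A, md.proof())    # AS checks Proof_AK against Test_AK
    as_authenticated = md.test(b"B", B, srv.proof())    # MD checks Proof_BK against Test_BK
    return md_authenticated and as_authenticated
```

With a mismatched password the two sides compute different K values, so each proof fails the other side's test and neither party learns anything about the other's password.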
IP security:
Why IPsec?
Need for IPsec
Initially, in the absence of IPsec, application-layer security such as SSL for HTTP and FTP was used, but it cannot be generalized.
The technology that brings secure communications to the Internet Protocol is called IP Security, commonly abbreviated IPSec (the capitalization of this abbreviation is variable, so IPsec and IPSEC are also seen; though not IpSeC or IPseC, fortunately).
It was basically targeted at IPv6, but works for both IPv4 and IPv6.
IP SEC and Application SEC:
Where to put security?
Application security:
- "really" secure (end-to-end)
- applications must be modified (ssh, sftp, https)
Network (IP)-layer security (IPSec):
- "general" security
- applications remain unchanged
- applications must rely on "lower" security
Functionality:
IPSec is not a single protocol, but rather a set of services and protocols that provide a complete security solution for an IP network.
Functionality:
- Encryption of user data for privacy.
- Authentication of the integrity of a message to ensure that it is not changed en route.
- Protection against certain types of security attacks, such as replay attacks.
- The ability for devices to negotiate the security algorithms and keys required to meet their security needs.
- Two security modes: Tunnel and Transport.
IP-SEC Standards:
Framework For IPSEC:
Before two devices can exchange protected traffic:
1. They must agree on a set of security protocols to use, so that each one sends data in a format the other can understand.
2. They must decide on a specific encryption algorithm to use in encoding data.
3. They must exchange keys that are used to "unlock" data that has been cryptographically encoded.
4. Once this background work is completed, each device must use the protocols, methods and keys previously agreed upon to encode data and send it across the network.
Architecture of IP SEC:
- AH: data origin authentication, data integrity and protection against replay attacks
- ESP: encrypts data
- Supported Encryption/Hashing Algorithms: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).
- Security Policies and Associations, and Management Methods: security policies and security associations, and ways to exchange security association information.
- Key Exchange Framework and Mechanism: to exchange security association information. Internet Key Exchange (IKE) provides these capabilities.
IPSec Implementation Methods:
The IPSec implementation methods defined in RFC 2401 depend on the IP version (4/6), the application…
End Host Implementation
- End-to-end security
- Deployment issues
Router Implementation
- Secures only the outside network
- Ease of installation
IPSec Architectures:
Integrated Architecture
- Integrated directly into IP
- Preferable for IPv6 but not for IPv4
"Bump In The Stack" (BITS) Architecture
- Extra layer after IP
- Suitable for IPv4
"Bump In The Wire" (BITW) Architecture
- Adding a separate IPsec device for all the traffic
- Complexity and cost
BITS architecture:
(BITW) Architecture:
IP Sec Modes:
Transport and Tunnel Modes
The choice of mode does not affect the method by which each protocol generates its header, but rather changes which specific parts of the IP datagram are protected and how the headers are arranged to accomplish this.
In essence, the mode describes, rather than prescribes, how AH or ESP do their thing.
It is used as the basis for defining other constructs, such as security associations (SAs).
Transport Mode:
Tunnel Mode:
Simple Overview:
- Parameters for encryption and the AH field are agreed upon in the SA.
- The ESP field indicates the identity of the SA and carries additional information for decoding the payload.
- The AH field is created using the payload (and ESP, if present).
Terminology in IP sec:
Security Policies
- How to treat an incoming packet
- Security Policy Database (SPD)
Security Associations
- A secure connection between one device and another
- Security Association Database (SAD)
- Unidirectional
Selectors
- Help to choose an SA based on certain rules
Selector fields:
Five basic types:
Destination IP address (different from the destination IP address of the SA identifier tuple)
- Single (unicast, anycast, broadcast, multicast), range, address+mask, wildcard
- Obtained from the inner IP header for a tunnel mode SA
Source IP address (separate for inbound & outbound)
- Single (unicast, anycast, broadcast, multicast), range, address+mask, wildcard
Name
- User id (fully qualified user name, X.500 distinguished name)
- System name (fully qualified DNS name, X.500 distinguished or general name)
Transport layer protocol
- IPv4: 'Protocol' field; IPv6: 'Next Header' field
- These fields may not contain the transport protocol due to the presence of a routing header, AH, ESP, fragmentation header, destination option etc.
Source and Destination ports
- If the packet is fragmented, discard it
Security associations:
Security associations don't actually have names, however. They are instead defined by a set of three parameters, called a triple:
Security Parameter Index (SPI):
- A 32-bit number that is chosen to uniquely identify a particular SA for any connected device
IP Destination Address:
- The address of the device for whom the SA is established.
Security Protocol Identifier:
- Specifies whether this association is for AH or ESP. If both are in use with this device they have separate SAs.
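An added example, not from the original slides, that models the SPD and SAD lookups described in the Terminology and Selector fields slides together with the SA triple defined here. It assumes transport mode (the SA destination is the packet destination), an ordered first-match SPD, and constructed addresses, SPIs and keys.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"   # wildcard selector value


def addr_matches(selector: str, addr: str) -> bool:
    """Selector forms from the slides: single address, 'lo-hi' range, address/mask, wildcard."""
    ip = ipaddress.ip_address(addr)
    if selector == ANY:
        return True
    if "-" in selector:
        lo, hi = (ipaddress.ip_address(s) for s in selector.split("-"))
        return lo <= ip <= hi
    if "/" in selector:
        return ip in ipaddress.ip_network(selector, strict=False)
    return ip == ipaddress.ip_address(selector)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int              # IPv4 'Protocol' / IPv6 'Next Header'
    dport: int = 0
    fragment: bool = False     # non-initial fragment: the ports are not visible


@dataclass
class Policy:
    src: str
    dst: str
    protocol: object = ANY
    dport: object = ANY
    action: str = "protect"    # 'discard', 'bypass' or 'protect'
    sa_protocol: str = "ESP"   # AH or ESP when the action is 'protect'

    def matches(self, pkt: Packet):
        """True/False for a decision; None applies the slides' rule that a port
        selector cannot be evaluated on a fragment, so the packet is discarded."""
        if not (addr_matches(self.src, pkt.src) and addr_matches(self.dst, pkt.dst)):
            return False
        if self.protocol != ANY and self.protocol != pkt.protocol:
            return False
        if self.dport != ANY:
            if pkt.fragment:
                return None
            if self.dport != pkt.dport:
                return False
        return True


@dataclass
class SA:
    spi: int
    dst: str
    protocol: str              # "AH" or "ESP"
    key: bytes

    @property
    def triple(self):
        """The SA identifier from the slide above: (SPI, destination, protocol)."""
        return (self.spi, self.dst, self.protocol)


class IPsecTables:
    def __init__(self):
        self.spd = []          # ordered Policy entries
        self.sad = {}          # triple -> SA; each SA is unidirectional

    def add_sa(self, sa: SA):
        if sa.triple in self.sad:
            raise ValueError("SPI must be unique for a given destination and protocol")
        self.sad[sa.triple] = sa

    def outbound(self, pkt: Packet):
        """Consult the SPD first; if the policy says protect, select an SA to that destination."""
        for pol in self.spd:
            verdict = pol.matches(pkt)
            if verdict is None:
                return ("discard", None)
            if verdict:
                if pol.action != "protect":
                    return (pol.action, None)
                for sa in self.sad.values():
                    if sa.protocol == pol.sa_protocol and sa.dst == pkt.dst:
                        return ("protect", sa)
                return ("discard", None)   # policy requires an SA that has not been set up
        return ("discard", None)           # no matching policy: default deny

    def inbound(self, spi: int, dst: str, protocol: str):
        """Inbound packets are matched by the triple carried in the AH/ESP header."""
        return self.sad.get((spi, dst, protocol))


def demo():
    """Constructed tables: HTTPS bypasses, other 10/8 -> 192.0.2/24 traffic is ESP-protected."""
    t = IPsecTables()
    t.spd.append(Policy("10.0.0.0/8", "192.0.2.0/24", protocol=6, dport=443, action="bypass"))
    t.spd.append(Policy("10.0.0.0/8", "192.0.2.0/24", action="protect", sa_protocol="ESP"))
    t.add_sa(SA(0x1001, "192.0.2.7", "ESP", b"constructed-key"))
    https = t.outbound(Packet("10.1.2.3", "192.0.2.7", 6, 443))
    dns = t.outbound(Packet("10.1.2.3", "192.0.2.7", 17, 53))
    frag = t.outbound(Packet("10.1.2.3", "192.0.2.7", 6, fragment=True))
    other = t.outbound(Packet("172.16.0.1", "192.0.2.7", 6, 80))
    return https[0], dns[0], dns[1].spi, frag[0], other[0]
```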
IPSec Authentication Header (AH):
- Similar to a CRC, but uses a keyed hashing algorithm.
- On the source device, AH performs the computation and puts the result (called the Integrity Check Value or ICV) into a special header with other fields for transmission.
- The ICV calculation does not change the original data.
- AH provides authentication but not privacy (that's what ESP is for).
IPV4 and IPv6:
IPV6 extension headers and
Order in packet:
AH Datagram Placement and
Linking (IPV6):
AH Datagram Placement and
Linking (IPV4):
AH Format:
The size of the Authentication Data field is variable to support different datagram lengths and hashing algorithms.
Its total length must be a multiple of 32 bits. Also, the entire header must be a multiple of either 32 bits (for IPv4) or 64 bits (for IPv6).
Padding is used to reach that length, and no IP addresses appear in the header.
AH Fields:
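The AH header described above, as an added example that is not part of the original slides: it builds and parses the header with the alignment rules from the AH Format slide (field layout per RFC 4302) and includes the sliding anti-replay window through which AH delivers the replay protection listed under Functionality. The SPIs, sequence numbers and ICV bytes are constructed sample values.

```python
import struct

AH_FIXED_LEN = 12   # Next Header (1), Payload Len (1), Reserved (2), SPI (4), Sequence Number (4)


def build_ah(next_header, spi, seq, icv, ipv6=False):
    """Assemble an AH header. The Authentication Data (ICV) is padded so the whole
    header is a multiple of 32 bits for IPv4 or 64 bits for IPv6."""
    align = 8 if ipv6 else 4
    icv = icv + b"\x00" * (-(AH_FIXED_LEN + len(icv)) % align)
    total = AH_FIXED_LEN + len(icv)
    payload_len = total // 4 - 2        # AH length in 32-bit words, minus 2 (RFC 4302)
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data, ipv6=False):
    """Parse one AH header; returns (fields, bytes_after_header) or raises ValueError."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    align = 8 if ipv6 else 4
    if total % align:
        raise ValueError("AH length %d is not a multiple of %d bytes" % (total, align))
    if len(data) < total:
        raise ValueError("packet shorter than Payload Len claims")
    if spi == 0:
        raise ValueError("SPI 0 is reserved and never identifies an SA on the wire")
    fields = {"next_header": next_header, "spi": spi, "seq": seq,
              "icv": data[AH_FIXED_LEN:total]}
    return fields, data[total:]


class ReplayWindow:
    """Sliding window over received sequence numbers (RFC 4302 section 3.4.3 style).
    Bit i of the bitmap means 'sequence number top - i has already been accepted'."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq):
        """True if seq is new and inside the window; False for a replay or a stale
        number. Update only after the ICV has verified, or an attacker could
        advance the window with forged packets."""
        if seq == 0:
            return False
        if seq > self.top:                       # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # fell off the left edge of the window
            return False
        if (self.bitmap >> offset) & 1:          # already accepted: replay
            return False
        self.bitmap |= 1 << offset
        return True
```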
IPSec Encapsulating Security Payload (ESP)
Encapsulating Security Payload Fields:
ESP Header: This contains two fields, the SPI and Sequence Number, and comes before the encrypted data.
ESP Trailer:
- Placed after the encrypted data.
- Padding that is used to align the encrypted data, through a Padding and a Pad Length field.
- Interestingly, it also contains the Next Header field for ESP.
ESP Authentication Data: This field contains an Integrity Check Value (ICV), computed in a manner similar to how the AH protocol works, for when ESP's optional authentication feature is used.
Some encryption algorithms require the data to be encrypted to have a certain block size, and so padding must appear after the data; hence it appears in the ESP Trailer.
The ESP Authentication Data is used to authenticate the rest of the datagram after encryption. This means it cannot appear in the ESP Header or ESP Trailer.
Header Calculation and
Placement(IPV6):
Header Calculation and
Placement(IPV4):
Trailer Calculation:
The ESP trailer is added, then encryption is carried out from the ESP header (excluding it) to the ESP trailer (including it).
ESP Authentication Field Calculation and Placement: If the optional ESP authentication feature is used, the authentication field is computed over the entire ESP datagram (except the Authentication Data field itself, of course). This includes the ESP header, payload and trailer.
Padding is also used to make sure that the ESP Trailer ends on a 32-bit boundary. That is, the size of the ESP Header plus Payload plus ESP Trailer must be a multiple of 32 bits.
The ESP Authentication Data must also be a multiple of 32 bits.
ESP Format:
ESP fields:
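The ESP framing from the field and trailer slides above, as an added example that is not part of the original slides. It uses NULL encryption (RFC 2410) so the trailer stays visible; a real SA would encrypt payload plus trailer with the negotiated cipher at the point marked in the code. The ICV is HMAC-SHA1-96, and the key, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

ESP_HEADER_LEN = 8   # SPI (4) + Sequence Number (4)
ICV_LEN = 12         # HMAC-SHA1-96: the ICV truncated to 96 bits, itself a multiple of 32 bits


def esp_pad_len(payload_len, block_size):
    """Pad bytes needed so Payload + Padding + Pad Length + Next Header fills whole
    cipher blocks, and is never less than 32-bit aligned, as the slides require."""
    block = max(block_size, 4)
    return (-(payload_len + 2)) % block


def compute_icv(auth_key, data):
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi, seq, next_header, payload, auth_key, block_size=8):
    """ESP Header | Payload | Padding | Pad Length | Next Header | ICV."""
    pad_len = esp_pad_len(len(payload), block_size)
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default pad pattern 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    # With a real cipher, payload + trailer would be encrypted here (header stays in clear).
    body = struct.pack("!II", spi, seq) + payload + trailer
    # The ICV covers header, payload and trailer and is appended after them, which is
    # why it cannot be carried inside the header or the trailer.
    return body + compute_icv(auth_key, body)


def parse_esp(packet, auth_key):
    """Verify the ICV first, then strip the trailer; raises ValueError on any failure."""
    if len(packet) < ESP_HEADER_LEN + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(auth_key, body), tag):
        raise ValueError("ESP ICV mismatch")        # stop before trusting any trailer byte
    if len(body) % 4:
        raise ValueError("ESP header + payload + trailer is not 32-bit aligned")
    spi, seq = struct.unpack("!II", body[:ESP_HEADER_LEN])
    pad_len, next_header = body[-2], body[-1]      # trailer: Pad Length, Next Header
    inner = body[ESP_HEADER_LEN:-2]
    if pad_len > len(inner):
        raise ValueError("Pad Length exceeds the payload")
    payload, padding = inner[:len(inner) - pad_len], inner[len(inner) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("unexpected padding pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}
```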
IPSec Key Exchange (IKE)
"shared secret". Anyone who isn't "in" on the secret is able to intercept the information but is prevented either from reading it (if ESP is used to encrypt the payload) or from tampering with it undetected (if AH is used).
The primary support protocol used for this purpose in IPSec is called Internet Key Exchange (IKE) (RFC 2049).
IKE works by allowing IPSec-capable devices to exchange security associations (SAs), to populate their security association databases (SADs). These are then used for the actual exchange of secured datagrams with the AH and ESP protocols.
ISAKMP:
Internet Security Association and Key Management Protocol
Framework for IKE
In IKE, the ISAKMP framework is used as the basis for a specific key exchange method that combines features from two key exchange protocols:
- OAKLEY: Describes a specific mechanism for exchanging keys through the definition of various key exchange "modes". Most of the IKE key exchange process is based on OAKLEY.
- SKEME: Describes a different key exchange mechanism than OAKLEY. IKE uses some features from SKEME, including its method of public key encryption and its fast re-keying feature.
ISAKMP Phase negotiations:
ISAKMP Phase 1: The first phase is a "setup" stage where two devices agree on how to exchange further information securely. This negotiation between the two units creates a security association for ISAKMP itself, an ISAKMP SA. This security association is then used for securely exchanging more detailed information in Phase 2.
ISAKMP Phase 2: In this phase the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters for the "real" SAs for the AH and ESP protocols would be negotiated.
Phase-1 Negotiations:
- An encryption algorithm to be used, such as the Data Encryption Standard (DES).
- A hash algorithm (MD5 or SHA, as used by AH or ESP).
- An authentication method, such as authentication using previously shared keys.
- A Diffie-Hellman group: In this method, instead of encrypting and decrypting with the same key, data is encrypted using a public key knowable to anyone, and decrypted using a private key that is kept secret.
Note that even though security associations in general are unidirectional, the ISAKMP SA is established bi-directionally. Once Phase 1 is complete, then, either device can set up a subsequent SA for AH or ESP using it.
Diffie-Hellman Algorithm:
Peer P and Peer Q have been given the same publicly viewable numbers $m$ and $n$.
Peer P picks a very large secret random number $x$ and calculates $m^{x} \bmod n$ to give $P$.
Peer Q picks a very large secret random number $y$ and calculates $m^{y} \bmod n$ to give $Q$.
Peer P and Peer Q exchange $P$ and $Q$ publicly, so anyone can see these numbers. The numbers $x$ and $y$ remain known only to the relevant peer and they are not transmitted.
Peer P then performs the calculation $Q^{x} \bmod n$ to give the value $K$.
Peer Q then performs the calculation $P^{y} \bmod n$ to give the value $L$.
$K = Q^{x} \bmod n = m^{xy} \bmod n = P^{y} \bmod n = L$, so $K$ and $L$ are equal; therefore Peers P and Q have negotiated a shared secret that has not been transmitted.
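The exchange above in code, as an added example that is not part of the original slides. It keeps the slides' symbols (m, n, x, y, P, Q, K, L) and adds the public-value check an IKE implementation applies before using a peer's value; the prime n and generator m are a constructed toy pair so the numbers stay readable (IKE groups are hundreds of digits long).

```python
import secrets

N = 1019             # toy safe prime, n = 2*509 + 1 (constructed; not a real IKE group)
M = 4                # generator m of the prime-order subgroup (4 = 2^2 is a quadratic residue)


def validate_public(value, n=N):
    """Reject public values that would force the shared secret into a trivial set
    (0, 1, n-1) or that lie outside the prime-order subgroup of a safe prime; this is
    the small-subgroup check an IKE peer performs on the value it receives."""
    if not 1 < value < n - 1:
        return False
    return pow(value, (n - 1) // 2, n) == 1


class Peer:
    def __init__(self, m=M, n=N):
        self.m, self.n = m, n
        self.secret = 2 + secrets.randbelow((n - 1) // 2 - 2)   # x or y: never transmitted
        self.public = pow(m, self.secret, n)                     # P = m^x mod n or Q = m^y mod n

    def shared(self, peer_public):
        """K = Q^x mod n on P's side, L = P^y mod n on Q's side."""
        if not validate_public(peer_public, self.n):
            raise ValueError("rejected Diffie-Hellman public value")
        return pow(peer_public, self.secret, self.n)


def dh_exchange():
    """One exchange; returns (K, L), which agree because both equal m^(xy) mod n."""
    peer_p, peer_q = Peer(), Peer()
    P, Q = peer_p.public, peer_q.public     # the only values visible on the wire
    K = peer_p.shared(Q)
    L = peer_q.shared(P)
    return K, L
```

The agreed value is only as trustworthy as the authentication method negotiated alongside the group in Phase 1, since nothing in the exchange itself tells P that Q is who it claims to be.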
The things that one most wants to do are the things that are probably most worth doing.
Winifred Holtby, O Magazine, September 2002

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

WLAN and IP security

  • 1. WLAN and IP security By Chaitanya T K E-mail: tkchaitanya@tataelxsi.co.in
  • 2. Objectives: why security is very important in WLAN; the 802.1X framework; the RADIUS server; the different security methods in WLAN; why IPsec; understanding IPsec.
  • 3. "There is nobody so irritating a" - Don Herold
  • 4. Wireless security: there are three major elements in wireless security: an authentication framework (e.g. 802.1X), an authentication algorithm (e.g. an EAP method) and a data encryption algorithm (e.g. TKIP).
  • 5. 802.1X: Port-Based Network Access Control. Three roles take part:
    - Supplicant: software on the client device (a laptop or PDA) that handles authentication from the client's point of view; its port-side entity is a Port Access Entity (PAE). The authenticator side has a PAE of its own, 802.1X uses the term for both ends.
    - Authenticator: the edge network device (an access switch, router or Wi-Fi access point). It relays EAP between the supplicant, where EAP travels in EAPOL frames, and the authentication server, where the authenticator encapsulates the EAP frames within RADIUS.
    - Authentication server: a RADIUS server with EAP capability.
    (Figure: EAPOL frame format.)
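The EAPOL framing the figure refers to is small enough to build and parse by hand, which is the quickest way to see why the authenticator can forward EAP without understanding the method inside it. The following is an added example, not code from the slides or their author: it encodes an EAPOL-Start, an EAP Request/Identity and a Response/Identity over Ethernet (EtherType 0x888E, PAE group address 01:80:C2:00:00:03, both from IEEE 802.1X), parses them back with the length checks an authenticator must do, and rejects a truncated frame. The MAC addresses and the identity string are constructed sample data.

```python
"""Encode and parse 802.1X EAPOL frames and the EAP packets they carry (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
SUPPLICANT_MAC = bytes.fromhex("66778899aabb")   # constructed sample addresses
AUTHENTICATOR_MAC = bytes.fromhex("001122334455")

# EAPOL packet types (802.1X) and EAP codes / method types (RFC 3748 and IANA registry)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type byte
    data: bytes


@dataclass
class EapolFrame:
    version: int
    eapol_type: int
    eap: Optional[EapPacket]  # only EAP-Packet frames carry an EAP packet


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header is Code(1) Identifier(1) Length(2); Length covers the whole EAP packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(eapol_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """EAPOL header is Version(1) Type(1) Length(2), followed by the body (empty for Start/Logoff)."""
    return struct.pack("!BBH", version, eapol_type, len(body)) + body


def build_frame(src_mac: bytes, eapol: bytes, dst_mac: bytes = PAE_GROUP_ADDR) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eap(buf: bytes) -> EapPacket:
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length field inconsistent with the frame")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, None, b"")
    if length < 5:
        raise ValueError("EAP Request/Response must carry a Type byte")
    return EapPacket(code, ident, buf[4], buf[5:length])


def parse_frame(frame: bytes) -> EapolFrame:
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (EtherType {ethertype:#06x})")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {eapol_type}")
    body = frame[18:18 + length]
    if len(body) != length:              # bytes beyond Length (Ethernet padding) are ignored
        raise ValueError("EAPOL Length field exceeds the available bytes")
    eap = parse_eap(body) if eapol_type == EAPOL_EAP_PACKET else None
    return EapolFrame(version, eapol_type, eap)


def is_malformed(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return False
    except ValueError:
        return True


def identity_exchange(supplicant_mac: bytes, identity: str) -> str:
    """Constructed exchange: EAPOL-Start, Request/Identity, Response/Identity; returns the identity the authenticator reads."""
    start = parse_frame(build_frame(supplicant_mac, build_eapol(EAPOL_START)))
    if start.eap is not None:
        raise ValueError("EAPOL-Start carries no EAP packet")
    request = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    req = parse_frame(build_frame(AUTHENTICATOR_MAC, request)).eap
    response = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, req.identifier, EAP_TYPE_IDENTITY, identity.encode()))
    resp = parse_frame(build_frame(supplicant_mac, response)).eap
    return resp.data.decode()
```

Note the two independent length fields: the EAPOL Length and the EAP Length. Both are checked against the bytes actually present, and the EAP Type byte is only required for Request/Response, because Success and Failure are exactly four bytes long. The identity in the Response/Identity travels in the clear; the tunnelled methods later in these slides (PEAP, EAP-TTLS) exist partly so that the real identity can be sent inside TLS.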
  • 10. Remote Authentication Dial In User Service (RADIUS): AAA management.
    - Authentication: a client sends an access request to the network at the link layer, carrying user credentials or a user certificate. The authenticator packages this in RADIUS format as an Access-Request message and forwards it to a RADIUS server. The server checks its user database for a match and decides whether or not to authenticate the user. Its reply is one of Access-Reject, Access-Challenge (asks for more information) or Access-Accept.
    - Authorization: the RADIUS server stipulates the terms of access for the user, i.e. what the user is permitted to do on the network.
  • 11. Accounting: if user access statistics are required, RADIUS accounting is enabled by the authenticator issuing an Accounting Start request to the RADIUS server. Subsequent Interim accounting records may be sent to report, for example, the duration of the session so far, and accounting stops when an Accounting Stop record is sent to the server. RADIUS uses UDP port 1812 for authentication/authorization and 1813 for accounting as standard. The original ports were 1645 and 1646 and are still in use, so RADIUS servers listen on both sets.
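What protects the Access-Request and the Access-Accept on the wire is not shown on the slide, so here is the exchange carried out in code. This is an added example, not part of the original presentation: it builds an Access-Request with the User-Password hidden as RFC 2865 prescribes (MD5 of the shared secret and the Request Authenticator, XORed block by block) and a Message-Authenticator attribute (RFC 3579, HMAC-MD5 over the packet), lets a minimal server verify both and answer, and lets the NAS check the Response Authenticator before trusting the answer. The shared secret, user database and the fixed Request Authenticator used in the test are constructed; a real NAS must draw the Request Authenticator from a CSPRNG for every request.

```python
"""RADIUS Access-Request / Access-Accept exchange with the RFC 2865 authenticators (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579: HMAC-MD5 over the packet; mandatory when EAP-Message is carried
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def encode_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(buf: bytes) -> List[Tuple[int, bytes]]:
    attrs = []
    while buf:
        if len(buf) < 2 or buf[1] < 2 or buf[1] > len(buf):
            raise ValueError("malformed attribute")
        attrs.append((buf[0], buf[2:buf[1]]))
        buf = buf[buf[1]:]
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         request_auth: Optional[bytes] = None) -> bytes:
    """NAS side. request_auth is a parameter only so that the example is repeatable; use os.urandom in production."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]   # placed last and zeroed while the HMAC is computed
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    pkt = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs_bytes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), RFC 2865 section 3."""
    header = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(pkt: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """RADIUS server side: check integrity, check the credentials, answer Access-Accept or Access-Reject."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet truncated")
    code, ident, length = HEADER.unpack(pkt[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(pkt):
        raise ValueError("not a well-formed Access-Request")
    pkt = pkt[:length]                        # octets beyond Length are padding and are ignored
    request_auth, attrs = pkt[4:20], decode_attrs(pkt[20:])
    by_type = dict(attrs)
    integrity_ok = True
    if ATTR_MESSAGE_AUTHENTICATOR in by_type:  # verified over the packet with the attribute value zeroed
        zeroed = b"".join(encode_attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
        expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
        integrity_ok = hmac.compare_digest(expected, by_type[ATTR_MESSAGE_AUTHENTICATOR])
    accept = False
    if integrity_ok and ATTR_USER_NAME in by_type and ATTR_USER_PASSWORD in by_type:
        user = by_type[ATTR_USER_NAME].decode(errors="replace")
        given = reveal_password(by_type[ATTR_USER_PASSWORD], secret, request_auth)
        accept = user in users and hmac.compare_digest(given, users[user].encode())
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    reply_attrs = b""                         # a real server adds Reply-Message, VLAN or key material here
    header = HEADER.pack(code, ident, 20 + len(reply_attrs))
    return header + response_authenticator(code, ident, request_auth, reply_attrs, secret) + reply_attrs


def client_check_reply(reply: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """NAS side: the reply code, or None when the Response Authenticator fails (forged or corrupted reply)."""
    if len(reply) < 20:
        return None
    code, ident, length = HEADER.unpack(reply[:4])
    if length < 20 or length > len(reply):
        return None
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None
```

The Response Authenticator is what stops an attacker on the path between NAS and server from turning a Reject into an Accept: changing the Code changes the MD5 input, and the attacker lacks the shared secret. The Message-Authenticator plays the same role for the request. Both rest on MD5 and on the strength of the shared secret, which is why a RADIUS deployment today should carry this traffic over RADIUS/TLS (RadSec) or at least an IPsec tunnel rather than plain UDP.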
  • 13. EAP Cisco authentication algorithm (LEAP): the slides describe it as very robust, with these features: mutual authentication; user-based authentication; dynamic WEP keys (one key per client, with re-authentication on timeouts).
  • 14. 802.1X and EAP message flow
  • 15. Data privacy with TKIP: a modified form of WEP, designed to run on the same RC4 hardware, that addresses WEP's known weaknesses. It has three important features: a message integrity check (MIC); per-packet keying; broadcast key rotation (not part of the original WEP standard).
  • 16. Comparison of frames using MIC with not using MIC:
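The MIC that the comparison refers to is Michael, the 64-bit keyed check defined for TKIP in IEEE 802.11i. Below is an added implementation of it, not code from the slides or their author, computed the way TKIP does over DA || SA || priority || three zero bytes || MSDU so that a forged address is detected as well as a forged payload. The zero-key/empty-message test vector comes from the 802.11i specification; the MAC addresses and MSDU bytes are constructed sample data.

```python
"""Michael: the TKIP message integrity check from IEEE 802.11i (added example)."""
import hmac
import struct

M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & M32


def _xswap(x: int) -> int:
    """Swap the two bytes within each 16-bit half of the word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l: int, r: int, m: int):
    """Mix one 32-bit message word into the (l, r) state: the Michael block function."""
    l ^= m
    r ^= _rotl(l, 17)
    l = (l + r) & M32
    r ^= _xswap(l)
    l = (l + r) & M32
    r ^= _rotl(l, 3)
    l = (l + r) & M32
    r ^= _rotr(l, 2)
    l = (l + r) & M32
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """8-byte MIC over message under an 8-byte key; words are little-endian as in 802.11i."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    padded = message + b"\x5a" + b"\x00" * 4     # terminator 0x5a, then 4 to 7 zero bytes ...
    padded += b"\x00" * (-len(padded) % 4)       # ... chosen so the total is a multiple of 4
    for offset in range(0, len(padded), 4):
        (m,) = struct.unpack_from("<I", padded, offset)
        l, r = _michael_block(l, r, m)
    return struct.pack("<II", l, r)


def tkip_mic(key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP computes Michael over DA || SA || priority || 3 zero bytes || MSDU, so address spoofing is caught too."""
    if len(da) != 6 or len(sa) != 6:
        raise ValueError("DA and SA must be 48-bit MAC addresses")
    return michael(key, da + sa + bytes([priority & 0x0F, 0, 0, 0]) + msdu)


def verify_tkip_mic(key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(tkip_mic(key, da, sa, priority, msdu), mic)
```

Michael was built to be cheap enough for the legacy hardware WEP ran on, and it is not a strong MAC: 802.11i pairs it with countermeasures (on two MIC failures within sixty seconds the station stops and re-keys) precisely because the check alone can be attacked. The example therefore shows what the MIC does detect, a flipped payload byte, a forged source address or a changed priority, not that it makes TKIP safe to keep deploying.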
  • 18. Broadcast key rotation: either employ a static broadcast key configured on the access point, or enable broadcast key rotation for dynamic broadcast key generation. With per-packet keying a static broadcast key also goes through the per-packet keying process, which reduces the opportunity for statistical key-derivation attacks; but because the base broadcast key remains static, such attacks take much longer to execute yet are still possible.
  • 19. LEAP authentication process: the slides present it as secure enough for a hostile wireless environment. It is a modified version of MS-CHAP, a password-based algorithm: the key is the MD4 hash of the MD4 hash of the password (the Windows NT key). Only the challenge/response values derived from this key cross the medium, not the password or its hash, which is what the enhanced security rests on. The Windows logon is used as the LEAP logon through a special software component in Windows. Re-authentication and WEP key derivation follow a similar process. (Caveat: LEAP's MS-CHAP exchange was later shown to be open to offline dictionary attacks on captured challenge/response pairs, which is why the password precautions on the next slide matter; EAP-FAST or a TLS-based method is the usual replacement.)
  • 20. Precautions in LEAP: use strong passwords; use MAC and LEAP authentication on different RADIUS servers; use RADIUS session timeouts to rotate WEP keys; deploy LEAP on a separate VLAN so that it won't affect other users who require less security.
  • 21. EAP authentication types: EAP-TLS (digital certificates on both sides); PEAP (password inside a TLS tunnel); EAP-SPEKE (password-authenticated exchange of random-looking numbers); EAP-TTLS (only the server is authenticated with a certificate; the client authenticates inside the tunnel); EAP-SIM (authenticates with GSM SIM credentials instead of a password).
  • 22. TLS overview: TLS is designed to provide a secure connection over TCP/IP; it was previously known as SSL. It has three kinds of protocols: the Handshake protocol (negotiation), the Record protocol (the secure tunnel) and the Alert protocol (errors and session termination).
  • 23. TLS has two authentication schemes: server-side authentication and client-side authentication. Both use PKI certificates, and EAP-TLS uses client-side certificates.
  • 26. PEAP: PEAP employs server-side PKI authentication. For client-side authentication PEAP can use any other EAP type, because PEAP first establishes a secure tunnel via server-side authentication. It is based on server-side EAP-TLS and addresses the manageability and scalability problems of EAP-TLS: no digital certificates are needed on the client side (only the server authenticates to the client), so the protected inner method only has to authenticate the client.
  • 29. EAP-TTLS vs PEAP: "TTLS and PEAP are similar in concept, but there are important differences: TTLS supports other EAP authentication methods and also PAP, CHAP, MS-CHAP and MS-CHAPv2, whereas PEAP can tunnel only EAP-type protocols. TTLS requires installation of client software, whereas PEAP comes ready to run in XP Service Pack 1 on the client device. TTLS is widely available and implemented, while PEAP is still new. But given PEAP's backing from Cisco, Microsoft and RSA, it's likely to emerge as the de facto authentication mechanism for 802.1x."
  • 30. EAP-SPEKE: the devices exchange random-looking messages. To a third-party observer SPEKE messages look like random numbers, and the password cannot be guessed from them. No public/private keys are needed other than the password.  It uses a zero-knowledge password proof (ZKPP) and provides mutual authentication.
  • 31. Mathematics involved in EAP-SPEKE (MD = mobile device, AS = authentication server; $m$ is a large prime, $p$ is derived from the password, $K$ is the master key, $h$ is a hash function):
    - MD: $A = p^{2a} \bmod m$; AS: $B = p^{2b} \bmod m$
    - MD: $K = B^{a} \bmod m$; AS: $K = A^{b} \bmod m$
    - MD: $\mathit{ProofAK} = h(\text{"A"} \mid A \mid K)$; AS: $\mathit{TestAK} = h(\text{"A"} \mid A \mid K)$ (MD authentication)
    - AS: $\mathit{ProofBK} = h(\text{"B"} \mid B \mid K)$; MD: $\mathit{TestBK} = h(\text{"B"} \mid B \mid K)$ (AS authentication)
  • 34. Why IPsec? Before IPsec, security was added at the application layer, e.g. SSL for HTTP and FTP, but that approach cannot be generalised to every application. The technology that brings secure communications to the Internet Protocol is IP Security, commonly abbreviated IPsec (capitalisation varies; IPSec and IPSEC are also seen). It was originally targeted at IPv6 but works for both IPv4 and IPv6.
  • 35. IPsec and application security: where to put security? Application-layer security (ssh, sftp, https) is "really" secure, end-to-end, but every application must be modified. Network (IP)-layer security (IPsec) is "general" security: applications remain unchanged, but they must rely on the "lower" layer's security.
  • 36. Functionality: IPsec is not a single protocol but a set of services and protocols that together provide a security solution for an IP network: encryption of user data for privacy; authentication of message integrity, to ensure that a message is not changed en route; protection against certain types of attack, such as replay attacks.
  • 37. Also the ability for devices to negotiate the security algorithms and keys required to meet their security needs. Two security modes: tunnel and transport.
  • 39. Framework for IPsec, what two devices must do before exchanging protected data:
    1. Agree on a set of security protocols to use, so that each one sends data in a format the other can understand.
    2. Decide on a specific encryption algorithm to use in encoding data.
    3. Exchange the keys that are used to "unlock" data that has been cryptographically encoded.
    4. Once this background work is completed, each device uses the agreed protocols, methods and keys to encode data and send it across the network.
  • 40. Architecture of IPsec: AH provides origin authentication, data integrity and protection against replay attacks; ESP encrypts the data (and can optionally authenticate it as well).
  • 41. Supported encryption/hashing algorithms: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1), used as keyed hashes (HMAC) for integrity (today HMAC-SHA-256 or an AEAD such as AES-GCM is the usual choice). Security policies and associations, and management methods: IPsec defines security policies and security associations and provides ways to exchange security association information. Key exchange framework and mechanism: the Internet Key Exchange (IKE) provides the means to exchange security association information.
  • 42. IPsec implementation methods (RFC 2401): the choice depends on the IP version (4/6), the application and so on. End-host implementation: end-to-end security, but deployment issues, since every host must be changed. Router implementation: secures only traffic leaving the network (between gateways), but is easy to install.
  • 43. IPsec architectures: the integrated architecture builds IPsec directly into IP, preferable for IPv6 but hard to retrofit for IPv4. "Bump in the stack" (BITS): an extra layer inserted between IP and the link driver, suitable for IPv4. "Bump in the wire" (BITW): a separate IPsec device that handles all traffic; adds complexity and cost.
  • 46. IPsec modes: transport and tunnel. The choice of mode does not affect how AH or ESP generate their headers; it changes which parts of the IP datagram are protected and how the headers are arranged to accomplish this. In essence the mode describes, rather than prescribes, what AH or ESP protect. The mode is also one of the parameters used to define other constructs, such as security associations (SAs).
  • 49. Simple overview: the parameters for encryption and for the AH field are agreed upon in the SA. The ESP header identifies the SA (by its SPI) and carries the additional information needed to decode the payload. The AH field is computed over the payload (including ESP, if present).
  • 50. Terminology in IPsec: Security policies: how to treat an incoming or outgoing packet; held in the Security Policy Database (SPD). Security associations: a secure connection between one device and another; held in the Security Association Database (SAD); unidirectional. Selectors: the fields used to choose an SA for a packet according to the policy rules.
  • 51. Selector fields, five basic types:
    - Destination IP address (distinct from the destination address in the SA identifier tuple): single (unicast, anycast, broadcast, multicast), range, address+mask or wildcard; taken from the inner IP header for a tunnel-mode SA.
    - Source IP address (separate for inbound and outbound): single (unicast, anycast, broadcast, multicast), range, address+mask or wildcard.
    - Name: user ID (fully qualified user name, X.500 distinguished name) or system name (fully qualified DNS name, X.500 distinguished or general name).
  • 52.
    - Transport-layer protocol: the IPv4 'Protocol' field or the IPv6 'Next Header' field. These fields may not name the transport protocol directly, because a routing header, AH, ESP, fragmentation header, destination options etc. may sit in between.
    - Source and destination ports: if the packet is a fragment the ports are not visible, so such a packet is discarded.
  • 53. Security associations: SAs don't actually have names; they are identified by a set of three parameters, a triple: the Security Parameter Index (SPI), a 32-bit number chosen to uniquely identify a particular SA for any connected device; the IP destination address, the address of the device for which the SA is established; and the security protocol identifier, AH or ESP (if both are in use with a device, they have separate SAs).
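Slides 50 to 53 describe three data structures and two lookups: outbound, the SPD selectors pick a policy and the policy names an SA; inbound, the (SPI, destination, protocol) triple in the AH or ESP header finds the SA directly. The following is an added model of that, not code from the slides or their author. It keeps the selector semantics from slide 51 and 52 (addresses as a single host, prefix or wildcard; protocol; port range; a port-based policy cannot be evaluated on a fragment, so such a packet is discarded) and uses default-deny when no policy matches. The addresses, SPI and algorithm names in the test are constructed.

```python
"""Model of the IPsec SPD, SAD and selector matching (added example; all data in it is constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP, AH = 50, 51                      # IP protocol numbers of the two security protocols
PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                        # transport protocol: 1 ICMP, 6 TCP, 17 UDP ...
    dport: Optional[int] = None
    is_fragment: bool = False         # non-initial fragment: no transport header, hence no ports


@dataclass(frozen=True)
class Selector:
    """Selector fields: addresses as a host, prefix (address+mask) or wildcard; protocol; destination port range."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None               # None = any protocol
    dport: Optional[Tuple[int, int]] = None   # inclusive range; None = any port

    def matches_network(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or pkt.proto == self.proto))

    def matches_ports(self, pkt: Packet) -> bool:
        return self.dport is None or (pkt.dport is not None and self.dport[0] <= pkt.dport <= self.dport[1])


@dataclass(frozen=True)
class SAKey:
    """The triple that identifies an SA: SPI, destination address, security protocol (AH or ESP)."""
    spi: int
    dst: str
    proto: int


@dataclass
class SA:
    key: SAKey
    mode: str                                 # "transport" or "tunnel"
    algorithm: str                            # e.g. "hmac-sha1-96" for AH, "aes-gcm-128" for ESP
    tunnel_src: Optional[str] = None          # outer source address in tunnel mode


@dataclass
class Policy:
    selector: Selector
    action: str
    sa_key: Optional[SAKey] = None            # the outbound SA that protects matching traffic


class IPsecDatabases:
    def __init__(self) -> None:
        self.spd: List[Policy] = []           # ordered; first match wins, like a firewall rule base
        self.sad: Dict[SAKey, SA] = {}

    def add_policy(self, policy: Policy) -> None:
        self.spd.append(policy)

    def add_sa(self, sa: SA) -> None:
        self.sad[sa.key] = sa

    def outbound(self, pkt: Packet) -> Tuple[str, Optional[SA]]:
        """Outbound: first SPD entry whose selector matches, then the SA the entry points to."""
        for policy in self.spd:
            sel = policy.selector
            if not sel.matches_network(pkt):
                continue
            if sel.dport is not None and pkt.is_fragment:
                return DISCARD, None          # ports cannot be evaluated on a fragment: discard, as slide 52 says
            if not sel.matches_ports(pkt):
                continue
            if policy.action != PROTECT:
                return policy.action, None
            sa = self.sad.get(policy.sa_key)
            if sa is None:
                return DISCARD, None          # no SA negotiated yet; a real stack would invoke IKE here
            return PROTECT, sa
        return DISCARD, None                  # no matching policy: default deny

    def inbound(self, spi: int, dst: str, proto: int) -> Optional[SA]:
        """Inbound: the SPI, destination address and protocol from the AH/ESP header select the SA."""
        return self.sad.get(SAKey(spi, dst, proto))
```

Two points the model makes visible: the inbound lookup never consults the selectors, which is why a receiver must still check after decapsulation that the inner packet is within what the SA's policy allows (an inbound policy check, omitted here), and the SA identity for tunnel mode uses the outer destination (the gateway), not the inner address the selectors matched on.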
  • 54. IPsec Authentication Header (AH): conceptually similar to a CRC, but computed with a keyed hash (HMAC), so an attacker cannot recompute it. On the source device AH performs the computation and places the result, the Integrity Check Value (ICV), in a header with other fields for transmission; the ICV calculation does not change the original data. AH provides authentication but not privacy (that is what ESP is for).
  • 56. IPV6 extension headers and Order in packet:
  • 57. AH Datagram Placement and Linking (IPV6):
  • 58. AH Datagram Placement and Linking (IPV4):
  • 59. AH format: the size of the Authentication Data field is variable, to support different hashing algorithms and ICV lengths; its length must be a multiple of 32 bits, padded if necessary. The entire header must be a multiple of 32 bits (IPv4) or 64 bits (IPv6). No IP addresses appear in the AH header itself.
  • 61. IPsec Encapsulating Security Payload (ESP) fields: ESP Header: two fields, the SPI and the Sequence Number, placed before the encrypted data. ESP Trailer: placed after the encrypted data; holds the padding used to align the encrypted data, with a Pad Length field, and, interestingly, also the Next Header field for ESP.
  • 62. ESP Authentication Data: this field contains an Integrity Check Value (ICV), computed in a manner similar to AH, when ESP's optional authentication feature is used. Some encryption algorithms require the data to be encrypted to have a certain block size, so padding must appear after the data, hence it lives in the ESP Trailer. The ESP Authentication Data authenticates the rest of the ESP datagram after encryption, so it cannot sit in the ESP Header or ESP Trailer (both are inside what it covers); it follows the trailer.
  • 65. Trailer calculation: the ESP trailer is added, then encryption is applied from just after the ESP header up to and including the ESP trailer. ESP authentication field calculation and placement: if the optional ESP authentication feature is used, the authentication field is computed over the entire ESP datagram except the Authentication Data field itself, i.e. the ESP header, payload and trailer. Padding ensures that the ESP trailer ends on a 32-bit boundary, so ESP header plus payload plus trailer is a multiple of 32 bits; the ESP Authentication Data must also be a multiple of 32 bits.
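The two ICV rules on slides 54 to 65 (AH covers the outer IP header with its mutable fields zeroed; ESP's ICV covers header, payload and trailer and nothing of the IP header) are easiest to trust once you have built both packets. The following is an added example, not code from the slides or their author: transport-mode AH over IPv4 with HMAC-SHA1-96, and ESP with the NULL cipher of RFC 2410 plus HMAC-SHA1-96, which is the standard way to run ESP for authentication only and shows the trailer layout without needing a block cipher. The addresses, key, SPIs and payload are constructed; HMAC-SHA1-96 is used because it is the algorithm the slides name, not because it is the recommended choice today.

```python
"""AH in transport mode over IPv4, and ESP with NULL encryption, both with HMAC-SHA1-96 (added example)."""
import hashlib
import hmac
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """The AH ICV covers the IP header with the fields that change in transit set to zero."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def decrement_ttl(packet: bytes) -> bytes:
    """What every router on the path does: TTL - 1 and a fresh header checksum. AH must survive this."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def ah_build(src: str, dst: str, key: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    ah_len = 12 + ICV_LEN      # Next Header, Payload Len, Reserved, SPI, Sequence Number = 12 bytes, then the ICV
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)   # Payload Len = 32-bit words - 2
    icv = hmac_sha1_96(key, zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(packet: bytes, key: bytes):
    """Returns (next_header, spi, seq, payload); raises ValueError when the ICV does not match."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != IPPROTO_AH or len(rest) < 12:
        raise ValueError("not an AH packet")
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    expected = hmac_sha1_96(key, zero_mutable_fields(ip_hdr) + rest[:12] + bytes(len(icv)) + payload)
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH ICV mismatch")
    return next_header, spi, seq, payload


def ah_is_valid(packet: bytes, key: bytes) -> bool:
    try:
        ah_verify(packet, key)
        return True
    except ValueError:
        return False


def esp_null_build(spi: int, seq: int, next_header: int, payload: bytes, key: bytes) -> bytes:
    """ESP header (SPI, Sequence) + payload + trailer (Padding, Pad Length, Next Header) + ICV."""
    pad_len = (-(len(payload) + 2)) % 4         # NULL cipher: the trailer must end on a 32-bit boundary
    padding = bytes(range(1, pad_len + 1))      # default self-describing padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac_sha1_96(key, body)       # the ICV covers header, payload and trailer; no IP header fields


def esp_null_parse(packet: bytes, key: bytes):
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(hmac_sha1_96(key, body), icv):
        raise ValueError("ESP ICV mismatch")    # verify before parsing (or, with a real cipher, decrypting) anything
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def esp_is_valid(packet: bytes, key: bytes) -> bool:
    try:
        esp_null_parse(packet, key)
        return True
    except ValueError:
        return False
```

The test below sends the AH packet through a simulated router hop (TTL decremented, checksum recomputed) and shows that the ICV still verifies, while a single flipped payload byte or a rewritten destination address does not; this is exactly the mutable/immutable split that also makes AH and NAT incompatible, since NAT rewrites the covered addresses. For ESP the address fields are outside the ICV, which is why ESP survives NAT traversal and AH does not.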
  • 68. IPsec key exchange (IKE): IPsec protection rests on a "shared secret". Anyone who isn't "in" on the secret can still intercept the datagrams but is prevented from reading them (if ESP is used to encrypt the payload) or from tampering with them undetected (if AH is used). The primary support protocol used for this purpose in IPsec is the Internet Key Exchange (IKE), RFC 2409 (IKEv1; IKEv2 is RFC 7296). IKE lets IPsec-capable devices negotiate security associations (SAs) and populate their security association databases (SADs); these are then used for the actual exchange of secured datagrams with the AH and ESP protocols.
  • 69. ISAKMP: Internet Security Association and Key Management Protocol, the framework for IKE. In IKE the ISAKMP framework is the basis for a specific key exchange method that combines features from two key exchange protocols. OAKLEY describes a specific mechanism for exchanging keys through the definition of various key exchange "modes"; most of the IKE key exchange process is based on OAKLEY. SKEME describes a different key exchange mechanism; IKE uses some features from SKEME, including its method of public key encryption and its fast re-keying feature.
  • 70. ISAKMP phase negotiations: Phase 1 is a "setup" stage in which the two devices agree on how to exchange further information securely. This negotiation creates a security association for ISAKMP itself, the ISAKMP SA, which is then used to exchange more detailed information securely in Phase 2. In Phase 2 the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols; normally this is where the parameters for the "real" SAs for AH and ESP are negotiated.
  • 71. Phase 1 negotiations settle: an encryption algorithm, such as the Data Encryption Standard (DES) (obsolete today; AES is used in practice); a hash algorithm (MD5 or SHA, as used by AH or ESP); an authentication method, such as authentication using previously shared keys; and a Diffie-Hellman group, i.e. the modulus and generator used for the key agreement. In Diffie-Hellman neither side transmits a key: each keeps a private value secret, publishes a value derived from it, and derives the shared key from its own private value and the peer's public value (the slide describes this in terms of public and private keys). Note that even though security associations in general are unidirectional, the ISAKMP SA is established bi-directionally. Once Phase 1 is complete, either device can set up a subsequent SA for AH or ESP using it.
  • 72. Diffie-Hellman algorithm: Peer P and Peer Q have been given the same publicly viewable numbers $m$ (the base) and $n$ (the modulus).
    - Peer P picks a very large secret random number $x$ and calculates $P = m^{x} \bmod n$.
    - Peer Q picks a very large secret random number $y$ and calculates $Q = m^{y} \bmod n$.
    - Peer P and Peer Q exchange $P$ and $Q$ publicly, so anyone can see these numbers; $x$ and $y$ remain known only to the relevant peer and are never transmitted.
    - Peer P then calculates $K = Q^{x} \bmod n$; Peer Q calculates $L = P^{y} \bmod n$.
    - $K = Q^{x} \bmod n = m^{xy} \bmod n = P^{y} \bmod n = L$, so $K$ and $L$ are equal: Peers P and Q have negotiated a shared secret that was never transmitted.
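Slide 72's exchange and the EAP-SPEKE arithmetic of slide 31 are the same computation with one difference: SPEKE replaces the public base $m$ by a base derived from the password, so that an eavesdropper who does not know the password learns nothing from $A$ and $B$, and the two proofs show each side that the other held the same password. The following is an added example, not code from the slides or their author, that runs both, with the slide's symbols for Diffie-Hellman and the MD/AS roles for SPEKE. The modulus is a toy Mersenne prime chosen so the arithmetic is easy to inspect; SHA-256 stands in for the slide's unspecified hash $h$; the password, exponents and generator in the test are constructed. A real deployment uses a standard safe-prime group (RFC 3526) or an elliptic-curve group, never a home-made modulus.

```python
"""Diffie-Hellman with the slide's symbols, and SPEKE built on the same exchange (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy modulus for readability only: the Mersenne prime 2^61 - 1. Production code uses a standard
# safe-prime group such as RFC 3526 MODP-2048 (or an elliptic-curve group), never a home-made one.
TOY_PRIME = (1 << 61) - 1


def dh_public(m: int, x: int, n: int) -> int:
    """P = m^x mod n for peer P (Q = m^y mod n for peer Q)."""
    return pow(m, x, n)


def dh_shared(peer_public: int, x: int, n: int) -> int:
    """K = Q^x mod n on P's side, L = P^y mod n on Q's side; both equal m^(xy) mod n."""
    return pow(peer_public, x, n)


def dh_exchange(m: int, n: int, x: Optional[int] = None, y: Optional[int] = None) -> Tuple[int, int]:
    """Runs both peers; the private exponents are parameters only so that the example is repeatable."""
    x = x or secrets.randbelow(n - 2) + 1
    y = y or secrets.randbelow(n - 2) + 1
    P, Q = dh_public(m, x, n), dh_public(m, y, n)     # P and Q are exchanged in the clear
    return dh_shared(Q, x, n), dh_shared(P, y, n)     # (K, L); x and y never leave their owner


def speke_base(password: str, m: int) -> int:
    """SPEKE's base: p = H(password)^2 mod m, squared so the base is a quadratic residue and leaks no subgroup bit."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % m
    return pow(h, 2, m)


def speke_proof(label: bytes, value: int, key: int, m: int) -> bytes:
    """h("A" | A | K) or h("B" | B | K) from slide 31, with fixed-width encoding of the integers."""
    width = (m.bit_length() + 7) // 8
    return hashlib.sha256(label + value.to_bytes(width, "big") + key.to_bytes(width, "big")).digest()


def speke_run(md_password: str, as_password: str, m: int,
              a: Optional[int] = None, b: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Mobile device (MD) and authentication server (AS) each derive the base from their own copy of the
    password. Returns (both proofs verified, master key K); K is released only when both proofs pass."""
    a = a or secrets.randbelow(m - 2) + 1
    b = b or secrets.randbelow(m - 2) + 1
    p_md, p_as = speke_base(md_password, m), speke_base(as_password, m)
    A = pow(p_md, a, m)                  # MD sends A = p^(2a) mod m (p_md already holds the square)
    B = pow(p_as, b, m)                  # AS sends B = p^(2b) mod m
    K_md, K_as = pow(B, a, m), pow(A, b, m)
    proof_ak = speke_proof(b"A", A, K_md, m)                                # MD -> AS: ProofAK
    if not hmac.compare_digest(proof_ak, speke_proof(b"A", A, K_as, m)):   # AS: TestAK, MD authentication
        return False, None
    proof_bk = speke_proof(b"B", B, K_as, m)                                # AS -> MD: ProofBK
    if not hmac.compare_digest(proof_bk, speke_proof(b"B", B, K_md, m)):   # MD: TestBK, AS authentication
        return False, None
    return True, K_md
```

With matching passwords both sides compute the same $K$ and both proofs verify; with a one-character difference the bases differ, $K_{MD} \neq K_{AS}$, and the server's TestAK fails before any key is released. Because the proofs are hashes over $K$, an observer who captures $A$, $B$ and the proofs cannot test password guesses offline without also solving the discrete logarithm, which is the property that distinguishes SPEKE from the MS-CHAP style exchange used by LEAP earlier in these slides.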
  • 73. The things that one most wants to do are the things that are probably most worth doing. Winifred Holtby , O Magazine, September 2002