CRYPTOGRAPHY AND NETWORK SECURITY
20EC733
Report submitted as a part of Event 2
On
“Security Policy: Internet Key Exchange”
Bachelor of Engineering
In
Electronics and Communication Engineering
Submitted by
Name                Section    USN             Marks
PRATHAM M           A          01JST20EC072
PRABHUSWAMY         A          01JST20EC068
MV SANKALP REDDY    A          01JST20EC054
SUDEEP G            A          01JST20EC099
Submitted to
Prof. Anupama S
Assistant professor
Dept of ECE
SJCE, JSSSTU
Department of Electronics and Communication Engineering
JSS Science and Technology University, Mysuru
2023-2024
ABSTRACT:
The Internet Key Exchange (IKE) plays a pivotal role in the establishment of secure
communication channels within a network, facilitating the exchange of cryptographic keys and
negotiation of security parameters. As an integral component of security policies, IKE ensures
the confidentiality, integrity, and authenticity of data transmissions over the Internet. This
abstract delves into the fundamental principles of IKE, exploring its role in the creation of
secure connections and its adaptability to diverse security policies. The study emphasizes the
importance of IKE in mitigating potential threats, fostering secure data exchange, and
contributing to the overall resilience of networked systems. Through a comprehensive
examination of the Internet Key Exchange, this abstract provides insights into its significance
within the broader context of cybersecurity and network protection.
Table of Contents

SL NO   TOPIC               PG NO
1.      INTRODUCTION        3
2.      IPSEC               3
3.      IKE PHASE 1         5
4.      MODES OF PHASE 1    7
5.      IKE PHASE 2         11
6.      CASE STUDY          12
7.      ADVANTAGE           15
8.      DISADVANTAGE        16
Introduction:
Internet Key Exchange (IKE) is a protocol used in the IPsec (Internet Protocol Security) suite
to establish a secure and authenticated communication channel between two devices.
Overview of IPsec:
IPsec, or Internet Protocol Security, is a comprehensive suite of protocols and standards
designed to secure Internet Protocol (IP) communications.
- The IP protocol itself doesn't have any security features at all.
- IPsec is a framework that helps us to protect IP traffic on the network layer.
FIG 1: IKE BLOCK
FIG 2: IPSEC BLOCK
Key aspects of IPsec are as follows:
1. Security Services:
- Confidentiality: IPsec can encrypt the data payload of IP packets, ensuring
that the information is not readable by unauthorized entities.
- Integrity: IPsec uses cryptographic mechanisms to ensure the integrity of the
transmitted data, detecting and preventing tampering.
- Authentication: IPsec provides methods for authenticating the identities of
communicating parties, ensuring that the data is exchanged between trusted
entities.
- Replay Protection: IPsec guards against replay attacks by incorporating
mechanisms to detect and discard duplicated or delayed packets.
2. Security Protocols:
- Authentication Header (AH): AH provides authentication and integrity
protection for the entire IP packet, including both the header and the payload.
- Encapsulating Security Payload (ESP): ESP primarily provides
confidentiality for the payload of the IP packet, but it can also include optional
authentication and integrity protection.
3. Key Management:
- IPsec relies on cryptographic keys for securing communications. Key
management protocols, such as the Internet Key Exchange (IKE), are used to
negotiate and exchange these keys securely.
4. Modes of Operation:
- Transport Mode: In transport mode, only the payload (data) of the IP packet
is encrypted and/or authenticated. The original IP header remains intact.
- Tunnel Mode: In tunnel mode, the entire original IP packet (including the
header) is encapsulated within a new IP packet. This is often used in VPNs to
protect entire communication streams between networks.
Internet Key Exchange
- Before we can protect any IP packets, we need two IPsec entities that build the IPsec
tunnel.
- To establish an IPsec tunnel, we use a protocol called IKE (Internet Key Exchange).
There are two phases:
IKE phase 1: Mutual authentication and session keys
IKE phase 2: Use the results of phase 1 to create multiple security associations between the same entities
IKE PHASE-1:
Internet Key Exchange (IKE) Phase 1 is the initial stage of the IKE protocol used in the IPsec
(Internet Protocol Security) suite to establish a secure and authenticated communication
channel between two devices.
During Phase 1, the devices negotiate and establish a secure preliminary connection,
including the exchange of keying material and the establishment of a secure channel for
further negotiations in Phase 2.
The key components and steps involved in IKE Phase 1:
1. Initiation of IKE Session:
- The IKE Phase 1 process begins with the initiation of an IKE session by one
of the communicating devices. This device is typically referred to as the
initiator.
2. Proposal and Selection of Security Parameters:
- The initiator proposes a set of security parameters, including encryption
algorithms, integrity algorithms, and a method for authentication (such as pre-
shared keys or digital certificates).
FIG 3: IKE PHASE-
3. Responder's Response:
- The responder, which is the other device in the communication, evaluates the
proposals received from the initiator and selects the appropriate security
parameters based on its own policies and capabilities.
4. Diffie-Hellman Key Exchange:
- The devices perform a Diffie-Hellman key exchange to establish a shared
secret. This shared secret is used to derive the symmetric keys that will be
used for securing further communications.
5. Authentication:
- The devices authenticate each other using the agreed-upon authentication
method. This can involve the exchange of digital certificates, pre-shared keys,
or other methods, depending on the chosen authentication mechanism.
6. Creation of IKE Phase 1 SA (Security Association):
- Once the Diffie-Hellman exchange and authentication are successful, the
devices create an IKE Phase 1 SA. This SA contains the negotiated security
parameters, the shared secret, and other relevant information needed for secure
communication.
7. Establishment of Secure Channel:
- With the IKE Phase 1 SA established, the devices have a secure channel
through which they can conduct further negotiations, including the
establishment of additional SAs for data encryption and integrity protection in
IKE Phase 2.
IKE Phase 1 lays the groundwork for a secure and authenticated communication session.
Once Phase 1 is completed, the devices proceed to IKE Phase 2 to further refine the security
parameters and establish the specific parameters for data encryption and protection.
The two peers negotiate the encryption, authentication, hashing and other protocols that
they want to use, along with some other parameters that are required.
- In this phase, an ISAKMP (Internet Security Association and Key Management
Protocol) session is established.
- This is also called the ISAKMP tunnel or IKE phase 1 tunnel.
- The collection of parameters that the two devices will use is called an SA (Security
Association).
Steps in Phase 1
The main purpose of IKE phase 1 is to establish a secure tunnel that we can use for IKE
phase 2.
We can break down phase 1 into three simple steps:
Step 1: Negotiation: The two peers will negotiate about the following items:
- Hashing (MD5, SHA)
- Authentication (Pre-shared keys, DSS, etc.)
- DH (Diffie-Hellman) parameters
- Lifetime
- Encryption (DES, 3DES, IDEA)
Step 2: DH Key Exchange: Both entities use the DH group that they negotiated to exchange
keying material. The end result will be that both peers have a shared key.
Step 3: Authentication: The two peers will authenticate each other using the authentication
method that they agreed upon in the negotiation. The end result is an IKE phase 1 tunnel
(ISAKMP tunnel), which is bidirectional.
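Step 1 is where security policy actually bites: the responder walks the initiator's proposals in order and accepts the first one its own policy allows, so a permissive policy quietly accepts the weakest suite on offer. The following is an added example (not code from the report); the transform attributes are the Step 1 items listed above, while the policy structure, the two sample policies, the function names and the proposal list are this example's own constructed assumptions.

```python
"""Phase 1 Step 1 (Negotiation): responder-side selection of initiator proposals
against a local security policy.

Added example, not code from the report. Transform attributes mirror the items the
report lists for Step 1 (hashing, authentication, DH group, lifetime, encryption);
the policy format, function names, sample policies and proposal list are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Transform:
    encryption: str   # e.g. "DES", "3DES", "AES-256"
    hash_alg: str     # e.g. "MD5", "SHA1", "SHA256"
    auth: str         # "PSK" (pre-shared key) or "RSA-SIG" (certificate / signature)
    dh_group: int     # Diffie-Hellman MODP group number
    lifetime_s: int   # proposed Phase 1 SA lifetime in seconds


@dataclass(frozen=True)
class ResponderPolicy:
    allowed_encryption: frozenset
    allowed_hash: frozenset
    allowed_auth: frozenset
    min_dh_group: int
    max_lifetime_s: int


def policy_violations(policy: ResponderPolicy, t: Transform) -> list:
    """All reasons a single transform is unacceptable; an empty list means accepted."""
    reasons = []
    if t.encryption not in policy.allowed_encryption:
        reasons.append(f"encryption {t.encryption} not allowed")
    if t.hash_alg not in policy.allowed_hash:
        reasons.append(f"hash {t.hash_alg} not allowed")
    if t.auth not in policy.allowed_auth:
        reasons.append(f"authentication {t.auth} not allowed")
    if t.dh_group < policy.min_dh_group:
        reasons.append(f"DH group {t.dh_group} below minimum {policy.min_dh_group}")
    if t.lifetime_s > policy.max_lifetime_s:
        reasons.append(f"lifetime {t.lifetime_s}s exceeds maximum {policy.max_lifetime_s}s")
    return reasons


def select_transform(policy: ResponderPolicy, proposals: Sequence[Transform]):
    """Responder logic: walk the proposals in the initiator's preference order and
    return the first one the policy accepts, plus the rejection reasons for the
    ones skipped. The reasons are worth logging: a peer that only offers rejected
    suites is a configuration problem to chase, not a reason to weaken the policy."""
    rejected = {}
    for idx, t in enumerate(proposals):
        reasons = policy_violations(policy, t)
        if not reasons:
            return t, rejected
        rejected[idx] = reasons
    return None, rejected


# A permissive policy that still admits the legacy suites the report names (DES, MD5) ...
LEGACY_POLICY = ResponderPolicy(
    allowed_encryption=frozenset({"DES", "3DES", "AES-128", "AES-256"}),
    allowed_hash=frozenset({"MD5", "SHA1", "SHA256"}),
    allowed_auth=frozenset({"PSK", "RSA-SIG"}),
    min_dh_group=1,
    max_lifetime_s=86400,
)
# ... and a hardened policy of the kind the case study's "update encryption standards" step implies.
HARDENED_POLICY = ResponderPolicy(
    allowed_encryption=frozenset({"AES-128", "AES-256"}),
    allowed_hash=frozenset({"SHA256"}),
    allowed_auth=frozenset({"RSA-SIG"}),
    min_dh_group=14,
    max_lifetime_s=28800,
)

# Constructed initiator proposal list, in the initiator's order of preference.
PROPOSALS = (
    Transform("DES", "MD5", "PSK", 1, 86400),
    Transform("3DES", "SHA1", "PSK", 2, 86400),
    Transform("AES-256", "SHA256", "RSA-SIG", 14, 28800),
)


def negotiate_under(policy: ResponderPolicy):
    """Return (index of the chosen transform or None, rejection reasons by index)."""
    chosen, rejected = select_transform(policy, PROPOSALS)
    return (None if chosen is None else PROPOSALS.index(chosen)), rejected


if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, negotiate_under(policy))
```

With the same proposal list, the legacy policy settles on the DES/MD5/group 1 transform while the hardened policy skips it and the 3DES suite and lands on AES-256/SHA256/group 14.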
Modes of Phase 1
The three steps above can be completed using two different modes:
- Main mode
- Aggressive mode
Main Mode:
IKE Phase 1 Main Mode is one of the two modes used for negotiating the initial connection
and establishing the first set of Security Associations (SAs) in the Internet Key Exchange
(IKE) protocol within the context of IPsec (Internet Protocol Security). Main Mode is
characterized by a more robust and secure negotiation process, making it suitable for
scenarios where a higher level of security is required.
Main Mode is considered more secure than the alternative IKE Phase 1 Aggressive Mode
because it provides additional protection for the identities of the communicating peers. This is
achieved by encrypting and authenticating the identities within the negotiation process,
enhancing the overall security of the initial connection.
The key features of IKE Phase 1 Main Mode:
1. Six-Message Exchange:
- Main Mode consists of a six-message exchange between the initiator and
responder. These messages are used for negotiating keying material and
establishing the initial Security Association.
2. Identity Protection:
- Main Mode provides protection for the identities of the communicating peers
during the negotiation process. This is achieved through the use of encryption
and integrity protection for certain parts of the IKE messages.
3. Key Exchange and Authentication:
- Main Mode includes the exchange of Diffie-Hellman public keys for secure
key exchange. It also incorporates authentication methods, such as digital
signatures or shared secret keys, to ensure the identities of the communicating
parties.
FIG 4: MAIN MODE
4. Protection Against Eavesdropping:
- Main Mode is designed to resist eavesdropping attacks by protecting the
exchanged information, including the identities and keying material, with
encryption and integrity checks.
5. Negotiation of Security Parameters:
- During Main Mode, the negotiating parties propose and agree upon security
parameters, such as encryption algorithms, integrity algorithms, and
authentication methods. The negotiation process aims to establish a common
set of parameters that both parties can use for secure communication.
6. Creation of IKE Phase 1 SA:
- Upon successful completion of the Main Mode negotiation, an IKE Phase 1
Security Association (SA) is established. This SA contains the agreed-upon
security parameters, the Diffie-Hellman shared secret, and other information
necessary for secure communication.
Aggressive mode:
IKE Phase 1 Aggressive Mode is another method used for negotiating the initial connection
and establishing the first set of Security Associations (SAs) in the Internet Key Exchange
(IKE) protocol within the context of IPsec (Internet Protocol Security).
The key features of IKE Phase 1 Aggressive Mode:
1. Three-Message Exchange:
- Aggressive Mode uses a three-message exchange between the initiator and
responder. This streamlined process allows for a faster setup compared to the
six-message exchange of Main Mode.
2. Simplified and Faster Negotiation:
- Aggressive Mode simplifies the negotiation process by combining the first two
messages of Main Mode into a single message, reducing the number of round-
trip communications required to establish the initial connection. This leads to
quicker setup times.
3. Less Identity Protection:
- Unlike Main Mode, Aggressive Mode provides less protection for the identities
of the communicating peers during the negotiation process. The identities are
exchanged in the clear, making them potentially vulnerable to eavesdropping.
4. Key Exchange and Authentication:
- Aggressive Mode includes the exchange of Diffie-Hellman public keys for key
exchange. It also incorporates authentication methods, such as digital signatures
or shared secret keys, to ensure the identities of the communicating parties.
5. Efficiency vs. Security Trade-off:
- Aggressive Mode is often chosen in situations where the efficiency of the setup
process is prioritized over certain aspects of identity protection. It is suitable for
scenarios where the communicating parties are not as concerned about the
potential exposure of their identities during the negotiation.
6. Creation of IKE Phase 1 SA:
- Similar to Main Mode, upon successful completion of the Aggressive Mode
negotiation, an IKE Phase 1 Security Association (SA) is established. This SA
contains the agreed-upon security parameters, the Diffie-Hellman shared secret,
and other information necessary for secure communication.
IKE PHASE 2:
IKE Phase 2, also known as Quick Mode, follows the completion of IKE Phase 1 (either
Main Mode or Aggressive Mode) and is the second stage of the Internet Key Exchange (IKE)
protocol within the IPsec (Internet Protocol Security) suite. In Phase 2, the primary focus is
on negotiating the parameters for data encryption and integrity protection, establishing the
specific Security Associations (SAs) that will be used for securing the actual data traffic
between the two devices.
1. Negotiation of IPsec SAs:
- IKE Phase 2 negotiates the parameters for the IPsec Security Associations that
will be applied to the actual data traffic. These parameters include the
encryption algorithm, integrity algorithm, and the duration for which the keys
should be valid.
2. Selection of IPsec Transform Sets:
- Transform sets specify the algorithms and settings for encryption,
authentication, and other security features. During Phase 2, the negotiating
parties agree on a common set of transform sets that will be used to protect the
data.
3. Perfect Forward Secrecy (PFS):
- PFS is an optional feature in IKE Phase 2 that ensures even higher security. If
PFS is enabled, new Diffie-Hellman keys are exchanged for each Phase 2
negotiation, providing forward secrecy and enhancing the security of the
communication.
4. Creation of IPsec SAs:
- Upon successful negotiation, IKE Phase 2 establishes the IPsec SAs. These
SAs contain the agreed-upon parameters for securing the data, including the
keys derived from the Phase 1 negotiation.
5. Renegotiation and Rekeying:
- IPsec SAs have a limited lifetime to enhance security. IKE Phase 2 provides
the mechanism for renegotiating and rekeying SAs to ensure that the security
parameters are regularly updated and to prevent potential vulnerabilities
associated with long-term key usage.
6. Data Protection:
- Once IKE Phase 2 is complete, the established IPsec SAs are used to protect
the actual data traffic between the devices. This includes encrypting the
payload of IP packets and ensuring the integrity of the transmitted data.
IKE Phase 2 builds upon the foundation established in Phase 1 and focuses on securing the
data communication between the devices. The negotiation of IPsec SAs and the establishment
of transform sets during this phase play a crucial role in defining how the actual data will be
protected as it traverses the network.
Legend for the Phase 2 flow diagram:
X = pair of cookies generated in phase 1
Y = a 32-bit number to distinguish different phase 2 sessions
CP = Crypto Proposal, CPA = Crypto Proposal Accept
X and Y are in the clear; the rest of the phase 2 messages are encrypted and integrity protected.
IV = ack of the previous message.
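Items 3 and 4 above say that the IPsec keys are derived from the Phase 1 result unless PFS adds a fresh Diffie-Hellman exchange. The following added example (not code from the report) carries that derivation through: it follows the RFC 2409 key-derivation order for pre-shared-key authentication (SKEYID, SKEYID_d/a/e, then Quick Mode KEYMAT), with HMAC-SHA256 standing in for the negotiated prf and a toy Diffie-Hellman group constructed for illustration only; cookies, nonces and the SPI are constructed at random.

```python
"""IKEv1 key derivation from Phase 1 (pre-shared key) through Phase 2 (Quick Mode),
with and without Perfect Forward Secrecy.

Added example, not code from the report. The derivation order follows RFC 2409;
HMAC-SHA256 stands in for the negotiated prf, and the Diffie-Hellman group is a toy
group constructed for illustration only (not an IKE MODP group). All cookies, nonces
and SPIs are constructed at random.
"""
import hashlib
import hmac
import secrets

# Toy DH group: a 127-bit Mersenne prime, far too small for real use (constructed).
P = (1 << 127) - 1
G = 3
PROTO_IPSEC_ESP = b"\x03"  # IPsec DOI protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function; IKEv1 uses HMAC over the negotiated hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Ephemeral private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as a fixed-width byte string, the value RFC 2409 feeds into the prf."""
    return pow(peer_public, x, P).to_bytes(16, "big")


def phase1_keys_psk(psk, ni, nr, gxy, cky_i, cky_r) -> dict:
    """Phase 1 keying material for pre-shared-key authentication (RFC 2409 section 5.4).
    SKEYID_d seeds all later IPsec keys; SKEYID_a / SKEYID_e protect IKE itself."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def quick_mode_keymat(skeyid_d, protocol, spi, ni_qm, nr_qm, gxy_qm=None) -> bytes:
    """IPsec SA key material (RFC 2409 section 5.5). With PFS a fresh Quick Mode
    g^xy is prepended; without PFS, KEYMAT depends only on SKEYID_d plus values
    carried in the Quick Mode messages."""
    prefix = gxy_qm if gxy_qm is not None else b""
    return prf(skeyid_d, prefix + protocol + spi + ni_qm + nr_qm)


def run_exchange(pfs: bool) -> dict:
    """Simulate one Phase 1 and one Quick Mode between initiator I and responder R,
    then ask: could someone who later obtains the Phase 1 SA state (SKEYID_d) and
    the Quick Mode nonces/SPI rebuild the IPsec keys? By then the ephemeral DH
    exponents have been discarded, which is exactly what PFS relies on."""
    psk = b"constructed-demo-psk"
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    # Phase 1 DH: each side derives the same g^xy from its own exponent.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    keys_i = phase1_keys_psk(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = phase1_keys_psk(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)

    # Quick Mode: new nonces and an ESP SPI; with PFS, a second ephemeral DH exchange.
    ni_qm, nr_qm = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    gxy_qm_i = gxy_qm_r = None
    if pfs:
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        gxy_qm_i, gxy_qm_r = dh_shared(yi, gyr), dh_shared(yr, gyi)
    keymat_i = quick_mode_keymat(keys_i["SKEYID_d"], PROTO_IPSEC_ESP, spi, ni_qm, nr_qm, gxy_qm_i)
    keymat_r = quick_mode_keymat(keys_r["SKEYID_d"], PROTO_IPSEC_ESP, spi, ni_qm, nr_qm, gxy_qm_r)

    # Later compromise of the Phase 1 SA state: SKEYID_d and the Quick Mode nonces/SPI
    # are known, but the Quick Mode DH secret went away with the discarded exponents.
    rebuilt = quick_mode_keymat(keys_i["SKEYID_d"], PROTO_IPSEC_ESP, spi, ni_qm, nr_qm, None)
    return {
        "pfs": pfs,
        "peers_agree": keymat_i == keymat_r,
        "ipsec_keys_recoverable_from_phase1_state": rebuilt == keymat_i,
    }


if __name__ == "__main__":
    for pfs in (False, True):
        print(run_exchange(pfs))
```

Without PFS the rebuilt KEYMAT matches the peers' keys; with PFS it does not, which is the property the advantages section later attributes to PFS and a reason rekeying policy should enable it for SAs that carry long-lived sensitive data.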
FIG 5: FLOW DIAGRAM OF PHASE 2
Case Study:
Company Overview:
SecureNet Solutions serves a diverse range of clients, including financial institutions,
healthcare providers, and technology companies. The company's VPN services are crucial for
clients who need to transmit sensitive data securely between their offices, remote employees,
and external partners.
Challenge
SecureNet Solutions faces the challenge of enhancing the security of its VPN infrastructure.
As the number of cyber threats continues to rise, the company recognizes the need to update
its Internet Key Exchange (IKE) security policies to ensure robust protection against potential
attacks.
Objectives:
1. *Enhance Security:* Strengthen the IKE security policies to protect against evolving cyber
threats and vulnerabilities.
2. *Compliance:* Ensure compliance with industry standards and regulations, such as GDPR
and HIPAA, to meet the specific security requirements of clients in different sectors.
3. *Scalability:* Design the IKE security policies to be scalable and adaptable to accommodate
the company's growth and changing client needs.
4. *Usability:* Balance security measures with usability to ensure that employees and clients
can easily access the VPN services without compromising security.
Implementation:
SecureNet Solutions decides to conduct a comprehensive review and update of its IKE security
policies. The process involves:
1. *Risk Assessment:* Conduct a thorough risk assessment to identify potential vulnerabilities
and threats to the VPN infrastructure.
2. *Policy Review:* Evaluate the existing IKE security policies, considering industry best
practices and compliance requirements.
3. *Update Encryption Standards:* Upgrade encryption algorithms and key lengths to meet
current security standards and best practices.
4. *Two-Factor Authentication:* Implement two-factor authentication to enhance user
authentication and access control.
5. *Logging and Monitoring:* Strengthen logging and monitoring capabilities to detect and
respond to any suspicious activities promptly.
6. *Employee Training:* Provide training for employees on the updated security policies and
best practices for secure VPN usage.
7. *Regular Audits:* Conduct regular security audits to assess the effectiveness of the IKE
security policies and identify areas for improvement.
Results:
The implementation of the updated IKE security policies significantly improves the overall
security posture of SecureNet Solutions. The company successfully addresses potential
vulnerabilities, enhances encryption standards, and ensures compliance with industry
regulations. Clients appreciate the proactive approach to security, leading to increased trust and
satisfaction.
Conclusion:
SecureNet Solutions demonstrates a commitment to security by regularly reviewing and
updating its IKE security policies. This case study highlights the importance of evolving
security measures in response to emerging threats and the need for a comprehensive approach
to securing communication infrastructure in a dynamic business environment.
ADVANTAGES:
Internet Key Exchange (IKE) offers several advantages in the realm of network security,
particularly in the context of Virtual Private Networks (VPNs) and the implementation of IPsec
(Internet Protocol Security). Here are some key advantages of IKE:
1. Secure Key Exchange:
- IKE facilitates secure key exchange between communicating devices, ensuring that
cryptographic keys used for data encryption and integrity protection are exchanged in a secure
manner. The use of Diffie-Hellman key exchange in IKE Phase 1 allows for secure negotiation
without transmitting the actual secret key.
2. Authentication:
- IKE provides robust authentication mechanisms to verify the identities of communicating
parties. This helps prevent man-in-the-middle attacks and ensures that only authorized devices
can establish secure connections.
3. Flexibility in Authentication Methods:
- IKE supports various authentication methods, including pre-shared keys, digital certificates,
and public key infrastructure (PKI). This flexibility allows organizations to choose the
authentication method that best fits their security requirements and infrastructure.
4. Adaptability to Network Changes:
- IKE is designed to handle changes in network configurations and supports dynamic IP
addresses. This adaptability is especially important in scenarios where devices may have
dynamic or changing network addresses, such as those connecting over the Internet.
5. Support for Multiple Encryption and Hash Algorithms:
- IKE supports a variety of encryption and hash algorithms, providing flexibility in choosing
the level of security based on the specific requirements of the network. This allows
organizations to adapt to evolving security standards and technologies.
6. Perfect Forward Secrecy (PFS):
- IKE supports PFS in Phase 2, enhancing security by ensuring that even if a long-term key
is compromised, it cannot be used to decrypt past communications. PFS is an important feature
for maintaining the confidentiality of data over time.
7. Efficient Key Management:
- IKE manages cryptographic keys efficiently, handling the negotiation, exchange, and
management of keys for secure communication. The rekeying mechanisms in IKE Phase 2
ensure that keys are regularly refreshed, contributing to the overall security of the system.
8. Compatibility with IPsec:
- IKE is specifically designed to work seamlessly with IPsec, providing a standardized and
widely adopted framework for securing IP communications. This compatibility ensures
interoperability between devices from different vendors.
9. Protection Against Replay Attacks:
- IKE includes mechanisms to protect against replay attacks, where an attacker might
intercept and retransmit data. This helps ensure the integrity and freshness of the exchanged
data.
10. Enhanced Network Security:
- By establishing secure connections and enforcing encryption, authentication, and integrity
checks, IKE significantly enhances the overall security of network communications, especially
in scenarios where data traverses untrusted networks, such as the Internet.
Overall, IKE plays a crucial role in establishing and maintaining secure communication
channels, and its features contribute to the robustness and effectiveness of IPsec-based security
solutions.
DISADVANTAGES:
1. Complexity: Configuration and management of IKE can be complex, potentially
leading to misconfigurations that compromise security.
2. Denial-of-Service (DoS) Vulnerability: IKE is susceptible to DoS attacks, where
attackers may flood the system with requests, leading to resource exhaustion.
3. Interoperability Challenges: Despite being standardized, interoperability issues may
arise, especially when dealing with devices from different vendors.
4. Resource Intensive: The cryptographic operations involved in IKE can be resource-
intensive, impacting the performance of devices, particularly those with limited
processing power.
5. Potential for Brute Force Attacks: Weak pre-shared keys or passwords may be
susceptible to brute force attacks, compromising the security of the system.
6. Quantum Computing Concerns: The emergence of powerful quantum computers
could potentially undermine the security of cryptographic algorithms used in IKE,
posing a long-term security concern.

Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

CRYPTO_REPORT on SECURITY POLICY.pdf

3
Introduction:
Internet Key Exchange (IKE) is a protocol used in the IPsec (Internet Protocol Security) suite to establish a secure and authenticated communication channel between two devices.
Overview of IPsec:
IPsec, or Internet Protocol Security, is a comprehensive suite of protocols and standards designed to secure Internet Protocol (IP) communications.
• The IP protocol itself doesn't have any security features at all.
• IPsec is a framework that helps us protect IP traffic at the network layer.
FIG 1: IKE BLOCK
FIG 2: IPSEC BLOCK
4
Key Aspects of IPsec are as follows:
1. Security Services:
• Confidentiality: IPsec can encrypt the data payload of IP packets, ensuring that the information is not readable by unauthorized entities.
• Integrity: IPsec uses cryptographic mechanisms to ensure the integrity of the transmitted data, detecting and preventing tampering.
• Authentication: IPsec provides methods for authenticating the identities of communicating parties, ensuring that the data is exchanged between trusted entities.
• Replay Protection: IPsec guards against replay attacks by incorporating mechanisms to detect and discard duplicated or delayed packets.
2. Security Protocols:
• Authentication Header (AH): AH provides authentication and integrity protection for the entire IP packet, including both the header and the payload.
• Encapsulating Security Payload (ESP): ESP primarily provides confidentiality for the payload of the IP packet, but it can also include optional authentication and integrity protection.
3. Key Management:
• IPsec relies on cryptographic keys for securing communications. Key management protocols, such as the Internet Key Exchange (IKE), are used to negotiate and exchange these keys securely.
4. Modes of Operation:
• Transport Mode: In transport mode, only the payload (data) of the IP packet is encrypted and/or authenticated. The original IP header remains intact.
• Tunnel Mode: In tunnel mode, the entire original IP packet (including the header) is encapsulated within a new IP packet. This is often used in VPNs to protect entire communication streams between networks.
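The replay-protection service listed above, as an added example that is not from the report: a per-SA anti-replay sliding window in Python following the window logic of RFC 4303 Appendix A. The window size and the packet sequence fed through it are constructed for illustration.

```python
"""ESP anti-replay sliding window (added example, not from the report).

IPsec replay protection keeps, per Security Association, the highest
sequence number accepted so far and a bitmap of which recent sequence
numbers have already been seen. Constructed window size and inputs."""


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size       # number of sequence numbers tracked (W)
        self.top = 0           # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number (top - i) seen

    def check(self, seq):
        """Verify-only step, run before the packet's ICV is checked.
        Returns True if the sequence number is new and inside the window."""
        if seq == 0:                       # counters start at 1; 0 is invalid
            return False
        if seq > self.top:                 # ahead of the window: always new
            return True
        offset = self.top - seq
        if offset >= self.size:            # behind the window: too old
            return False
        return not (self.bitmap >> offset) & 1   # inside: reject duplicates

    def update(self, seq):
        """Commit step, called only after the ICV verified, so that forged
        packets cannot slide the window and cause valid packets to drop."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq, icv_ok=True):
        """Full receive path for one packet: replay check, then integrity
        check, then window update. Returns True if the packet is accepted."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.update(seq)
        return True


def filter_sequence(seqs, size=64):
    """Feed a constructed sequence of ESP sequence numbers (all with valid
    ICVs) through one window and report which packets would be accepted."""
    window = AntiReplayWindow(size)
    return [window.accept(seq) for seq in seqs]
```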
5
Internet Key Exchange
• Before we can protect any IP packets, we need two IPsec entities that build the IPsec tunnel.
• To establish an IPsec tunnel, we use a protocol called IKE (Internet Key Exchange). There are two phases:
IKE phase 1: Mutual authentication and session keys
IKE phase 2: Use the results of phase 1 to create multiple associations between the same entities
IKE PHASE-1:
Internet Key Exchange (IKE) Phase 1 is the initial stage of the IKE protocol used in the IPsec (Internet Protocol Security) suite to establish a secure and authenticated communication channel between two devices. During Phase 1, the devices negotiate and establish a secure preliminary connection, including the exchange of keying material and the establishment of a secure channel for further negotiations in Phase 2.
The key components and steps involved in IKE Phase 1:
1. Initiation of IKE Session:
• The IKE Phase 1 process begins with the initiation of an IKE session by one of the communicating devices. This device is typically referred to as the initiator.
2. Proposal and Selection of Security Parameters:
• The initiator proposes a set of security parameters, including encryption algorithms, integrity algorithms, and a method for authentication (such as pre-shared keys or digital certificates).
FIG 3: IKE PHASE-
6
3. Responder's Response:
• The responder, which is the other device in the communication, evaluates the proposals received from the initiator and selects the appropriate security parameters based on its own policies and capabilities.
4. Diffie-Hellman Key Exchange:
• The devices perform a Diffie-Hellman key exchange to establish a shared secret. This shared secret is used to derive the symmetric keys that will be used for securing further communications.
5. Authentication:
• The devices authenticate each other using the agreed-upon authentication method. This can involve the exchange of digital certificates, pre-shared keys, or other methods, depending on the chosen authentication mechanism.
6. Creation of IKE Phase 1 SA (Security Association):
• Once the Diffie-Hellman exchange and authentication are successful, the devices create an IKE Phase 1 SA. This SA contains the negotiated security parameters, the shared secret, and other relevant information needed for secure communication.
7. Establishment of Secure Channel:
• With the IKE Phase 1 SA established, the devices have a secure channel through which they can conduct further negotiations, including the establishment of additional SAs for data encryption and integrity protection in IKE Phase 2.
IKE Phase 1 lays the groundwork for a secure and authenticated communication session. Once Phase 1 is completed, the devices proceed to IKE Phase 2 to further refine the security parameters and establish the specific parameters for data encryption and protection.
Two peers negotiate the encryption, authentication, hashing and other protocols that they want to use, and some other parameters that are required.
• In this phase, an ISAKMP (Internet Security Association and Key Management Protocol) session is established.
• This is also called the ISAKMP tunnel or IKE phase 1 tunnel.
• The collection of parameters that the two devices will use is called an SA (Security Association).
Steps in Phase 1
The main purpose of IKE phase 1 is to establish a secure tunnel that we can use for IKE phase 2.
7
We can break down phase 1 into three simple steps:
Step 1: Negotiation: The two peers negotiate the following items:
• Hashing (MD5, SHA)
• Authentication (Pre-shared keys, DSS, etc.)
• DH (Diffie-Hellman) parameters
• Lifetime
• Encryption (DES, 3DES, IDEA)
Step 2: DH Key Exchange: Both entities use the DH group that they negotiated to exchange keying material. The end result is that both peers have a shared key.
Step 3: Authentication: The two peers authenticate each other using the authentication method that they agreed upon in the negotiation. The end result is an IKE phase 1 tunnel (ISAKMP tunnel), which is bidirectional.
Modes of Phase 1
The three steps above can be completed using two different modes:
• Main mode
• Aggressive mode
Main Mode:
IKE Phase 1 Main Mode is one of the two modes used for negotiating the initial connection and establishing the first set of Security Associations (SAs) in the Internet Key Exchange (IKE) protocol within the context of IPsec (Internet Protocol Security). Main Mode is characterized by a more robust and secure negotiation process, making it suitable for scenarios where a higher level of security is required.
Main Mode is considered more secure than the alternative IKE Phase 1 Aggressive Mode because it provides additional protection for the identities of the communicating peers. This is achieved by encrypting and authenticating the identities within the negotiation process, enhancing the overall security of the initial connection.
8
The key features of IKE Phase 1 Main Mode:
1. Six-Message Exchange:
• Main Mode consists of a six-message exchange between the initiator and responder. These messages are used for negotiating keying material and establishing the initial Security Association.
2. Identity Protection:
• Main Mode provides protection for the identities of the communicating peers during the negotiation process. This is achieved through the use of encryption and integrity protection for certain parts of the IKE messages.
3. Key Exchange and Authentication:
• Main Mode includes the exchange of Diffie-Hellman public keys for secure key exchange. It also incorporates authentication methods, such as digital signatures or shared secret keys, to ensure the identities of the communicating parties.
FIG 4: MAIN MODE
9
4. Protection Against Eavesdropping:
• Main Mode is designed to resist eavesdropping attacks by protecting the exchanged information, including the identities and keying material, with encryption and integrity checks.
5. Negotiation of Security Parameters:
• During Main Mode, the negotiating parties propose and agree upon security parameters, such as encryption algorithms, integrity algorithms, and authentication methods. The negotiation process aims to establish a common set of parameters that both parties can use for secure communication.
6. Creation of IKE Phase 1 SA:
• Upon successful completion of the Main Mode negotiation, an IKE Phase 1 Security Association (SA) is established. This SA contains the agreed-upon security parameters, the Diffie-Hellman shared secret, and other information necessary for secure communication.
Aggressive Mode:
IKE Phase 1 Aggressive Mode is another method used for negotiating the initial connection and establishing the first set of Security Associations (SAs) in the Internet Key Exchange (IKE) protocol within the context of IPsec (Internet Protocol Security).
10
The key features of IKE Phase 1 Aggressive Mode:
1. Three-Message Exchange:
• Aggressive Mode uses a three-message exchange between the initiator and responder. This streamlined process allows for a faster setup compared to the six-message exchange of Main Mode.
2. Simplified and Faster Negotiation:
• Aggressive Mode simplifies the negotiation process by combining the first two messages of Main Mode into a single message, reducing the number of round-trip communications required to establish the initial connection. This leads to quicker setup times.
3. Less Identity Protection:
• Unlike Main Mode, Aggressive Mode provides less protection for the identities of the communicating peers during the negotiation process. The identities are exchanged in the clear, making them potentially vulnerable to eavesdropping.
4. Key Exchange and Authentication:
• Aggressive Mode includes the exchange of Diffie-Hellman public keys for key exchange. It also incorporates authentication methods, such as digital signatures or shared secret keys, to ensure the identities of the communicating parties.
5. Efficiency vs. Security Trade-off:
• Aggressive Mode is often chosen in situations where the efficiency of the setup process is prioritized over certain aspects of identity protection. It is suitable for scenarios where the communicating parties are not as concerned about the potential exposure of their identities during the negotiation.
6. Creation of IKE Phase 1 SA:
• Similar to Main Mode, upon successful completion of the Aggressive Mode negotiation, an IKE Phase 1 Security Association (SA) is established. This SA contains the agreed-upon security parameters, the Diffie-Hellman shared secret, and other information necessary for secure communication.
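The three phase 1 steps from the preceding section (negotiation, DH key exchange, authentication) worked through in Python with pre-shared-key authentication; this is an added example, not code from the report, and the DH group, responder policy, identities and keys are all constructed. It follows the SKEYID and HASH_I / HASH_R derivations of RFC 2409 section 5, which the report summarises but does not spell out.

```python
"""IKE phase 1 with a pre-shared key (added example, not from the report).

Step 1 negotiates a transform, step 2 runs Diffie-Hellman, step 3 proves
knowledge of the PSK via HASH_I / HASH_R, all per RFC 2409 section 5."""
import hashlib
import hmac
import os

# Constructed toy DH group: readable, but NOT an IKE MODP group and far too
# small for real use. Real peers negotiate a standard group (e.g. group 14).
TOY_P = 2**127 - 1
TOY_G = 3
GROUP_BYTES = 16   # enough to hold any value below TOY_P

# Responder policy (constructed): (encryption, hash, auth method, DH group)
RESPONDER_POLICY = {
    ("AES-CBC", "SHA1", "PSK", 2),
    ("AES-CBC", "SHA256", "PSK", 14),
}


def select_transform(initiator_proposals, responder_policy):
    """Step 1: the responder picks the first proposal, in the initiator's
    preference order, that its own policy permits (None = no match)."""
    for proposal in initiator_proposals:
        if proposal in responder_policy:
            return proposal
    return None


def prf(key, data):
    """IKEv1's PRF is HMAC keyed with the negotiated hash (SHA-256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = int.from_bytes(os.urandom(GROUP_BYTES), "big") % (TOY_P - 2) + 2
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(x, peer_pub):
    """Step 2: the shared secret g^xy as a fixed-width byte string."""
    return pow(peer_pub, x, TOY_P).to_bytes(GROUP_BYTES, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID (pre-shared-key variant) and the three keys derived from it:
    SKEYID_d seeds phase 2, SKEYID_a authenticates IKE messages,
    SKEYID_e encrypts them."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def auth_hash(skeyid, g_self, g_peer, cky_self, cky_peer, sai_b, id_b):
    """Step 3: HASH_I / HASH_R = prf(SKEYID, g^x_self | g^x_peer |
    CKY_self | CKY_peer | SAi_b | ID_b); each side recomputes the other's."""
    return prf(skeyid, g_self + g_peer + cky_self + cky_peer + sai_b + id_b)


def run_phase1(psk_i, psk_r, proposals, policy=RESPONDER_POLICY):
    """Drive all three steps. Returns (chosen transform, authenticated?,
    SKEYID_d or None). A PSK mismatch shows up only at step 3, because the
    two SKEYIDs differ and the exchanged hashes fail to verify."""
    chosen = select_transform(proposals, policy)
    if chosen is None:
        return None, False, None
    cky_i, cky_r = os.urandom(8), os.urandom(8)      # ISAKMP cookies
    ni, nr = os.urandom(16), os.urandom(16)          # nonces
    xi, gxi_int = dh_keypair()
    xr, gxr_int = dh_keypair()
    gxi = gxi_int.to_bytes(GROUP_BYTES, "big")
    gxr = gxr_int.to_bytes(GROUP_BYTES, "big")
    sai_b = repr(proposals).encode()                 # initiator's SA payload body
    id_i, id_r = b"initiator.example", b"responder.example"  # constructed IDs
    skeyid_i, skeyid_d, _, _ = phase1_keys(psk_i, ni, nr, dh_shared(xi, gxr_int), cky_i, cky_r)
    skeyid_r, _, _, _ = phase1_keys(psk_r, ni, nr, dh_shared(xr, gxi_int), cky_i, cky_r)
    hash_i = auth_hash(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, id_i)   # sent by initiator
    hash_r = auth_hash(skeyid_r, gxr, gxi, cky_r, cky_i, sai_b, id_r)   # sent by responder
    ok_r = hmac.compare_digest(hash_i, auth_hash(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, id_i))
    ok_i = hmac.compare_digest(hash_r, auth_hash(skeyid_i, gxr, gxi, cky_r, cky_i, sai_b, id_r))
    authenticated = ok_i and ok_r
    return chosen, authenticated, (skeyid_d if authenticated else None)
```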
11
IKE PHASE 2:
IKE Phase 2, also known as Quick Mode, follows the completion of IKE Phase 1 (either Main Mode or Aggressive Mode) and is the second stage of the Internet Key Exchange (IKE) protocol within the IPsec (Internet Protocol Security) suite. In Phase 2, the primary focus is on negotiating the parameters for data encryption and integrity protection, establishing the specific Security Associations (SAs) that will be used for securing the actual data traffic between two devices.
1. Negotiation of IPsec SAs:
• IKE Phase 2 negotiates the parameters for the IPsec Security Associations that will be applied to the actual data traffic. These parameters include the encryption algorithm, integrity algorithm, and the duration for which the keys should be valid.
2. Selection of IPsec Transform Sets:
• Transform sets specify the algorithms and settings for encryption, authentication, and other security features. During Phase 2, the negotiating parties agree on a common set of transform sets that will be used to protect the data.
3. Perfect Forward Secrecy (PFS):
• PFS is an optional feature in IKE Phase 2 that ensures even higher security. If PFS is enabled, new Diffie-Hellman keys are exchanged for each Phase 2 negotiation, providing forward secrecy and enhancing the security of the communication.
4. Creation of IPsec SAs:
• Upon successful negotiation, IKE Phase 2 establishes the IPsec SAs. These SAs contain the agreed-upon parameters for securing the data, including the keys derived from the Phase 1 negotiation.
5. Renegotiation and Rekeying:
• IPsec SAs have a limited lifetime to enhance security. IKE Phase 2 provides the mechanism for renegotiating and rekeying SAs to ensure that the security parameters are regularly updated and to prevent potential vulnerabilities associated with long-term key usage.
12
6. Data Protection:
• Once IKE Phase 2 is complete, the established IPsec SAs are used to protect the actual data traffic between the devices. This includes encrypting the payload of IP packets and ensuring the integrity of the transmitted data.
IKE Phase 2 builds upon the foundation established in Phase 1 and focuses on securing the data communication between the devices. The negotiation of IPsec SAs and the establishment of transform sets during this phase play a crucial role in defining how the actual data will be protected as it traverses the network.
X = pair of cookies generated in phase 1
Y = a 32-bit number to distinguish different phase 2 sessions
CP = Crypto Proposal, CPA = Crypto Proposal Accept
X and Y are in the clear; the rest of the phase 2 messages are encrypted and integrity protected.
IV = ack of the previous message.
FIG 5: FLOW DIAGRAM OF P2
Case Study:
13
Company Overview:
SecureNet Solutions serves a diverse range of clients, including financial institutions, healthcare providers, and technology companies. The company's VPN services are crucial for clients who need to transmit sensitive data securely between their offices, remote employees, and external partners.
Challenge:
SecureNet Solutions faces the challenge of enhancing the security of its VPN infrastructure. As the number of cyber threats continues to rise, the company recognizes the need to update its Internet Key Exchange (IKE) security policies to ensure robust protection against potential attacks.
Objectives:
1. Enhance Security: Strengthen the IKE security policies to protect against evolving cyber threats and vulnerabilities.
2. Compliance: Ensure compliance with industry standards and regulations, such as GDPR and HIPAA, to meet the specific security requirements of clients in different sectors.
3. Scalability: Design the IKE security policies to be scalable and adaptable to accommodate the company's growth and changing client needs.
4. Usability: Balance security measures with usability to ensure that employees and clients can easily access the VPN services without compromising security.
Implementation:
SecureNet Solutions decides to conduct a comprehensive review and update of its IKE security policies. The process involves:
1. Risk Assessment: Conduct a thorough risk assessment to identify potential vulnerabilities and threats to the VPN infrastructure.
2. Policy Review: Evaluate the existing IKE security policies, considering industry best practices and compliance requirements.
14
3. Update Encryption Standards: Upgrade encryption algorithms and key lengths to meet current security standards and best practices.
4. Two-Factor Authentication: Implement two-factor authentication to enhance user authentication and access control.
5. Logging and Monitoring: Strengthen logging and monitoring capabilities to detect and respond to any suspicious activities promptly.
6. Employee Training: Provide training for employees on the updated security policies and best practices for secure VPN usage.
7. Regular Audits: Conduct regular security audits to assess the effectiveness of the IKE security policies and identify areas for improvement.
Results:
The implementation of the updated IKE security policies significantly improves the overall security posture of SecureNet Solutions. The company successfully addresses potential vulnerabilities, enhances encryption standards, and ensures compliance with industry regulations. Clients appreciate the proactive approach to security, leading to increased trust and satisfaction.
Conclusion:
SecureNet Solutions demonstrates a commitment to security by regularly reviewing and updating its IKE security policies. This case study highlights the importance of evolving security measures in response to emerging threats and the need for a comprehensive approach to securing communication infrastructure in a dynamic business environment.
15
ADVANTAGES:
Internet Key Exchange (IKE) offers several advantages in the realm of network security, particularly in the context of Virtual Private Networks (VPNs) and the implementation of IPsec (Internet Protocol Security). Here are some key advantages of IKE:
1. Secure Key Exchange:
- IKE facilitates secure key exchange between communicating devices, ensuring that cryptographic keys used for data encryption and integrity protection are exchanged in a secure manner. The use of Diffie-Hellman key exchange in IKE Phase 1 allows for secure negotiation without transmitting the actual secret key.
2. Authentication:
- IKE provides robust authentication mechanisms to verify the identities of communicating parties. This helps prevent man-in-the-middle attacks and ensures that only authorized devices can establish secure connections.
3. Flexibility in Authentication Methods:
- IKE supports various authentication methods, including pre-shared keys, digital certificates, and public key infrastructure (PKI). This flexibility allows organizations to choose the authentication method that best fits their security requirements and infrastructure.
4. Adaptability to Network Changes:
- IKE is designed to handle changes in network configurations and supports dynamic IP addresses. This adaptability is especially important in scenarios where devices may have dynamic or changing network addresses, such as those connecting over the Internet.
5. Support for Multiple Encryption and Hash Algorithms:
- IKE supports a variety of encryption and hash algorithms, providing flexibility in choosing the level of security based on the specific requirements of the network. This allows organizations to adapt to evolving security standards and technologies.
16
6. Perfect Forward Secrecy (PFS):
- IKE supports PFS in Phase 2, enhancing security by ensuring that even if a long-term key is compromised, it cannot be used to decrypt past communications. PFS is an important feature for maintaining the confidentiality of data over time.
7. Efficient Key Management:
- IKE manages cryptographic keys efficiently, handling the negotiation, exchange, and management of keys for secure communication. The rekeying mechanisms in IKE Phase 2 ensure that keys are regularly refreshed, contributing to the overall security of the system.
8. Compatibility with IPsec:
- IKE is specifically designed to work seamlessly with IPsec, providing a standardized and widely adopted framework for securing IP communications. This compatibility ensures interoperability between devices from different vendors.
9. Protection Against Replay Attacks:
- IKE includes mechanisms to protect against replay attacks, where an attacker might intercept and retransmit data. This helps ensure the integrity and freshness of the exchanged data.
10. Enhanced Network Security:
- By establishing secure connections and enforcing encryption, authentication, and integrity checks, IKE significantly enhances the overall security of network communications, especially in scenarios where data traverses untrusted networks, such as the Internet.
Overall, IKE plays a crucial role in establishing and maintaining secure communication channels, and its features contribute to the robustness and effectiveness of IPsec-based security solutions.
DISADVANTAGES:
1. Complexity: Configuration and management of IKE can be complex, potentially leading to misconfigurations that compromise security.
2. Denial-of-Service (DoS) Vulnerability: IKE is susceptible to DoS attacks, where attackers may flood the system with requests, leading to resource exhaustion.
17
3. Interoperability Challenges: Despite being standardized, interoperability issues may arise, especially when dealing with devices from different vendors.
4. Resource Intensive: The cryptographic operations involved in IKE can be resource-intensive, impacting the performance of devices, particularly those with limited processing power.
5. Potential for Brute Force Attacks: Weak pre-shared keys or passwords may be susceptible to brute force attacks, compromising the security of the system.
6. Quantum Computing Concerns: The emergence of powerful quantum computers could potentially undermine the security of cryptographic algorithms used in IKE, posing a long-term security concern.
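The phase 2 key derivation and the PFS property described in the IKE Phase 2 section and under advantage 6 above, as an added example that is not from the report: quick-mode KEYMAT derived per RFC 2409 section 5.5 with and without PFS, plus an audit check of whether a later compromise of SKEYID_d would expose an SA's traffic keys. The DH group and every sample value are constructed.

```python
"""IKE phase 2 (quick mode) KEYMAT with and without PFS (added example,
not from the report). Per RFC 2409 section 5.5:
KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b),
expanded as K1 | K2 | ... when more key material is needed."""
import hashlib
import hmac
import os

TOY_P = 2**127 - 1          # constructed toy group, NOT an IKE MODP group
TOY_G = 3
GROUP_BYTES = 16
PROTO_IPSEC_ESP = b"\x03"   # IPsec DOI protocol identifier for ESP


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = int.from_bytes(os.urandom(GROUP_BYTES), "big") % (TOY_P - 2) + 2
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(x, peer_pub):
    return pow(peer_pub, x, TOY_P).to_bytes(GROUP_BYTES, "big")


def derive_keymat(skeyid_d, spi, ni, nr, length, gqm_xy=b""):
    """Expand KEYMAT to `length` bytes. gqm_xy is the fresh quick-mode DH
    secret when PFS is on and empty when it is off."""
    seed = gqm_xy + PROTO_IPSEC_ESP + spi + ni + nr
    keymat, block = b"", b""
    while len(keymat) < length:
        block = prf(skeyid_d, block + seed)   # K1 = prf(seed), Kn = prf(Kn-1 | seed)
        keymat += block
    return keymat[:length]


def quick_mode(skeyid_d, pfs, key_len=32):
    """One quick-mode exchange between peers sharing SKEYID_d from phase 1.
    Returns the KEYMAT both sides derive and the values that crossed the
    wire (SPI, nonces, and with PFS the DH public values). Fresh nonces and
    a fresh SPI mean every rekey yields new keys even without PFS."""
    spi = os.urandom(4)
    ni, nr = os.urandom(16), os.urandom(16)
    wire = {"spi": spi, "ni": ni, "nr": nr}
    if pfs:
        xi, gi = dh_keypair()
        xr, gr = dh_keypair()
        wire["gi"], wire["gr"] = gi, gr
        km_i = derive_keymat(skeyid_d, spi, ni, nr, key_len, dh_shared(xi, gr))
        km_r = derive_keymat(skeyid_d, spi, ni, nr, key_len, dh_shared(xr, gi))
    else:
        km_i = derive_keymat(skeyid_d, spi, ni, nr, key_len)
        km_r = derive_keymat(skeyid_d, spi, ni, nr, key_len)
    if km_i != km_r:
        raise RuntimeError("peers derived different KEYMAT")
    return km_i, wire


def forward_secret(skeyid_d, keymat, wire, key_len=32):
    """Audit check: with only SKEYID_d and what crossed the wire, can this
    SA's KEYMAT be rebuilt? If it can, a later compromise of the phase 1 SA
    exposes traffic protected by this SA. PFS makes the answer 'no' because
    g(qm)^xy never crosses the wire and is discarded after use."""
    rebuilt = derive_keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"], key_len)
    return not hmac.compare_digest(rebuilt, keymat)
```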