A Technical Comparison of IPSec and SSL
Computer and Network Security Course
IUG of Gaza
March 26th, 2013

Islamic University of Gaza
Faculty of Engineering
Computer Department
ECOM 6321: Computer and Network Security

Prepared by: Eng. Nadeer Ataya A. Abu Jrair
Supervisor: Prof. Mohammad A. Mikki

AbdelNasir Alshamsi
Takamichi Saito
Tokyo University of Technology

Agenda
• Abstract
• Introduction
• IPSec
• SSL (Secure Socket Layer)
• Comparison of IPSec and SSL
• Conclusion
• Questions
• References

Abstract
IPSec (IP Security) and SSL (Secure Socket Layer) have been the most robust and highest-potential tools available for securing communications over the Internet.

Both IPSec and SSL have advantages and shortcomings.

Yet no paper has been found comparing the two protocols in terms of characteristics and functionality.

Our objective is to present an analysis of security

Introduction
• Securing data over the network is a hard and complicated issue, while the threat of data modification and data interruption is rising.
• The goal of network security is to provide confidentiality, integrity and authenticity.
• Confidentiality is keeping the data secret from unintended listeners on the network.
• Integrity is ensuring that the received data is the data that was actually sent.
• Authenticity is proving the identity of the endpoint to ensure that the endpoint is the intended entity to communicate with.

Introduction
• Using both strong authentication and a strong encryption algorithm protects the data, but it will decrease the transmission rate and could increase CPU consumption.
• With the recent development of security tools, many protocols and powerful tools have been proposed, but the most famous, secure and widely deployed are IPSec (IP Security) and SSL (Secure Socket Layer).
• In this paper we will provide a technical comparison of IPSec and SSL: the similarities and the differences of their cryptographic properties.

IPSec
• IPSec is an IP layer protocol that enables the sending and receiving of cryptographically protected packets of any kind (TCP, UDP, ICMP, etc.) without any modification.
• IPSec provides two kinds of cryptographic services. Based on necessity, IPSec can provide confidentiality and authenticity, or it can provide authenticity only:
  - ESP (Encapsulated Security Payload)
  - AH (Authentication Header)

IPSec
• ESP header: includes the necessary information for decrypting and authenticating the data.
• AH header: includes the necessary information required for authenticating the protected data.

IPSec
Establishing an IPSec connection requires two phases:
• Phase 1:
  - Has two modes: Main Mode and Aggressive Mode.
  - The differences between these two modes are the number of messages exchanged and the ID protection.
  - PSK (Phase-shift keying).
• Phase 2:
  - Has one mode: Quick Mode.

SSL (Secure Socket Layer)
• SSL is an Application layer protocol.
• SSL is mostly used to protect HTTP transactions, and has been used for other purposes such as IMAP (Internet Message Access Protocol) and POP (Post Office Protocol).
• SSL is compatible only with applications running over TCP, but some modifications are required for the applications to run over SSL.

SSL (Secure Socket Layer)
• SSL is composed of the following protocols:
  - Handshake protocol
  - Change Cipher Spec protocol
  - Alert protocol
  - Application Data protocol

SSL (Secure Socket Layer)
• The Handshake protocol is used to perform authentication and key exchanges.
• The Change Cipher Spec protocol is used to indicate that the chosen keys will now be used.
• The Alert protocol is used for signaling errors and session closure.
• The Application Data protocol transmits and receives encrypted data.

Comparison of IPSec and SSL
1. Authentication Algorithm
• IPSec supports the use of a Digital Signature and the use of a Secret Key Algorithm.
• SSL supports only the use of a Digital Signature.
• The use of a random 2048-bit Secret Key is considered as strong as any other authentication method.

Comparison of IPSec and SSL
2. Authentication Method
• IPSec supports one type of authentication method: Mutual Authentication.
• SSL supports various types of authentication, such as Server Authentication and Client Authentication.

Comparison of IPSec and SSL
3. MAC (Message Authentication Code)
• The MAC is used for authenticating the exchanged messages after the connection is established.
• The strength of the Hash Algorithm is based on the length of the output.
• The Hash Length of SSL is longer than that of IPSec.

Comparison of IPSec and SSL
4. Connection Mode
• IPSec has two connection modes:
  - Tunnel Mode
    - This is established Gateway to Gateway, Gateway to Host, and Host to Host.
    - It requires adding a new IP header to the original packet.
  - Transport Mode
    - Transport Mode is a Host to Host connection.
    - The data between the two entities is encrypted.
• SSL is one connection per one session type.

Comparison of IPSec and SSL
5. Cipher List Proposal
• Because IPSec is a two-phase protocol, it has a unique function called bi-directional.
• SSL is a one-direction protocol.

Comparison of IPSec and SSL
6. Interoperability
• IPSec doesn't integrate well with other IPSec vendors.
• Some cases require some modification.
• SSL is trouble free and well integrated.

Comparison of IPSec and SSL
7. Overhead Size
• One disadvantage of IPSec is the extra size added to the original packet.
• SSL needs less overhead than IPSec.

Comparison of IPSec and SSL
8. Residing Layer
• IPSec resides in the IP layer, which allows it to work smoothly with the layers above.
• SSL resides in the Application layer, and that is a problem for some applications to work with SSL.

Comparison of IPSec and SSL
9.   Time of Handshake Process
Comparison of IPSec and SSL
10. Perfect Forward Secrecy
• Both IPSec and SSL use PFS (Perfect Forward Secrecy) in their resumption session.
• In the case of IPSec, the main goal of Phase 1 besides authentication is producing the encryption key required to safeguard the Phase 2 exchange.
• In the case of SSL, PFS is implemented in the same manner as with IPSec when Ephemeral Diffie-Hellman is negotiated.
• The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.

Comparison of IPSec and SSL
11. Order of Cryptographic Operations
• IPSec encrypts the data first, then creates the MAC for the encrypted data.
• If modified data were inserted in the middle of a transaction, IPSec would verify the MAC before performing any decryption.

Comparison of IPSec and SSL
11. Order of Cryptographic Operations
• SSL is the opposite: it creates the MAC for the plaintext first, then encrypts the data.
• SSL, on the other hand, is obligated to decrypt first and then verify the MAC, which could result in wasting CPU on decrypting modified packets.

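The ordering difference on the two slides above, as an added example that is not part of the original slides or paper: a receiver that counts how often it has to decrypt when every incoming packet has been modified in transit. The packet layout, function names and the SHA-256 counter-mode keystream are assumptions made for the illustration; they are not the ESP or SSL record formats.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not a real ESP/SSL cipher."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def seal_encrypt_then_mac(enc_key, mac_key, plaintext, nonce):
    """IPSec-style order: encrypt, then MAC the ciphertext."""
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def seal_mac_then_encrypt(enc_key, mac_key, plaintext, nonce):
    """SSL-style order: MAC the plaintext, then encrypt plaintext and MAC together."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return nonce + keystream_xor(enc_key, nonce, plaintext + tag)


class Receiver:
    """Hypothetical receiver that counts decryption operations."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.decrypt_calls = 0

    def _decrypt(self, nonce, ct):
        self.decrypt_calls += 1
        return keystream_xor(self.enc_key, nonce, ct)

    def open_encrypt_then_mac(self, packet):
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified packet dropped before any decryption
        return self._decrypt(nonce, ct)

    def open_mac_then_encrypt(self, packet):
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:]
        body = self._decrypt(nonce, ct)  # must decrypt to reach the MAC
        plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, plaintext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified packet dropped only after decryption
        return plaintext


def run_demo(n_tampered=100):
    """Send one valid packet, then n_tampered modified ones, through each ordering."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    payload = b"constructed sample payload " * 8  # constructed test data
    orders = {
        "encrypt_then_mac": (seal_encrypt_then_mac, "open_encrypt_then_mac"),
        "mac_then_encrypt": (seal_mac_then_encrypt, "open_mac_then_encrypt"),
    }
    results = {}
    for name, (seal, opener_name) in orders.items():
        rx = Receiver(enc_key, mac_key)
        opener = getattr(rx, opener_name)
        valid_ok = opener(seal(enc_key, mac_key, payload, os.urandom(NONCE_LEN))) == payload
        rx.decrypt_calls = 0  # count only the work spent on modified packets
        rejected = 0
        for _ in range(n_tampered):
            pkt = bytearray(seal(enc_key, mac_key, payload, os.urandom(NONCE_LEN)))
            pkt[NONCE_LEN + 3] ^= 0x01  # flip one ciphertext bit in transit
            if opener(bytes(pkt)) is None:
                rejected += 1
        results[name] = {"valid_accepted": valid_ok, "rejected": rejected,
                         "decrypt_calls": rx.decrypt_calls}
    return results


if __name__ == "__main__":
    for order, stats in run_demo().items():
        print(order, stats)
```

Both orderings reject every modified packet; the difference is that the MAC-then-encrypt receiver performs one decryption per rejected packet while the encrypt-then-MAC receiver performs none.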
Conclusion
Function                    IPSec   SSL
Configuration               Hard    Easy
Client Authentication       Must    Option
Pre-Shared Key              Yes     No
Interoperability Problem    Yes     No
TCP Application Support     All     Some
UDP Support                 Yes     No
Throughput Rate             High    High
Compression Support         Yes     OpenSSL only
Handshake Time              Slow    Fast
Questions
References
1. Sheila Frankel, "Demystifying the IPSec Puzzle", Artech House Publishers, 2001.
2. Eric Rescorla, "SSL and TLS: Designing and Building Secure Systems", Addison-Wesley, 3rd Printing, Aug. 2001.
3. www.freeswan.com
4. www.stunnel.org
Thank you!



