SlideShare a Scribd company logo

Digital Security 101

G
Gary Jan

Fundamentals of digital security. Some info I made throughout the years as a refresher for digital security. Basic primer for beginners. If you are an expert, comments and feedbacks welcome.

Technology
1 of 29
Digital Security 101 Just for Fun: Gary Jan
Why Network Security? • The Internet was not designed to be secured • No “Security Layer” in the OSI 7 Layer reference model • Internet was designed in 1970 for academic institutions communicating across the continent • Digital information flows in plain text • Everyone can pick it up and read it • How does the receiver know the sender is who it claimed to be? • How does the receiver know the received information is not altered? • How does the sender make sure only the intended receiver can read it? • How to enforce network policy and security practice?
Trudy the Intruder Alice BobChannel Trudy What are the problems here? 1. Trudy can eavesdrop the communication between A and B ▪ Eavesdropping <-> Confidentiality / Privacy 2. Trudy can intercept the message and alter the content ▪ Man-in-the-Middle Attack <-> Integrity 3. Trudy can pretend to be either A or B ▪ Imposter <-> Authentication 4. Trudy can flood the resource on A and B ▪ Denial of Service <-> Availability / Access Control
What is Network Security 4 key elements in secure communication 1. Privacy / Confidentiality 2. Authentication 3. Integrity 4. Nonrepudiation
Principles of Cryptography • Cryptography • Disguise the data so that Trudy cannot access the intercepted data • Only the intended receiver can reconstruct the original data • Disguise the “Plaintext” into “Ciphertext” using Encryption Algorithm • These algorithms are usually published and standardized Example Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z Ciphertext: w x y z s t u v o p q r k l m n g h i j c d e f a b “How are you” => “vme wgs amc?”
Security Key • Security Key • A string of numbers or character (cipher-block) as input to the encryption algorithm to mix with the plaintext • The key encrypted data is only decrypt-able by the receiver • Trudy must know the “key” to decrypt • The encrypted plaintext (ciphertext) is unique and is extremely difficult if not impossible to be decrypted by Trudy m X KA X KB mKA (m)A B m= Message x= Encryption Algorithm KA= A’s Key KB= B’s Key KA(m)= Encrypted message using a’s Key
Type of Key Systems 1/2 1. Symmetric (Private) Key Systems • When KA = KB • The shared secret key is usually express as KAB 2. Asymmetric (Public) Key Systems • When KA ≠ KB • Use a pair of key • A Public Key (K+) • A Private Key (K-) • In this example • KA = KA + • KB = KA - m X KA X KB mKA (m)A B
Type of Key Systems 2/2 1. Symmetric Key • Also known as Private Key • The key is pre-agreed by the two end hosts for all sessions • A shared secret “Session Key” can also be generated for each session • Diffie-Hellman Key Exchange • Internet Key Exchange Protocol 2. Asymmetric Key • Also known as Public Key • Each host has a pair of keys: Public and Private Key • Use Public Key to encrypt; Private key to decrypt • Requires a Trusted third party to store the public key of a host • Key Distribution Centre • CA
Symmetric Key- DES and AES • Data Encryption Standard & Advanced Data Encryption Standard • A Symmetric (Private) Key based Encryption Algorithm • DES- 56 bit key size • AES- 128, 192, and 256 key size • FYI… it took 4 months to decrypt DES in 1997 • FYI… it took 22 hours to decrypt DES in 1999 • AES is the U.S. government standard replacing 3DES in 2002 m X KA X KB mKA (m)A B DES & AES addressed the Confidentiality/Privacy Requirement
Symmetric Key- Diffie-Hellman • Diffie-Hellman Algorithm • Provide a method to securely generate a private Session Key between two hosts in a public network • How it works? • Tx and Rx agrees on a generator number (g) and a large prime number (p) • Before exchanging, Tx selects a random number (x) and RX selects a random number (y) • Tx sends T= (gx mod p); Rx sends R= (gy mod p) • Tx receives R and generates K; K= gxy mod p • Rx receives T and generates K; K= gxy mod p • Trudy can eavesdrop p, g, T, and R but not x and y • x= logy(T) ; y= logx(R) Tx Rx T= (gx mod p) R= (gy mod p) K= Rx mod p K= gxy mod p K= Ty mod p K= gxy mod p K is the Symmetric Session Key Computation of x and y is extremely time consuming for large numbers of T and R
Diffie-Hellman Security Issues • Diffie-Hellman is subjected to Man-in-the-Middle and Client- Imposter Attack • Trudy can intercept T and R and fake it with T’ and R’ • How does Rx know the received message is indeed from Tx? Tx Rx T Trudy T’ R’ R K1 K2 In general Key Algorithms provide Privacy/Confidentiality but not Authentication. What about Authentication? What do we do?
Authentication Protocol 1/x • Authentication • To verify the validity of the person is who it claimed to be • Passport Photo • Driver’s License Number • Social Insurance Number and etc… • In digital communication world • ???
1. A indicates it wants to talk to B 3. A encrypts r using the shared key KAB and sends m= KAB(r) 5. A then sends a Nonce (r’) to B 7. A decrypts m’ using shared secret key KAB. If the result is r, B knows it is indeed talking to A Authentication Protocol 2/x • Nonce- Number used Once • Also Known as Challenge-Response approach • Use Nonce to confirm the receiver is indeed talking to the intended transmitter • A random pseudonumber • Symmetric Key + Nonce • A and B can share a secret key, or • A and B can share a session key • Used to Authenticate the host and to verify the sender is “live” A B “I am A” r m= KAB(r) r’ m’= KAB(r’) 2. B sends a Nonce (r) to A 4. B decrypts m using shared secret key KAB. If the result is r, B knows it is indeed talking to A 6. B encrypts r’ using the shared key KAB and sends m’= KAB(r’) Using Nonce+ Key Cryptography, A knows it is indeed talking to B; B knows it is indeed talking to A
Authentication Protocol 3 • Asymmetric Key + Nonce • A and B knows each others Public and Private Key • Used to Authenticate the host and to verify the sender is “live” A B “I am A” r m= KA - (r) “What’s your public key?” My Public Key= KA + 2. B sends a Nonce (r) to A 4. B asks for A’s public key 6. B decrypts m using A’s public key KA + If the result is r, B knows it is indeed talking to A 1. A indicates it wants to talk to B 3. A encrypts r using A’s secret key KA - and sends m= KA -(r) 5. A sends it’s Public Key, KA +, to B How does B know KA + is indeed A’s public key? A sends data using KA - to Encrypt and receive data using KA - to Decrypt B sends data using KA + to Encrypt and receive data using KA + to Decrypt Encrypted Data
Authentication Protocol 4 • Authentication using Asymmetric Key still subjects to Man-in-the-Middle Attack A BTrudy“I am A” r m= KA - (r) “What’s your public key?” My Public Key= KA + “I am A” r m= KA - (r) “What’s your public key?” My Public Key= KT + B sends data using KT + to Encrypt and receive data using KT + to Decrypt Encrypted Data B sends data using KA - to Encrypt and receive data using KA - to Decrypt Encrypted Data Trudy decrypts received message from B using KT - Trudy sends modified data to A How does A and B ensure each other is who it claimed to be?- Authentication How does A and B ensure the received data is not altered?- Integrity
CA- Certificate Authority • Certificate Authority • Validate identities and issue certificates • A certificate is the binding of an Identity with a Public Key • One must trust CA in identifying the validity of a Identity/Public Key pair • Some popular CA- VeriSign, Comodo, and GoDaddy • How is a Certificate issued? X A’s Certificate KCA - [A, KA +] CA= KCA -[A, KA +] CA A A sends its identity and public key in Certificate Authority CA encrypts A’s identity and public key using CA’s private key KCA - and produce a Certificate CA of A. The certificate is now registered and available only in CA’s server
Authentication Protocol 5 • Authentication using Asymmetric Key + Certificate A B “I am A” r m= KA - (r) “What’s your public key?” My Public Key= KA + 2. B sends a Nonce (r) to A 4. B asks for A’s public key 6. B go to CA to verify A’s Certificate 7. B decrypts A’s Certificate using CA’s public key If the identity and the public key matches B knows it’s A’s public key B decrypts m using A’s public key KA + If the result is r, B knows it is indeed talking to A 1. A indicates it wants to talk to B 3. A encrypts r using A’s secret key KA - and sends m= KA -(r) 5. A sends it’s Public Key, KA +, to B A sends data using KA - to Encrypt and receive data using KA - to Decrypt Encrypted Data CA What’s A’s Certificate? A’s Certificate= CA = KCA -[A, KA +] B sends data using KA + to Encrypt and receive data using KA + to Decrypt How does A and B ensure each other is who it claimed to be?- Authentication How does A and B ensure the received data is not altered?- Integrity
Security Elements • 5 key elements in secure communication 1. Privacy / Confidentiality • Symmetric, Asymmetric, and Session Key 2. Authentication • Symmetric Key, Asymmetric Key + Certificate Authority 3. Integrity 4. Nonrepudiation 5. Availability and Access Control
Integrity and Nonrepudiation • Nonrepudiation • The sender must be able to prove it is the creator of the content • The sender must be able to prove it is the approver of the content • The receiver must be able to verify the creator and approver of the received content • Exactly like Human Signature • Sign checks, credit card receipts, and etc… • Signature indicates the signer has verified and is responsible for the content • Digital Signature • A cryptographic technique used to achieve the same goals of Human Signature
Digital Signature • To prove that a document signed by an individual was indeed signed by that individual (verifiable) • To prove that only that individual could have signed the document (Nonrepudiation) • How does it work in Digital World? • Use Asymmetric Key to produce Digital Signature • Whoever signed the document must have used KA - • Verifiable • “A” must be the only person who possesses the key KA • Nonrepudiate KA - [m] X Signed Message = KA -[m] X KA + KA +[KA -[m]] [m] A B
Security Elements • 5 key elements in secure communication 1. Privacy / Confidentiality • Symmetric, Asymmetric, and Session Key 2. Authentication • Symmetric Key, Asymmetric Key + Certificate Authority 3. Integrity 4. Nonrepudiation • Digital Signature 5. Availability and Access Control
Integrity- Message Digest • To verify the received data is not altered and is what is being sent by the sender • Message Digest • A mathematical function which takes an input message (m) and produces an mathematically calculated output (H(m)). • The Hash Function must have extremely low probability of producing same output with different inputs. • i.e. H(x) != H(y) • Popular Hash Algorithms • MD5, MD6 • SHA-1/2/3 [m] Hash Function H( ) H(m)
Integrity + Authentication 1/2 • HMAC- Hashed Message Authentication Code • Provides Integrity and Authentication • Two techniques: HMAC + Key Cryptography [m] Hash Function H( ) H(m) A KA - X {m, K A - [H(m)]}+ K A - [H(m)] Message is Hashed and Signed. Signed Hash message is sent along original message.
Integrity + Authentication 2/2 • HMAC- Hashed Message Authentication Code • Provides Integrity and Authentication • Two techniques: HMAC + Key Cryptography B {m, K A - [H(m)]} - K A - [H(m)] m Hash Function H( ) X KA + = ? H(m) H(m) Y Message is not altered Received signed hashed message is unlocked to reveal H(m) Received original message is hashed to compare results
IPSec ▪ IPSec- Internet Protocol Security ▪ Suite of protocols to ensure Confidentiality, Authentication, and Integrity across IP network ▪ Works on Layer 3 Packets ▪ Three Components ▪ AH- Authentication Header ▪ Authentication & Integrity ▪ ESP ▪ Authentication, Integrity, and Confidentiality ▪ IKE ▪ Key Management and Security Association Management ▪ Two Modes ▪ Tunnel Mode ▪ Transport Mode
IPSec- ESP • ESP- Encapsulating Security Payload • Confidentiality- Encrypted over payload, only intended receiver can decrypt • Authentication & Integrity- HMAC + MD5 IP HDR ESP HDR TCP Data ESP Trailer ESP Authenticat ion IP HDR TCP Data Encrypted Authenticated
IP HDR TCP Data TCP Data + X ESP Trailer K K[TCP, Data, ESP Trailer] + ESP HDR ESP HDR Encrypted Data HMAC MD5 H[ESP HDR, Encrypted Data] KA - X + K A - [H(m)] i.e. ESP Auth HDR ESP HDR, Encrypted Data IP HDR ESP HDR Encrypted Data ESP Authenticati on TCP Data ESP Trailer
ESP- Confidentiality IP HDR TCP Data TCP Data + X ESP Trailer KDES KDES[TCP, Data, ESP Trailer] TCP Data ESP Trailer Encrypted Payload ▪ ESP Confidentiality ▪ Achieved by encrypting [TCP, Data] payload ▪ AES, DES, 3DES or etc DES encrypted payload DES key arranged during IKE Session
ESP- Authentication & Integrity Encrypted Payload + ESP HDR Hash H(ESP HDR, Encrypted Data) KHMAC + KHMAC[H(m)] i.e. ESP Auth HDR IP HDR, ESP HDR, Encrypted Data IP HDR ESP HDR Encrypted Data ESP Authenticat ion ESP HDR Encrypted Data ▪ ESP Authentication & Integrity ▪ Achieved by using HMAC-MD5/SHA over DES encrypted payload X

Recommended

Digital signature
Digital signatureDigital signature
Digital signatureSadhana28
 
Information and network security 45 digital signature standard
Information and network security 45 digital signature standardInformation and network security 45 digital signature standard
Information and network security 45 digital signature standardVaibhav Khanna
 
Digital signatures - A mathematical scheme for demonstrating the authenticity...
Digital signatures - A mathematical scheme for demonstrating the authenticity...Digital signatures - A mathematical scheme for demonstrating the authenticity...
Digital signatures - A mathematical scheme for demonstrating the authenticity...Bitcoin Association of Australia
 
Digital signature
Digital signatureDigital signature
Digital signatureNisha Menon K
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 
Cryptography and PKI
Cryptography and PKICryptography and PKI
Cryptography and PKIRabei Hassan
 
Authentication: keys, MAC
Authentication: keys, MACAuthentication: keys, MAC
Authentication: keys, MACShafaan Khaliq Bhatti
 

Recommended

Digital signature
Digital signatureDigital signature
Digital signatureSadhana28
 
Information and network security 45 digital signature standard
Information and network security 45 digital signature standardInformation and network security 45 digital signature standard
Information and network security 45 digital signature standardVaibhav Khanna
 
Digital signatures - A mathematical scheme for demonstrating the authenticity...
Digital signatures - A mathematical scheme for demonstrating the authenticity...Digital signatures - A mathematical scheme for demonstrating the authenticity...
Digital signatures - A mathematical scheme for demonstrating the authenticity...Bitcoin Association of Australia
 
Digital signature
Digital signatureDigital signature
Digital signatureNisha Menon K
 
PUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTIONraf_slide
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemesravik09783
 
Cryptography and PKI
Cryptography and PKICryptography and PKI
Cryptography and PKIRabei Hassan
 
Authentication: keys, MAC
Authentication: keys, MACAuthentication: keys, MAC
Authentication: keys, MACShafaan Khaliq Bhatti
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication ProtocolsTrinity Dwarka
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSADr.Florence Dayana
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptographyRutvik Mehta
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptographyanusachu .
 
Digital Signature Certificate
Digital Signature CertificateDigital Signature Certificate
Digital Signature Certificatehome
 
Elgamal &amp; schnorr digital signature scheme copy
Elgamal &amp; schnorr digital signature scheme copyElgamal &amp; schnorr digital signature scheme copy
Elgamal &amp; schnorr digital signature scheme copyNorth Cap University (NCU) Formely ITM University
 
Dsa & Digi Cert
Dsa & Digi CertDsa & Digi Cert
Dsa & Digi CertRam Dutt Shukla
 
Protocols for Public Key Management
Protocols for Public Key ManagementProtocols for Public Key Management
Protocols for Public Key ManagementShafaan Khaliq Bhatti
 
Dss digital signature standard and dsa algorithm
Dss digital signature standard and dsa algorithmDss digital signature standard and dsa algorithm
Dss digital signature standard and dsa algorithmAbhishek Kesharwani
 
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Distribution of public keys and hmac
Distribution of public keys and hmacDistribution of public keys and hmac
Distribution of public keys and hmacanuragjagetiya
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functionsDr.Florence Dayana
 
Is case study
Is case studyIs case study
Is case studyShehrevar Davierwala
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3limsh
 
Final ss2-digital-signature-group5
Final ss2-digital-signature-group5Final ss2-digital-signature-group5
Final ss2-digital-signature-group5Phan Minh
 
Whatisdigitalsignature
WhatisdigitalsignatureWhatisdigitalsignature
WhatisdigitalsignatureKishankant Yadav
 
Seminar on ECommerce
Seminar on ECommerce Seminar on ECommerce
Seminar on ECommerce STS
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesKannan Ravindran
 
Cryptography
CryptographyCryptography
Cryptographyfsl khan
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101Chul-Woong Yang
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101Chul-Woong Yang
 
20 security
20 security20 security
20 securityabiy2004
 

More Related Content

What's hot

Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication ProtocolsTrinity Dwarka
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSADr.Florence Dayana
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptographyRutvik Mehta
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptographyanusachu .
 
Digital Signature Certificate
Digital Signature CertificateDigital Signature Certificate
Digital Signature Certificatehome
 
Dss digital signature standard and dsa algorithm
Dss digital signature standard and dsa algorithmDss digital signature standard and dsa algorithm
Dss digital signature standard and dsa algorithmAbhishek Kesharwani
 
Distribution of public keys and hmac
Distribution of public keys and hmacDistribution of public keys and hmac
Distribution of public keys and hmacanuragjagetiya
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functionsDr.Florence Dayana
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3limsh
 
Final ss2-digital-signature-group5
Final ss2-digital-signature-group5Final ss2-digital-signature-group5
Final ss2-digital-signature-group5Phan Minh
 
Seminar on ECommerce
Seminar on ECommerce Seminar on ECommerce
Seminar on ECommerce STS
 
Cryptography
CryptographyCryptography
Cryptographyfsl khan
 

What's hot (19)

Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication Protocols
 
2. public key cryptography and RSA
2. public key cryptography and RSA2. public key cryptography and RSA
2. public key cryptography and RSA
 
3 public key cryptography
3 public key cryptography3 public key cryptography
3 public key cryptography
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
 
Digital Signature Certificate
Digital Signature CertificateDigital Signature Certificate
Digital Signature Certificate
 
Elgamal &amp; schnorr digital signature scheme copy
Elgamal &amp; schnorr digital signature scheme copyElgamal &amp; schnorr digital signature scheme copy
Elgamal &amp; schnorr digital signature scheme copy
 
Dsa & Digi Cert
Dsa & Digi CertDsa & Digi Cert
Dsa & Digi Cert
 
Protocols for Public Key Management
Protocols for Public Key ManagementProtocols for Public Key Management
Protocols for Public Key Management
 
Dss digital signature standard and dsa algorithm
Dss digital signature standard and dsa algorithmDss digital signature standard and dsa algorithm
Dss digital signature standard and dsa algorithm
 
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
 
Distribution of public keys and hmac
Distribution of public keys and hmacDistribution of public keys and hmac
Distribution of public keys and hmac
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functions
 
Is case study
Is case studyIs case study
Is case study
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3
 
Final ss2-digital-signature-group5
Final ss2-digital-signature-group5Final ss2-digital-signature-group5
Final ss2-digital-signature-group5
 
Whatisdigitalsignature
WhatisdigitalsignatureWhatisdigitalsignature
Whatisdigitalsignature
 
Seminar on ECommerce
Seminar on ECommerce Seminar on ECommerce
Seminar on ECommerce
 
Digital signatures
Digital signaturesDigital signatures
Digital signatures
 
Cryptography
CryptographyCryptography
Cryptography
 

Similar to Digital Security 101

20 security
20 security20 security
20 securityabiy2004
 
Network Security.ppt
Network Security.pptNetwork Security.ppt
Network Security.pptChSheraz3
 
aacyberessential3cryptography-131067585699078884.pptx
aacyberessential3cryptography-131067585699078884.pptxaacyberessential3cryptography-131067585699078884.pptx
aacyberessential3cryptography-131067585699078884.pptxImXaib
 
Cryptography
CryptographyCryptography
CryptographyPPT4U
 
Cryptography Fundamentals
Cryptography FundamentalsCryptography Fundamentals
Cryptography FundamentalsDuy Do Phan
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
What is digital signature or DSC
What is digital signature or DSCWhat is digital signature or DSC
What is digital signature or DSCAdv Prashant Mali
 
HifnCrypto101
HifnCrypto101HifnCrypto101
HifnCrypto101Jim Faith
 

Similar to Digital Security 101 (20)

SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101
 
20 security
20 security20 security
20 security
 
Whatisdigitalsignature
WhatisdigitalsignatureWhatisdigitalsignature
Whatisdigitalsignature
 
Role of Certification Authority in E-Commerce
Role of Certification Authority in E-CommerceRole of Certification Authority in E-Commerce
Role of Certification Authority in E-Commerce
 
Network Security.ppt
Network Security.pptNetwork Security.ppt
Network Security.ppt
 
Part2-Apps-Security.pptx
Part2-Apps-Security.pptxPart2-Apps-Security.pptx
Part2-Apps-Security.pptx
 
Crypt
CryptCrypt
Crypt
 
Part2-Apps-Security.pptx
Part2-Apps-Security.pptxPart2-Apps-Security.pptx
Part2-Apps-Security.pptx
 
aacyberessential3cryptography-131067585699078884.pptx
aacyberessential3cryptography-131067585699078884.pptxaacyberessential3cryptography-131067585699078884.pptx
aacyberessential3cryptography-131067585699078884.pptx
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography Fundamentals
Cryptography FundamentalsCryptography Fundamentals
Cryptography Fundamentals
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
What is digital signature or DSC
What is digital signature or DSCWhat is digital signature or DSC
What is digital signature or DSC
 
HifnCrypto101
HifnCrypto101HifnCrypto101
HifnCrypto101
 
Security and trust in e payment
Security and trust in e paymentSecurity and trust in e payment
Security and trust in e payment
 
CNS - Unit - 4 - Public Key Cryptosystem
CNS - Unit - 4 - Public Key Cryptosystem CNS - Unit - 4 - Public Key Cryptosystem
CNS - Unit - 4 - Public Key Cryptosystem
 
authentication.ppt
authentication.pptauthentication.ppt
authentication.ppt
 
cyber security-2.pptx
cyber security-2.pptxcyber security-2.pptx
cyber security-2.pptx
 

Recently uploaded

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Recently uploaded (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Digital Security 101

  • 1. Digital Security 101 Just for Fun: Gary Jan
  • 2. Why Network Security? • The Internet was not designed to be secured • No “Security Layer” in the OSI 7 Layer reference model • Internet was designed in 1970 for academic institutions communicating across the continent • Digital information flows in plain text • Everyone can pick it up and read it • How does the receiver know the sender is who it claimed to be? • How does the receiver know the received information is not altered? • How does the sender make sure only the intended receiver can read it? • How to enforce network policy and security practice?
  • 3. Trudy the Intruder Alice BobChannel Trudy What are the problems here? 1. Trudy can eavesdrop the communication between A and B ▪ Eavesdropping <-> Confidentiality / Privacy 2. Trudy can intercept the message and alter the content ▪ Man-in-the-Middle Attack <-> Integrity 3. Trudy can pretend to be either A or B ▪ Imposter <-> Authentication 4. Trudy can flood the resource on A and B ▪ Denial of Service <-> Availability / Access Control
  • 4. What is Network Security 4 key elements in secure communication 1. Privacy / Confidentiality 2. Authentication 3. Integrity 4. Nonrepudiation
  • 5. Principles of Cryptography • Cryptography • Disguise the data so that Trudy cannot access the intercepted data • Only the intended receiver can reconstruct the original data • Disguise the “Plaintext” into “Ciphertext” using Encryption Algorithm • These algorithms are usually published and standardized Example Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z Ciphertext: w x y z s t u v o p q r k l m n g h i j c d e f a b “How are you” => “vme wgs amc?”
  • 6. Security Key • Security Key • A string of numbers or character (cipher-block) as input to the encryption algorithm to mix with the plaintext • The key encrypted data is only decrypt-able by the receiver • Trudy must know the “key” to decrypt • The encrypted plaintext (ciphertext) is unique and is extremely difficult if not impossible to be decrypted by Trudy m X KA X KB mKA (m)A B m= Message x= Encryption Algorithm KA= A’s Key KB= B’s Key KA(m)= Encrypted message using a’s Key
  • 7. Type of Key Systems 1/2 1. Symmetric (Private) Key Systems • When KA = KB • The shared secret key is usually express as KAB 2. Asymmetric (Public) Key Systems • When KA ≠ KB • Use a pair of key • A Public Key (K+) • A Private Key (K-) • In this example • KA = KA + • KB = KA - m X KA X KB mKA (m)A B
  • 8. Type of Key Systems 2/2 1. Symmetric Key • Also known as Private Key • The key is pre-agreed by the two end hosts for all sessions • A shared secret “Session Key” can also be generated for each session • Diffie-Hellman Key Exchange • Internet Key Exchange Protocol 2. Asymmetric Key • Also known as Public Key • Each host has a pair of keys: Public and Private Key • Use Public Key to encrypt; Private key to decrypt • Requires a Trusted third party to store the public key of a host • Key Distribution Centre • CA
  • 9. Symmetric Key- DES and AES • Data Encryption Standard & Advanced Data Encryption Standard • A Symmetric (Private) Key based Encryption Algorithm • DES- 56 bit key size • AES- 128, 192, and 256 key size • FYI… it took 4 months to decrypt DES in 1997 • FYI… it took 22 hours to decrypt DES in 1999 • AES is the U.S. government standard replacing 3DES in 2002 m X KA X KB mKA (m)A B DES & AES addressed the Confidentiality/Privacy Requirement
  • 10. Symmetric Key- Diffie-Hellman • Diffie-Hellman Algorithm • Provide a method to securely generate a private Session Key between two hosts in a public network • How it works? • Tx and Rx agrees on a generator number (g) and a large prime number (p) • Before exchanging, Tx selects a random number (x) and RX selects a random number (y) • Tx sends T= (gx mod p); Rx sends R= (gy mod p) • Tx receives R and generates K; K= gxy mod p • Rx receives T and generates K; K= gxy mod p • Trudy can eavesdrop p, g, T, and R but not x and y • x= logy(T) ; y= logx(R) Tx Rx T= (gx mod p) R= (gy mod p) K= Rx mod p K= gxy mod p K= Ty mod p K= gxy mod p K is the Symmetric Session Key Computation of x and y is extremely time consuming for large numbers of T and R
  • 11. Diffie-Hellman Security Issues • Diffie-Hellman is subjected to Man-in-the-Middle and Client- Imposter Attack • Trudy can intercept T and R and fake it with T’ and R’ • How does Rx know the received message is indeed from Tx? Tx Rx T Trudy T’ R’ R K1 K2 In general Key Algorithms provide Privacy/Confidentiality but not Authentication. What about Authentication? What do we do?
  • 12. Authentication Protocol 1/x • Authentication • To verify the validity of the person is who it claimed to be • Passport Photo • Driver’s License Number • Social Insurance Number and etc… • In digital communication world • ???
  • 13. 1. A indicates it wants to talk to B 3. A encrypts r using the shared key KAB and sends m= KAB(r) 5. A then sends a Nonce (r’) to B 7. A decrypts m’ using shared secret key KAB. If the result is r, B knows it is indeed talking to A Authentication Protocol 2/x • Nonce- Number used Once • Also Known as Challenge-Response approach • Use Nonce to confirm the receiver is indeed talking to the intended transmitter • A random pseudonumber • Symmetric Key + Nonce • A and B can share a secret key, or • A and B can share a session key • Used to Authenticate the host and to verify the sender is “live” A B “I am A” r m= KAB(r) r’ m’= KAB(r’) 2. B sends a Nonce (r) to A 4. B decrypts m using shared secret key KAB. If the result is r, B knows it is indeed talking to A 6. B encrypts r’ using the shared key KAB and sends m’= KAB(r’) Using Nonce+ Key Cryptography, A knows it is indeed talking to B; B knows it is indeed talking to A
  • 14. Authentication Protocol 3 • Asymmetric Key + Nonce • A and B knows each others Public and Private Key • Used to Authenticate the host and to verify the sender is “live” A B “I am A” r m= KA - (r) “What’s your public key?” My Public Key= KA + 2. B sends a Nonce (r) to A 4. B asks for A’s public key 6. B decrypts m using A’s public key KA + If the result is r, B knows it is indeed talking to A 1. A indicates it wants to talk to B 3. A encrypts r using A’s secret key KA - and sends m= KA -(r) 5. A sends it’s Public Key, KA +, to B How does B know KA + is indeed A’s public key? A sends data using KA - to Encrypt and receive data using KA - to Decrypt B sends data using KA + to Encrypt and receive data using KA + to Decrypt Encrypted Data
  • 15. Authentication Protocol 4 • Authentication using Asymmetric Key still subjects to Man-in-the-Middle Attack A BTrudy“I am A” r m= KA - (r) “What’s your public key?” My Public Key= KA + “I am A” r m= KA - (r) “What’s your public key?” My Public Key= KT + B sends data using KT + to Encrypt and receive data using KT + to Decrypt Encrypted Data B sends data using KA - to Encrypt and receive data using KA - to Decrypt Encrypted Data Trudy decrypts received message from B using KT - Trudy sends modified data to A How does A and B ensure each other is who it claimed to be?- Authentication How does A and B ensure the received data is not altered?- Integrity
  • 16. CA- Certificate Authority • Certificate Authority • Validate identities and issue certificates • A certificate is the binding of an Identity with a Public Key • One must trust CA in identifying the validity of a Identity/Public Key pair • Some popular CA- VeriSign, Comodo, and GoDaddy • How is a Certificate issued? X A’s Certificate KCA - [A, KA +] CA= KCA -[A, KA +] CA A A sends its identity and public key in Certificate Authority CA encrypts A’s identity and public key using CA’s private key KCA - and produce a Certificate CA of A. The certificate is now registered and available only in CA’s server
  • 17. Authentication Protocol 5 • Authentication using Asymmetric Key + Certificate A B “I am A” r m= KA - (r) “What’s your public key?” My Public Key= KA + 2. B sends a Nonce (r) to A 4. B asks for A’s public key 6. B go to CA to verify A’s Certificate 7. B decrypts A’s Certificate using CA’s public key If the identity and the public key matches B knows it’s A’s public key B decrypts m using A’s public key KA + If the result is r, B knows it is indeed talking to A 1. A indicates it wants to talk to B 3. A encrypts r using A’s secret key KA - and sends m= KA -(r) 5. A sends it’s Public Key, KA +, to B A sends data using KA - to Encrypt and receive data using KA - to Decrypt Encrypted Data CA What’s A’s Certificate? A’s Certificate= CA = KCA -[A, KA +] B sends data using KA + to Encrypt and receive data using KA + to Decrypt How does A and B ensure each other is who it claimed to be?- Authentication How does A and B ensure the received data is not altered?- Integrity
  • 18. Security Elements • 5 key elements in secure communication 1. Privacy / Confidentiality • Symmetric, Asymmetric, and Session Key 2. Authentication • Symmetric Key, Asymmetric Key + Certificate Authority 3. Integrity 4. Nonrepudiation 5. Availability and Access Control
  • 19. Integrity and Nonrepudiation • Nonrepudiation • The sender must be able to prove it is the creator of the content • The sender must be able to prove it is the approver of the content • The receiver must be able to verify the creator and approver of the received content • Exactly like Human Signature • Sign checks, credit card receipts, and etc… • Signature indicates the signer has verified and is responsible for the content • Digital Signature • A cryptographic technique used to achieve the same goals of Human Signature
  • 20. Digital Signature • To prove that a document signed by an individual was indeed signed by that individual (verifiable) • To prove that only that individual could have signed the document (Nonrepudiation) • How does it work in Digital World? • Use Asymmetric Key to produce Digital Signature • Whoever signed the document must have used KA - • Verifiable • “A” must be the only person who possesses the key KA • Nonrepudiate KA - [m] X Signed Message = KA -[m] X KA + KA +[KA -[m]] [m] A B
  • 21. Security Elements • 5 key elements in secure communication 1. Privacy / Confidentiality • Symmetric, Asymmetric, and Session Key 2. Authentication • Symmetric Key, Asymmetric Key + Certificate Authority 3. Integrity 4. Nonrepudiation • Digital Signature 5. Availability and Access Control
  • 22. Integrity- Message Digest • To verify the received data is not altered and is what is being sent by the sender • Message Digest • A mathematical function which takes an input message (m) and produces an mathematically calculated output (H(m)). • The Hash Function must have extremely low probability of producing same output with different inputs. • i.e. H(x) != H(y) • Popular Hash Algorithms • MD5, MD6 • SHA-1/2/3 [m] Hash Function H( ) H(m)
  • 23. Integrity + Authentication 1/2 • HMAC- Hashed Message Authentication Code • Provides Integrity and Authentication • Two techniques: HMAC + Key Cryptography [m] Hash Function H( ) H(m) A KA - X {m, K A - [H(m)]}+ K A - [H(m)] Message is Hashed and Signed. Signed Hash message is sent along original message.
  • 24. Integrity + Authentication 2/2 • HMAC- Hashed Message Authentication Code • Provides Integrity and Authentication • Two techniques: HMAC + Key Cryptography B {m, K A - [H(m)]} - K A - [H(m)] m Hash Function H( ) X KA + = ? H(m) H(m) Y Message is not altered Received signed hashed message is unlocked to reveal H(m) Received original message is hashed to compare results
  • 25. IPSec ▪ IPSec- Internet Protocol Security ▪ Suite of protocols to ensure Confidentiality, Authentication, and Integrity across IP network ▪ Works on Layer 3 Packets ▪ Three Components ▪ AH- Authentication Header ▪ Authentication & Integrity ▪ ESP ▪ Authentication, Integrity, and Confidentiality ▪ IKE ▪ Key Management and Security Association Management ▪ Two Modes ▪ Tunnel Mode ▪ Transport Mode
  • 26. IPSec- ESP • ESP- Encapsulating Security Payload • Confidentiality- Encrypted over payload, only intended receiver can decrypt • Authentication & Integrity- HMAC + MD5 IP HDR ESP HDR TCP Data ESP Trailer ESP Authenticat ion IP HDR TCP Data Encrypted Authenticated
  • 27. IP HDR TCP Data TCP Data + X ESP Trailer K K[TCP, Data, ESP Trailer] + ESP HDR ESP HDR Encrypted Data HMAC MD5 H[ESP HDR, Encrypted Data] KA - X + K A - [H(m)] i.e. ESP Auth HDR ESP HDR, Encrypted Data IP HDR ESP HDR Encrypted Data ESP Authenticati on TCP Data ESP Trailer
  • 28. ESP- Confidentiality IP HDR TCP Data TCP Data + X ESP Trailer KDES KDES[TCP, Data, ESP Trailer] TCP Data ESP Trailer Encrypted Payload ▪ ESP Confidentiality ▪ Achieved by encrypting [TCP, Data] payload ▪ AES, DES, 3DES or etc DES encrypted payload DES key arranged during IKE Session
  • 29. ESP- Authentication & Integrity Encrypted Payload + ESP HDR Hash H(ESP HDR, Encrypted Data) KHMAC + KHMAC[H(m)] i.e. ESP Auth HDR IP HDR, ESP HDR, Encrypted Data IP HDR ESP HDR Encrypted Data ESP Authenticat ion ESP HDR Encrypted Data ▪ ESP Authentication & Integrity ▪ Achieved by using HMAC-MD5/SHA over DES encrypted payload X