More Related Content
![Chapter 10 wireless hacking [compatibility mode]](https://cdn.slidesharecdn.com/ss_thumbnails/chapter10wirelesshackingcompatibilitymode-160420123723-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to The Security layer
The Security layer
- 1. Nadar Saraswathi collegeof Arts and science Theni Presented by: S.Swetha I M.sc(IT) The Security Layer Department of CS and iT
- 2.
- 3. Index ⢠Wireless Transport LayerSecurity (WTLS) ⢠IP Security ⢠IPsec Protocols ⢠Internet Key Exchange (IKE) Protocol ⢠Security Association (SA) ⢠Authentication Header (AH) ⢠Encapsulating Security Payload (ESP) ⢠IPsec key management
- 4. Wireless Transport Layer Security(WTLS) ⢠It can be integrated into WAP(Wireless Application Protocol) architecture on top of WDP(Wireless Datagram Protocol). ⢠It supports Datagram and connection oriented transport layer protocols. ⢠Based on TLS/SSL protocol.It can provide different levels of security. ⢠Privacy
- 6.
- 7. What is IPSecurity ⢠Framework of open standards to ensure secure communications over the Internet In short: It is the network layer Internet Security Protocol
- 8. IPSEC Service Internet/ Intranet IPSec disabledhost Case 1 : Insecure IP Packet IPSec enabled host Case 2 : Secure IP Packet IP Header Upper layer data IP Header IPSec Header Upper layer data
- 9. IPSec ⢠general IP Securitymechanisms ⢠provides â authentication â confidentiality â key management ⢠applicable to use over LANs, across public & private WANs, & for the Internet
- 10. IP sec Application ⢠IPSecprovides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. â Secure branch office connectivity over the Internet â Secure remote access over the Internet â Establishing extranet and intranet connectivity with partners â Enhancing electronic commerce security
- 11. Security Associations ⢠One ofthe most important concepts in IPSec is called a Security Association (SA). Defined in RFC 1825. ⢠SAs are the combination of a given Security Parameter Index (SPI) and Destination Address. ⢠SAs are one way. A minimum of two SAs are required for a single IPSec connection. ⢠SAs contain parameters including: â Authentication algorithm and algorithm mode â Encryption algorithm and algorithm mode â Key(s) used with the authentication/encryption algorithm(s) â Lifetime of the key â Lifetime of the SA â Source Address(es) of the SA â Sensitivity level (ie Secret or Unclassified)
- 12.
- 13. scenario of IPSecusage ⢠An organization maintains LANs at dispersed locations ⢠Non secure IP traffic is conducted on each LAN. ⢠IPSec protocols are used ⢠These protocols operate in networking devices that connect each LAN to the outside world. (router, firewall ) ⢠The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN
- 14. Why not useIPSec? ⢠Processor overhead to encrypt & verify each packet can be great. ⢠Added complexity in network design.
- 15. Benefits of IPSec ⢠ina firewall/router provides strong security to all traffic crossing the perimeter ⢠in a firewall/router is resistant to bypass ⢠is below transport layer, hence transparent to applications ⢠can be transparent to end users ⢠can provide security for individual users ⢠secures routing architecture
- 16.
- 17. Network Layer Security ⢠IPsecurity (IPsec) â Two protocols ⢠Authentication protocol, using an Authentication Header (AH) ⢠Encryption/authentication protocol, called the Encapsulating Security Payload (ESP) â Two modes of operation ⢠Transport mode: provides protection for upper-layer protocols ⢠Tunnel mode: protects the entire IP datagram
- 18. IPSec protocols âAH protocol ⢠AH - Authentication Header â Defined in RFC 1826 â Integrity: Yes, including IP header â Authentication: Yes â Non-repudiation: Depends on cryptography algorithm. â Encryption: No â Replay Protection: Yes IP Header AH Header Payload (TCP, UDP, etc) IP Header AH Header Payload (TCP. UDP,etc) IP Header Transport Packet layout Tunnel Packet layout
- 19. IPSec protocols âESP protocol ⢠ESP â Encapsulating Security Payload â Defined in RFC 1827 â Integrity: Yes â Authentication: Depends on cryptography algorithm. â Non-repudiation: No â Encryption: Yes â Replay Protection: Yes IP Header ESP Header Payload (TCP, UDP, etc) IP Header ESP Header Payload (TCP. UDP,etc) IP Header Transport Packet layout Tunnel Packet layout Unencrypted Encrypted
- 20. What protocol touse? ⢠Differences between AH and ESP: â ESP provides encryption, AH does not. â AH provides integrity of the IP header, ESP does not. â AH can provide non-repudiation. ESP does not. ⢠However, we donât have to choose since both protocols can be used in together. ⢠Why have two protocols? â Some countries have strict laws on encryption. If you canât use encryption in those countries, AH still provides good security mechanisms. Two protocols ensures wide acceptance of IPSec on the Internet.
- 21. Data Integrity andConfidentiality Basic difference between AH and ESP
- 22. IPSec Protocols (cont) AlgorithmsUsed: Encryption: Symmetric â As IP packets may arrive out of order and Asymmetric algorithms are incredible slow. E.g. DES (Data Encryption Standard) ďˇ Authentication: MAC (Message Authentication Codes) based on symmetric encryption algorithms. One way hash functions. (MD5 or SHA-1)
- 23. Transport Versus TunnelMode Transport Mode: ⢠Used for Peer to Peer communication security ⢠Data is encrypted Tunnel Mode: ⢠Used for site-to-site communication security ⢠Entire packet is encrypted.
- 24. Transport versus Tunnelmode (cont) Transport mode is used when the cryptographic endpoints are also the communication endpoints of the secured IP packets. Cryptographic endpoints: The entities that generate / process an IPSec header (AH or ESP) Communication endpoints: Source and Destination of an IP packet
- 25. Transport versus Tunnelmode (cont) Tunnel mode is used when at least one cryptographic endpoint is not a communication endpoint of the secured IP packets. Outer IP Header â Destination for the router. Inner IP Header â Ultimate Destination
- 26.
- 27. How IPSec works:Phase 1 ⢠Internet Key Exchange (IKE) is used to setup IPSec. ⢠IKE Phase 1: â Establishes a secure, authenticated channel between the two computers â Authenticates and protects the identities of the peers â Negotiates what SA policy to use â Performs an authenticated shared secret keys exchange â Sets up a secure tunnel for phase 2 â Two modes: Main mode or Aggressive mode ⢠Main Mode IKE .1 Negotiate algorithms & hashes. .2 Generate shared secret keys using a Diffie-Hillman exchange. .3 Verification of Identities. ⢠Aggressive Mode IKE â Squeezes all negotiation, key exchange, etc. into less packets. â Advantage: Less network traffic & faster than main mode.
- 28. How IPSec works:Phase 2 â An AH or ESP packet is then sent using the agreed upon âmainâ SA during the IKE phase 1. â IKE Phase 2 ⢠Negotiates IPSec SA parameters ⢠Establishes IPSec security associations for specific connections (like FTP, telnet, etc) ⢠Renegotiates IPSec SAs periodically ⢠Optionally performs an additional Diffie-Hellman exchange
- 29. How IPSec works:Communication ⢠Once Phase 2 has established an SA for a particular connection, all traffic on that connection is communicated using the SA. ⢠IKE Phase 1 exchange uses UDP Port 500. ⢠AH uses IP protocol 51. ⢠ESP uses IP protocol 50.
- 30.