Transcript Slide 1
An Introduction to Encrypting Messages
on the Internet
Mike Kaderly
INFS 750
Summer 2010
Learning Objectives
Understand why we need encryption.
Identify and explain the three types of security
assurance.
Describe the purposes of the Internet Protocol
Security (IPsec) and it’s related sub-protocols.
Describe the difference between transport and tunnel
IPsec modes.
Why do we need encryption?
The Internet is inherently insecure.
The entire global network is based upon millions of
hosts, switches, firewalls, routers, and the transport
media used to connect these nodes—all of which are
owned, operated and used by a countless number of
people/organizations.
Why do we need encryption?
Without relying on a recognized authority in charge of
developing security specifications and standards, there
would be no way to secure the information of such a
wide-spread, public network.
Furthermore, IP packets, as originally designed in the
TCP/IP protocols, have no built-in security
mechanism.
Modern Security Standards
Development
Internet Engineering Task Force (IETF) develops
TCP/IP and Internet protocol standards
Composed of volunteer professionals sponsored by both
corporations and governments
Created in 1986
Focus is on building consensus for specifications,
backward compatibility and running code *
* http://en.wikipedia.org/wiki/Internet_Engineering_Task_Force
Types of Security Assurances
Integrity assurance – ensures information has not
been altered during transport.
Authentication assurance – ensures information is
coming from the true source.
Confidentiality assurance – ensures the information
has not been read by others who were not intended to
view the information.
Internet Protocol Security (IPsec)
IPsec is security protocol developed by the IETF
IPsec defines how packets are made secure from node
to node
It has been implemented on Windows, Apple, Linux,
Unix and other platforms
It is application-independent.
Internet Protocol Security (IPsec)
Hybrid TCP/IP-OSI Architecture
Application Layer (Layer 5)
TCP/IP Transport (Layer 4)
TCP/IP Internet (Layer 3)
Data Link (Layer 2)
Physical Layer (Layer 1)
IPsec Standards
Internet Protocol Security (IPsec)
IPsec is implemented using a number of sub-protocols
with special responsibilities:
Internet Key Exchange
Security Association
Authentication Header
Encapsulating Security Payload
Internet Key Exchange (IKE)
The Internet Key Exchange (IKE) service is called upon
to handle the key exchange between two nodes and
allows for the initial handshake.
IKE supports three types of authentication methods:
pre-shared keys, public key encryption, and digital
signatures (to be discussed later)
Security Association (SA)
Once an initial connection is created using IKE, the
Security Policy Database on each node is used to
determine the agreed upon rules for encrypting
packets during the lifetime of the communication.
These rules are collectively called Security
Associations.
* IPv6 Security by Scott CCIE No. 5133 Hogg; Eric Vyncke
Authentication Header (AH)
Through the use of algorithms, AH provides
authentication and integrity assurances:
Did the packet come from the true source it claims to be
from?
Have the packet contents been modified?
It may be used separately or in combination with ESP.
AH guards against replay attack – an attacker takes a
copy of a packet and later resends the packet to the
intended destination node.
Encapsulating Security Payload
(ESP)
ESP is used to provide authentication, integrity and
confidentiality assurances by encrypting the payload
of the packet.
It can be used separately or in conjunction with AH
services.
Transport Mode
Transport mode requires configuration and a digital
certificate and is used between two hosts.
Only the payload is encrypted/authenticated.
Used for host to host communications.
Expensive management on each host computer.
Tunnel Mode
Tunnel mode implements IPsec between two IPsec-
configured routers.
The entire packet can be encrypted, authenticated and
is encapsulated within a new packet and new IP
header to make sure the original IP packet is
unchanged.
Tunnel mode is used to create Virtual Private
Networks (VPN).
Illustration of Tunneling and VPN
http://www.unixwiz.net/techtips/iguide-ipsec.html
Review Questions
Why is IPsec needed?
What are the three types of security assurances?
How does an encrypted IP packet differ from one
without encryption?
What layer of the TCP/IP-OSI model does IPsec fall
under?
What are the major differences between transport and
tunnel IPsec modes?