Cryptography: IPSec
Created by Lance De Guzman
Cards (16)
IPSec
Offers authentication, confidentiality, integrity, access control, and protection against replay attacks.

IPSec
Operates on the network layer, transparent to the user. Automatically negotiates cryptographic protection with another IPSec-enabled computer.

IPSec negotiation
1. Both ends negotiate cryptographic parameters and assurance, complete authentication, and agree on shared secret keys.
2. Provide data encryption (confidentiality) and message integrity.

Security Association (SA)
Contains secret keys, the names of the cryptographic algorithms used for encryption and authentication, and other parameters.

IPSec Phase 1
1. Authentication
2. Key agreement
3. SA-1 parameters are derived

IPSec Phase 2
1. Negotiation of bulk data encryption parameters
2. SA-2 parameters are derived

SA-1 parameters
Used to encrypt and authenticate Phase 2 messages.

SA-2 parameters
Used to encrypt and authenticate all Phase 2 messages.

Transport Mode
IPSec protects what is delivered from the transport layer to the network layer, but does not protect the IP header.

Tunnel Mode
IPSec protects the entire IP packet, including the header, by applying IPSec security methods and adding a new IP header.

Authentication Header (AH) Protocol
Provides data integrity and source authentication, but not confidentiality.

Encapsulating Security Payload (ESP) Protocol
Provides confidentiality, data integrity, and source authentication.

IPSec combinations
ESP + Transport
ESP + Tunnel
AH + Transport
AH + Tunnel
The most robust protection is ESP + Tunnel, often used for VPNs.

Services provided by IPSec
Access control
Message authentication
Entity authentication
Confidentiality
Replay attack protection

Two-phase key exchange in IPSec
A single SA-1 can generate many SA-2s.
SA-2 keys can be changed quickly.
Encryption algorithms in SA-2 can be changed.