IPSec

Cards (16)

  • IPSec
    Offers authentication, confidentiality, integrity, access control, and protection against replay attacks
  • IPSec
    • Operates on network layer, transparent to the user
    • Automatically negotiates cryptographic protection with another IPSec enabled computer
  • IPSec negotiation
    1. Both ends negotiate cryptographic parameters and assurance, complete authentication, and agree on shared secret keys
    2. Provide confidentiality (data encryption) and message integrity
  • Security Association (SA)
    Contains secret keys, names of cryptographic algorithms for encryption and authentication, and other parameters
  • IPSec Phase 1
    1. Authentication
    2. Key Agreement
    3. SA-1 parameters are derived
  • IPSec Phase 2
    1. Negotiation of bulk data encryption parameters
    2. SA-2 parameters are derived
  • SA-1 parameters
    Used to encrypt and authenticate Phase 2 messages
  • SA-2 parameters
    Used to encrypt and authenticate all Phase 2 messages
  • Transport Mode
    IPSec protects what is delivered from the transport layer to the network layer, but does not protect the IP Header
  • Tunnel Mode
    IPSec protects the entire IP packet, including the header, by applying IPSec security methods and adding a new IP Header
  • Authentication Header (AH) Protocol
    Provides data integrity and source authentication, but not confidentiality
  • Encapsulating Security Payload (ESP) Protocol
    Provides confidentiality, data integrity, and source authentication
  • IPSec combinations
    • ESP + Transport
    • ESP + Tunnel
    • AH + Transport
    • AH + Tunnel
  • The most robust protection is ESP + Tunnel, often used for VPNs
  • Services provided by IPSec
    • Access Control
    • Message Authentication
    • Entity Authentication
    • Confidentiality
    • Replay attack protection
  • Two-phase key exchange in IPSec
    • Single SA-1 can generate many SA-2
    • Fast changes in SA-2 keys
    • Encryption algorithms in SA-2 can be changed