Scribd Logo
Carica

Benvenuto in Scribd!

  • Network Security Protocols: Anisha Raghu

    Caricato da

    Muktesh Mukul
    36 visualizzazioni53 pagine
    This document discusses several network security protocols: PGP, S/MIME, SSL/TLS, and IPSec. It provides an overview of each protocol, including what problems they aim to solve, their basic functions and architecture. Some key points covered include how PGP and S/MIME provide encryption and authentication for email, how SSL/TLS provide encryption for network traffic between clients and servers, and how IPSec provides security services like access control and data confidentiality at the network layer for VPNs.

    Descrizione originale:

    Titolo originale

    2.Protocols

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    PPT, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    This document discusses several network security protocols: PGP, S/MIME, SSL/TLS, and IPSec. It provides an overview of each protocol, including what problems they aim to solve, their basic functions and architecture. Some key points covered include how PGP and S/MIME provide encryption and authentication for email, how SSL/TLS provide encryption for network traffic between clients and servers, and how IPSec provides security services like access control and data confidentiality at the network layer for VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PPT, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    36 visualizzazioni53 pagine

    Network Security Protocols: Anisha Raghu

    Caricato da

    Muktesh Mukul
    This document discusses several network security protocols: PGP, S/MIME, SSL/TLS, and IPSec. It provides an overview of each protocol, including what problems they aim to solve, their basic functions and architecture. Some key points covered include how PGP and S/MIME provide encryption and authentication for email, how SSL/TLS provide encryption for network traffic between clients and servers, and how IPSec provides security services like access control and data confidentiality at the network layer for VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PPT, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 53

    Network Security Protocols

    Anisha Raghu

    Agenda
    PGP S/MIME SSL TLS IPSec

    PGP
    Pretty Good Privacy

    Introduction
    Developed by Phil Zimmermann Uses Public Key Encryption

    E-mail security

    Basic Services
    Authentication Confidentiality Compression Radix 64 conversion for e-mail compatibility Segmentation

    Authentication
    Message
    Senders Private key SHA-1

    hash RSA Message digest encrypt Signature

    To compression stage

    Compression & Encryption


    Generate key
    Session key Receivers public key

    encrypt RSA

    compression compressed message

    encrypt
    IDEA encrypt

    Message+ signature

    To conversion stage
    encrypted message + key

    Radix 64 conversion
    E-mail compatibility
    Radix-64 conversion A group of three octets of binary data is mapped into four ASCII characters. Each 6 bits is encoded as follows:
    0 to 25 : A to Z 26 to 51 : a to z 52 to 61: 0 to 9 62: +, 63: /, padding: =

    Results in expansion of message by 33%. Some level of confidentiality since text after conversion is not readable

    Segmentation & Reassembly


    Restriction on maximum size of message transmitted Message subdivided into segments At receiving end headers removed and reassembly done

    10

    Combining services
    X := file signature?
    no yes

    generate signature X := s(X) || X

    compress X := Z(X) generate envelop X := {k}Krcv || {X}k

    encryption?
    no

    yes

    radix 64 X := R64(X)

    Message Format
    Session key
    Receivers public key Key ID Session key Timestamp Senders public key Key ID Leading 2 octets of message digest Message digest Filename Timestamp Encrypt with receivers public key

    Signature

    Encrypt with senders private key

    ZIP & encrypt using session key

    Radix 64

    Message
    Data

    Key IDs
    a user may have several public key private key pairs
    which private key to use to decrypt the session key? which public key to use to verify a signature?

    transmitting the whole public key would be wasteful associating a random ID to a public key would result in management burden PGP key ID: least significant 64 bits of the public key
    unique within a user with very high probability

    Agenda
    PGP S/MIME SSL TLS IPSec

    S/MIME
    Secure/Multipurpose Internet Mail Extension

    Introduction
    Security enhancement to MIME Developed by RSA Data Security Inc. MIME Multipurpose Internet Mail Extension
    supports non-text data
    Text Image Video Audio Application (Post Script or octet-stream).

    Multipart message support.

    Functions
    Enveloped data Signed data Clear-signed data Signed and enveloped data

    Enveloped Data
    Generate key
    Session key

    RSA encrypt x.509 Algo ID

    Recipients Public key

    3-DES

    Recipient Info

    encrypt
    Message
    Enveloped Data

    encode

    To Receiver

    Signed Data
    Senders Private key

    SHA digest

    DSS encrypt

    Message Signed Data x.509 Algo ID Algo ID To Receiver Signer Info

    encode

    Comparison
    Key Issues
    Main Usage

    S/MIME
    Company, enterprise Certification Authority E-mail security

    PGP
    personal

    Authentication policy Utility

    Web of trust

    E-mail security, file Key rings

    Key storage

    Key certificates

    Agenda
    PGP S/MIME SSL TLS IPSec

    SSL
    Secure Socket Layer

    Introduction
    Developed by Netscape Client/server applications Port 443 https://www.mywebpage.com

    Deployment Layer

    SSL Protocols
    Handshake Protocol Change Cipher Spec Protocol Alert Protocol Record Protocol

    SSL Architecture

    Handshake Protocol

    Server Authentication

    Record Protocol
    Application Data Fragment

    Compress (optional)

    Add MAC Encrypt

    Append SSL record header

    Agenda
    PGP S/MIME SSL TLS IPSec

    TLS (Transport Layer Security)


    Next generation of SSL IETF formed TLS working group to create an internet standard protocol for security above transport layer. Difference from SSL
    Version Number Cipher suite algorithms Alert Codes Padding

    Agenda
    PGP S/MIME SSL TLS IPSec

    IPSec
    Internet Protocol Security

    33

    IP is not Secure!
    IP protocol was designed in the late 70s to early 80s
    Part of DARPA Internet Project Very small network
    All hosts are known! So are the users! Therefore, security was not an issue

    34

    Security Issues in IP
    source spoofing replay packets no data integrity or confidentiality

    DOS attacks

    Replay attacks Spying and more

    Virtual Private Network

    Introduction to IPSec
    Framework for security operating at network layer. Based on standards developed by the Internet Engineering Task Force (IETF) Services provided
    Access Control Connectionless integrity Data origin authentication Rejection of replayed packets Data Confidentiality Limited traffic flow confidentiality.

    Where to deploy in a Network?


    Gateway between the local intranet and the internet Can be used for protection between
    Pair of hosts Pair of security gateways (e.g. routers or firewalls) Security gateway and host.

    38

    IPSec Architecture
    ESP Encapsulating Security Payload AH

    Authentication Header
    IPSec Security Policy

    IKE The Internet Key Exchange

    Security Protocols
    Two security protocols introduced
    Authentication Header (AH)

    Encapsulating Security Payload (ESP)

    Security Protocols
    Two security protocols introduced
    Authentication Header (AH)
    Connectionless integrity Data Origin authentication Anti replay services

    Encapsulating Security Payload (ESP)


    Data confidentiality Traffic flow confidentiality

    Modes of operation

    Transport Mode

    Router

    Router

    Tunnel Mode

    Modes - Transport Mode


    Gateway Gateway

    Encrypted/ Authenticated

    A
    Orig IP Header IPSec Header TCP Data

    Authentication Header (AH) Transport Mode


    Orig.IP header

    TCP Before applying AH

    Data

    Orig.IP header

    AH

    TCP

    Data

    Authenticated After applying AH

    Encapsulating Security Payload (ESP) Transport Mode

    Orig.IP header

    TCP Before applying ESP

    Data

    Authentication Encryption Orig.IP header ESP hdr


    TCP

    Data

    ESP trlr

    ESP auth

    After applying ESP

    Modes- Tunnel Mode


    Gateway Tunnel Gateway

    Encrypted/ Authenticated

    A
    New IP Header IPSec Header Orig IP Header TCP Data

    Three types of Tunnels

    Authentication Header (AH)- Tunnel Mode


    Orig.IP header
    TCP Before applying AH Data

    New IP hdr

    AH

    Orig.IP header

    TCP

    Data

    Authentication After applying AH

    Encapsulating Security Payload (ESP) Tunnel Mode


    Orig.IP header

    TCP Before applying ESP

    Data

    Authentication Encryption New IP ESP Orig.IP header hdr header


    TCP Data

    ESP trlr

    ESP auth

    After applying ESP

    IKE , Internet Key Exchange


    Exchange and negotiate security policies Establish security sessions
    Identified as Security Associations

    Key exchange

    Key management

    Security Association (SA)


    Simplex connection that provides security services to the traffic carried by it For bi-directional communication, 2 SAs required Each SA is identified by
    Security Parameters Index IP Destination Address Security Protocol Identifier. (AH or ESP)

    Key Management
    handles key generation & distribution typically need 2 pairs of keys
    2 per direction for AH & ESP

    manual key management


    sysadmin manually configures every system

    automated key management


    automated system for on demand creation of keys for SAs in large systems has Oakley & ISAKMP elements

    Oakley
    a key exchange protocol based on Diffie-Hellman key exchange

    ISAKMP
    Internet Security Association and Key Management Protocol provides framework for key management defines procedures and packet formats to establish, negotiate, modify, & delete SAs independent of key exchange protocol, encryption alg, & authentication method

    Potrebbero piacerti anche