IPSec
Cheat Sheet
ISAKMP UDP port
500 (cryptographic key management and protocol <~ IKE )
ESP IP protocol 50
AH IP protocol 51
IPSec components:
1.
Security protocol: AH, ESP
2.
Security Association: SA
3. Key
management: IKE (in the beginning keys are managed manually)
4.
Algorithm
Characteristic:
algorithm independent, modularity
AH Authentication Header
Applying a keyed one-way
hash function to the datagram to create a message digest.
- also involves the use
of a secret shared between the two -> authenticity guaranteed
+ optional antireplay
protection
Provides:
1.
data integrity
2.
origin authentication
3.
keyed-hash mechanism
4. NOT
provide confidentiality
5.
optional antireplay protection
~> applied to entire
datagram except for any mutable IP header fields
ESP Encapsulating
Security Protocol
Encryption at IP layer
Support a varity of
symmetric encryption alg
Provides:
1.
data confidentiality (encryption)
2.
limited traffic flow confidentiality
3.
data integrity
4.
origin authentication
5.
antireplay
6. NOT
protect IP header
IKE Internet key exchange
Hybrid protocol,
implements Oakley and SKEME key exchanges inside ISAKMP framework
can be used with other
protocol, IPSec is the initial implementation
Provide utility service
for IPSec:
> authentication of
peers
> establishment of
key for encryption algorithm
> negotiates IKE and
IPSec security association
1. Authentication:
3 common way to
authentication in IPSec:
1. pre-share key
IKE peers authenticate
each other by computing and sending keyed hash of data that include the
pre-shared key, if the receiving peer is able to create the same hash
using its pre-shared key <== authenticate
* easier
* do not scale well
2. RSA signature
Uses a digital signature
Each device digitally
sign a set of date and sent it
Uses CA to generate a
unique ID digital certificate
Initiator and responder
using RSA signature send their own:
- ID value (IDi, IDr)
- identity digital
certificate
- RSA signature value
3. RSA Encryption
Uses RSA encryption
public key cryptography
Requires each party to
generate a pseudorandom number (nounces), encrypt it with the other
party’s RSA public key.
Authentication occurs
when each party decrypt the other party nonce with local private key
2. IKE negotiation:
Divided in two phases:
Phase 1:
Creates an authenticated
secure channel between 2 IKE peers
Result: IKE SA
Diffie-Hellman key
agreement always performed
Phase 2:
Generate the required
key material for IPSec
Result: IPSec SA
Sender offer one or more
transform set
Receiver send back a
single transform set – mutually agreed
a new Diffie-Hellman
agreement can be done
keys can be derived from
phase 1 shared secret.
Security Association
(SA): relation between 2 or more entities that describe how entities
will use security servives.
to
be
continued…
|
