homepage security

IPSec Cheat Sheet

ISAKMP UDP port 500  (cryptographic key management and protocol <~ IKE )
ESP IP protocol 50
AH IP protocol 51

IPSec components:

1.    Security protocol:  AH, ESP
2.    Security Association: SA
3.    Key management: IKE   (in the beginning keys are managed manually)
4.    Algorithm

Characteristic: algorithm independent, modularity

AH Authentication Header
Applying a keyed one-way hash function to the datagram to create a message digest.
- also involves the use of a secret shared between the two -> authenticity guaranteed
+ optional antireplay protection

1.    data integrity
2.    origin authentication
3.    keyed-hash mechanism
4.    NOT provide confidentiality
5.    optional antireplay protection

~> applied to entire datagram except for any mutable IP header fields

ESP Encapsulating Security Protocol
Encryption at IP layer
Support a varity of symmetric encryption alg

1.    data confidentiality (encryption)
2.    limited traffic flow confidentiality
3.    data integrity
4.    origin authentication
5.    antireplay
6.    NOT protect IP header


IKE Internet key exchange

Hybrid protocol, implements Oakley and SKEME key exchanges inside ISAKMP framework
can be used with other protocol, IPSec is the initial implementation
Provide utility service for IPSec:
> authentication of peers
> establishment of key for encryption algorithm
> negotiates IKE and IPSec security association

1. Authentication:
3 common way to authentication in IPSec:
1. pre-share key
IKE peers authenticate each other by computing and sending keyed hash of data that include the pre-shared key, if the receiving peer is able to create the same hash using its pre-shared key <== authenticate
* easier
* do not scale well

2. RSA signature
Uses a digital signature
Each device digitally sign a set of date and sent it
Uses CA to generate a unique ID digital certificate
Initiator and responder using RSA signature send their own:
- ID value (IDi, IDr)
- identity digital certificate
- RSA signature value

3. RSA Encryption
Uses RSA encryption public key cryptography
Requires each party to generate a pseudorandom number (nounces), encrypt it with the other party’s RSA public key.
Authentication occurs when each party decrypt the other party nonce with local private key

2. IKE negotiation:

Divided in two phases:
Phase 1:
Creates an authenticated secure channel between 2 IKE peers
Result: IKE SA
Diffie-Hellman key agreement always performed

Phase 2:
Generate the required key material for IPSec
Result: IPSec SA
Sender offer one or more transform set
Receiver send back a single transform set – mutually agreed
a new Diffie-Hellman agreement can be done
keys can be derived from phase 1 shared secret.

Security Association (SA): relation between 2 or more entities that describe how entities will use security servives.

to be continued…

homepage $Date: Sun May 16 18:58:43 CET 2004 $ © 2003-2004 Omar Gani