Slide 1

Securing the UnsecuredAn Introduction to Encrypting Messages on the Internet

Mike KaderlyINFS 750Summer 20101Learning ObjectivesUnderstand why we need encryption.Identify and explain the three types of security assurance.Describe the purposes of the Internet Protocol Security (IPsec) and its related sub-protocols.Describe the difference between transport and tunnel IPsec modes.

2Why do we need encryption?The Internet is inherently insecure.The entire global network is based upon millions of hosts, switches, firewalls, routers, and the transport media used to connect these nodesall of which are owned, operated and used by a countless number of people/organizations.

3Why do we need encryption?Without relying on a recognized authority in charge of developing security specifications and standards, there would be no way to secure the information of such a wide-spread, public network.Furthermore, IP packets, as originally designed in the TCP/IP protocols, have no built-in security mechanism.

4Modern Security Standards DevelopmentInternet Engineering Task Force (IETF) develops TCP/IP and Internet protocol standardsComposed of volunteer professionals sponsored by both corporations and governmentsCreated in 1986Focus is on building consensus for specifications, backward compatibility and running code *

* http://en.wikipedia.org/wiki/Internet_Engineering_Task_Force

5Types of Security AssurancesIntegrity assurance ensures information has not been altered during transport.Authentication assurance ensures information is coming from the true source.Confidentiality assurance ensures the information has not been read by others who were not intended to view the information.

6Internet Protocol Security (IPsec)IPsec is security protocol developed by the IETFIPsec defines how packets are made secure from node to nodeIt has been implemented on Windows, Apple, Linux, Unix and other platformsIt is application-independent.

7Internet Protocol Security (IPsec)Hybrid TCP/IP-OSI ArchitectureApplication Layer (Layer 5)TCP/IP Transport (Layer 4)TCP/IP Internet (Layer 3)Data Link (Layer 2)Physical Layer (Layer 1)IPsec Standards

8Internet Protocol Security (IPsec)IPsec is implemented using a number of sub-protocols with special responsibilities:Internet Key ExchangeSecurity AssociationAuthentication HeaderEncapsulating Security Payload

9Internet Key Exchange (IKE) The Internet Key Exchange (IKE) service is called upon to handle the key exchange between two nodes and allows for the initial handshake.IKE supports three types of authentication methods: pre-shared keys, public key encryption, and digital signatures (to be discussed later)

10Security Association (SA)Once an initial connection is created using IKE, the Security Policy Database on each node is used to determine the agreed upon rules for encrypting packets during the lifetime of the communication.These rules are collectively called Security Associations.* IPv6 Security by Scott CCIE No. 5133 Hogg; Eric Vyncke

11Authentication Header (AH)Through the use of algorithms, AH provides authentication and integrity assurances:Did the packet come from the true source it claims to be from?Have the packet contents been modified?It may be used separately or in combination with ESP.AH guards against replay attack an attacker takes a copy of a packet and later resends the packet to the intended destination node.

12Encapsulating Security Payload (ESP)ESP is used to provide authentication, integrity and confidentiality assurances by encrypting the payload of the packet.It can be used separately or in conjunction with AH services.

13Transport ModeTransport mode requires configuration and a digital certificate and is used between two hosts.Only the payload is encrypted/authenticated.Used for host to host communications.Expensive management on each host computer.

14Tunnel ModeTunnel mode implements IPsec between two IPsec-configured routers. The entire packet can be encrypted, authenticated and is encapsulated within a new packet and new IP header to make sure the original IP packet is unchanged.Tunnel mode is used to create Virtual Private Networks (VPN).

15Illustration of Tunneling and VPN

http://www.unixwiz.net/techtips/iguide-ipsec.html

Review QuestionsWhy is IPsec needed?What are the three types of security assurances?How does an encrypted IP packet differ from one without encryption?What layer of the TCP/IP-OSI model does IPsec fall under? What are the major differences between transport and tunnel IPsec modes?