Fudan University: "Information Security" course slides, 11.1 IP Security

1 Information Security: 11.1 IP Security (Chapter 16)
School of Software, Fudan University

2 Review
• Cryptography
• Authentication techniques
• PKI, CA, cert

3 Review
• Cryptography
• Authentication techniques
• PKI, CA, cert.
[Figure labels: secure cryptographic algorithms; security protocols; system security; application security; network security]

4 IP Security
• have a range of application-specific security mechanisms
  – e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
• however, there are security concerns that cut across protocol layers
• would like security implemented by the network for all applications
• Q: If security mechanisms are already implemented at the application layer, is security still needed at the network level? Or vice versa?

5 IPSec
• general IP Security mechanisms
• provides
  – authentication
  – confidentiality
  – key management
• applicable to use over LANs, across public & private WANs, & for the Internet

6 IPSec Uses
[Figure: a user system with IPSec and networking devices with IPSec, connected across a public (Internet) or private network]

7 Benefits of IPSec
• in a firewall/router provides strong security to all traffic crossing the perimeter
• in a firewall/router is resistant to bypass
• is below transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users
• secures routing architecture

8 IP Security Architecture
• specification is quite complex
• defined in numerous RFCs
  – incl. RFC 2401/2402/2406/2408
  – many others, grouped by category
• mandatory in IPv6, optional in IPv4
• have two security header extensions:
  – Authentication Header (AH)
  – Encapsulating Security Payload (ESP)

9 IPSec Services
[Table: services by protocol. Column headings: ESP (encryption only); ESP (encryption plus authentication). Rows: Access control; Connectionless integrity; Data origin authentication; Rejection of replayed packets; Confidentiality; Limited traffic flow confidentiality]

11 Authentication Header (AH)
• provides support for data integrity & authentication of IP packets
  – end system/router can authenticate user/app
  – prevents address spoofing / replay attacks by tracking sequence numbers
• based on use of a MAC
  – HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
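
The AH checks listed on this slide, as an added example that is not part of the original courseware: a receiver that verifies an HMAC-SHA-1-96 value under a shared key and tracks sequence numbers in a sliding window to reject replays. Assumptions: the tuple packet layout, the 64-packet window, and a MAC input of only source address, SPI, sequence number and payload (real AH covers the immutable IP header fields and the AH header itself); the key and addresses are constructed samples.

```python
import hashlib, hmac, socket, struct

WINDOW = 64  # anti-replay window in packets (assumed; the slide gives no size)

def icv(key, src, spi, seq, payload):
    """HMAC-SHA-1-96: HMAC-SHA-1 output truncated to its first 96 bits."""
    msg = socket.inet_aton(src) + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

def protect(key, src, spi, seq, payload):
    # Hypothetical packet layout for this example: a plain tuple.
    return (src, spi, seq, payload, icv(key, src, spi, seq, payload))

class Receiver:
    def __init__(self, key):
        self.key = key
        self.highest = 0   # highest authenticated sequence number
        self.bitmap = 0    # bit i set => sequence (highest - i) already accepted

    def accept(self, pkt):
        src, spi, seq, payload, tag = pkt
        if seq == 0:
            return "drop: invalid sequence"
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= WINDOW:
                return "drop: older than window"
            if (self.bitmap >> offset) & 1:
                return "drop: replay"
        # Check the MAC before touching window state, so a forged packet
        # cannot advance the window.
        if not hmac.compare_digest(tag, icv(self.key, src, spi, seq, payload)):
            return "drop: bad ICV"
        if seq > self.highest:
            shifted = (self.bitmap << (seq - self.highest)) | 1
            self.bitmap = shifted & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"

def demo():
    key = b"constructed-shared-secret"   # constructed sample key
    rx = Receiver(key)
    p1 = protect(key, "192.0.2.10", 0x100, 1, b"hello")
    p3 = protect(key, "192.0.2.10", 0x100, 3, b"world")
    # Same tag, different claimed source address: the MAC no longer matches.
    spoofed = ("198.51.100.7",) + protect(key, "192.0.2.10", 0x100, 4, b"x")[1:]
    return [rx.accept(p) for p in (p1, p3, p1, spoofed)]
```

Because the MAC is verified before the window is updated, the spoofed packet leaves the receiver's state unchanged, and a genuine packet with sequence number 4 would still be accepted afterwards.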