Network Security Based on Computer Networking A Top

Network Security Based on: Computer Networking: A Top Down Approach , 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009. 1

Network Security (Chapter 8) Chapter goals: r understand principles of network security: m cryptography and its many uses beyond “confidentiality” m message integrity and Authentication r security in practice: m security in application, transport, network, link layers m Firewalls (would not be covered) 2

Roadmap • • • What is network security? Principles of cryptography Message Integrity Example: Securing e-mail Securing TCP connections: SSL Network layer security: IPsec 3

What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and availability: services must be accessible and available to users 4

The Basic Setting: Alice, Bob, Trudy r well-known in network security world r Bob, Alice (lovers!) want to communicate “securely” r Trudy (intruder) may intercept, delete, add messages r In some texts, Trudy aka Eve (eavesdropping). Alice channel data secure sender Bob data, control messages secure receiver data Trudy 5

Who might Alice & Bob be? r … well, real-life Bobs and Alices! r Web browser/server for electronic transactions (e. g. , on-line purchases) r on-line banking client/server r DNS servers r routers exchanging routing table updates r other examples? 6

Who might Trudy be? Q: What can a “bad guy” do? A: A lot! m eavesdrop: intercept messages m actively insert messages into connection m impersonation: can fake (spoof) source address in packet (or any field in packet) m hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place. MIM (Man In The Middle) Attack m denial of service (DOS, DDOS): prevent service from being used by others (e. g. , by overloading resources) 7

Roadmap • • • What is network security? Principles of cryptography Message Integrity Example: Securing e-mail Securing TCP connections: SSL Network layer security: IPsec 8

The language of cryptography Alice’s K encryption A key plaintext encryption algorithm Bob’s K decryption B key ciphertext decryption plaintext algorithm m plaintext message KA(m) ciphertext, encrypted with key KA m = KB(KA(m)) 9

Monoalphabetic Cipher substitution cipher: substituting one thing for another m monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E. g. : Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Key: the (reversible) mapping from the set of 26 letters to the set of 26 letters 10

Monoalphabetic Cipher r Caesar Cipher: m Was used by Julius Caesar to communicate with his generals during military campaigns. m Each letter in the plaintext is dreplaced by a letter some fixed number of positions further down the alphabet. m Classic Ceasar cipher: shift of 3. r Very easy to break! Using empiric statistical information about the English language. 11

Polyalphabetic encryption r n monoalphabetic cyphers, M 1, M 2, …, Mn r Cycling pattern: m e. g. , n=4, M 1, M 3, M 4, M 3, M 2; r For each new plaintext symbol, use subsequent monoalphabetic pattern in cyclic pattern m dog: d from M 1, o from M 3, g from M 4 r Examples: Vigenère cipher, The Enigma. r Key: the n ciphers and the cyclic pattern 12

Breaking an encryption scheme r Cipher-text only attack: Trudy has ciphertext that she can analyze r Two approaches: m m Search through all keys: must be able to differentiate resulting plaintext from gibberish Statistical analysis r Known-plaintext attack: trudy has some plaintext corresponding to some ciphertext m eg, in monoalphabetic cipher, trudy determines pairings for a, l, i, c, e, b, o, r Chosen-plaintext attack: trudy can get the cyphertext for some chosen plaintext 13

Types of Cryptography r Crypto often uses keys: m Algorithm is known to everyone m Only “keys” are secret r Symmetric key cryptography (DES, AES) m Involves the use one key r Public key cryptography (RSA) m Involves the use of two keys r Hash functions (would not be covered) m Involves the use of no keys m Nothing secret: How can this be useful? 14

Symmetric key cryptography KS KS plaintext message, m encryption ciphertext algorithm K (m) S decryption plaintext algorithm m = KS(KS(m)) symmetric key crypto: Bob and Alice share same (symmetric) key: K S r e. g. , key is knowing substitution pattern in mono alphabetic substitution cipher 15

Two types of symmetric ciphers r Stream ciphers m encrypt one bit at time r Block ciphers m Break plaintext message in equal-size blocks m Encrypt each block as a unit 16

Stream Ciphers pseudo random keystream generator keystream r Combine each bit of keystream with bit of r r r plaintext to get bit of ciphertext m(i) = ith bit of message ks(i) = ith bit of keystream c(i) = ith bit of ciphertext c(i) = ks(i) m(i) ( = exclusive or) m(i) = ks(i) c(i) 17

RC 4 Stream Cipher r RC 4 is a popular stream cipher m Extensively analyzed and considered good m Key can be from 1 to 256 bytes m Used in WEP for 802. 11 m Can be used in SSL 18

Block ciphers r Message to be encrypted is processed in blocks of k bits (e. g. , 64 -bit blocks). r 1 -to-1 mapping is used to map k-bit block of plaintext to k-bit block of ciphertext Example with k=3: input output 000 110 001 111 010 101 011 100 input output 100 011 101 010 110 000 111 001 What is the ciphertext for 010110001111 ? 19

Block ciphers r How many possible mappings are there for k=3? m How many 3 -bit inputs? (23) m How many permutations of the 3 -bit inputs? (8!) m Answer: 40, 320 ; not very many! r In general, 2 k! mappings; huge for k=64 r Problem: m Table approach requires table with 264 entries, each entry with 64 bits r Table too big: instead use function that simulates a randomly permuted table 20

From Kaufman et al Prototype function 64 -bit input 8 bits 8 bits S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 8 bits 8 bits 64 -bit intermediate Loop for n rounds 8 -bit to 8 -bit mapping 64 -bit output 21

Why rounds in prototpe? r If only a single round, then one bit of input affects at most 8 bits of output. r In 2 nd round, the 8 affected bits get scattered and inputted into multiple substitution boxes. r How many rounds? m How many times do you need to shuffle cards m Becomes less efficient as n increases 22

Encrypting a large message r Why not just break message in 64 -bit blocks, encrypt each block separately? m If same block of plaintext appears twice, will give same cyphertext. r How about: m Generate random 64 -bit number r(i) for each plaintext block m(i) m Calculate c(i) = KS( m(i) r(i) ) m Transmit c(i), r(i), i=1, 2, … m At receiver: m(i) = KS(c(i)) r(i) m Problem: inefficient, need to send c(i) and r(i) 23

Cipher Block Chaining (CBC) r CBC generates its own random numbers m Have encryption of current block depend on result of previous block m c(i) = KS( m(i) c(i-1) ) m m(i) = KS( c(i)) c(i-1) r How do we encrypt first block? m Initialization vector (IV): random block = c(0) m IV does not have to be secret r Change IV for each message (or session) m Guarantees that even if the same message is sent repeatedly, the ciphertext will be completely different each time 24

Cipher Block Chaining r cipher block: if input block repeated, will produce same cipher text: t=1 … t=17 m(1) = “HTTP/1. 1” block cipher c(1) m(17) = “HTTP/1. 1” block cipher c(17) = “k 329 a. M 02” r cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1) m c(0) transmitted to receiver in clear m what happens in “HTTP/1. 1” scenario from above? m(i) c(i-1) + block cipher c(i) 25

Symmetric key crypto: DES: Data Encryption Standard r US encryption standard [NIST 1993] r 56 -bit symmetric key, 64 -bit plaintext input r Block cipher with cipher block chaining r How secure is DES? m DES Challenge: 56 -bit-key-encrypted phrase decrypted (brute force) in less than a day m No known good analytic attack r making DES more secure: m 3 DES: encrypt 3 times with 3 different keys (actually encrypt, decrypt, encrypt) 26

Symmetric key crypto: DES operation initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation 27

AES: Advanced Encryption Standard r new (Nov. 2001) symmetric-key NIST standard, replacing DES r processes data in 128 bit blocks r 128, 192, or 256 bit keys r brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES 28

Public Key Cryptography symmetric key crypto r requires sender, receiver know shared secret key r Q: how to agree on key in first place (particularly if never “met”)? public key cryptography r radically different approach [Diffie. Hellman 76, RSA 78] r sender, receiver do not share secret key r public encryption key known to all r private decryption key known only to receiver 29

Public key cryptography + Bob’s public B key K K plaintext message, m encryption ciphertext algorithm + K (m) B - Bob’s private B key decryption plaintext algorithm message + m = K B(K (m)) B 30

Public key encryption algorithms Requirements: 1 2 . . + need K B( ) and K - ( ) such that B - + K (K (m)) = m B B + given public key KB , it should be impossible to compute private key K B RSA: Rivest, Shamir, Adelson algorithm 31

Prerequisite: modular arithmetic r x mod n = remainder of x when divide by n r Facts: [(a mod n) + (b mod n)] mod n = (a+b) mod n [(a mod n) - (b mod n)] mod n = (a-b) mod n [(a mod n) * (b mod n)] mod n = (a*b) mod n r Thus (a mod n)d mod n = ad mod n r Example: x=14, n=10, d=2: (x mod n)d mod n = 42 mod 10 = 6 xd = 142 = 196 xd mod 10 = 6 32

RSA: getting ready r A message is a bit pattern. r A bit pattern can be uniquely represented by an integer number. r Thus encrypting a message is equivalent to encrypting a number. Example r m= 10010001. This message is uniquely represented by the decimal number 145. r To encrypt m, we encrypt the corresponding number, which gives a new number (the cyphertext). 33

RSA: Creating public/private key pair 1. Choose two large prime numbers p, q. (e. g. , 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n, e). Private key is (n, d). + KB - KB 34

RSA: Encryption, decryption 0. Given (n, e) and (n, d) as computed above 1. To encrypt message m (<n), compute c = m e mod n 2. To decrypt received bit pattern, c, compute m = c d mod n Magic d m = (m e mod n) mod n happens! c 35

RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z). Encrypting 8 -bit messages. encrypt: decrypt: bit pattern m me 0000 l. I 00 12 248832 c 17 d c 48196857210675091411825223071697 c = me mod n 17 m = cd mod n 12 36

Why does RSA work? r Must show that cd mod n = m where c = me mod n r Fact: for any x and y: xy mod n = x(y mod z) mod n m where n= pq and z = (p-1)(q-1) r Thus, cd mod n = (me mod n)d mod n = med mod n = m(ed mod z) mod n = m 1 mod n =m 37

RSA: another important property The following property will be very useful for digital fingerprint (Authentication): - + B B K (K (m)) + = m = K (K (m)) B B use public key first, followed by private key use private key first, followed by public key Result is the same! 38

Why - + B B K (K (m)) + = m = K (K (m)) B B ? Follows directly from modular arithmetic: (me mod n)d mod n = med mod n = mde mod n = (md mod n)e mod n 39

Why is RSA Secure? r Suppose you know Bob’s public key (n, e). How hard is it to determine d? r Essentially need to find factors of n without knowing the two factors p and q. r Fact: factoring a big number is hard. Generating RSA keys r Have to find big primes p and q r Approach: make good guess then apply testing rules (see Kaufman) 40

Session keys r Exponentiation is computationally intensive r DES is at least 100 times faster than RSA Session key, KS r Bob and Alice use RSA to exchange a symmetric key KS r Once both have KS, they use symmetric key cryptography 41

Roadmap • • • What is network security? Principles of cryptography Message Integrity Example: Securing e-mail Securing TCP connections: SSL Network layer security: IPsec 42

Message Integrity r Allows communicating parties to verify that received messages are authentic. m Content of message has not been altered m Source of message is who/what you think it is m Message has not been replayed m Sequence of messages is maintained r Let’s first talk about message digests 43

Message Digests r Function H( ) that takes as input an arbitrary length message and outputs a fixed-length string: “message signature” r Note that H( ) is a many-to -1 function r H( ) is often called a “hash function” large message m H: Hash Function H(m) r Desirable properties: m m Easy to calculate Irreversibility: Can’t determine m from H(m) Collision resistance: Computationally difficult to produce m and m’ such that H(m) = H(m’) Seemingly random output 44

Internet checksum: poor message digest Internet checksum has some properties of hash function: ü produces fixed length digest (16 -bit sum) of input ü is many-to-one r But given message with given hash value, it is easy to find another message with same hash value. 45

Hash Function Algorithms r MD 5 hash function widely used (RFC 1321) m computes 128 -bit message digest in 4 -step process. r SHA-1 is also used. m US standard [NIST, FIPS PUB 180 -1] m 160 -bit message digest 46

Message Authentication Code (MAC) s = shared secret message s H( ) compare r Authenticates sender r Verifies message integrity r No encryption ! r Also called “keyed hash” r Notation: MDm = H(s||m) ; send m||MDm 47

HMAC r Popular MAC standard r Addresses some subtle security flaws Concatenates secret to front of message. 2. Hashes concatenated message 3. Concatenates the secret to front of digest 4. Hashes the combination again. 1. 48

End-point authentication r Want to be sure of the originator of the message – end-point authentication. r Assuming Alice and Bob have a shared secret, will MAC provide end-point authentication. m We do know that Alice created the message. m But did she send it? 49

Playback attack MAC = f(msg, s) Transfer $1 M from Bill to Trudy MAC Transfer $1 M from MAC Bill to Trudy 50

Defending against playback attack: nonce “I am Alice” R MAC = f(msg, s, R) Transfer $1 M from Bill to Susan MAC 51

Roadmap • • • What is network security? Principles of cryptography Message Integrity Example: Securing e-mail Securing TCP connections: SSL Network layer security: IPsec 52

SSL: Secure Sockets Layer r Widely deployed security protocol m m m Supported by almost all browsers and web servers https Tens of billions $ spent per year over SSL r Originally designed by Netscape in 1993 r Number of variations: m TLS: transport layer security, RFC 2246 r Provides m Confidentiality m Integrity m Authentication r Original goals: m Had Web e-commerce transactions in mind m Encryption (especially credit-card numbers) m Web-server authentication m Optional client authentication m Minimum hassle in doing business with new merchant r Available to all TCP applications m Secure socket interface 53

SSL and TCP/IP Application TCP Application SSL TCP IP IP Normal Application with SSL • SSL provides application programming interface (API) to applications • C and Java SSL libraries/classes readily available 54

Toy SSL: a simple secure channel r Handshake: Alice and Bob use their certificates and private keys to authenticate each other and exchange shared secret r Key Derivation: Alice and Bob use shared secret to derive set of keys r Data Transfer: Data to be transferred is broken up into a series of records r Connection Closure: Special messages to securely close connection 55

Toy: A simple handshake hello certificate KB +(MS) = EMS r MS = master secret r EMS = encrypted master secret 56

Toy: Key derivation r Considered bad to use same key for more than one cryptographic operation m Use different keys for message authentication code (MAC) and encryption r Four keys: m Kc = encryption key for data sent from client to server m Mc = MAC key for data sent from client to server m Ks = encryption key for data sent from server to client m Ms = MAC key for data sent from server to client r Keys derived from key derivation function (KDF) m Takes master secret and (possibly) some additional random data and creates the keys 57

Toy: Data Records r Why not encrypt data in constant stream as we write it to TCP? m m Where would we put the MAC? If at end, no message integrity until all data processed. For example, with instant messaging, how can we do integrity check over all bytes sent before displaying? r Instead, break stream in series of records m Each record carries a MAC m Receiver can act on each record as it arrives r Issue: in record, receiver needs to distinguish MAC from data m Want to use variable-length records length data MAC 58

Toy: Sequence Numbers r Attacker can capture and replay record or re-order records r Solution: put sequence number into MAC: m MAC = MAC(Mx, sequence||data) m Note: no sequence number field r Attacker could still replay all of the records m Use random nonce 59

Toy: Control information r Truncation attack: m attacker forges TCP connection close segment m One or both sides thinks there is less data than there actually is. r Solution: record types, with one type for closure m type 0 for data; type 1 for closure r MAC = MAC(Mx, sequence||type||data) length type data MAC 60

Toy SSL: summary hello ce certificate, non KB +(MS) = EMS type 0, seq 1, data encrypted type 0, seq 2, data bob. com ta , seq 1, da type 0, seq 3, data type 1, seq 4, close type 1, seq 2 61

Toy SSL isn’t complete r How long are the fields? r What encryption protocols? r No negotiation m Allow client and server to support different encryption algorithms m Allow client and server to choose together specific algorithm before data transfer 62

Most common symmetric ciphers in SSL r DES – Data Encryption Standard: block r 3 DES – Triple strength: block r RC 2 – Rivest Cipher 2: block r RC 4 – Rivest Cipher 4: stream Public key encryption r RSA 63

Real Connection handshake: Client. Hel lo er. Hello hake: Serv hands rtificate dshake: Ce han ello. Done e: Server. H handshake: Client. Key Exchange Change. Cipher. Sp ec handshake: Finished Everything henceforth is encrypted r. Spec Change. Ciphe inished dshake: F han application_data application_d TCP Fin follow Alert: warning, close_ notify 64

Key derivation r Client nonce, server nonce, and pre-master secret input into pseudo random-number generator. m Produces master secret r Master secret and new nonces inputed into another random-number generator: “key block” m Because of resumption: TBD r Key block sliced and diced: m client MAC key m server MAC key m client encryption key m server encryption key m client initialization vector (IV) m server initialization vector (IV) 65

Roadmap • • • What is network security? Principles of cryptography Message Integrity Example: Securing e-mail Securing TCP connections: SSL Network layer security: IPsec 66

What is confidentiality at the network-layer? Between two network entities: r Sending entity encrypts the payloads of datagrams. Payload could be: m TCP segment, UDP segment, ICMP message, OSPF message, and so on. r All data sent from one entity to the other would be hidden: m Web pages, e-mail, P 2 P file transfers, TCP SYN packets, and so on. r That is, “blanket coverage”. 67

Virtual Private Networks (VPNs) r Institutions often want private networks for security. m Costly! Separate routers, links, DNS infrastructure. r With a VPN, institution’s inter-office traffic is sent over public Internet instead. m But inter-office traffic is encrypted before entering public Internet 68

Virtual Private Network (VPN) IP header IPsec header Secure payload IP er ad ec IPs der a he IPsec heade r laptop w/ IPsec salesperson in hotel he Secur e payloa d Public Internet IP heade r re cu Se load y pa IP er ad pay Router w/ IPv 4 and IPsec he loa d Router w/ IPv 4 and IPsec ylo IP hea der pa ad headquarters branch office 69

IPsec services r Data integrity r Origin authentication r Replay attack prevention r Confidentiality r Two protocols providing different service models: m AH m ESP 70

IPsec Transport Mode IPsec r IPsec datagram emitted and received by end-system. r Protects upper level protocols 71

IPsec – tunneling mode (1) IPsec r End routers are IPsec aware. Hosts need not be. 72

IPsec – tunneling mode (2) IPsec r Also tunneling mode. 73

Two protocols r Authentication Header (AH) protocol m provides source authentication & data integrity but not confidentiality r Encapsulation Security Protocol (ESP) m provides source authentication, data integrity, and confidentiality m more widely used than AH 74

Four combinations are possible! Host mode with AH Host mode with ESP Tunnel mode with AH Tunnel mode with ESP Most common and most important 75

Security associations (SAs) r Before sending data, a virtual connection is established from sending entity to receiving entity. r Called “security association (SA)” m SAs are simplex: for only one direction r Both sending and receiving entities maintain state information about the SA m m Recall that TCP endpoints also maintain state information. IP is connectionless; IPsec is connection-oriented! r How many SAs in VPN w/ headquarters, branch office, and n traveling salesperson? 76

Example SA from R 1 to R 2 Internet Headquarters 200. 168. 1. 100 R 1 172. 16. 1/24 SA Branch Office 193. 68. 2. 23 R 2 172. 16. 2/24 R 1 stores for SA r 32 -bit identifier for SA: Security Parameter Index (SPI) r the origin interface of the SA (200. 168. 1. 100) r destination interface of the SA (193. 68. 2. 23) r type of encryption to be used (for example, 3 DES with CBC) r encryption key r type of integrity check r authentication key 77

Security Association Database (SAD) r Endpoint holds state of its SAs in a SAD, where it can locate them during processing. r With n salespersons, 2 + 2 n SAs in R 1’s SAD r When sending IPsec datagram, R 1 accesses SAD to determine how to process datagram. r When IPsec datagram arrives to R 2, R 2 examines SPI in IPsec datagram, indexes SAD with SPI, and processes datagram accordingly. 78

IPsec datagram Focus for now on tunnel mode with ESP “enchilada” authenticated encrypted new IP header ESP hdr SPI original IP hdr Seq # Original IP datagram payload padding ESP trl ESP auth pad next length header 79

What happens? Internet Headquarters 200. 168. 1. 100 SA Branch Office 193. 68. 2. 23 R 1 R 2 172. 16. 1/24 172. 16. 2/24 “enchilada” authenticated encrypted new IP header ESP hdr SPI original IP hdr Seq # Original IP datagram payload padding ESP trl ESP auth pad next length header 80

R 1 converts original datagram into IPsec datagram r Appends to back of original datagram (which includes r r r original header fields!) an “ESP trailer” field. Encrypts result using algorithm & key specified by SA. Appends to front of this encrypted quantity the “ESP header, creating “enchilada”. Creates authentication MAC over the whole enchilada, using algorithm and key specified in SA; Appends MAC to back of enchilada, forming payload; Creates brand new IP header, with all the classic IPv 4 header fields, which it appends before payload. 81

Inside the enchilada: “enchilada” authenticated encrypted new IP header ESP hdr SPI original IP hdr Seq # Original IP datagram payload padding ESP trl ESP auth pad next length header r ESP trailer: Padding for block ciphers r ESP header: m SPI, so receiving entity knows what to do m Sequence number, to thwart replay attacks r MAC in ESP auth field is created with shared secret key 82

IPsec sequence numbers r For new SA, sender initializes seq. # to 0 r Each time datagram is sent on SA: m Sender increments seq # counter m Places value in seq # field r Goal: m Prevent attacker from sniffing and replaying a packet • Receipt of duplicate, authenticated IP packets may disrupt service r Method: m Destination checks for duplicates m But doesn’t keep track of ALL received packets; instead uses a window 83

Security Policy Database (SPD) r Policy: For a given datagram, sending entity needs to know if it should use IPsec. r Needs also to know which SA to use m May use: source and destination IP address; protocol number. r Info in SPD indicates “what” to do with arriving datagram; r Info in the SAD indicates “how” to do it. 84

Summary: IPsec services r Suppose Trudy sits somewhere between R 1 and R 2. She doesn’t know the keys. m Will Trudy be able to see contents of original datagram? How about source, dest IP address, transport protocol, application port? m Flip bits without detection? m Masquerade as R 1 using R 1’s IP address? m Replay a datagram? 85

Internet Key Exchange r In previous examples, we manually established IPsec SAs in IPsec endpoints: Example SA SPI: 12345 Source IP: 200. 168. 1. 100 Dest IP: 193. 68. 2. 23 Protocol: ESP Encryption algorithm: 3 DES-cbc HMAC algorithm: MD 5 Encryption key: 0 x 7 aeaca… HMAC key: 0 xc 0291 f… r Such manually keying is impractical for large VPN with, say, hundreds of sales people. r Instead use IPsec IKE (Internet Key Exchange) 86

IKE: PSK and PKI r Authentication (proof who you are) with either m pre-shared secret (PSK) or m with PKI (pubic/private keys and certificates). r With PSK, both sides start with secret: m then run IKE to authenticate each other and to generate IPsec SAs (one in each direction), including encryption and authentication keys r With PKI, both sides start with public/private key pair and certificate. m run IKE to authenticate each other and obtain IPsec SAs (one in each direction). m Similar with handshake in SSL. 87

IKE Phases r IKE has two phases m Phase 1: Establish bi-directional IKE SA • Note: IKE SA different from IPsec SA • Also called ISAKMP security association m Phase 2: ISAKMP is used to securely negotiate the IPsec pair of SAs r Phase 1 has two modes: aggressive mode and main mode m Aggressive mode uses fewer messages m Main mode provides identity protection and is more flexible 88

Summary of IPsec r IKE message exchange for algorithms, secret r r keys, SPI numbers Either the AH or the ESP protocol (or both) The AH protocol provides integrity and source authentication The ESP protocol (with AH) additionally provides encryption IPsec peers can be two end systems, two routers/firewalls, or a router/firewall and an end system 89

Network Security (summary) Basic techniques…. . . m cryptography (symmetric and public) m message integrity m end-point authentication …. used in many different security scenarios m secure email m secure transport (SSL) m IPsec 90