CSCE 790: Computer Network Security

1
CSCE 790Computer Network Security

• Chin-Tser Huang
• huangct_at_cse.sc.edu
• University of South Carolina

2
Security in Network Layer

• Implementing security in application layer
  provides flexibility in security policy and key
  management
• Problem is need to implement security mechanism
  in every application individually
• To reduce the overhead, implement security in
  network layer to provide security for all
  applications between selected pair of computers

3
IPSec

• Two protocols
• Authentication Header (AH)
• Encasulating Security Payload (ESP)
• Provide general security services for IP
• Authentication
• Confidentiality
• Anti-replay
• Key management
• Applicable to use over LANs, across public and
  private WANs, and for the Internet

4
Scenario of IPSec Uses
5
Benefits of IPSec

• Provide strong security to all traffic crossing
  the perimeter if installed in a firewall/router
• Resistant to bypass
• IPSec is below transport layer, hence transparent
  to applications
• Can be transparent to end users
• Can provide security for individual users if
  desired

6
IP Security Architecture

• specification is quite complex
• defined in numerous RFCs
• incl. RFC 2401/2402/2406/2408
• many others, grouped by category
• mandatory in IPv6, optional in IPv4

7
Security Association (SA)

• A unidirectional relationship between sender and
  receiver that affords security for traffic flow
• Each IPSec computer maintains a database of SAs
• Defined by 3 parameters
• Security Parameters Index (SPI)
• IP Destination Address
• Security Protocol Identifier

8
SA Parameters

• Sequence Number Counter
• Sequence Number Overflow
• Anti-Replay Window
• AH and ESP information
• Lifetime
• IPSec Protocol Mode
• Path MTU

9
Authentication Header (AH)

• Provide support for data integrity and
  authentication of IP packets
• end system/router can authenticate user/app
• prevent address spoofing attacks by tracking
  sequence numbers
• Based on use of a MAC
• HMAC-MD5-96 or HMAC-SHA-1-96
• Parties must share a secret key

10
Authentication Header
11
End-to-End vs End-to-Intermediate Authentication
12
Scope of AH Authentication
13
Encapsulating Security Payload (ESP)

• Provide message content confidentiality and
  limited traffic flow confidentiality
• Can optionally provide the same authentication
  services as AH
• Support range of ciphers, modes, padding
• DES, Triple-DES, RC5, IDEA, CAST etc
• CBC most common
• pad to meet blocksize, for traffic flow

14
Encapsulating Security Payload
15
Transport vs Tunnel Mode ESP

• Transport mode is used to encrypt and optionally
  authenticate IP data
• data protected but header left in clear
• can do traffic analysis but is efficient
• good for ESP host to host traffic
• Tunnel mode encrypts entire IP packet
• add new header for next hop
• good for VPNs, gateway to gateway security

16
Scope of ESP Encryption and Authentication
17
Combining Security Associations

• SAs can implement either AH or ESP
• To implement both, need to combine SAs
• form a security bundle
• Have 4 cases

18
Combining Security Associations
19
Key Management

• Handle key generation and distribution
• Typically need 2 pairs of keys
• 2 per direction for AH ESP
• Manual key management
• sysadmin manually configures every system
• Automated key management
• automated system for on demand creation of keys
  for SAs in large systems
• Oakley and ISAKMP

20
OAKLEY

• A key exchange protocol
• Based on Diffie-Hellman key exchange
• Add features to address weaknesses of
  Diffie-Hellman
• cookies, groups (global parameters), nonces, DH
  key exchange with authentication
• Can use arithmetic in prime fields or elliptic
  curve fields

21
ISAKMP

• Internet Security Association and Key Management
  Protocol
• Provide framework for key management
• Define procedures and packet formats to
  establish, negotiate, modify, and delete SAs
• Independent of key exchange protocol, encryption
  algorithm, and authentication method

22
ISAKMP
23
Next Class

• Denial-of-Service (DoS) attack
• Hop Integrity