http://www.icst.pku.edu.cn/InfoSecCourse

About This Presentation

Title:

http://www.icst.pku.edu.cn/InfoSecCourse

Description:

Title: Author: Last modified by: panaimin Created Date: 10/2/1998 5:29:39 AM Document presentation format – PowerPoint PPT presentation

Number of Views:37

Avg rating:3.0/5.0

Slides: 76

Provided by: 6649153

Category:

more less

Transcript and Presenter's Notes

Title: http://www.icst.pku.edu.cn/InfoSecCourse

1
??????????? (?)

???,??????????
http//www.icst.pku.edu.cn/InfoSecCourse

2
??

IPSec
??
????
PKI

3
IATF(????????)???
Enclave Boundaries
Networks Infrastructures
Classified Enclave
Telecommunications Service
Local
Providers (TSPs)
Computing
Environment
Remote
Users
Private Enclave
Local
Computing
Remote
Environment
Users
Connections to Other Enclaves
Public Enclave
Internet Service Provider
Remote
Local
Users
Computing
Remote
Remote
Connections
Environment
Users
Public Telephone
Via TSPs
Network
Remote
Users
PBX
Facility
Enclave Boundaries
Supporting Infrastructures
Boundary Protection
(Guard, Firewall, etc.)
1 Detect Respond
Remote Access Protection
2 Key Management Infrastructure/Public Key
Infrastructure
(Communications Servers, Encryption, etc.)
4
IPSec

??????
?????(??)????????
???????????????,???????????????????????
??IPv4????????????????
IPSec?IETF???????IP???
??IP?????IP????????
IPv4???????????,?IPv6???????????
??????IPv4???

5
IPSec???

????,??
AH Authentication Header
ESP Encapsulating Security Payload
????(Key Management)
SA(Security Association)
ISAKMP?????????
IKE?????????IPSec???????

6
SA(Security Association)

????
??????????IPSec????????????????,??????????????????
????????????
??SA??????,??,????????,?????SA
SA?IPSec?????????????
???????(SPD)
???????(SAD)
??SA?????????
SPI(Security Parameters Index)
????IP
??????

7
SPD SAD

SPD
??????????
????discard, bypass IPsec, apply Ipsec
????
?????????,?????IP??
SAD,?????????
Sequence Number Counter
Sequence Counter Overflow
Anti-Replay Window
AH Authentication algorithm, keys, etc
ESP Encryption algorithm, keys, IV mode, IV, etc
ESP authentication algorithm, keys, etc
Lifetime of this Security Association
IPsec protocol mode
Path MTU

8
AH(Authentication Header)

?IP?????????????
??MAC?????,??????????
?????SA??
????????
??????
???????IP??,????AH
??????????IP?,?AH??????IP????IP???????

9
AH???????
10
IPSec Authentication Header

Next Header ???????
Payload LengthAH???(32?????)
SPI????SA
Sequence Number????????
Authentication Data??????,????????ICV??MAC

11
AH????

AH??
?IP???,?????????
????
??ICV??MAC
???????(Outbound Packet )???,??AH
??SA
?????
??ICV(Integrity Check Value)
????IP??????AH?????????
??

12
AH????(?)

???????(Inbound Packet )???
????
??SA
????IP???AH???SPI
?????(??,??????)
?????????????????
ICV??

13
ESP(Encapsulating Security Payload)

??????,?????????
???????????????????????IP??,ESP???ESP??????
??????????SA??
???????????????

14
ESP???????
??????
??????
Orig IP Hdr ESP hdr TCP Data ESP trlr ESP auth
(1) ????
15
IPSec ESP??
0 8 16
24 32
Security Parameters Index (SPI)
Sequence Number
????
????
Payload Data (variable)
Padding (0-255 bytes)
Pad Length Next Header
Authentication Data (variable)
16
ESP????

ESP???
??????????SA??
???????(Outbound Packet )???
??SA
??
???????,??payload data???????,?????????
?????padding??
????
?????
??ICV,??,????????????
??

17
ESP????(?)

???????(Inbound Packet )???
????
??SA
????IP???ESP???SPI
?????(??,??????)
?????????????????
ICV??
??
??SA????????????,??????????????
??padding
?????IP?

18
AH?ESP?????
Transport
Tunnel -----------------
---------------------
1. IP1AHupper
4. IP2AHIP1upper 2.
IP1ESPupper 5.
IP2ESPIP1upper 3.
IP1AHESPupper

??upper???????
IP1????IP?
IP2??????IP?

19
IPSec??

????
?IP???????
????IP???????
????????,????????
(BITS) Bump-in-the-stack
??IP????????????
?????????
BITW (Bump-in-the-wire)
??????????,???BITS??
????BITW??,????IP???

20
IPSec????

ISAKMP Internet Security Association and Key
Management Protocol
RFC 2408
???????????????
IKE The Internet Key Exchange
??ISAKMP??
???Oakley?SKEME?????????

21
ISAKMP

?????
??SA
????,????
????????????
????
????????????????
??????????
??????????payload??
??????????????

22
ISAKMP????

ISAKMP????

23
??payload
Type Parameters
Security Association(SA) DOI, Situation
Proposal(P) Proposal , Protocol-ID,
Transform(T) Transform , SA Attributes
Key Exchange(KE) Key Exchange Data
Identification(ID) ID type, ID date
Certificate(CERT) Cert Encoding, Certificate data
Certificate Request(CR) Cert types,Cert auths,
Hash(HASH) Hash Data
Signature(SIG) Signature Data
Nonce(NONCE) Nonce Data
Notification(N) DOI, Protocol-ID,
Delete(D) DOI, Protocol-ID,
24
?????(Two phases of negotiation)

The first phase, ???ISAKMP SA
??(??ISAKMP Servers)???????????
?SA????????protocol SA?????
The second phase, ????????????SA(??,IPSec SA)
??????????SA
?SA??????????????????????

25
????????

???????,???????????????
??,????????
?????????????????????,?????SA??????ISAKMP SA???
????????????????????????
??,?????ISAKMP SA??????????????????????,??????????
?????
?????,????????

26
?? Diffie-Hellman????

???????????????????,?????????
??????????????????
??
??????q??q?????r
A??Xltq,??XArXmod p, A?B XA
B??Yltq,??YBrYmod p, B?A YB
A?? (YB)X?(rY)X?rXYmod p
B?? (XA)Y?(rX)Y?rXYmod p
??????????(rXYmod p)
??q??q???r?????

27
Cookie exchange

?? Diffie-Hellman???????????
??????????
Clogging attack
Cookie exchange
???????????????????,?cookie,?????????????
Cookie???
Cookie?????????????,????????????
????cookie??????,???????????????cookie?,??,?????co
okie????????????
Cookie??????????????
?????IP?????????????,????????????hash?????

28
ISAKMP?????

ISAKMP???5???????
Base Exchange
????,?????????
Identity Protection Exchange
????,???????
Authentication Only Exchange
????(??????)
Aggressive Exchange
??????,???base exchange
Informational Exchange
????,??SA??

29
IKE?????

PFS Perfect Forward Secrecy
?????????,???????????????
Phase
?ISAKMP??phase
Group
Oakley???Diffie-Hellman??????
Mode
??Oakley????
?????????
??mode
Main Mode, Aggressive Mode??phase 1
Quick Mode??phase 2
New Group Mode??phase 1??,?????????????

30
IKE???

IKE??????(Diffie Helman????)
768-bit MODP group
??q 2768 - 2 704 - 1 264 2638 pi
149686
a 2
1024-bit MODP group
??q 21024 - 2960 - 1 264 2894 pi
129093
a 2
EC2N group on GP2155
EC2N group on GP2185

31
IKE??????Main Mode

?ISAKMP?Identity Protection Exchange?????I -gt R
SAR -gt I SAI -gt R KE NONCER -gt I KE
NONCEI -gt R IDI AUTH (????) R -gt I IDR AUTH
(????)
?????????
?????????????
????????Diffie-Hellman Exchange
??phase 1

32
IKE??????Aggressive Mode

?ISAKMP?Aggressive Exchange?????I -gt R SA KE
NONCE IDIR -gt I SA KE NONCE IDR AUTHI -gt
R AUTH (????)
?????????,??Diffie-Hellman????,?????????,?????
???????????
??????????
??phase 1

33
IKE Phase 1??????

IKE Phase 1 Authenticated With Signatures
Phase 1 Authenticated With Public Key Encryption
Phase 1 Authenticated With a Pre-Shared Key

34
IKE??????Quick Mode

?ISAKMP??????????I -gt R SA NONCE IDI, IDR,
KE HASH(1)R -gt I SA NONCE IDI, IDR, KE
HASH(2)I -gt R HASH(3)??????????
??PFS?????,?????KE
???????

35
IKE??????New Group Mode

?ISAKMP??????????I -gt R SA HASH(1)R -gt I SA
HASH(2)??????????
????????

36
IPSec?IKE??

IPSec???????????
???????AH?ESP
IKE?????????
??ISAKMP????????Oakley?SKEME??????????
??SA????????
??????Internet??
????
IPSec???
?????,????????????
???????,???????
???????
??DOS,?????????????????
???????

37
IPSec??

????????
??CISCO?
??????
??Linux???UNIX??
IPv6??
??VPN???

38
Windows 2000?XP??IPSec

??
http//online.securityfocus.com/infocus/1519
http//online.securityfocus.com/infocus/1526
http//online.securityfocus.com/infocus/1528
????
?IETF??
??Kerberos??????????????????
????IPSec?????????????RSVP??IKE??Kerberos?
?L2TP?????????VPN????
???NAT????
????????DOS,?????????
??FreeBSD???http//www.freebsd.org/doc/en_US.ISO8
859-1/books/handbook/ipsec.html

39
Windows 2000?XP??IPSec????

IPSec Security Policies snap-in for the MMC
(secpol.msc)

40
??????

????
?????????????
??????
????????

41
??????

????????

42
??????

????????

?????
?????
43
PKI???

????
??????????
??????????
???????????
??????????????
??????
??????(certificate)
??????????????

44
??????
45
PKI(Public Key Infrastructure)

??
??????????????????????????????
?????PKI????
????(CA)
???
????
???????
??????
??????
????
??????
???
?????

46
PKI???????

??
????????,????????????
?????? ???????
????????? ??????
???????challenge?? ????
???
PKI???????
????????????,?????????
MAC(?????)?DES-CBC-MAC??HMAC-MD5
???
?????????,????????????
????
???????? ????
???????? ?? ????

47
PKI?????

????????????,?????
??
???????????,????,??????????,?????????????
?????????????????,?????MAC??HMAC?????????
???????
???????????????
???????????????????
????????????????????
????????????
??????????,??????????
????
??????????,???CA?????????

48
PKI????

RA(Registration Authority)
?????????????????????
CA(Certificate Authority)
??
???/??
????,?????

49
???????

??????,???????
??,??????????????
PKI??????
CA????CRL(Certificate Revocation List)
??Web?CRL??
??CRL?URL???????????
????????(SSL)??URL
????????
???????????

50
PKI????

??(certificate),??????cert
PKI????????,???????????????????
???????????????????,??????????????????
?????,?????????????????????????????
???????????
?????????X.509 v3

51
X.509????

??1?2?3
???
?CA????
???????
??????????
?????
CA???
????
???????
????

52
X.509????(?)

???????
??
??
??
????????
???????
???
??

53
X.509?????
54
CA(Certificate Authority)

??
???????
(?RA??????????????)
??????????
??????
????????
???????
??????????

55
???????
Password??
Help!!
?
??????
?????( ???)
56
CA????

?????

Sep 1998
Oct 1998
Nov 1998
Dec 1998
Jan 1999
Feb 1999
Mar 1999
Apr 1999
May 1999
Jun 1999
Jul 1999
Aug 1999
CA????????????????PKI????
57
CA????

??????????????????????,?????????
??????,??????????
??CA
????????CA??????????????-?????????,???????CA,?CA
???CA
????
???????????
????
???????????

58
CA????

??????CA?????????,??????????????CA???
???????CA????

59
CA???????

?CA??????????
?CA???????CA????
???????????CA???????????
??????,??????CA,???CA??????(???)???????????CA???
?CA????,??????
?????CA?,??????cert(1) Forward Certificates
??CA????certs(2) Reverse Certificates
?????CA?certs

60
????CA??????

????A??B?????
B????????????CA???
????????,?????????,?????
????
??????,??????,??????????????????,????????,????????
???
?????B???????
????????????,?A??????????????,??????CA,??????B????
??
??????????

61
????????
62
????

?????CA??????????????
??????
??CA???????CA?????????????????????
??????
????????
??????(?????????)
??????(?????????)
???????
????
??????
????

63
???????????

?????????,??????????,???????????
??????????

64
?????????????PGP
65
?PKI???????

Certificates X.509 v.3
???? PKIX group in IETF(RFC 2459)
???/???? PKCS 11
PKCS??
????LDAP

66
PKCS????

PKCS 1
RSA Encryption Standard
PKCS 3
Diffie-Hellman Key-Agreement Standard
PKCS 5
Password-Based Encryption Standard
PKCS 6
Extended-Certificate Syntax Standard
PKCS 7
Cryptographic Message Syntax Standard
PKCS 8
Private-Key Information Syntax Standard

67
PKCS????(?)

PKCS 9
Selected Attribute Types
PKCS 10
Certification Request Syntax Standard
PKCS 11
Cryptographic Token Interface Standard
PKCS 12
Personal Information Exchange Standard
PKCS 13
Elliptic Curve Cryptography Standard
PKCS 15
Cryptographic Token Information Format Standard

68
????Web??????
PKCS10
69
CA??????
PKCS7
70
PKI??

?????
????
E-mail
Web??
??
VPN
SSL/TLS
XML/e-business
WAP

71
PKI?????

?????PKI
????PKI
??????PKI??
??????PKI
PKI???????,????

72
Windows 2000??PKI

Windows 2000?????????

73
Windows 2000???????
74
Windows 2000?,????????
75
????

?
William Stallings, Cryptography and network
security principles and practice, Second Edition
???,?????????,???????,2001
David Chappell, Understanding Microsoft Windows
2000 Distributed Services, ???(???????,????),
2001
??
RFC 2401, Security Architecture for the Internet
Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload (ESP)
RFC 2408, Internet Security Association and Key
Management Protocol (ISAKMP)
RFC 2409, The Internet Key Exchange(IKE)
Web??
RSA??,http//www.rsasecurity.com/