版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
1、Cryptography and Network SecurityChapter 16Fourth Editionby William StallingsLecture slides by Lawrie BrownChapter 16 IP SecurityIf a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.The Art of War, Sun TzuI
2、P Securityhave a range of application specific security mechanismseg. S/MIME, PGP, Kerberos, SSL/HTTPShowever there are security concerns that cut across protocol layerswould like security implemented by the network for all applicationsIPSecgeneral IP Security mechanismsprovidesauthenticationconfide
3、ntialitykey managementapplicable to use over LANs, across public & private WANs, & for the InternetIPSec UsesBenefits of IPSecin a firewall/router provides strong security to all traffic crossing the perimeterin a firewall/router is resistant to bypassis below transport layer, hence transparent to a
4、pplicationscan be transparent to end userscan provide security for individual userssecures routing architectureIP Security Architecturespecification is quite complexdefined in numerous RFCsincl. RFC 2401/2402/2406/2408many others, grouped by categorymandatory in IPv6, optional in IPv4have two securi
5、ty header extensions:Authentication Header (AH)Encapsulating Security Payload (ESP)IPSec ServicesAccess controlConnectionless integrityData origin authenticationRejection of replayed packetsa form of partial sequence integrityConfidentiality (encryption)Limited traffic flow confidentialitySecurity A
6、ssociationsa one-way relationship between sender & receiver that affords security for traffic flowdefined by 3 parameters:Security Parameters Index (SPI)IP Destination AddressSecurity Protocol Identifierhas a number of other parametersseq no, AH & EH info, lifetime etchave a database of Security Ass
7、ociationsAuthentication Header (AH)provides support for data integrity & authentication of IP packetsend system/router can authenticate user/appprevents address spoofing attacks by tracking sequence numbersbased on use of a MACHMAC-MD5-96 or HMAC-SHA-1-96parties must share a secret keyAuthentication
8、 HeaderTransport & Tunnel ModesEncapsulating Security Payload (ESP)provides message content confidentiality & limited traffic flow confidentialitycan optionally provide the same authentication services as AHsupports range of ciphers, modes, paddingincl. DES, Triple-DES, RC5, IDEA, CAST etcCBC & othe
9、r modespadding needed to fill blocksize, fields, for traffic flowEncapsulating Security PayloadTransport vs Tunnel Mode ESPtransport mode is used to encrypt & optionally authenticate IP datadata protected but header left in clearcan do traffic analysis but is efficientgood for ESP host to host traff
10、ictunnel mode encrypts entire IP packetadd new header for next hopgood for VPNs, gateway to gateway securityCombining Security AssociationsSAs can implement either AH or ESPto implement both need to combine SAsform a security association bundlemay terminate at different or same endpointscombined byt
11、ransport adjacencyiterated tunnelingissue of authentication & encryption order Combining Security AssociationsKey Managementhandles key generation & distributiontypically need 2 pairs of keys2 per direction for AH & ESPmanual key managementsysadmin manually configures every systemautomated key manag
12、ementautomated system for on demand creation of keys for SAs in large systemshas Oakley & ISAKMP elementsOakleya key exchange protocolbased on Diffie-Hellman key exchangeadds features to address weaknessescookies, groups (global params), nonces, DH key exchange with authenticationcan use arithmetic
13、in prime fields or elliptic curve fieldsISAKMPInternet Security Association and Key Management Protocolprovides framework for key managementdefines procedures and packet formats to establish, negotiate, modify, & delete SAsindependent of key exchange protocol, encryption alg, & authentication methodISAKMPISAKMP Payloads & Exchangeshave a number of ISAKMP payload types:Security, Proposal, Transform, Key, Identification, Certificate, Certificate, Hash, Signature, Nonce, Notification, D
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2024年天文测量仪器项目发展计划
- 2024年恶唑禾草灵项目发展计划
- 2024年血管栓塞剂及栓塞材料项目合作计划书
- 2024年化工新材料项目合作计划书
- 2024年喷枪及类似器具合作协议书
- 北师大版小学数学五年级下册模拟考卷含参考答案
- 春运介绍-英文
- 视网膜色素变性的药物治疗研究进展
- 10 吃饭有讲究 (教学设计) 部编版道德与法治一年级上册
- 钢琴买卖合同协议书范本2024年
- 计算与人工智能概论智慧树知到课后章节答案2023年下湖南大学
- 纸的世界 单元作业设计
- 2023年广东省中考作文《这一次-我全力以赴》写作指导(共15张PPT)
- 小班安全《不能乱吃东西》
- 学校劳动教育课程手册
- 疲劳驾驶安全教育内容
- 充电桩场地租赁协议
- 可爱的四川八年级教案自然之美
- 【高中语文】文言文文化常识+课件+高考一轮复习之文言文通关宝典(新高考版)
- 小学数学-《认识速度》教学课件设计
- 妇产科-羊水胎儿异常-课件
评论
0/150
提交评论