1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013

1

CMPT 471Networking II

Authentication and Encryption

© Janice Regan, 2006-2013

2© Janice Regan, 2006-2013


IPsec usage Host to host

May use transport mode May use tunnel mode

Security Gateway to Security Gateway Must use tunneling

Host to/from security gateway For traffic destined to security gateway (for example

SNMP message) the gateway is operating as a host and transport mode may be used

Otherwise, if the gateway is operating as a gateway tunneling mode must be used


IPv4 packet: Transport mode Authentication

IPv4 packet: Tunnel mode Authentication

IPv4 AH Authentication

authenticated

Partially authenticated

IPv4 header

TCP header

TCP dataAuthentication

header

IPv4tunnel header

authenticatedPartially authenticated

IPv4 header

TCP header

TCP dataAuthentication

header


AH authentication algorithms

HMAC with MD5 RFC 2403HMAC with SHA-1 RFC 2404


Transport Mode

Tunnel Mode

IPsec: ESP

New IP

header

TCP

header

TCP

data

IP

header

ESP

header

ESP

trailer

ESP

auth

encrypted

authenticated

Not encrypted or

authenticated

TCP

header

TCP

data

IP

header

ESP

header

ESP

trailer

ESP

auth


ESP authentication algorithms

HMAC with MD5 RFC 2403HMAC with SHA-1 RFC 2404

Null Authentication


ESP encryption algorithms

DES in CBC mode RFC 2405Null Encryption


Security Associations (1) An SA describes one simplex connection.

If you are using both AH and ESP you need one SA for each.

For two way communication you need one SA for each direction

Three parameters used to uniquely define a security association (SA). destination address security protocol (AH or ESP) Security parameters index (SPI)


Security Association (2) SAs are stored in a database The SAD

(Security Associations Database) also includes the following information: Mode of communication (transport or tunnel) Sequence Number Counter Anti-Replay Window: to determine whether an

inbound AH or ESP packet is a replay. AH Authentication algorithm type, keys, etc.

OR ESP Encryption algorithm and / or authentication, algorithm types, keys etc.

Lifetime of this Security Association


Encryption Source uses an encryption key and a particular

encryption algorithm to encrypt the data The data is inserted into a packet and sent to the

receiver The receiver uses a decryption key to decrypt the data.

If the keys match the decrypted data is readable otherwise it is not.

The keys may be secret or private keys, or public keys Private key encryption is often used for long messages

public key encryption for short messages. Short messages may include sending private keys in preparation for transmission of longer messages.


Secret or private keys

Private or secret keys are known only by the sender and receiver. The decryption key is the same as or derivable from the encryption key.

Secret key encryption may also be called symmetric encryption because the same key can be used in both directions

High security, difficult to decrypt without the key.


Secret or private keys

Requires many keys (one for each pair of users)

Uses an efficient encryption algorithm Popular example DES, data encryption

standard How do you distribute keys?

Use public key encryption A central distribution centre


Public keys (1)

Each user has a public key and a private key Fewer keys needed (pair for each user, not each

pairing of users). Public key is used to encrypt the message,

private key is used to decrypt the message. Private key is not easily derivable from the public key

Sender encrypts using the receiver’s public key Only receiver can decrypt using its own private

key RSA is an example of this approach.


Public keys (2)

Encryption/Decryption process is more computationally intensive than private key encryption

Must verify (authenticate) announced public key of a user

Verification may be done by a central authority (pairs users and keys and issues certificates)


Digital Signature

Used for authentication, integrity and non repudiation (anti replay)

Use private key encryption to sign (encrypt the document or digest) the packet.

Use public key to verify signature (decrypt the document). Since only the sender knows its private key this provides authentication


Digital Signature A message signed using a senders private

key (known only by that user) indicates that the message comes from that user

Changes to the message between the sender and the receiver require knowledge of the private key, or they will in all likelihood render the message unreadable at the destination

Signature alone does not provide confidentiality, anyone can decrypt using the senders public key


Digital Signature

Used for authentication, integrity and non repudiation

Can sign entire document or digest of the document. Algorithms such as SHA1 and MD5 are

used to make digests of the document Can sign the digest rather than the whole

document


Digital Signature To sign the digest rather than the whole

document The sender uses a hash function to produce

a digest of the document with a fixed size Usually use MD5 (message digest 5) or

SHA-1 (secure hash algorithm 1) The sender encrypts the digest with her

private key The sender sends the document including

the encrypted digest


Digital Signature To sign the digest rather than the whole

document The receiver creates a digest of the document

using the same algorithm as the sender The receiver decrypts the digest appended to

the document using the senders public key The receiver compares the calculated digest

to the decrypted digest from the received message. They must match for the signature to be valid


With VPN New encapsulation Shared keys (all users behind VPN use

same key) Dangerous (one user can hijack traffic, can

have man in the middle attack)

Documents

1 CMPT 471 Networking II Authentication and Encryption © Janice Regan, 2006-2013