Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Similar documents
IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

CSCE 715: Network Systems Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

IPSec. Overview. Overview. Levente Buttyán

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Transport Level Security

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Transport Layer Security

The IPsec protocols. Overview

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

CSCE 715: Network Systems Security

CSE543 Computer and Network Security Module: Network Security

IP Security. Have a range of application specific security mechanisms

Network Encryption 3 4/20/17

IP Security IK2218/EP2120

CSC 6575: Internet Security Fall 2017

CS 356 Internet Security Protocols. Fall 2013

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

COSC4377. Chapter 8 roadmap

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Internet security and privacy

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Virtual Private Network

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Secure RTP Library API Documentation. David A. McGrew Cisco Systems, Inc.

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

IP Security. Cunsheng Ding HKUST, Kong Kong, China

Firewalls, Tunnels, and Network Intrusion Detection

Lecture 13 Page 1. Lecture 13 Page 3

IPSec Transform Set Configuration Mode Commands

CSE509: (Intro to) Systems Security

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

Chapter 4: Securing TCP connections

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

8. Network Layer Contents

E-commerce security: SSL/TLS, SET and others. 4.1

Cryptography and Network Security. Sixth Edition by William Stallings

Lecture 12 Page 1. Lecture 12 Page 3

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

MTAT Applied Cryptography

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

Transport Layer Security

IPSec Transform Set Configuration Mode Commands

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

SSL/TLS. How to send your credit card number securely over the internet

PROGRAMMING Kyriacou E. Frederick University Cyprus. Network communication examples

Configuring Security for VPNs with IPsec

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Lecture 10: Communications Security

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Virtual Private Networks (VPN)

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

IBM i Version 7.2. Security Virtual Private Networking IBM

Lecture 9: Network Level Security IPSec

The IPSec Security Architecture for the Internet Protocol

Introduction. INF3510 Information Security. Lecture 10: Communications Security. Outline. Network Security Concepts. University of Oslo Spring 2018

Overview. SSL Cryptography Overview CHAPTER 1

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Chapter 11 The IPSec Security Architecture for the Internet Protocol

VPN Overview. VPN Types

Information Security & Privacy

Virtual Tunnel Interface

Time Synchronization Security using IPsec and MACsec

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Chapter 5: Network Layer Security

IKE and Load Balancing

Secure Socket Layer. Security Threat Classifications

Cryptography (Overview)

Internet security and privacy

Chapter 6/8. IP Security

Chapter 8 Web Security

AIT 682: Network and Systems Security

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

IPSec. Dr.Talal Alkharobi. IPsec (IP security)

Cryptography and Network Security

Chapter 8 Network Security

Configuration of an IPSec VPN Server on RV130 and RV130W

CloudBridge :31:07 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Security Protocols and Infrastructures. Winter Term 2010/2011

Introduction to IPsec. Charlie Kaufman

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Sample excerpt. Virtual Private Networks. Contents

CSC 4900 Computer Networks: Security Protocols (2)

IPSec implementation for SCTP

How to Create a TINA VPN Tunnel between F- Series Firewalls

Performance Study of COPS over TLS and IPsec Secure Session

IPSec Site-to-Site VPN (SVTI)

Reflections on Security Options for the Real-time Transport Protocol Framework. Colin Perkins

Transcription:

Internet Security - IPSec, SSL/TLS, SRTP - 29th. Oct. 2007 Lee, Choongho chlee@mmlab.snu.ac.kr

Contents Introduction IPSec SSL / TLS SRTP Conclusion 2/27

Introduction (1/2) Security Goals Confidentiality Data authentication Data integrity Internet Security Protocols Application SSL / TLS SRTP TCP UDP IP/ IPSec Data Link Physical 3/27

Introduction (2/2) Security Protocol Architecture Encapsulation * MAC : Message Authentication Code Session (Association) Establishment 4/27

Contents Introduction IPSec SSL / TLS SRTP Conclusion 5/27

IPSec Overview IP Security Protocol (IPSec IPSec) To provide IP packet security at network layer Designed by IETF Optional for IPv4 Mandatory for IPv6 Security service Confidentiality - Encrypting traffic Integrity Authenticating the peers Anti- replay Application Transport Layer IP/ IPSec 6/27

IPSec Parts (1/2) Connection Setup Internet Key Exchange (IKE) Initial negotiation to agree upon the encryption mechanism, keys, etc. Security Association (SA) A one- directional relationship between sender and receiver Two- way secure exchange of IP packets requires two (or more) SAs SA parameters Lifetime of this SA AH/ESP Information : authentication/encryption encryption algorithm, keys, lifetime Protocol Mode Sequence number counter The actual choice of encryption and authentication algorithms is left to the IPSec administrator 7/27

IPSec Parts (2/2) 2) Data transfer Extension headers that follow the main IP header Authentication Header (AH) Data integrity & authentication Protecting the IP payload and all header fields of an IP datagram except for mutable fields Encapsulating Security Payload (ESP) ESP Header + ESP Trailer Data confidentiality Integrity & Authentication (Optional) Not protect IP header 8/27

IPSec - Protocol Mode (1/ 2) Transport mode Protection for upper- layer protocols Only the payload is encrypted Host- to- host Tunnel mode Protection of entire IP packet New outer IP packet for routing Network- to- network (secure tunnels b/ w routers), host- tonetwork, host- to- host Used for Virtual Private Network (VPN) 9/27

IPSec - Protocol Mode (2/ 2) 10/27

IPSec AH + Two mode * ICV : Integrity Check Value Transport Mode Tunnel Mode 11/27

IPSec ESP + Two mode * ICV : Integrity Check Value Transport Mode Tunnel Mode 12/27

Contents Introduction IPSec SSL / TLS SRTP Conclusion 13/27

SSL / TLS Secure Sockets Layer (SSL) / Transport Layer Security (TLS) SSL v3.0 with minor change - > TLS 1.0 Connection- oriented data confidentiality and integrity, and optional client and server authentication Applications Web browsing, e- mail, Internet faxing, instant messaging and other data transfers 14/27

SSL / TLS 구조 (1/3) 15/27

SSL / TLS 구조 (2/3) Record Layer Protocol Record : exchanging unit Encapsulates the data to be exchanged Each record has a content type field, a length field, a TLS version field 16/27 * MAC : Message Authentication Code

SSL / TLS 구조 (3/3) Handshake Protocol (content type 22) Client and server authentication Establish cryptographic keys (for encryption and MAC) Negotiation of cryptographic algorithms ChangeCiperSpec Protocol (content type 20) The Client tells The server Everything I tell you from now on will be encrypted Alert Protocol (content type 21) Warning, Fatal Error Application Protocol (content type 23) Application Data 17/27

SSL / TLS Handshake (1/ 3) Optional 18/27

SSL / TLS Handshake (2/ 3) ClientHello The highest TLS protocol version a client supports, a random number, a list of suggested cipher suites and compression methods ServerHello The chosen protocol version, a random number, cipher suite, and compression method from the choices offered by the client Server Certificate (optional) The Server sends its Certificate Server Key Exchange (optional) The Server sends this when Server Certificate is not enough for the client to generate premaster secret. CertificateRequest (optional) The server requests the client s Certificate Server Hello Done Indicating it is done with handshake negotiation 19/27

SSL / TLS Handshake (3/ 3) Client Certificate (optional) The Client sends its Certificate Client Key Exchange PreMasterSecret, public key, or nothing Certificate Verify (optional) The Client sends its certificate verification ChangeCipherSpec The Client tells The server Finished Everything I tell you from now on will be encrypted Encrypted message The Server attempts to decrypt the Client s Finished message and verify If this is fails, the handshake is considered to have failed and the connection should be torn down 20/27

Contents Introduction IPSec SSL / TLS SRTP Conclusion 21/27

RTP Real- time Transport Protocol (RTP) Standardized packet format for Transporting the multimedia datastream Sending packets via UDP RTP packet fields Payload- type identification Sequence number Time stamp Position in the protocol stack Transport protocol that is implemented in the application layer Used for VoIP RTP Application RTP Socket Transport Layer IP RTP Control Protocol (RTCP) Is used to monitor QoS 22/27

SRTP (1/3) Secure Real- time Transport Protocol (SRTP) An extension to RTP Profile for Audio and Video Conferences Security services Confidentiality of the RTP payload Message authentication and integrity Replay protection All provided features (encryption, authentication) Optional Separately enabled/ disabled RTP Application SRTP Socket Transport Layer IP Secure RTCP (SRTCP) Provides Security for RTCP 23/27

SRTP (2/3) SRTP needs an external key management protocol For exchange a master key Multimedia Internet KEYing (MIKEY) : Rely on certificates ZRTP : Not require certificates or alike Key Derivation One single master key Key derivation function All other necessary session keys are generated from master key Periodically regenerate session keys Reduce key management overhead Data Encryption Advanced Encryption Standard (AES) Only a single cipher for SRTP NULL cipher Does not perform any encryption 24/27

SRTP (3/3) Authentication, integrity Over packet payload and the packet header Replay protection Maintain the indices of previously received message Compare them with the index of each new received message Admit the new message only if it has not been played before 25/27

Contents Introduction IPSec SSL / TLS SRTP Conclusion 26/27

Conclusion Security Protocol at different layers IPSec SSL / TLS SRTP / SRTCP Providing Security Service Where? Which service? How? Other Considering Points Reduce overhead Reduce Handshake time Throughput Rate Etc. 27/27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback