Network Encryption 3 4/20/17


The Network Layer
Network Encryption 3, CSC362, Information Security

- most of the security mechanisms we have surveyed were developed for application-specific needs:
  electronic mail: PGP, S/MIME
  client/server applications: Kerberos
  HTTP, etc.: SSL/TLS
- but what about a network as a whole?
- implementing security at the IP layer could provide secure networking for all applications, transparently: applications need not be changed or even know it is there

The Network Layer
- two approaches to security at the network protocol layer: end-to-end security, or network link security

The Network Layer
- end-to-end security is a minimalist strategy
- encryption/decryption is restricted exclusively to the endpoint hosts
- the payload data being communicated is encrypted; the header information of every PDU must remain plaintext, since the routers along the path need it to forward the packet
- Pros? Cons?

The Network Layer
- network link security means that network layer devices (routers) take on the encryption/decryption duties
- when a packet arrives over a link, it is decrypted, checked, encrypted again and transmitted over the next link
- each pair of adjacent routers must be equipped with encryption technology and must manage the keys for their link
- consequence: the packet is in plaintext inside every router on the path, so every router must be trusted
- Pros? Cons?

The Network Layer: IPSec
- IPSec (Internet Protocol Security) is a hybrid model that adds security on top of an insecure network layer (IPv4 or IPv6)
- a suite of protocols, not a single one
- instead of relying on every Internet router, IPSec creates a virtual secure network managed by the endpoints themselves (hosts or security gateways), which establish a secure connection between them
- all packets transmitted through that connection receive the same security services

The Network Layer: IPSec Security Services
- confidentiality: privacy of communications
- message integrity: detects whether messages have been tampered with or altered
- authentication: source authentication, to prevent IP spoofing and related attacks
- access control: only authorized agents can send and receive packets over a network connection
- anti-replay: detects and rejects captured packets that are played back later

The Network Layer: IPSec
- commonly used for establishing Virtual Private Networks (VPNs)

The Network Layer: IPSec Transfer Modes
Two standard modes of operation:
- transport mode: used for end-to-end (host-to-host) communications, for example an encrypted telnet or Remote Desktop session; protects only the IP payload, the original IP header stays in the clear
- tunnel mode: the default for gateway-to-gateway VPNs; the entire original packet, header included, is protected by IPSec and wrapped in a new IP header addressed to the far end of the tunnel; the datagram is then sent to the other side of the VPN tunnel, which unwraps it

The Network Layer: IPSec
The IPSec protocol suite can be divided into three basic groups:
- Authentication Header (AH), RFC 4302
- Encapsulating Security Payload (ESP), RFC 4303
- Internet Key Exchange (IKE), which negotiates the parameters and generates and distributes the keys for both AH and ESP

The Network Layer: IPSec Authentication Header
- IPSec Authentication Header (AH) is a protocol that provides integrity and source authentication for all or part of the contents of a datagram
- AH does not provide privacy: nothing is encrypted

The Network Layer: IPSec Authentication Header
- in transport mode, the AH header is inserted after the IP header
- both the IP payload and the IP header are used to calculate the authentication value; header fields that legitimately change in transit (TTL, checksum) are treated as zero
- because the source and destination addresses are covered, AH does not survive NAT

The Network Layer: IPSec Authentication Header
- in tunnel mode, the original IP datagram is encapsulated within a new IP packet
- all of the original IP datagram is authenticated, together with the immutable fields of the new outer header

The Network Layer: Encapsulating Security Payload
- Encapsulating Security Payload (ESP) uses shared-key (symmetric) encryption for data privacy
- also supports its own authentication (an integrity check value, ICV), or can be used in conjunction with AH
- ESP wraps the protected data in three components: ESP Header (SPI and sequence number), ESP Trailer (padding, pad length, next header), ESP Authentication Data (the ICV)

The Network Layer: Encapsulating Security Payload
- in transport mode, the ESP Header is inserted after the original IP header
- the ESP trailer and authentication data are added to the end of the packet
- the original IP header itself is neither encrypted nor authenticated, only what follows the ESP header
- each host must be aware that IPSec is operating

The Network Layer: Encapsulating Security Payload
- in tunnel mode, the original IP packet is encapsulated, which secures both its IP header and its payload
- the ESP header follows the new (outer) IP header
- the ESP trailer and authentication data are again added to the end of the packet

The Network Layer: Internet Key Exchange
- Internet Key Exchange (IKE) is a composite of several protocols that automatically negotiates IPSec Security Associations (SAs) and enables secure communications
- authenticates hosts as IPSec peers (by pre-shared key or certificates) and manages shared key generation
- uses Diffie-Hellman so that hosts with no previous contact can establish a common shared secret; the authentication step is what binds that secret to the intended peer, since an unauthenticated Diffie-Hellman exchange can be hijacked by a man in the middle

The Network Layer: Internet Key Exchange
- in Phase 1, the peers authenticate each other and lay the groundwork for the IPSec SAs: an IKE SA, a protected channel whose keys come from the Diffie-Hellman exchange

The Network Layer: Internet Key Exchange
- in Phase 2 (Quick Mode in IKEv1), inside that channel, the peers specify what traffic to protect, which protocol (AH or ESP) and algorithms to use, and the session keys; then they are ready to exchange data
- IKEv2 (RFC 7296) keeps the same two-stage idea with fewer messages: IKE_SA_INIT and IKE_AUTH set up the IKE SA, CREATE_CHILD_SA sets up the IPSec SAs

The Link Layer: Wireless LANs
- ANSI/IEEE Standard 802.11 is the dominant technology for wireless LANs
- topology: the basic service set (BSS) is the fundamental component of an 802.11 wireless LAN
- there are two types:
  BSS with an Access Point (AP), which serves as the central base station connecting a collection of wireless hosts
  ad hoc network (no AP): hosts form a temporary network without the aid of an AP

The Link Layer: Wireless LANs
- we will focus on the former: wireless LANs with an AP as the central base station
- they are connected (eventually) to wired networks and the Internet
- it is also typical for several BSSs to be connected through a distribution system

The Link Layer: BSS Membership
How does a host join a BSS?
- SSID: each AP is assigned a Service Set Identifier (SSID), a short network name of up to 32 bytes
- channel: the AP is assigned a specific channel (sub-frequency) for communication
- beacon frames: each AP periodically broadcasts short frames announcing its SSID and MAC address

The Link Layer: BSS Membership
How does a host join a BSS?
- passive scanning: any host within range receives the beacon frames; the host is free to choose any BSS that identifies itself
- active scanning: the host broadcasts probe request frames; an AP within range may respond with a probe response frame

The Link Layer: BSS Membership
How does a host join a BSS?
- regardless of the scanning method, the last step is the association handshake: association request frame, association response frame
- membership may require authentication; in those cases the AP consults an authentication server
- note that beacons, probe responses and association frames carry no proof of who sent them, which is what makes the rogue and evil-twin APs on the next slide possible

The Link Layer: Common Attacks on Wireless LANs
- packet sniffing: easy, and the risk of detection is low, since a passive receiver transmits nothing
- rogue APs: unauthorized wireless devices that extend the range of a local network; they serve as pivot points for attacks
- evil twin attack: a device that masquerades as the BSS AP (same SSID, often a stronger signal); used for man-in-the-middle attacks

The Link Layer: Wireless LAN Security
IEEE 802.11i provides protocols for Robust Security Networks (RSN):
- authentication: prescribes the exchange between a wireless host and the authentication server; provides mutual authentication and generates temporary keys
- access control: enforces the use of authentication, routes messages, and facilitates the key exchange (IEEE 802.1X port-based access control)
- privacy with message integrity: data are encrypted along with a message integrity code

The Link Layer: Wireless LAN Security
- the Discovery phase includes: network and security capability discovery (via beacons and probe responses), then association
- in the Authentication phase, the host (STA) authenticates to the authentication server (AS) through the AP, using EAP; STA and AS both end up with the master session key, and the AS delivers it to the AP, where it becomes the pairwise master key (PMK)
- the key management phase is the four-way handshake:
  1. the AP sends a nonce (ANonce) to the STA
  2. the STA sends its own nonce (SNonce) with a Message Integrity Code (MIC)
  3. the AP sends the Group Temporal Key (GTK), encrypted, with a MIC
  4. the STA acknowledges
- both sides derive the Pairwise Transient Key (PTK) from the PMK, the two nonces and the two MAC addresses; each MIC proves that its sender holds the PMK, which assures the STA that it is talking to the genuine AP and not to a man in the middle

The Link Layer: Wireless LAN Security
- confidentiality is ensured by Wi-Fi Protected Access 2 (WPA2), the Wi-Fi Alliance certification of 802.11i
- WPA2 uses AES in CCM mode (Counter mode with CBC-MAC), known as CCMP: AES counter mode for encryption combined with AES CBC-MAC for integrity, under one key
- integrity is ensured by the CBC-MAC half of CCM, which uses the final CBC block (truncated to 64 bits) as the MIC
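An added example (not the lecture's code) of the key material behind the four-way handshake described above: PTK derivation and the MIC checks of messages 2 and 3, following IEEE 802.11i (PRF-384 over the PMK, both MAC addresses and both nonces; HMAC-SHA1 key MIC for CCMP). The PMK here comes from a WPA2-Personal passphrase (PBKDF2-HMAC-SHA1) so that the code runs stand-alone; with an authentication server the PMK would instead be the first 256 bits of the master session key. MAC addresses and nonces are constructed, and message 3 omits the wrapped GTK.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    In WPA2-Enterprise the PMK is instead the first 256 bits of the EAP master session key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., then truncate."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    Split into KCK (MIC key for the handshake), KEK (wraps the GTK) and TK (the CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


# EAPOL-Key frame: EAPOL header (4) | descriptor type (1) | key info (2) | key length (2) |
# replay counter (8) | nonce (32) | IV (16) | RSC (8) | reserved (8) | MIC (16) | key data length (2) | data
NONCE, MIC = slice(17, 49), slice(81, 97)


def eapol_key_frame(key_info, replay_counter, nonce, key_data=b""):
    body = struct.pack("!BHHQ32s16s8s8s16sH", 2, key_info, 16, replay_counter, nonce,
                       bytes(16), bytes(8), bytes(8), bytes(16), len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body


def key_mic(kck, frame):
    """Descriptor version 2 (CCMP): HMAC-SHA1 over the whole frame with the MIC field zeroed, 128 bits kept."""
    return hmac.new(kck, frame[:81] + bytes(16) + frame[97:], hashlib.sha1).digest()[:16]


def with_mic(kck, frame):
    return frame[:81] + key_mic(kck, frame) + frame[97:]


def four_way_handshake(pmk_sta, pmk_ap, aa, spa, anonce, snonce):
    """Messages 1-3 of the handshake. Returns (AP accepts the STA's MIC, STA accepts the AP's MIC)."""
    # Message 1 (AP -> STA): ANonce in the clear, no MIC yet. Key info 0x008A = version 2, pairwise, Ack.
    msg1 = eapol_key_frame(0x008A, 1, anonce)
    # STA derives the PTK from PMK, both MACs and both nonces, then sends SNonce under a MIC (0x010A).
    kck_sta, _, _ = derive_ptk(pmk_sta, aa, spa, msg1[NONCE], snonce)
    msg2 = with_mic(kck_sta, eapol_key_frame(0x010A, 1, snonce))
    # AP derives the same PTK from the SNonce it received and checks the MIC: proof the STA holds the PMK.
    kck_ap, _, _ = derive_ptk(pmk_ap, aa, spa, anonce, msg2[NONCE])
    ap_ok = hmac.compare_digest(key_mic(kck_ap, msg2), msg2[MIC])
    # Message 3 (AP -> STA): ANonce again under the AP's MIC (0x13CA; a real frame also carries the RSN IE
    # and the GTK wrapped under KEK). Checking it is the STA's proof that the AP holds the PMK.
    msg3 = with_mic(kck_ap, eapol_key_frame(0x13CA, 2, anonce))
    sta_ok = hmac.compare_digest(key_mic(kck_sta, msg3), msg3[MIC])
    return ap_ok, sta_ok


def demo():
    aa = bytes.fromhex("001122334455")      # constructed AP (authenticator) MAC address
    spa = bytes.fromhex("66778899aabb")     # constructed STA (supplicant) MAC address
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed; random in practice
    pmk = pmk_from_passphrase("password", "IEEE")   # passphrase/SSID pair from IEEE 802.11i Annex H
    genuine = four_way_handshake(pmk, pmk, aa, spa, anonce, snonce)
    # evil twin: same SSID and BSSID, but without the PMK it can neither verify message 2 nor forge message 3
    evil_twin = four_way_handshake(pmk, pmk_from_passphrase("guess", "IEEE"), aa, spa, anonce, snonce)
    return pmk.hex(), genuine, evil_twin
```

The handshake never sends the PMK or the PTK; only the nonces cross the air, and the MICs are what tie them to the PMK. That is also why capturing messages 1 and 2 is enough for an offline dictionary attack on a WPA2-Personal passphrase: the attacker recomputes the PMK for each guess and checks the MIC exactly as the AP does above, so passphrase strength is the only defence in the Personal mode, while the Enterprise mode's per-session MSK removes that attack surface.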