Professional Documents
Culture Documents
CNS 5
CNS 5
Following are the steps taken to show how PGP uses hashing
and a combination of three keys to generate the original
message:
● The receiver receives the combination of encrypted secret
key and message digest is received.
● The encrypted secret key is decrypted by using the
receiver's private key to get the one-time secret key.
● The secret key is then used to decrypt the combination of
message and digest.
● The digest is decrypted by using the sender's public key,
and the original message is hashed by using a hash
function to create a digest.
● Both the digests are compared if both of them are equal
means that all the aspects of security are preserved.
PGP at the Receiver site (B)
IPSec Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or
data flow. These protocols are ESP (Encapsulation Security Payload) and
AH (Authentication Header). IPSec Architecture includes protocols,
algorithms, DOI, and Key Management. All these components are very
important in order to provide the three main services:
● Confidentiality
● Authentication
● Integrity
IP Security Architecture
1. Architecture: Architecture or IP Security Architecture
covers the general concepts, definitions, protocols,
Packet Format:
● Security Parameter Index(SPI): This parameter is
used by Security Association. It is used to give a
unique number to the connection built between the
Client and Server.
● Sequence Number: Unique Sequence numbers are
allotted to every packet so that on the receiver side
packets can be arranged properly.
● Payload Data: Payload data means the actual data or
the actual message. The Payload data is in an
encrypted format to achieve confidentiality.
● Padding: Extra bits of space are added to the original
message in order to ensure confidentiality. Padding
length is the size of the added bits of space in the
original message.
● Next Header: Next header means the next payload or
next actual data.
● Authentication Data This field is optional in ESP
protocol packet format.
3. Encryption algorithm: The encryption algorithm is the
document that describes various encryption algorithms used
for Encapsulation Security Payload.
essential to be protected.
1. Next Header – Next Header is 8-bit field that identifies type of header
value that increases by one for each packet sent. Every packet will
need sequence number. It will start from 0 and will go till – 1 and
there will be no wrap around. Say, if all sequence numbers are over
and none of it is left but we cannot wrap around as it is not allowed.
So, we will end connection and re-establish connection again to
resume transfer of remaining data from sequence number 0. Basically
sequence numbers are used to stop replay attack. In Replay attack, if
same message is sent twice or more, receiver won’t be able to know if
both messages are sent from a single source or not. Say, I am
requesting 100$ from receiver and Intruder in between asked for
another 100$. Receiver won’t be able to know that there is intruder in
between.
6. Authentication Data (Integrity Check Value) – Authentication data
is variable length field that contains Integrity Check Value (ICV) for
packet. Using hashing algorithm and secret key, sender will create
message digest which will be sent to receiver. Receiver on other hand
will use same hashing algorithm and secret key. If both message digest
matches then receiver will accept data. Otherwise, receiver will
discard it by saying that message has been modified in between. So
basically, authentication data is used to verify integrity of
transmission. Also length of Authentication data depends upon
hashing algorithm you choose.
Working of ESP:
1. Encapsulating Security Payload supports both main Network
layer protocols: IPv4 and IPv6 protocols.
2. It performs the functioning of encryption in headers of Internet
Protocol or in general say, it resides and performs functions in IP
Header.
3. One important thing to note here is that the insertion of ESP is
between Internet Protocol and other protocols such as UDP/
TCP/ ICMP.
Modes in ESP:
Encapsulating Security Payload supports two modes, i.e. Transport
mode, and tunnel mode.
Tunnel mode:
Transport mode:
Advantages:
Below listed are the advantages of Encapsulating Security Payload:
Disadvantages:
Below listed are the disadvantages of Encapsulating Security Payload:
Components of ESP:
An important point to note is that authentication and security are not
provided for the entire IP packet in transport mode. On the other hand
for the tunnel mode, the entire IP packet along with the new packet
header is encapsulated.
ESP Structure
1. Security Parameter :
2. Sequence Number:
3. Payload Data:
● Payload data don’t have fixed size and are variable in size to use
● It refers to the data/ content that is provided security by the
method of encryption
4. Padding:
5. Pad Length:
6. Next Header:
7. Authentication Data:
The keys will be created or generated based on the demand or requirement. This
method is suitable for large and distributed systems. Automated Key Exchange
has two main methods:
● Oakley Key Determination Protocol: Oakley key determination
protocol is based on the Diffie-Hellman key exchange protocol with
some added security. It is a generic protocol.
● ISAKMP(Internet Security Association and Key Management
Protocol): It provides a framework for key exchange and specific
support i.e the protocol can be either Authentication Header or
Encapsulation Security Protocol.
● SKEME Protocol: It is a key exchange technique that provides
anonymity, non-repudiation, and refreshment.
IKE Phase-2
There will be two devices i.e. sender and receiver. Once the sender and
receiver established the ISAKMP tunnel in phase-1 they move to phase-2.
phase-2 always operates in Quick mode. Here the security associations and
services between the two devices are negotiated. The devices will choose
which protocol(Authentication Header or Encapsulation Security Protocol)
and which algorithm to use.