
Information Security (CE5006)

Unit-5
Network Security

Prof. Dipak Dabhi

dipak.dabhi@utu.ac.in

Unit-5 Weightage : 20% (12 Marks)

Unit-5 Network Security CGPIT 1


Outline
1. Secure Socket Layer (SSL) architecture and working
2. Transport Level Security (TLS)
3. Secure Shell (SSH) protocol
4. Electronic mail security - Email security enhancements
5. Pretty Good Privacy (PGP)
6. S/MIME
7. IP Security
8. IPSec
• IPSec key management
• Intrusion detection



What Security Problem?

Today's Internet is primarily comprised of:
• Public
• Un-trusted
• Unreliable IP networks

Because of this inherent lack of security, the Internet is subject
to various types of threats…



Security at What Level?

• Application Layer: PGP, Kerberos, SSH, etc.
• Transport Layer: Secure Socket Layer/Transport Layer Security (TLS)
• Network Layer: IP Security
• Data Link Layer: Hardware encryption



IPsec

IPsec is a group of protocols that are used together to set up
encrypted connections between devices.


It helps keep data sent over public networks secure.


IPsec is often used to set up VPNs, and it works by encrypting IP
packets, along with authenticating the source where the packets
come from.


IPsec is used for protecting sensitive data, such as financial
transactions, medical records and corporate communications, as it's
transmitted across the network.



VPN

A virtual private network (VPN) is an encrypted
connection between two or more computers.


VPN connections take place over public networks, but the data
exchanged over the VPN is still private because it is encrypted.



IPSec Function Area
• IP-level security encompasses three functional areas:
• Authentication:
• The authentication mechanism assures that a received
packet was, in fact, transmitted by the party identified as
the source in the packet header.
• In addition, this mechanism assures that the packet has
not been altered in transit.
• Confidentiality:
• The confidentiality facility enables communicating nodes
to encrypt messages to prevent eavesdropping by third
parties.
• Key management.
Application of IPSec

Secure branch office connectivity over the Internet

Secure remote access over the Internet

Establishing extranet and intranet connectivity with partners

Enhancing electronic commerce security



IPSec Scenario

An organisation maintains LANs at dispersed locations

Non secure IP traffic is conducted on each LAN.

IPSec protocols are used

These protocols operate in networking devices that connect
each LAN to the outside world. (router, firewall )

The IPSec networking device will typically encrypt and compress
all traffic going into the WAN, and decrypt and decompress
traffic coming from the WAN



Why not use IPSec?

Processor overhead to encrypt & verify each packet can be
great.

Added complexity in network design.



Benefits of IPSec

In a firewall/router provides strong security to all traffic crossing
the perimeter

In a firewall/router is resistant to bypass

Is below transport layer, hence transparent to applications

Can be transparent to end users

Can provide security for individual users

Secures routing architecture



IPSec Documentation

As per RFC 4301



IPSec Documentation

Architecture: Covers the general concepts, security requirements, definitions, and
mechanisms defining IPSec technology

Encapsulating Security Payload (ESP): Covers the packet format and general issues
related to the use of the ESP for packet encryption and, optionally, authentication.

Authentication Header (AH): Covers the packet format and general issues related to
the use of AH for packet authentication.

Encryption Algorithm: A set of documents that describe how various encryption
algorithms are used for ESP.

Authentication Algorithm: A set of documents that describe how various
authentication algorithms are used for AH and for the authentication option of ESP.

Key Management: Documents that describe key management schemes.

Domain of Interpretation (DOI): Contains values needed for the other documents to
relate to each other. These include identifiers for approved encryption and
authentication algorithms, as well as operational parameters such as key lifetime.



IPSec Services

RFC 4301 lists following services:
• Access Control

• Connectionless integrity

• Data Origin Authentication

• Rejection of replayed packets

• Data Confidentiality

• Limited traffic flow confidentiality



Transport Mode and Tunnel mode



Transport Mode and Tunnel mode

Transport Mode
• IPSec in the transport mode does not protect IP header, it
only protects the information coming from the transport
layer
• ESP in transport mode encrypts and optionally
authenticates the IP payload but not the IP header
• AH in transport mode authenticates the IP payload and
selected portions of the IP header.



Transport Mode and Tunnel mode

Transport Mode in action



Transport Mode and Tunnel mode

Tunnel Mode



Transport Mode and Tunnel mode

Tunnel Mode
• IPSec in tunnel mode protects the original IP header

• To achieve this, after the AH or ESP fields are added to the IP packet,
the entire packet plus security fields is treated as the payload of new
outer IP packet with a new outer IP header.
• Tunnel mode is used when one or both ends of a security association
(SA) are a security gateway, such as a firewall or router that
implements IPsec
• With tunnel mode, a number of hosts on networks behind firewalls
may engage in secure communications without implementing IPsec.
• The unprotected packets generated by such hosts are tunnelled
through external networks



Transport Mode and Tunnel mode

Tunnel Mode



Tunnel Mode vs Transport Mode

Authentication Header (AH)
• Transport Mode: Authenticates IP payload and selected portions of IP header and IPv6 extension headers.
• Tunnel Mode: Authenticates entire inner IP packet (inner header plus IP payload) plus selected portions of outer IP header and outer IPv6 extension headers.

Encapsulating Security Payload (ESP)
• Transport Mode: Encrypts IP payload and any IPv6 extension headers following the ESP header.
• Tunnel Mode: Encrypts entire inner IP packet.

ESP with authentication
• Transport Mode: Encrypts IP payload and any IPv6 extension headers following the ESP header. Authenticates IP payload but not IP header.
• Tunnel Mode: Encrypts entire inner IP packet. Authenticates inner IP packet.



IP SECURITY POLICY

Fundamental to the operation of IPsec is the concept of a
security policy applied to each IP packet that transits from a
source to a destination

It defines the type of policy applied to the packet when it is to
be sent or has arrived

IPsec policy is determined primarily by the interaction of two
databases:
• Security Association Database (SAD)

• Security Policy Database (SPD)



Security Association

A key concept that appears in both the authentication and
confidentiality mechanisms for IP is the security association
(SA).
• An association is a one-way logical connection between a
sender and a receiver that affords security services to the
traffic carried on it.
• If a peer relationship is needed for two-way secure
exchange, then two security associations are required.



Security Association Database (SAD)


When a host needs to send an IPSec enabled packet, host needs
to find the corresponding entry in outbound SAD

When a host needs to receive an IPSec enabled packet, host
needs to find the corresponding entry in inbound SAD

Each entry is uniquely selected using following triple index

<SPI, DA, P>



Security Association Database (SAD)

Security Parameter Index (SPI):
• A 32-bit number that defines the SA
• SPI is decided during the SA negotiation and included in all IPSec packets that belong to the same inbound SA

Destination Address (DA):
• A unicast IP address of the destination host
• IPSec requires that the SA be unique for each destination

Protocol (P):
• Either AH or ESP



Security Association Database (SAD)

Security Association Parameters



Security Policy Database (SPD)

Each host using IPSec needs to keep an SPD

Like the SAD, there is a need for both an inbound and an outbound SPD

Each entry in the SPD is accessed using a six-tuple index:

<SAddress, DAddress, Name, P, SPort, DPort>
• Source and destination address can be unicast or multicast
• Name is a DNS entry
• Protocol is either AH or ESP
• Source and destination port denote where the process is running
Security Policy Database (SPD)

Outbound SPD: The input to the Outbound SPD is the six-tuple
index and the output is one of the following cases
• Drop: Packet cannot be sent
• Bypass: Bypass the security header
• Apply: Apply the SA if already established, or consult the Internet
Key Exchange (IKE) protocol to create an inbound and an
outbound SA for this traffic and then apply



Security Policy Database (SPD)



Security Policy Database (SPD)

Inbound SPD:
• Discard: Packet defined by the policy must be discarded
• Bypass: Don’t process the packet and give it to transport layer
• Apply:
• If SA is already established, it will be applied and if
packet passes the security checks the AH or ESP header
will be removed
• If SA is not yet established, packet will be discarded
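
The outbound and inbound SPD decisions and the <SPI, DA, P> SAD index described above, as an added Python model that is not part of the original slides. The `ike_negotiate` stand-in, the default-drop rule for unmatched traffic, the host addresses and the SPI values are assumptions made for the illustration.

```python
import ipaddress
import itertools
from dataclasses import dataclass, field

DROP, BYPASS, APPLY = "drop", "bypass", "apply"

@dataclass
class Policy:
    """One SPD entry: selectors (None means wildcard) and the resulting action."""
    saddr: str                 # source network in CIDR form
    daddr: str                 # destination network in CIDR form
    action: str                # DROP, BYPASS or APPLY
    proto: str = None          # "AH" or "ESP", used when action is APPLY
    name: str = None
    sport: int = None
    dport: int = None

    def matches(self, pkt):
        def in_net(ip, net):
            return ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(pkt["src"], self.saddr) and in_net(pkt["dst"], self.daddr)
                and self.name in (None, pkt.get("name"))
                and self.sport in (None, pkt.get("sport"))
                and self.dport in (None, pkt.get("dport")))

@dataclass
class Host:
    addr: str
    spd: list
    outbound_sad: dict = field(default_factory=dict)   # (SPI, DA, P) -> SA
    inbound_sad: dict = field(default_factory=dict)    # (SPI, DA, P) -> SA

spi_counter = itertools.count(0x1000)   # constructed SPI values

def ike_negotiate(a, b, proto):
    """Hypothetical stand-in for IKE: an SA is one-way, so create one per direction."""
    for sender, receiver in ((a, b), (b, a)):
        spi = next(spi_counter)
        sa = {"spi": spi, "proto": proto, "key": "constructed-key-%x" % spi}
        sender.outbound_sad[(spi, receiver.addr, proto)] = sa
        receiver.inbound_sad[(spi, receiver.addr, proto)] = sa

def lookup_policy(host, pkt):
    # First matching entry wins; None means no policy covers the packet.
    return next((p for p in host.spd if p.matches(pkt)), None)

def find_outbound_sa(host, dst, proto):
    return next((k for k in host.outbound_sad if k[1:] == (dst, proto)), None)

def outbound(host, peer, pkt):
    """Return (action, SPI). Unmatched traffic is dropped (assumption of this model)."""
    pol = lookup_policy(host, pkt)
    if pol is None or pol.action == DROP:
        return (DROP, None)
    if pol.action == BYPASS:
        return (BYPASS, None)
    key = find_outbound_sa(host, pkt["dst"], pol.proto)
    if key is None:                       # no SA yet: consult IKE, then apply
        ike_negotiate(host, peer, pol.proto)
        key = find_outbound_sa(host, pkt["dst"], pol.proto)
    return (APPLY, key[0])

def inbound(host, spi, proto, pkt):
    """Return 'deliver' or 'discard' for a packet arriving at host."""
    pol = lookup_policy(host, pkt)
    if pol is None or pol.action == DROP:
        return "discard"
    if pol.action == BYPASS:
        return "deliver"
    # Apply: the SA must already exist, otherwise the packet is discarded.
    return "deliver" if (spi, host.addr, proto) in host.inbound_sad else "discard"

def demo_hosts():
    """Two constructed hosts using documentation address ranges."""
    rule = Policy("192.0.2.1/32", "198.51.100.7/32", APPLY, "ESP", dport=443)
    dns = Policy("192.0.2.1/32", "198.51.100.0/24", BYPASS, dport=53)
    return Host("192.0.2.1", [rule, dns]), Host("198.51.100.7", [rule])

if __name__ == "__main__":
    a, b = demo_hosts()
    web = {"src": a.addr, "dst": b.addr, "sport": 40000, "dport": 443}
    action, spi = outbound(a, b, web)
    print(action, hex(spi), inbound(b, spi, "ESP", web))
```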



Security Policy Database (SPD)



Security Protocols

Authentication Header (AH)
• The AH protocol is designed to authenticate the source host
and to ensure the integrity of the payload carried in the IP
packet.
• It uses a hash function and a symmetric key to create a
message digest; the digest is inserted in the authentication
header.
• The AH is then placed in the appropriate location, based on the
mode



Security Protocols

Authentication Header (AH) in transport mode



Security Protocols

Authentication Header (AH)
• An authentication header is added to the payload with the
authentication data field set to 0.
• Padding may be added to make the total length even for a particular
hashing algorithm
• Hashing is based on the total packet.
• Only those fields of the IP header are included that do not change
during transmission
• The authentication data are inserted in the authentication header.

• The IP Header is added after changing the value of the protocol field
to 51.
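
The AH steps listed above, carried through for an IPv4 packet in transport mode, as an added Python example that is not part of the original slides. HMAC-SHA1 truncated to 96 bits, the set of header fields zeroed as "changing in transit" (TOS, flags/fragment offset, TTL, checksum), and all addresses, keys and SPI values are assumptions of the example.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51      # protocol value placed in the IP header, as on the slide
ICV_LEN = 12       # assumption: HMAC-SHA1 truncated to 96 bits

def checksum(hdr):
    """IPv4 header checksum over a 20-byte header whose checksum field is zero."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                0x1234, 0, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def zero_mutable(ip_hdr):
    """Zero the fields routers may change, so they are excluded from the hash."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags and fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)

def ah_header(next_hdr, spi, seq, icv=b"\x00" * ICV_LEN):
    payload_len = (12 + len(icv)) // 4 - 2      # AH length in 32-bit words minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, ah, payload):
    # Authentication data field is set to 0 while hashing the whole packet.
    ah_zeroed = ah[:12] + b"\x00" * ICV_LEN
    data = zero_mutable(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, src, dst, upper_proto, payload, spi, seq):
    ah = ah_header(upper_proto, spi, seq)
    ip = ipv4_header(src, dst, AH_PROTO, len(ah) + len(payload))
    icv = compute_icv(key, ip, ah, payload)
    return ip + ah_header(upper_proto, spi, seq, icv) + payload

def ah_verify(key, packet):
    ip, ah, payload = packet[:20], packet[20:44], packet[44:]
    if ip[9] != AH_PROTO:
        return False
    return hmac.compare_digest(compute_icv(key, ip, ah, payload), ah[12:24])

def forward_one_hop(packet):
    """What a router does: decrement TTL and recompute the header checksum."""
    b = bytearray(packet)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", checksum(bytes(b[:20])))
    return bytes(b)

def rewrite_source(packet, new_src):
    """Simulate a forged source address (an immutable, authenticated field)."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]

if __name__ == "__main__":
    key = b"constructed-shared-key"
    pkt = ah_protect(key, "192.0.2.1", "198.51.100.7", 6,
                     b"constructed TCP segment", spi=0x1001, seq=1)
    print(ah_verify(key, forward_one_hop(pkt)),
          ah_verify(key, rewrite_source(pkt, "203.0.113.9")))
```

A TTL change by a router leaves the packet valid because the field is zeroed before hashing, while a changed source address or payload fails the check.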



Security Protocols

Encapsulating Security Payload (ESP) in transport mode
• ESP provides authentication, integrity and privacy

• It adds header and trailer



Security Protocols

Encapsulating Security Payload (ESP) in transport mode



Security Protocols

Encapsulating Security Payload (ESP)
• An ESP trailer is added to the payload

• The payload and the trailer are encrypted

• The ESP header is added

• The ESP header, payload and ESP trailer are used to create the
authentication data
• The authentication data are added to the end of the ESP
trailer
• The IP header is added after changing the protocol value to
50.

ESP in Transport Mode and Tunnel Mode



ESP in Tunnel Mode



IPSec Services



Internet Key Exchange (IKE)

The key management portion of IPsec involves the determination and
distribution of secret keys.

A typical requirement is four keys for communication between two
applications: transmit and receive pairs for both integrity and confidentiality.

The IPsec Architecture document mandates support for two types of key
management:
• Manual: A system administrator manually configures each system with its
own keys and with the keys of other communicating systems. This is
practical for small, relatively static environments.

• Automated: An automated system enables the on-demand creation of
keys for SAs and facilitates the use of keys in a large distributed system
with an evolving configuration.



Internet Key Exchange (IKE)

The default automated key management protocol for IPsec is
referred to as ISAKMP/Oakley and consists of the following
elements:
• Oakley Key Determination Protocol: Oakley is a key exchange
protocol based on the Diffie-Hellman algorithm but providing
added security. Oakley does not dictate specific formats.
• Internet Security Association and Key Management Protocol
(ISAKMP): ISAKMP provides a framework for Internet key
management and provides the specific protocol support,
including formats, for negotiation of security attributes.



Key Determination Protocol of IKE

IKE key determination is a refinement of the Diffie-Hellman key
exchange algorithm.

The Diffie-Hellman algorithm has two attractive features:
• Secret keys are created only when needed. There is no need
to store secret keys for a long period of time, exposing them
to increased vulnerability.
• The exchange requires no pre-existing infrastructure other
than an agreement on the global parameters.



Key Determination Protocol of IKE

However, there are a number of weaknesses to Diffie-Hellman, as
pointed out in [HUIT98].
• It does not provide any information about the identities of the
parties.
• It is subject to a man-in-the-middle attack, in which a third party
C impersonates B while communicating with A and impersonates
A while communicating with B. Both A and B end up negotiating
a key with C, which can then listen to and pass on traffic.
• It is computationally intensive. As a result, it is vulnerable to a
clogging attack, in which an opponent requests a high number of
keys. The victim spends considerable computing resources doing
useless modular exponentiation rather than real work.



Secure Socket Layer (SSL)
▪ Secure Socket Layer (SSL) provides security services between TCP
and applications that use TCP. The Internet standard version is
called Transport Layer Security (TLS).
▪ SSL/TLS provides confidentiality using symmetric encryption and
message integrity using a message authentication code.
▪ SSL/TLS includes protocol mechanisms to enable two TCP users to
determine the security mechanisms and services they will use.
▪ SSL is designed to make use of TCP to provide a reliable end-to-end
secure service.
Relative Location of Security Facilities in the TCP/IP Protocol Stack
Secure Socket Layer (SSL) Architecture
▪ Two important concepts are:
▪ SSL Connection:
▪ It is a transport entity that provides suitable type of service
▪ Such connections are peer-to-peer
▪ The connections are transient
▪ Every connection is associated with one session
Secure Socket Layer (SSL) Architecture
▪ Two important concepts are:
▪ SSL Session:
▪ It is an association between a client and a server
▪ Sessions are created by the handshake protocols
▪ It defines the set of cryptographic parameters which
can be shared among multiple connections
▪ During the handshake protocol, pending read and write states
are created
▪ Upon successful conclusion, the pending state
become the current state
▪ Between any pair of parties there may be multiple
secure connections
Secure Socket Layer (SSL) Architecture
▪ A session state is defined by the following parameters.
▪ Session identifier
▪ Peer certificate
▪ Compression method
▪ Cipher Spec
▪ Master Secret
▪ Is resumable
Secure Socket Layer (SSL) Architecture
▪ A connection state is defined by the following parameters.
▪ Server and client random
▪ Server write MAC secret
▪ Client write MAC secret
▪ Server write key
▪ Client write key
▪ Initialisation vectors
▪ Sequence numbers
Secure Socket Layer (SSL) Architecture
Four SSL Protocols
SSL Record Protocol
▪ It provides two services for SSL connections
▪ Confidentiality: The Handshake Protocol defines a shared
secret key that is used for conventional encryption of SSL
payloads.
▪ Message Integrity: The Handshake Protocol also defines a
shared secret key that is used to form a message
authentication code (MAC).
SSL Record Protocol – Cont…
▪ The Record Protocol takes an application message to be
transmitted, fragments the data into manageable blocks, optionally
compresses the data, applies a MAC, encrypts, adds a header, and
transmits the resulting unit in a TCP segment.
▪ Received data are decrypted, verified, decompressed, and
reassembled before being delivered to higher-level users.
SSL Record Protocol – Cont…
▪ The first step is fragmentation. Each upper-layer message
is fragmented into blocks of 2^14 bytes (16384 bytes) or less.
▪ Compression is optionally applied. Compression must be
lossless and may not increase the content length by more than
1024 bytes.
▪ The next step is to compute a message authentication code
over the compressed data.
▪ For this purpose, a shared secret key is used. The calculation is
defined as
▪ hash(MAC_write_secret | pad_2 | hash(MAC_write_secret | pad_1 | seq_num | SSLCompressed.type | SSLCompressed.length | SSLCompressed.fragment))
SSL Record Protocol – Cont…
▪ where
▪ | = concatenation
▪ MAC_write_secret = shared secret key
▪ hash = cryptographic hash algorithm; either MD5 or SHA-1
▪ pad_1 = the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and
40 times (320 bits) for SHA-1
▪ pad_2 = the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times
for SHA-1
▪ seq_num = the sequence number for this message
▪ SSLCompressed.type = the higher-level protocol used to process this fragment
▪ SSLCompressed.length = the length of the compressed fragment
▪ SSLCompressed.fragment = the compressed fragment (if compression
is not used, this is the plaintext fragment)
SSL Record Protocol – Cont…
▪ Next, the compressed message plus the MAC are encrypted
using symmetric encryption. Encryption may not increase the
content length by more than 1024 bytes, so that the total length
may not exceed 2^14 + 2048.
▪ The final step of SSL Record Protocol processing is to prepare a
header consisting of the following fields:
▪ Content Type (8 bits): The higher-layer protocol used to process
the enclosed fragment.
▪ Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the
value is 3.
▪ Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0.
▪ Compressed Length (16 bits): The length in bytes of the plaintext fragment
(or compressed fragment if compression is used). The maximum value is
2^14 + 2048.
Change Cipher Spec Protocol
▪ The Change Cipher Spec Protocol is one of the three SSL-specific
protocols that use the SSL Record Protocol, and it is the simplest.
▪ This protocol consists of a single message which consists of a single
byte with the value 1.
▪ The sole purpose of this message is to cause the pending state to
be copied into the current state, which updates the cipher suite to
be used on this connection.
Alert Protocol
▪ The Alert Protocol is used to convey SSL-related alerts to the peer
entity. As with other applications that use SSL, alert messages are
compressed and encrypted, as specified by the current state.
▪ Each message in this protocol consists of two bytes.
▪ The first byte takes the value warning (1) or fatal (2) to convey the severity
of the message.
▪ If the level is fatal, SSL immediately terminates the connection. Other
connections on the same session may continue, but no new connections
on this session may be established.
▪ The second byte contains a code that indicates the specific alert.
Alert Protocol
▪ First, we list those alerts that are always fatal (definitions from the
SSL specification):
▪ unexpected_message: An inappropriate message was received.
▪ bad_record_mac: An incorrect MAC was received.
▪ decompression_failure: The decompression function received
improper input (e.g., unable to decompress or decompress to
greater than maximum allowable length).
▪ handshake_failure: Sender was unable to negotiate an acceptable
set of security parameters given the options available.
▪ illegal_parameter: A field in a handshake message was out of
range or inconsistent with other fields.
Alert Protocol
▪ The remaining alerts are the following.
▪ close_notify: Notifies the recipient that the sender will not send any more
messages on this connection. Each party is required to send a close_notify
alert before closing the write side of a connection.
▪ no_certificate: May be sent in response to a certificate request if no
appropriate certificate is available.
▪ bad_certificate: A received certificate was corrupt (e.g., contained a
signature that did not verify).
▪ unsupported_certificate: The type of the received certificate is not
supported.
▪ certificate_revoked: A certificate has been revoked by its signer.
▪ certificate_expired: A certificate has expired.
▪ certificate_unknown: Some other unspecified issue arose in processing the
certificate, rendering it unacceptable.
Handshake Protocol
Handshake Protocol – Phase I
Connection Establishment



Handshake Protocol – Phase I
After Phase I, the client and server know the following:
▪ The version of SSL
▪ The algorithms for key exchange, message authentication,
and encryption
▪ The compression method
▪ The two random numbers for key generation
Handshake Protocol – Phase II
Server Authentication & Key Exchange
Handshake Protocol – Phase II
After Phase II
▪ The server is authenticated to the client.
▪ The client knows the public key of the server if required.
Handshake Protocol – Phase III
Client Authentication & Key Exchange
Handshake Protocol – Phase IV

Change Cipher Spec and finish



SSL Handshake Protocol Phases
TRANSPORT LAYER SECURITY

TLS is an IETF (Internet Engineering Task Force) standardization
initiative whose goal is to produce an Internet standard version
of SSL.

TLS is defined as a Proposed Internet Standard in RFC 5246.

TLS is a cryptographic protocol that provides end-to-end
communications security over networks and is widely used for
internet communications and online transactions.



TRANSPORT LAYER SECURITY

Version Number
• The TLS Record Format is the same as that of the SSL Record
Format and the fields in the header have the same
meanings.
• The one difference is in version values.

• For the current version of TLS, the major version is 3 and the
minor version is 3.



TRANSPORT LAYER SECURITY

Message Authentication Code

TLS
• TLS makes use of the HMAC algorithm defined in RFC 2104:
HMAC_K(M) = H[(K+ ⊕ opad) | H[(K+ ⊕ ipad) | M]]
• The MAC calculation covers all of the fields covered by the SSLv3
calculation, plus the field TLSCompressed.version, which is the
version of the protocol being employed.

SSL
• SSLv3 uses the same algorithm, except that the padding bytes are
concatenated with the secret key rather than being XORed with the
secret key padded to the block length.
• The TLSCompressed.version field is not present.
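
The SSLv3 record MAC from the SSL Record Protocol slides and the TLS HMAC compared above, side by side, as an added Python example that is not part of the original slides. It assumes SHA-1 as the hash, a 64-bit sequence number, a 1-byte type and a 2-byte length field; the secret and the fragment are constructed sample values.

```python
import hashlib
import hmac
import struct

# Pad repetition counts from the slides: 48 for MD5, 40 for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}

def record_fields(seq_num, content_type, fragment, version=None):
    """seq_num | type | [version, TLS only] | length | fragment."""
    out = struct.pack("!QB", seq_num, content_type)
    if version is not None:                  # TLSCompressed.version
        out += struct.pack("!BB", *version)
    return out + struct.pack("!H", len(fragment)) + fragment

def sslv3_mac(secret, seq_num, content_type, fragment, hash_name="sha1"):
    """hash(secret | pad_2 | hash(secret | pad_1 | seq_num | type | length | fragment))."""
    n = PAD_LEN[hash_name]
    pad_1, pad_2 = b"\x36" * n, b"\x5c" * n
    fields = record_fields(seq_num, content_type, fragment)
    inner = hashlib.new(hash_name, secret + pad_1 + fields).digest()
    return hashlib.new(hash_name, secret + pad_2 + inner).digest()

def tls_mac(secret, seq_num, content_type, version, fragment, hash_name="sha1"):
    """RFC 2104 HMAC over the SSLv3 fields plus the version field."""
    fields = record_fields(seq_num, content_type, fragment, version)
    return hmac.new(secret, fields, hash_name).digest()

def hmac_by_hand(secret, msg, hash_name="sha1"):
    """H[(K+ xor opad) | H[(K+ xor ipad) | M]], written out to show the XOR step."""
    block = hashlib.new(hash_name).block_size
    if len(secret) > block:
        secret = hashlib.new(hash_name, secret).digest()
    k_plus = secret.ljust(block, b"\x00")    # key padded to the block length
    ipad = bytes(b ^ 0x36 for b in k_plus)
    opad = bytes(b ^ 0x5C for b in k_plus)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def check_mac(expected, received):
    """Constant-time comparison; a mismatch maps to the fatal bad_record_mac alert."""
    return "ok" if hmac.compare_digest(expected, received) else "bad_record_mac"

if __name__ == "__main__":
    secret = b"k" * 20                               # constructed MAC_write_secret
    fragment = b"GET / HTTP/1.0\r\n\r\n"             # constructed plaintext fragment
    print(sslv3_mac(secret, 0, 23, fragment).hex())
    print(tls_mac(secret, 0, 23, (3, 3), fragment).hex())
```

Because the sequence number is part of the hashed input, the same fragment replayed under a different sequence number produces a different MAC.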



TRANSPORT LAYER SECURITY

Pseudorandom Function

TLS makes use of a pseudorandom function (PRF) to expand
secrets into blocks of data for purposes of key generation or
validation.

The objective is to make use of a relatively small shared secret
value but to generate longer blocks of data in a way that is secure
from the kinds of attacks made on hash functions and MACs.

The data expansion function makes use of the HMAC algorithm
with either MD5 or SHA-1 as the underlying hash function.

P_hash can be iterated as many times as necessary to produce the
required quantity of data



TRANSPORT LAYER SECURITY

Pseudorandom Function



TRANSPORT LAYER SECURITY

Pseudorandom Function
• Each iteration involves two executions of HMAC—each of
which in turn involves two executions of the underlying hash
algorithm.
• To make PRF as secure as possible, it uses two hash
algorithms in a way that should guarantee its security if
either algorithm remains secure. PRF is defined as
• PRF(secret, label, seed) = P_hash(S1,label | seed)



TRANSPORT LAYER SECURITY

Alert Codes

TLS supports all of the alert codes defined in SSLv3 with the
exception of no_certificate.

A number of additional codes are defined in TLS



TRANSPORT LAYER SECURITY

Cipher Suites

There are several small differences between the cipher suites
available under SSLv3 and under TLS:

• Key Exchange: TLS supports all of the key exchange
techniques of SSLv3 with the exception of Fortezza.

• Symmetric Encryption Algorithms: TLS includes all of the
symmetric encryption algorithms found in SSLv3, with the
exception of Fortezza.



TRANSPORT LAYER SECURITY

Client Certificate Types

In addition, SSLv3 includes:
• Ephemeral Diffie-Hellman involves signing the Diffie-Hellman
parameters with either RSA or DSS as rsa_ephemeral_dh or
dss_ephemeral_dh
• fortezza_kea

TLS defines the following certificate types to be requested in a
certificate_request message:
• For TLS, the rsa_sign and dss_sign types are used for that
function
• rsa_fixed_dh
• dss_fixed_dh

Secure Shell SSH protocol

It is a cryptographic network protocol for operating network
services securely over an unsecured network.

It is a secure alternative to unprotected login
protocols (like telnet) and insecure file transfer
methods (like FTP).

It uses client server architecture.

SSH is used for accessing remote servers



Secure Shell SSH protocol

Conceptually the SSH protocol can be
partitioned into four layers:

Transport Protocol

The SSH Transport Protocol is a secure, low-level
transport. It provides strong encryption, cryptographic
host authentication and integrity protection.
Currently, only a minimum of MAC- (message
authentication code, a short piece of information used
to authenticate a message) and encryption algorithms
are supported.

Authentication Protocol

The SSH authentication protocol is a general-purpose
user authentication protocol run over the SSH
transport protocol.



SSH continue..

Connection Protocol

The SSH Connection Protocol provides application-support
services over the transport pipe, such as channel multiplexing,
flow control, remote program execution, signal propagation,
connection forwarding, etc.

Channels

All terminal sessions, forwarded connections etc., are channels.
Multiple channels are multiplexed into a single connection, and all
channels are flow-controlled.



SSH continue..

Channels come in three flavors:

Subsystem - named services that can be run as part of an SSH
server such as SFTP ssh_sftpd, that is built in to the SSH daemon
(server) by default but may be disabled.

Shell - It is possible to customize the shell by providing your own
read-eval-print loop.

Exec - one-time remote execution of commands.



Electronic mail security

Pretty Good Privacy(PGP)

S/MIME



Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) is an encryption system used for both
sending encrypted emails and encrypting sensitive files.

The popularity of PGP is based on two factors.
• The first is that the system was originally available as
freeware, and so spread rapidly among users who wanted an
extra level of security for their email messages.
• The second is that since PGP uses both symmetric encryption
and public-key encryption, it allows users who have never
met to send encrypted messages to each other without
exchanging private encryption keys.

PGP encryption uses a combination of two forms of encryption:
symmetric key encryption, and public-key encryption.



Pretty Good Privacy (PGP)



Working of PGP

This is how PGP encryption works:

First, PGP generates a random session key using one of two
(main) algorithms. This key is a huge number that cannot be
guessed, and is only used once.

Next, this session key is encrypted. This is done using the public
key of the intended recipient of the message. The public key is
tied to a particular person’s identity, and anyone can use it to
send them a message.

The sender sends their encrypted PGP session key to the
recipient, and they are able to decrypt it using their private key.
Using this session key, the recipient is now able to decrypt the
actual message.



S/MIME

S/MIME is an acronym for Secure/Multipurpose Internet Mail
Extensions.

It references a type of public encryption and signing of MIME
data (a.k.a. email messages) to verify a sender’s identity.

With S/MIME, it is possible to send and receive encrypted
emails.

S/MIME is a type of “end-to-end” encryption solution used for
email messages. To be more specific, it uses asymmetric
cryptography to protect emails from being read by a third party.




Secure/Multipurpose Internet Mail Extensions.

Provides security for conventional emails.

Extension of MIME protocol.

It is a widely accepted method (or more precisely, a protocol) for
sending digitally signed and encrypted messages.

i.e. it allows us to digitally sign our email to verify ourselves as the
legitimate sender (and also encryption and decryption of mails).

S/MIME is based on asymmetric



Reference Questions !!
1. What is IP security? Explain application and benefits of IPsec.
2. What are the three functional areas used for IP security? Explain IPsec services.
3. What is S/MIME? How does it work? Explain the functions provided by S/MIME.
4. Explain Security association database with diagram.
5. Explain architecture of Secure socket Layer with its neat diagram.
6. Draw and explain SSL Handshake protocol.
7. Write a short note on PGP.
8. Explain Internet Key Exchange (IKE) in detail.
9. Explain Transport Layer security with diagram.
10. Explain SSL Alert protocol with diagram.
11. Explain transport mode and tunnel mode with diagram.
12. Explain Authentication header (AH) protocol of IPsec with diagram.
13. Explain PGP message generation and reception process. Assume that message is
going from user A to user B.
14. Explain Encapsulating security payload (ESP) protocol of IPsec with diagram
15. Explain Security association database with diagram.



Thank You

End of Unit-5
