IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427) NISHU RASTOGI (121418) BHOOMIKA...
IPSEC : KEY MANAGEMENT
PRESENTATION BY:
SNEHA A MITTAL(121427)
NISHU RASTOGI (121418)
BHOOMIKA PARMAR (121406)
MONIKA MITTAL (121414)
ROHIT JAIN (121424)
SUBMITTED TO:
Dr. C. RAMAKRISHNA
(ASSOCIATE PROFESSOR)
(CSE DEPARTMENT)
NITTTR CHANDIGARH
OVERVIEW
KEY MANAGEMENT FOR IPSEC
TYPES OF KEY MANAGEMENT
ISAKMP/OAKLEY
OAKLEY KEY DETERMINATION PROTOCOL
DIFFIE HELLMAN KEY EXCHANGE
FEATURES
ISAKMP
PAYLOAD TYPES
CONCLUSION
KEY MANAGEMENT FOR IPSEC
The key management portion of IPSec involves the determination and distribution of secret keys.
A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP.
TYPES
Two types of key management according to the IPSec Architecture document:
Manual
Automated
MANUAL
A system administrator manually configures each system with its own keys and with the keys of other communicating systems.
This is practical for small, relatively static environments.
AUTOMATED
An automated system enables the on-demand creation of keys for SAs.
Facilitates the use of keys in a large distributed system with an evolving configuration.
ISAKMP/OAKLEY
The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley.
Consists of the following elements:
Oakley Key Determination Protocol
Internet Security Association and Key Management Protocol (ISAKMP)
OAKLEY KEY DETERMINATION PROTOCOL
Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security.
Oakley is generic in that it does not dictate specific formats.
Oakley KDP = Diffie-Hellman Key Exchange + authentication & cookies
DIFFIE HELLMAN KEY EXCHANGE
A & B agree on 2 numbers n and g (g is a primitive root mod n)
A chooses a large random number x & calculates X = g^x mod n {A sends X, g, and n to B}
B chooses a large random number y & calculates Y = g^y mod n {Then B sends Y to A}
Finally A calculates k = Y^x mod n & B calculates k' = X^y mod n
Both values equal g^(xy) mod n, so A and B now hold the same secret without ever sending it.
DIFFIE HELLMAN KEY EXCHANGE
Features: Secret keys are created only when needed. The exchange requires no pre-existing infrastructure.
Weaknesses: Provides no information about the identities of the parties, so a man-in-the-middle attack can be carried out.
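The exchange on the previous slide, carried through in code. This is an added example and not part of the presentation: the tiny parameters p = 23 and g = 5 are constructed so the trace can be checked by hand (5 is a primitive root mod 23), and the check on the peer's public value is a practitioner's addition, not something the slides describe. The same functions run unchanged with the 768/1024/1536-bit moduli listed later in the deck.

```python
import secrets

# Constructed toy parameters so the trace is readable by hand: p = 23 is prime and
# g = 5 is a primitive root mod 23. Real Oakley groups use 768/1024/1536-bit
# moduli; pow() does modular exponentiation on arbitrarily large integers.
TOY_P, TOY_G = 23, 5


def dh_public(g, x, p):
    """Public value X = g^x mod p that a party sends to its peer."""
    return pow(g, x, p)


def check_public_value(v, p):
    """Reject degenerate peer values. 0, 1 and p-1 force the shared secret into a
    tiny set no matter how the private exponent was chosen, so an endpoint should
    refuse them before spending an exponentiation on them."""
    if not 2 <= v <= p - 2:
        raise ValueError("peer public value outside [2, p-2]")
    return v


def dh_shared(peer_public, x, p):
    """Shared secret: Y^x mod p on A's side, X^y mod p on B's side."""
    return pow(check_public_value(peer_public, p), x, p)


def random_exponent(p):
    """Private exponent drawn from [2, p-2] with a CSPRNG."""
    return 2 + secrets.randbelow(p - 3)


def run_exchange(p=TOY_P, g=TOY_G, x=None, y=None):
    """Full exchange between A (exponent x) and B (exponent y).
    Returns (X, Y, k, k_prime); k == k_prime == g^(xy) mod p."""
    x = random_exponent(p) if x is None else x
    y = random_exponent(p) if y is None else y
    X = dh_public(g, x, p)          # A -> B: X, g, p
    Y = dh_public(g, y, p)          # B -> A: Y
    k = dh_shared(Y, x, p)          # A computes Y^x mod p
    k_prime = dh_shared(X, y, p)    # B computes X^y mod p
    return X, Y, k, k_prime


if __name__ == "__main__":
    # Fixed exponents give a deterministic trace: X=8, Y=19, k=k'=2.
    X, Y, k, k_prime = run_exchange(x=6, y=15)
    print(f"X={X} Y={Y} k={k} k'={k_prime} agree={k == k_prime}")
```

Nothing in the trace tells A that Y really came from B, which is the man-in-the-middle weakness the slide names and the reason Oakley adds authentication on top of the bare exchange.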
FEATURES
Five main features of Oakley:
Cookies help resist clogging attacks
Enables two parties to negotiate a group
Nonces help resist message replay attacks
Enables exchange of Diffie-Hellman public key values
Authentication helps resist man-in-the-middle attacks
CLOGGING ATTACKS
A form of denial of service attack.
The attacker sends a large number of public values Y_i in crafted IP packets, forcing the victim's computer to compute secret keys K_i = Y_i^X mod p over and over again.
Diffie-Hellman is computationally intensive because of the modular exponentiations.
PREVENTING CLOGGING ATTACKS USING COOKIES
Before doing any computation, the recipient sends a cookie (a random number) back to the source and waits for a confirmation that includes that cookie.
This prevents attackers from making DH requests using crafted packets with crafted (spoofed) source addresses.
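The cookie exchange from this slide and the clogging attack from the previous one, modelled as a responder that is instrumented to count how many modular exponentiations it performs. This is an added example, not code from the presentation: the toy group (p = 23, g = 5), the addresses and the `Responder`/`simulate` names are constructed for the demo, and the cookie recipe (keyed hash over the claimed addresses and a local secret) is a simplification of the RFC 2522 one, which also folds in ports and a time-based counter.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, the same one used for the Diffie-Hellman trace.
P, G = 23, 5


class Responder:
    """Responder that refuses to do the Diffie-Hellman exponentiation until the
    initiator has echoed a cookie, i.e. proved it can receive packets at the
    source address it claims."""

    def __init__(self, p=P, g=G):
        self.p, self.g = p, g
        self.secret = secrets.token_bytes(32)  # local secret, never sent
        self.exponentiations = 0               # instrumented for the demo

    def make_cookie(self, src, dst):
        """Stateless cookie: keyed hash over the claimed addresses and the local
        secret. Nothing is stored per unconfirmed request, so a burst of requests
        from forged addresses costs the responder neither memory nor exponentiations.
        (RFC 2522 also mixes in ports and a time-based counter; omitted here.)"""
        msg = f"{src}|{dst}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def handle(self, src, dst, cookie=None, peer_public=None):
        """Process one incoming message. Returns a dict describing the reply."""
        expected = self.make_cookie(src, dst)
        if cookie is None or not hmac.compare_digest(cookie, expected):
            # First contact (or bad cookie): reply with a cookie only and do no
            # expensive work. A forged source never receives this reply, so a
            # request from it can never reach the branch below.
            return {"cookie": expected}
        if peer_public is None or not 2 <= peer_public <= self.p - 2:
            return {"error": "missing or degenerate public value"}
        # Cookie confirmed: only now spend the two modular exponentiations.
        y = 2 + secrets.randbelow(self.p - 3)
        self.exponentiations += 2
        return {"Y": pow(self.g, y, self.p), "k": pow(peer_public, y, self.p)}


def simulate(spoofed_requests=1000):
    """Returns (exponentiations after the forged burst,
                exponentiations after one honest peer, honest peer got Y)."""
    r = Responder()
    # Burst of requests carrying a public value but no cookie, from addresses the
    # sender does not control: the responder answers each with a cookie only.
    for i in range(spoofed_requests):
        r.handle(src=f"203.0.113.{i % 256}", dst="192.0.2.1", peer_public=8)
    after_burst = r.exponentiations
    # Honest peer: receives the cookie and echoes it with its public value.
    first = r.handle(src="198.51.100.7", dst="192.0.2.1")
    reply = r.handle(src="198.51.100.7", dst="192.0.2.1",
                     cookie=first["cookie"], peer_public=8)
    return after_burst, r.exponentiations, "Y" in reply


if __name__ == "__main__":
    print(simulate())  # expected (0, 2, True)
```

The point the numbers make: every unconfirmed request costs the responder one keyed hash and no state, and the expensive exponentiations happen only for a peer that demonstrably received the cookie at the address it claimed.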
GROUPS
GROUPS SUPPORTED:
• Modular exponentiation with a 768-bit modulus
• Modular exponentiation with a 1024-bit modulus
• Modular exponentiation with a 1536-bit modulus
• Elliptic curve group over 2^155
• Elliptic curve group over 2^185
NONCES
• A nonce is a locally generated pseudorandom number
• Nonces appear in responses & are encrypted during certain portions of the key exchange to secure their use
AUTHENTICATION METHODS USED IN OAKLEY
Digital Signatures
Public Key Encryption
Secret Key Encryption
ISAKMP
ISAKMP provides:
A framework for Internet key management
The specific protocol support, including formats, for negotiation of security attributes.
ISAKMP by itself does not dictate a specific key exchange algorithm; rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms.
Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.
ISAKMP
ISAKMP: Internet Security Association and Key Management Protocol
Specifies key exchange formats
Each type of payload has the same form of payload header
Figure: ISAKMP header
ISAKMP PAYLOAD TYPES
SA: for establishing a security association
Proposal: for negotiating an SA
Transform: for specifying encryption and authentication algorithms
Key-exchange: for specifying a key-exchange algorithm
Identification: for carrying info and identifying peers
Certificate-request: for requesting a public-key certificate
ISAKMP PAYLOAD TYPES
Certificate: contains a public-key certificate
Hash: contains the hash value of a hash function
Signature: contains the output of a digital signature function
Nonce: contains a nonce
Notification: notifies the status of the other types of payloads
Delete: notifies the receiver that the sender has deleted an SA or SAs
Figure: generic payload header, with fields Next payload (8-bit), Reserved (8-bit), Payload length (16-bit)
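A parser for the generic payload header shown on this slide (8-bit Next payload, 8-bit Reserved, 16-bit Payload length) that walks a chain of payloads the way an ISAKMP receiver does. This is an added example, not code from the presentation. The payload type numbers are taken from RFC 2408; the sample message is constructed here (an SA payload followed by a Nonce payload). The length checks are the part a practitioner cares about: a crafted Payload length must not be allowed to slice past the bytes actually received.

```python
import struct

# Payload type numbers from RFC 2408 (ISAKMP), section 3.1.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key-exchange",
    5: "Identification", 6: "Certificate", 7: "Certificate-request",
    8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete",
}
# Generic payload header: Next payload (8), Reserved (8), Payload length (16),
# all fields big-endian; Payload length counts the 4-octet header itself.
HEADER = struct.Struct(">BBH")
HEADER_LEN = HEADER.size


def build_payload(next_payload, body):
    """Encode one payload: generic header followed by the body."""
    return HEADER.pack(next_payload, 0, HEADER_LEN + len(body)) + body


def parse_payload_chain(first_type, data):
    """Walk the payload chain that starts with the type named in the ISAKMP
    header's Next Payload field. Returns [(type_name, body), ...].
    Every length is checked against the bytes actually present before it is
    used to slice, so a crafted length cannot read past the message."""
    payloads = []
    offset, ptype = 0, first_type
    while ptype != 0:
        if ptype not in PAYLOAD_TYPES:
            raise ValueError(f"unknown payload type {ptype} at offset {offset}")
        if len(data) - offset < HEADER_LEN:
            raise ValueError(f"truncated payload header at offset {offset}")
        next_type, reserved, length = HEADER.unpack_from(data, offset)
        if length < HEADER_LEN:
            raise ValueError(f"payload length {length} smaller than its header")
        if offset + length > len(data):
            raise ValueError(f"payload length {length} exceeds message at offset {offset}")
        body = data[offset + HEADER_LEN: offset + length]
        payloads.append((PAYLOAD_TYPES[ptype], body))
        offset, ptype = offset + length, next_type
    if offset != len(data):
        raise ValueError(f"{len(data) - offset} trailing bytes after last payload")
    return payloads


# Constructed sample: the ISAKMP header would announce Next Payload = 1 (SA).
# The SA payload points at a Nonce payload (10); the Nonce payload ends the chain (0).
SAMPLE = (build_payload(10, b"\x00\x00\x00\x01")   # SA, body constructed
          + build_payload(0, bytes(range(16))))     # Nonce, 16 constructed bytes


if __name__ == "__main__":
    for name, body in parse_payload_chain(1, SAMPLE):
        print(f"{name}: {body.hex()}")
```

Three rejected cases are worth keeping in mind when reading the checks: a Payload length below 4 (which would loop forever or index backwards), a length larger than the remaining message, and a chain whose last payload does not end exactly at the end of the message.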
CONCLUSION
The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley.
Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security.
ISAKMP provides a framework for Internet key management.
REFERENCES
William Stallings, Cryptography and Network Security: Principles and Practice, Fourth Edition
THANK YOU