UNIT-IV

User Authentication: Remote User Authentication Principles, Kerberos.

Electronic Mail Security: Pretty Good Privacy (PGP) And S/MIME.

IP Security: IP Security Overview, IP Security Architecture, Authentication Header, Encapsulating

Security Payload, Combining Security Associations and Key Management.

REMOTE USER-AUTHENTICATION PRINCIPLES

In most computer security contexts, user authentication is the fundamental building block and the primary
line of defense. User authentication is the basis for most types of access control and for user
accountability

An Authentication process consists of two steps

Identification is the means by which a user provides a claimed identity to the system; user authentication
is the means of establishing the validity of the claim. Note that user authentication is distinct from
message authentication.

There are four general means of authenticating a user’s identity, which can be used alone or in
combination:

Something the individual knows: Examples include a password, a personal identification number
(PIN), or answers to a prearranged set of questions.

Something the individual possesses: Examples include cryptographic keys, electronic keycards, smart
cards, and physical keys. This type of authenticator is referred to as a token.

Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and
face.

Something the individual does (dynamic biometrics): Examples include recognition by voice pattern,
handwriting characteristics, and typing rhythm.

Mr.P.SOLMON, Assist.Professor, NIT Page 1

KERBEROS

INTRODUCTION:

Kerberos is a computer network authentication protocol which works on the basis of “tickets” to allow
nodes communication over a non secure network.

(Or) It is a secure method (service) to authenticate a request for a service in a computer network. It was
developed in “Athena Project” at MIT.

It provide authentication by using Secret-Key cryptography.

Use of Kerberos:

Kerberos is used for decreasing the burden for server, means; Kerberos will takes responsibility of
authentication.

It is designed for providing for strong authentication for client/server applications by using secret- key.

Versions: Kerberos Version4 Kerberos Version5

Characteristics of KERBEROS:

It is secure: it never sends a password unless it is encrypted.

Only a single login is required per session. Credentials defined at login are then passed between
resources without the need for additional logins.

The concept depends on a trusted third party – a Key Distribution Center (KDC). The KDC is aware
of all systems in the network and is trusted by all of them.

It performs mutual authentication, where a client proves its identity to a server and a server proves its
identity to the client.

Requirements Kerberos:

Secure: Kerberos should be strong enough that a potential opponent does not find it to bethe weak link.

Reliable: Kerberos should be highly reliable and should employ distributed server architecture with one
system able to back up another.

Transparent: Ideally, the user should not be aware that authentication is taking place beyond the
requirement to enter a password.

Scalable: The system should be capable of supporting large numbers of clients and servers.

Kerberos Version 4

Version 4 of Kerberos makes use of DES

Mr.P.SOLMON, Assist.Professor, NIT Page 2

A Simple Authentication Dialogue

In an unprotected network environment, any client can apply to any server for service. The obvious
security risk is that of impersonation. An opponent can pretend to be another client and obtain
unauthorized privileges on server machines. To counter this threat, servers must be able to confirm the
identities of clients who request service. Each server can be required to undertake this task for each
client/server interaction, but in an open environment, this places a substantial burden on each server.

An alternative is to use an Authentication server (AS) that knows the passwords of all users and stores
these in a centralized database. In addition, the AS shares a unique secret key with each server. These
keys have been distributed physically or in some other secure manner. Consider the following
hypothetical dialogue:

The user logs on to a workstation and requests access to server V. The client module C in the user’s
workstation requests the user’s password and then sends a message to the AS that includes the user’s ID,
the server’s ID, and the user’s password.

The AS checks its database to see if the user has supplied the proper password for this user ID and
whether this user is permitted access to server V. If both tests are passed, the AS accepts the user as
authentic and must now convince the server that this user is authentic. To do so, the AS creates a ticket
that contains the user’s ID and network address and the server’s ID. This ticket is encrypted using the
secret key shared by the AS and this server. This ticket is then sent back to C.

With this ticket, C can now apply to V for service. C sends a message to V containing C‟s ID and the
ticket. V decrypts the ticket and verifies that the user ID in the ticket is the same as the unencrypted
user ID in the message.

Problems:

The first problem is that the earlier scenario involved a plaintext transmission of the password [message
(1)]. An eavesdropper could capture the password and use any services accessible to the victim

An opponent could capture the ticket transmitted in message (2), then use the name IDC and transmit a
message of form (3) another workstation. The server would receive a valid ticket that matches the user ID

Mr.P.SOLMON, Assist.Professor, NIT Page 3

and grant access to the user on that other workstation. To prevent this attack, the AS includes in the ticket
the network address from which the original request came.

The second problem is we would like to minimize the number of times that a user has to enter a password.
Suppose each ticket can be used only once. If user C logs on to a workstation in the morning and wishes
to check his or her mail at a mail server, C must supply a password to get a ticket for the mail server. If C
wishes to check the mail several times during the day, each attempt requires reentering the password. We
can improve matters by saying that tickets are reusable. For a single logon session, the workstation can
store the mail server ticket after it is received and use it on behalf of the user.

A MORE SECURE AUTHENTICATION DIALOGUE

The main problem in A SIMPLE AUTHENTICATION DIALOGUE, the user must enter password for
every individual service.

Kerberos overcome this by using a new server, known as Ticket granting server (TGS). Now in Kerberos
we have two servers; AS and TGS.

The new service, TGS, issues tickets to users who have been authenticated to AS. Thus, the user first
requests a ticket-granting ticket ( ) from the AS.

The client module in the user workstation saves this ticket. Each time the user requires access to a new
service, the client applies to the TGS, using the ticket to authenticate itself. The TGS then grants a ticket
for the particular service. The client saves each service-granting ticket and uses it to authenticate its user to
a server each time a particular service is requested. Let us look at the details of this scheme:

The client requests a ticket-granting ticket on behalf of the user by sending its user’s ID to the AS,
together with the TGS ID, indicating a request to use the TGS service.

The AS responds with a ticket that is encrypted with a key that is derived from the user’s password ( ),
which is already stored at the AS. When this response arrives at the client, the client prompts the user
for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct
password is supplied, the ticket is successfully recovered.

The client requests a service-granting ticket on behalf of the user. For this purpose, the client transmits a
message to the TGS containing the user’s ID, the ID of the desired service, and the ticket-granting ticket.

Mr.P.SOLMON, Assist.Professor, NIT Page 4

The TGS decrypts the incoming ticket using a key shared only by the AS and the TGS and
verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime
has not expired. Then it compares the user ID and network address

with the incoming information to authenticate the user. If the user is permitted access to

the server V, the TGS issues a ticket to grant access to the requested service.

The client requests access to a service on behalf of the user. For this purpose, the client transmits a
message to the server containing the user’s ID and the service-granting ticket. The server authenticates by
using the contents of the ticket.

Mr.P.SOLMON, Assist.Professor, NIT Page 5

ELECTRONIC MAIL SECURITY

The protection of email from unauthorized access and inspection is known as electronic privacy. There
are mainly two methods for proving security for electronic mails

 Pretty Good Privacy

 S/MIME

Pretty Good Privacy:

In virtually all distributed environments, electronic mail is the most heavily used network based
application.

Introduction:

PGP is data encryption and decryption computer program that provides privacy (Confidentiality) and
authentication for data communication.

It was created by Phil Zimmermann in 1991

Use of PGP:

It is used in Electronic mail

File storage applications.

PGP is an open-source, freely available software package for e-mail security. It provides authentication
through the use of digital signature, confidentiality through the use of symmetric block encryption,
compression using the ZIP algorithm, and e-mail compatibility using the radix-64 encoding scheme.

PGP incorporates tools for developing a public-key trust model and public-key certificate management

PGP has grown explosively and is now widely used, because of following reasons:

It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX,
Macintosh, and many more. In addition, the commercial version satisfies users who want a product that
comes with vendor support.

It is based on algorithms that have survived extensive public review and are considered extremely secure.
Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption; CAST-128,
IDEA, and 3DES for symmetric encryption; andSHA-1 for hash coding.

It has a wide range of applicability, from corporations that wish to select and enforce a standardized
scheme for encrypting files and messages to individuals who wish to communicate securely with others
worldwide over the Internet and other networks.

It was not developed by, nor is it controlled by, any governmental or standards organization. For those
with an instinctive distrust of “the establishment,” this makes PGP attractive.

Mr.P.SOLMON, Assist.Professor, NIT Page 6

 NOTATIONS

The following symbols are used in PGP

PGP SERVICES

 authentication

 confidentiality

 compression

 e-mail compatibility

Function Algorithms Used Description

Digital DSS/SHA or A hash code of a message is created using SHA-1.This message

signature RSA/SHA digest is encrypted using DSS or RSA with the sender’s private
key and included with the message.

Message CAST or IDEA or A message is encrypted using CAST-128 or IDEA or 3DES with
encryption Three-key Triple a one-time session keygenerated by the sender. The session key is
DES with Diffie- encrypted using Diffie-Hellman or RSA with the recipient’s public
Hellman or RSA key and included with the message.

Compression ZIP A message may be compressed for storage or transmission using

ZIP.

E-mail Radix-64 conversion To provide transparency for e-mail applications, an encrypted

compatibility message may be converted to an ASCII string using radix-64
conversion.

Providing authentication by using PGP:

The sequence steps for providing authentication by using PGP

The sender creates a message.

SHA-1 is used to generate a 160-bit hash code of the message.

Mr.P.SOLMON, Assist.Professor, NIT Page 7

The hash code is encrypted with RSA using the sender’s private key, and the result ispretended to the
message.

The receiver uses RSA with the sender’s public key to decrypt and recover the hash code.

The receiver generates a new hash code for the message and compares it with the decrypted hash
code. If the two match, the message is accepted as authentic.

Confidentiality by using PGP

Steps for providing confidentiality:

 The sender generates a message and a random 128-bit number to be used as a session key for this
message only.

 The message is encrypted using CAST-128 (or IDEA or 3DES) with the session key.

 The session key is encrypted with RSA using the recipient’s public key and is prepended to the
message.

 The receiver uses RSA with its private key to decrypt and recover the session key.

 The session key is used to decrypt the message.

PGP for both authentication and confidentiality:

Mr.P.SOLMON, Assist.Professor, NIT Page 8

COMPRESSION

As a default, PGP compresses the message after applying the signature but before Encryption. This has
the benefit of saving space both for e-mail transmission and for file storage.

The signature is generated before compression for two reasons

So can store uncompressed message & signature for later verification

Message encryption is applied after compression to strengthen cryptographic security.

Because the compressed message has less redundancy than the original plaintext, cryptanalysis is more
difficult.

PGP uses ZIP compression algorithmE-MAIL COMPATIBILITY

When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service is
used, then the message digest is encrypted (with the sender’s private key). If the confidentiality service is
used, the message plus signature (if present) are encrypted (with a one- time symmetric key).Thus, part or
the entire resulting block consists of a stream of arbitrary 8-bit octets.

However, many electronic mail systems only permit the use of blocks consisting of ASCII text. To
accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a
stream of printable ASCII characters.

The scheme used for this purpose is radix-64 algorithm

 It maps 3 bytes to 4 printable chars

 It also appends a CRC to detect transmission errors PGP also segments messages if too big

 PGP Operation – Summary

Mr.P.SOLMON, Assist.Professor, NIT Page 9

S/MIME

Secure/Multipurpose Internet Mail Extension is a security enhancement to the MIME internet email
standard.

S/MIME is for industry standard for commercial and organizational use.

It defined in number of documents that is RFC 2630, RFC 2632, RFC 2633

E-mail format standard, RFC 822, which is still in common use. The most recent version of this format
specification is RFC 5322 (Internet Message Format).

RFC 5322 (Internet Message Format).

RFC 5322 defines a format for text messages that are sent using electronic mail. It has been the standard
for Internet-based text mail messages and remains in common use.

Message Structure

A message consists of some number of header lines (the header) followed by unrestrictedtext (the body).

A header line usually consists of a keyword, followed by a colon, followed by the keyword’s arguments

Example

Date: October 8, 2009 2:15:49 PM EDT From: William Stallings <ws@shore.net> Subject: The Syntax in
RFC 5322

To: Smith@Other-host.com

Cc: Jones@Yet-Another-Host.com

Hello. This section begins the actual message body, which is delimited from the message heading by a
blank line.

Multipurpose Internet Mail Extensions:

Multipurpose Internet Mail Extension (MIME) is an extension to the RFC 5322 framework that is
intended to address some of the problems and limitations of the use of Simple Mail Transfer Protocol
(SMTP).

The following are limitations of the SMTP/5322 scheme.

SMTP cannot transmit executable files or other binary objects. A number of schemes are in use

for converting binary files into a text form that can be used by SMTP mail systems.

SMTP cannot transmit text data that includes national language characters, because theseare

Represented by 8-bit codes, and SMTP is limited to 7-bit ASCII.

SMTP servers may reject mail message over a certain size.

Mr.P.SOLMON, Assist.Professor, NIT Page 10

SMTP gateways that translate between ASCII and the character code EBCDIC do not usea

Consistent set of mappings, resulting in translation problems.

SMTP gateways to X.400 electronic mail networks cannot handle non-textual data included in

X.400 messages.

Some SMTP implementations do not adhere completely to the SMTP standards defined in RFC

821. Common problems include:

Deletion, addition, or reordering of carriage return and linefeed

Truncating or wrapping lines longer than 76 characters

Removal of trailing white space (tab and space characters)

Padding of lines in a message to the same length

Conversion of tab characters into multiple space characters

MIME is intended to resolve these problems in a manner that is compatible with existing RFC 5322
implementations. The specification is provided in RFCs 2045 through 2049.

MIME has 5 header fields

The five header fields defined in MIME are

MIME-Version: Must have the parameter value 1.0.

Content-Type: Describes the data contained in the body with sufficient detail that the receiving

user agent can pick an appropriate agent or mechanism to represent the data to the user

Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent

the body of the message in a way that is acceptable for mail transport.

Content-ID: Used to identify MIME entities uniquely in multiple contexts.

Content-Description: A text description of the object with the body; this is useful whenthe

object is not readable (e.g., audio data).

Mr.P.SOLMON, Assist.Professor, NIT Page 11

Mime Content Types

Describes the data contained in the body with sufficient detail

Example

Here is a simple example of a multipart message containing two parts--both consisting of simple
text

From: Nathaniel Borenstein nsb@bellcore.com>To: Ned Freed <ned@innosoft.com>

Subject: Sample messageMIME-Version: 1.0

Content-type: multipart/mixed; boundary="simple boundary“

This is the preamble. It is to be ignored, though it is a handy place for mail composers to include an

explanatory note to non-MIME conformant readers.

—simple boundary

Content-type: text/plain; charset=us-ascii

This is explicitly typed plain ASCII text. It DOES end with a line break.

S/MIME Functionality

In terms of general functionality, S/MIME is very similar to PGP. Both offer the ability to sign and/or
encrypt messages. In this subsection, we briefly summarize S/MIME capability.

S/MIME provides the following functions.

Enveloped data: This consists of encrypted content of any type and encrypted-content encryption keys for
one or more recipients.

Mr.P.SOLMON, Assist.Professor, NIT Page 12

Signed data: A digital signature is formed by taking the message digest of the content to be signed and
then encrypting that with the private key of the signer. The content plus signature are then encoded using
base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.

1 e n c o d e d (message + signed digest)

Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case,
only the digital signature is encoded using base64.As a result, recipients without S/MIME capability can
view the message content, although theycannot verify the signature.

1 clear text message + encoded (signed digest)

Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data
may be signed and signed data or clear-signed data may be encrypted.

o nesting of signed & encrypted entities

CRYPTOGRAPHIC ALGORITHMS

S/MIME uses the following terminology taken from RFC 2119 (Key Words for use in RFCs to Indicate
Requirement Levels) to specify the requirement level:

MUST: The definition is an absolute requirement of the specification. An implementation must include
this feature or function to be in conformance with the specification.

SHOULD: There may exist valid reasons in particular circumstances to ignore this feature or function,
but it is recommended that an implementation include the feature or function.

S/MIME incorporates three public-key algorithms. The Digital Signature Standard (DSS) is the preferred
algorithm for digital signature.

Mr.P.SOLMON, Assist.Professor, NIT Page 13

CRYPTOGRAPHY AND NETWORK SECURITY

IP SECURITY OVERVIEW

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data
authentication, integrity, and confidentiality as data is transferred between communication points across
IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is
organized for transmission across a network, and it includes a header and payload (the data in the packet).
IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could
be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting
data while in transit.

IPSEC SECURITY FEATURES

IPSec is the most secure method commercially available for connecting network sites. IPSec was
designed to provide the following security features when transferring packets across networks:

Authentication: Verifies that the packet received is actually from the claimed sender.

Integrity: Ensures that the contents of the packet did not change in transit.

Confidentiality: Conceals the message content through encryption.

IPSEC ELEMENTS

IPSec contains the following elements:

Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.

Authentication Header (AH): Provides authentication and integrity.

Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

APPLICATIONS OF IPSEC

IPSec provides the capability to secure communications across a LAN, across private and public WANs,
and across the Internet. Examples of its use include the following:

Secure branch office connectivity over the Internet

Secure remote access over the Internet

Establishing extranet and intranet connectivity with partners: IPSec can be used to secure
communication with other organizations, ensuring authentication and confidentiality and providing a key
exchange mechanism.

Enhancing electronic commerce security: Even though some Web and electronic commerce
applications have built-in security protocols, the use of IPSec enhances that security.

Mr.P.SOLMON, Assist.Professor, NIT Page 14

 Figure: An IP Security Scenario

BENEFITS OF IPSEC

IPSec provides strong security within and across the LANs.

Firewall uses IPSec to restrict all those incoming packets which are not using IP. Since firewall is the
only way to enter into an organization, restricted packets cannot enter.

IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.

There is no need to change software on a user or server system when IPSec is implemented in the firewall
or router. Even if IPSec is implemented in end systems, upper- layer software, including applications, is not
affected.

IPSec can be transparent to end users.

IPSec can provide security for individual users if needed.

IP SECURITY ARCHITECTURE

Mainly the IPSec is constituted by three major components.

 IPSec Documents

 IPSec Services

 Security Associations (SA)

IP Sec Documents:

The IPSec specification consists of numerous documents. The most important of these, issued in
November of 1998, are RFCs 2401, 2402, 2406, and 2408:

RFC 2401: An overview of security architecture

RFC 2402: Description of a packet authentication extension to IPv4 and IPv6

RFC 2406: Description of a packet encryption extension to IPv4 and IPv6

Mr.P.SOLMON, Assist.Professor, NIT Page 15

RFC 2408: Specification of key management capabilities

The header for authentication is known as the Authentication header (AH); that for encryption is known as
the Encapsulating Security Payload (ESP) header.

The documents are divided into seven groups, as depicted in Figure

Figure: IPSec Document Overview

Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining
IPSec technology.

Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of
the ESP for packet encryption and, optionally, authentication.

Authentication Header (AH): Covers the packet format and general issues related to the use of AH for
packet authentication.

Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for
ESP.

Authentication Algorithm: A set of documents that describe how various authentication algorithms are
used for AH and for the authentication option of ESP.

Key Management: Documents that describe key management schemes.

Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each
other. These include identifiers for approved encryption and authentication algorithms, as well as
operational parameters such as key lifetime.

IPSec Services:

IPSec provides security services at the IP layer by selecting required security protocols, algorithms and
cryptographic keys as per the services requested.

Two protocols are used to provide security:

An authentication protocol designated by the header of the protocol, Authentication Header (AH)

Mr.P.SOLMON, Assist.Professor, NIT Page 16

and a combined encryption/authentication protocol designated by the format of the packet for that
protocol, Encapsulating Security Payload (ESP).

These services are

 Access control

 Connectionless integrity

 Data origin authentication

 Rejection of replayed packets

 Confidentiality

 Limited traffic flow confidentiality

Security Associations

A key concept that appears in both the authentication and confidentiality mechanisms for IP is the
security association (SA). An association is a one-way relationship between a sender and a receiver that
affords security services to the traffic carried on it. If a peer relationship is needed, for two-way secure
exchange, then two security associations are required. Security services are afforded to an SA for the use
of AH or ESP, but not both.

A security association is uniquely identified by three parameters:

Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only.
SPI is located in AH and ESP headers. SPI enables the receiving system under which the packet is to
process.

IP Destination Address: It is the end point address of SA which can be end user system or a network
system.

Security Protocol Identifier: security protocol identifier indicates whether the associationsis an AH or
ESP.

Mr.P.SOLMON, Assist.Professor, NIT Page 17

SA Parameters

The implementation of IPSec contain SA database which identifies the parameters related to SA.

Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP
headers.

Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter
should generate an auditable event and prevent further transmission of packets on this SA.

Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay

AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with
AH.

ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes,
and related parameters being used with ESP (required for ESP implementations).

Lifetime of This Security Association: A time interval or byte count after which an SA must be replaced
with a new SA or terminated.

IPSec Protocol Mode: This parameter represents the type of mode used for IPSec implementation.
The mode may be a Tunnel or transport.

Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be
transmitted).

SA Selectors

IPSec provides flexibility in providing services to the users according to their needs. For this purpose,
SA’s are used. Different combinations of SA’s can give different user configurations. IPSec is also
capable of differentiating traffic i.e., which traffic is allowed to pass and which traffic should be
forwarded the IPSec protection. The property of IPSec requires the traffic to be associated with a security
association. To associate a particular SA to IP traffic IPSec maintains a database called Security Policy
Database (SPD).

SPD is table entries which maps a set of IP traffic to a single or more SAs.

Selectors are basically used to define policy that specifies which packet should be forwarded and which
packet should be rejected to filter outgoing traffic.

A sequence of steps is performed on the outgoing traffic,

Compare the values of the appropriate fields in the packet (the selector fields) against the SPD to find a
matching SPD entry, which will point to zero or more SAs.

Determine the SA if any for this packet and its associated SPI. Security Parameter Index(SPI) is one of
the fields of IPSec header which is a unique identifier to identify a security association.

Mr.P.SOLMON, Assist.Professor, NIT Page 18

Do the required IPSec processing (i.e., AH or ESP processing). The following selectors determine an SPD
entry:

Destination IP Address: This may be a single IP address, an enumerated list or range ofaddresses.

Source IP Address: This may be a single IP address, an enumerated list or range of addresses.

User ID: A user identifier from the operating system. This is not a field in the IP or upper-layer headers
but is available if IPSec is running on the same operating system as the user.

Data Sensitivity Level: Used for systems providing information flow security (e.g., Secret or
Unclassified).

Transport Layer Protocol: Obtained from the IPv4 Protocol or IPv6 Next Header field. This may be an
individual protocol number, a list of protocol numbers, or a range of protocol numbers.

Source and Destination Ports: These may be individual TCP or UDP port values, an enumerated list of
ports, or a wildcard port.

Transport and Tunnel Modes

Both AH and ESP support two modes of use: transport and tunnel mode.

The operation of these two modes is best understood in the context of a description of AH and ESP.

Transport Mode:

Transport mode provides protection primarily for upper-layer protocols. That is, transport mode
protection extends to the payload of an IP packet. Transport mode is used for end-to-end communication
between two hosts. ESP in transport mode encrypts and optionally authenticates the IP payload but not the
IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.

Tunnel Mode:

Tunnel mode provides protection to the entire IP packet. To achieve this, after the AH or ESP fields are
added to the IP packet, the entire packet plus security fields is treated as the payload of new "outer" IP
packet with a new outer IP header. The entire original, or inner, packet travels through a "tunnel" from
one point of an IP network to another; no routers along the way are able to examine the inner IP header.
Because the original packet is encapsulated, the new, larger packet may have totally different source and
destination addresses, adding to the security.

Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router
that implements IPSec. ESP in tunnel mode encrypts and optionally authenticates the entire inner IP
packet, including the inner IP header. AH in tunnel mode authenticates the entire inner IP packet and
selected portions of the outer IP header.

Mr.P.SOLMON, Assist.Professor, NIT Page 19

AUTHENTICATION HEADER (AH):

The Authentication Header provides support for data integrity and authentication of IP packets. Data
integrity service insures that data inside IP packets is not altered during the transit. The authentication
feature enables an end system to authenticate the user or application and filter traffic accordingly. It also
prevents the address spoofing attacks (A technique used to gain unauthorized access to computers,
whereby the intruder sends messages to a computer with an IP address indicating that the message is
coming from a trusted host).Authentication is based on the use of a message authentication code
(MAC)i.e.; two communication parties must share a secret key.

Figure: IPSec Authentication Header

The Authentication Header consists of the following fields

Next Header (8 bits): Identifies the type of header that immediately following the AH.

Payload Length: Length of Authentication Header in 32-bit words.

Reserved (16 bits): For future use.

Security Parameters Index (32 bits): Identifies a security association.

Sequence Number (32 bits): A monotonically increasing counter value.

Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words)
that contains the Integrity Check Value (ICV), or MAC, for this packet.

Anti-Replay Service:

A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it
to the intended destination. The receipt of duplicate, authenticated IP packets may disrupt service in some
way or may have some other undesired consequence. The Sequence Number field is designed to stop such
attacks.

Figure: Antireplay Mechanism

Mr.P.SOLMON, Assist.Professor, NIT Page 20

When a new SA is established, the sender initializes a sequence number counter to 0. Each time that a
packet is sent on this SA, the sender increments the counter and places the value in the Sequence Number
field. Thus, the first value to be used is 1. If anti-replay is enabled (the default), the sender must not allow
the sequence number to cycle past 232-1 back to zero. Otherwise, there would be multiple valid packets
with the same sequence number. If the limit of 232-1 is reached, the sender should terminate this SA and
negotiate a new SA with a new key. IP is a connectionless, unreliable service, the protocol does not
guarantee that packets will be delivered in order and does not guarantee that all packets will be delivered.
Therefore, the IPSec authentication document dictates that the receiver should implement a window of
size W, with a default of W = 64. The right edge of the window represents the highest sequence number,
N, so far received for a valid packet. For any packet with a sequence number in the range from N-W+ 1 to
N that has been correctly received (i.e., properly authenticated), the corresponding slot in the window is
marked (Figure).

Inbound processing proceeds as follows when a packet is received:

If the received packet falls within the window and is new, the MAC is checked. If the packet is
authenticated, the corresponding slot in the window is marked.

If the received packet is to the right of the window and is new, the MAC is checked. If the packet is
authenticated, the window is advanced so that this sequence number is the right edge of the window, and
the corresponding slot in the window is marked.

If the received packet is to the left of the window, or if authentication fails, the packet is discarded;
this is an auditable event.

Integrity Check Value:

The Authentication Data field holds a value referred to as the Integrity Check Value. The ICV is a
message authentication code or a truncated version of a code produced by a MAC algorithm.

Transport and Tunnel Modes:

There are two ways in which the IPSec authentication service can be used. In one case, authentication is
provided directly between a server and client workstations; the workstation can be either on the same
network as the server or on an external network. As long as the workstation and the server share a protected
secret key, the authentication process is secure. This case uses a transport mode SA. In the other case, a
remote workstation authenticates itself to the corporate firewall, either for access to the entire internal
network or because the requested server does not support the authentication feature. This case uses a
tunnel mode SA.

Mr.P.SOLMON, Assist.Professor, NIT Page 21

 Figure: End-to-End versus End-to-Intermediate Authentication

Encapsulating Security Payload (ESP):

The Encapsulating Security Payload provides confidentiality services, including confidentiality of

message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide an
authentication service.

ESP Format:

It contains the following fields:

Security Parameters Index (32 bits): Identifies a security association.

Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti- replay
function, as discussed for AH.

Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode)
that is protected by encryption.

Padding (0-255 bytes): The purpose of this field is discussed later.

Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.

Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the
first header in that.

Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words)
that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data
field.

Mr.P.SOLMON, Assist.Professor, NIT Page 22

Encryption and Authentication Algorithms:

The Payload Data, Padding, Pad Length, and Next Header fields are encrypted by the ESP.

Various algorithms used for encryption are: Three-key triple DES, RC5, IDEA, Three-key triple IDEA,
CAST, and Blowfish

Padding:

The Padding field serves several purposes:

If an encryption algorithm requires the plaintext to be a multiple of some number of bytes. The Padding
field is used to expand the plaintext to the required length.

The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word.
Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this
alignment.

Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual
length of the payload.

Transport and Tunnel Modes:

Figure shows two ways in which the IPSec ESP service can be used. In the upper part of the figure,
encryption (and optionally authentication) is provided directly between two hosts. Figure( b) shows how
tunnel mode operation can be used to set up a virtual private network. In this example, an organization
has four private networks interconnected across the Internet. Hosts on the internal networks use the
Internet for transport of data but do not interact with other Internet-based hosts. By terminating the
tunnels at the security gateway to each internal network, the configuration allows the hosts to avoid
implementing the security capability. The former technique is support by a transport mode SA, while the
latter technique uses a tunnel mode SA.

Mr.P.SOLMON, Assist.Professor, NIT Page 23

COMBINING SECURITY ASSOCIATIONS:

An individual SA can implement either the AH or ESP protocol but not both. Sometimes a particular
traffic flow will call for the services provided by both AH and ESP. Further, a particular traffic flow may
require IPSec services between hosts and, for that same flow, separate services between security
gateways, such as firewalls. In all of these cases, multiple SAs must be employed for the same traffic flow
to achieve the desired IPSec services. The term security association bundle refers to a sequence of SAs
through which traffic must be processed to provide a desired set of IPSec services.

Security associations may be combined into bundles in two ways:

Transport adjacency: Refers to applying more than one security protocol to the same IP packet,
without invoking tunneling. Iterated tunneling: Refers to the application of multiple layers of security
protocols affected through IP tunneling.

KEY MANAGEMENT:

The key management portion of IPSec involves the determination and distribution of secret keys. A
typical requirement is four keys for communication between two applications: transmit and receive pairs
for both AH and ESP.

The IPSec Architecture document mandates support for two types of key management:

Manual: A system administrator manually configures each system with its own keys and with the keys of
other communicating systems. This is suitable for small, relatively static environments.

Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use
of keys in a large distributed system.

The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley and consists
of the following elements:

Oakley Key Determination Protocol

Internet Security Association and Key Management Protocol (ISAKMP) Oakley Key Determination
Protocol:

Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security.
Oakley is generic in that it does not dictate specific formats.

The Diffie-Hellman algorithm has two attractive features:

 Secret keys are created only when needed.

 The exchange requires no preexisting infrastructure other than an agreement on the global
parameters.

 However, there are a number of weaknesses to Diffie-Hellman, as pointed out in

 It does not provide any information about the identities of the parties.

Mr.P.SOLMON, Assist.Professor, NIT Page 24

  It is subject to a man-in-the-middle attack

It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which an opponent

requests a high number of keys.

Oakley is designed to retain the advantages of Diffie-Hellman while countering its weaknesses.

Features of Oakley:

The Oakley algorithm is characterized by five important features:

 It employs a mechanism known as cookies to thwart clogging attacks.

 It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of
the Diffie-Hellman key exchange.

 It uses nonce’s to ensure against replay attacks.

 It enables the exchange of Diffie-Hellman public key values.

 It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.

Internet Security Association and Key Management Protocol (ISAKMP):

ISAKMP provides a framework for Internet key management and provides the specific protocol support,
including formats, for negotiation of security attributes.

ISAKMP Header Format:

An ISAKMP message consists of an ISAKMP header followed by one or more payloads. All of this is
carried in a transport protocol. The specification dictates that implementations must support the use of
UDP for the transport protocol.

Mr.P.SOLMON, Assist.Professor, NIT Page 25

It consists of the following fields:

Initiator Cookie (64 bits): Cookie of entity that initiated SA establishment, SA notification, or SA
deletion.

Responder Cookie (64 bits): Cookie of responding entity; null in first message from initiator.

Next Payload (8 bits): Indicates the type of the first payload in the message

Major Version (4 bits): Indicates major version of ISAKMP in use.

Minor Version (4 bits): Indicates minor version in use.

Exchange Type (8 bits): Indicates the type of exchange.

Flags (8 bits): Indicates specific options set for this ISAKMP exchange.

Message ID (32 bits): Unique ID for this message.

Length (32 bits): Length of total message (header plus all payloads) in octets.

Mr.P.SOLMON, Assist.Professor, NIT Page 26