Monday, 23 September 2024

IPSec Architecture


Components of IPSec Architecture

IPSec architecture defines the concepts and mechanisms required for securing data transmission at the IP layer, which include the following:

  1. Security Association
  2. Security Protocols - AH and ESP
  3. Key Management Protocol - IKE
  4. Databases - SPD and SAD


Figure: IPSec Architecture



Security Associations

  • A security association (SA) is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it
  • If a peer relationship is needed for two-way secure exchange, then two security associations are required
  • A Security Association is uniquely identified by three parameters:
    • Security Parameter Index (SPI)
    • IP Destination Address
    • Security Protocol Identifier
  • The SA parameters are defined as follows:
    • The SPI is a bit string assigned to this SA; it is carried in the AH or ESP header so that the receiving system can identify the SA under which the packet is to be processed
    • The IP Destination Address identifies the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router
    • The Security Protocol Identifier indicates which protocol (AH or ESP) secures the data transmission in the SA

Security Association Database (SAD):

The SAD defines each SA with the following set of parameters:
  • Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers
  • Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA
  • Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay
  • AH Information: The authentication algorithm, keys, key lifetimes and related parameters used with AH
  • ESP Information: The encryption and authentication algorithms, keys, initialization values, key lifetimes and related parameters used with ESP
  • Lifetime of This Security Association: A time interval or byte count after which the SA must be replaced with a new SA or terminated
  • IPSec Protocol Mode: The mode of operation used: Tunnel, Transport or Wildcard
  • Path MTU: Any observed path maximum transmission unit (the largest packet that can be transmitted without fragmentation) and aging variables

Security Policy Database (SPD):
  • The SPD contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic
  • Each SPD entry is defined by a set of IP and upper-layer protocol field values, called selectors (SA selectors)
  • These selectors are used to filter outgoing traffic in order to map it into a particular SA
  • The selectors that determine an SPD entry are as follows:
    • Destination IP Address: This may be a single IP address, an enumerated list or a range of addresses
    • Source IP Address: This may be a single IP address, an enumerated list or a range of addresses
    • UserID: A user identifier from the operating system. This is available only if IPSec is running on the same OS as the user
    • Data Sensitivity Level: Used for systems providing information flow security
    • Transport Layer Protocol: Obtained from the IPv4 Protocol field or the IPv6 Next Header field
    • Source and Destination Ports: These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port
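As an added example (not part of the original post), the following Python models the two databases just described: an SPD whose selectors map an outbound packet to the identifying triple of an SA, and the per-SA anti-replay window kept in the SAD. The SPD entry, addresses, ports and SPI value are constructed for illustration, and the window logic is a generic sliding window rather than any particular implementation.

```python
import ipaddress
from dataclasses import dataclass, field

def packet(src, dst, proto, dport):
    # Constructed selector fields of one outbound packet.
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}

@dataclass
class SPDEntry:
    src: ipaddress.IPv4Network     # source address range selector
    dst: ipaddress.IPv4Network     # destination address range selector
    proto: str                     # transport-layer protocol selector
    dst_ports: frozenset           # enumerated port list; empty = wildcard
    sa_id: tuple                   # (SPI, destination address, security protocol)
    def matches(self, pkt):
        return (pkt["src"] in self.src and pkt["dst"] in self.dst
                and pkt["proto"] == self.proto
                and (not self.dst_ports or pkt["dport"] in self.dst_ports))

def spd_lookup(spd, pkt):
    # First matching entry wins; None means no SA applies to this traffic.
    for entry in spd:
        if entry.matches(pkt):
            return entry.sa_id
    return None

@dataclass
class ReplayWindow:
    # Inbound SAD state: highest sequence number received plus the numbers already accepted.
    size: int = 32
    highest: int = 0
    seen: set = field(default_factory=set)
    def accept(self, seq):
        if seq > self.highest:                 # advances the window
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size:    # older than the window: drop
            return False
        if seq in self.seen:                   # already accepted: replay
            return False
        self.seen.add(seq)
        return True

# Constructed SPD: TCP/443 between two sites maps to one ESP SA ending at the peer gateway.
SPD = [SPDEntry(ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24"),
                "tcp", frozenset({443}), (0x1001, "198.51.100.1", "ESP"))]
```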
Authentication Header (AH):
  • AH is a security protocol used within the IPSec suite
  • It confirms that the data originates from the expected source
  • Its primary function is to ensure that the data remains unmodified during the transmission from the source to the destination
  • AH achieves authentication by adding a header to IP packets, containing a checksum and a digital signature
Figure: Format of the AH Header

Encapsulating Security Payload (ESP):
  • ESP consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication

Two Modes of Operation in IPSec

  • Both AH and ESP support two modes of operation: transport mode and tunnel mode.
  • Transport mode provides protection primarily for upper-layer protocols by protecting the payload of an IP packet, whereas tunnel mode protects the entire IP packet.
Transport Mode:
  • Transport mode is used for end-to-end communication between two hosts (e.g., a client and a server, or two workstations)
  • Transport mode encrypts only the packet's payload and leaves the IP header in its original form.
  • The unencrypted header allows routers to read the destination address of each packet. IPSec transport mode is therefore used within a closed, trusted network, for example to secure a direct connection between two computers.
  • ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
  • AH in transport mode authenticates the IP payload and selected portions of the IP header

Tunnel Mode:
  • IPSec tunnel mode is suitable for transferring data over public networks, as it protects the data from unauthorized parties.
  • The sending system encrypts the entire packet, including the payload and the header, and adds a new IP header to it.


Friday, 20 September 2024

IP Security (IPSec) Protocol


IP Security (IPSec)

  • One of the key areas identified by Internet Architecture Board (IAB) in securing Internet communication is securing the network infrastructure from unauthorized users.
  • Securing the network infrastructure can be done by implementing the following:
    1. Monitoring and controlling the network traffic
    2. Securing end-user-to-end-user traffic using authentication and encryption techniques
  • An enterprise can run a secure, private IP network by doing the following:
    • Disallowing links to untrusted sites
    • Encrypting packets that leave the premises, and
    • Authenticating packets that enter the premises

  • IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet
  • Implementing security at the IP level can help an organization secure networking through which applications can communicate with the external world
  • IPv6 is the next-generation IP that fully implements IPSec by including the security features such as authentication and encryption.

 

IP Vs IPSec

  • Internet Protocol (IP) is the common standard that determines how data travels over the Internet.
  • IPsec (IP Security), on the other hand, is a suite of security protocols added as an extension to the IP layer:
    • IPSec adds encryption and authentication to make IP more secure: it scrambles the data at its source and unscrambles it at its destination, and it authenticates the source of the data.
    • IPsec can ensure a secure connection between two computing devices over unprotected IP networks, such as the Internet.
    • IPsec is a capability built over IP (IPv4 and IPv6) by means of additional headers. It consists of three distinct functions: authentication, confidentiality and key management
  • IPSec can be added to the current version of the Internet Protocol (IPv4) by means of additional headers

 



Key Functions of IPSec

IP-level security encompasses three functional areas namely:

  1. Authentication
  2. Confidentiality
  3. Key Management
Authentication:
  • The authentication mechanism assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header
  • It also assures that the packet has not been altered in transit.
Confidentiality:
  • The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
Key Management:
  • The key management facility is concerned with the secure exchange of keys among two communicating parties


 
Figure: An IP Security Scenario
 
  • When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. 
  • Some of the applications of IPSec are as follows:
    • Secure branch office connectivity over the Internet
    • Secure remote access over the Internet
    • Establish extranet and intranet connectivity with partners
    • Enhance electronic commerce security

 

How does IPSec work?

Computers exchange data with the IPSec protocol through the following steps. 

  1. The sender computer determines if the data transmission requires IPSec protection by verifying against its security policy. If it does, the computer initiates secure IPSec transmission with the recipient computer.
  2. Both computers negotiate the requirements to establish a secure connection. This includes mutually agreeing on the encryption, authentication, and other security association (SA) parameters. 
  3. The computer sends and receives encrypted data, validating that it came from trusted sources. It performs checks to ensure the underlying content is reliable. 
  4. Once the transmission is complete or the session has timed out, the computer ends the IPSec connection.

 
 
Figure: IPSec Architecture

  • IPSec protocols send data packets securely.  A data packet is a specific structure that formats and prepares information for network transmission. 
  • A data packet in IPSec consists of a header, payload, and trailer:
    • A header is a preceding section that contains instructional information for routing the data packet to the correct destination. 
    • Payload is a term that describes the actual information contained within a data packet.
    • The trailer is additional data appended to the tail of the payload to indicate the end of the data packet. 

 

The three protocols defined in IPSec

IPsec is a suite of three transport-level protocols used for authenticating the origin and content of IP packets and optionally for data payload encryption.

Authentication header (AH):
  • The authentication header (AH) protocol adds a header that contains sender authentication data and protects the packet contents from modification by unauthorized parties.  It alerts the recipient of possible manipulations of the original data packet. 
  • When receiving the data packet, the computer compares the cryptographic hash calculation from the payload with the header to ensure both values match.  A cryptographic hash is a mathematical function that summarizes data into a unique value. 
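The hash-and-compare check described here, together with the point made in the IPSec Architecture post above that AH covers only selected portions of the IP header, as an added Python example that is not part of the original post: the integrity check value is an HMAC-SHA256 over the payload and the header fields that do not change in transit, so a router rewriting the TTL does not break verification while any change to the payload or to the destination address does. The key, header fields, payload, header encoding and the list of mutable fields are all constructed or simplified for illustration.

```python
import hmac
import hashlib

# Header fields that legitimately change hop by hop are zeroed before the
# ICV is computed, so routers can rewrite them without invalidating AH.
# The list is a simplification of the real mutable-field rules.
MUTABLE_FIELDS = ("ttl", "checksum")

def ah_icv(key, header, payload):
    # HMAC-SHA256 over the immutable header fields plus the payload. The
    # header is a constructed dict, not the on-the-wire IP header layout.
    fixed = sorted((k, 0 if k in MUTABLE_FIELDS else v) for k, v in header.items())
    return hmac.new(key, repr(fixed).encode() + payload, hashlib.sha256).digest()

def ah_verify(key, header, payload, icv):
    # Constant-time comparison of the recomputed ICV with the one carried in AH.
    return hmac.compare_digest(ah_icv(key, header, payload), icv)

def demo():
    key = b"constructed-sa-authentication-key"      # in practice taken from the SA
    header = {"src": "10.0.1.5", "dst": "10.0.2.7", "proto": 6, "ttl": 64, "checksum": 0x1a2b}
    payload = b"GET /index.html HTTP/1.1\r\n"
    icv = ah_icv(key, header, payload)                # computed by the sender

    forwarded = dict(header, ttl=61, checksum=0)      # routers decremented TTL, fixed checksum
    altered_payload = payload.replace(b"index", b"other")
    rerouted = dict(forwarded, dst="10.0.2.99")
    return (ah_verify(key, forwarded, payload, icv),          # True: only mutable fields changed
            ah_verify(key, forwarded, altered_payload, icv),  # False: payload modified
            ah_verify(key, rerouted, payload, icv))           # False: immutable header field modified

if __name__ == "__main__":
    print(demo())
```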
Encapsulating security payload (ESP):
  • The encapsulating security payload (ESP) protocol performs encryption on the entire IP packet or only the payload. 
  • ESP adds a header and trailer to the data packet upon encryption. 
Internet key exchange (IKE):
  • Internet key exchange (IKE) is a protocol that establishes a secure connection between two devices on the internet. 
  • Both devices set up security association (SA), which involves negotiating encryption keys and algorithms to transmit and receive subsequent data packets. 

Tuesday, 17 September 2024

Ex-2: Implementing Play-fair Cipher for Encryption/Decryption


Implementation in C:

#include <stdio.h>

/*
 * Position-dependent substitution over a 9x9 character table: each character
 * is replaced by the one l cells further along the table (row-major order),
 * where l is its position within the current word. A space resets l, so a
 * space always encrypts to '!' and decryption treats '!' as the word boundary
 * (a plaintext character that happens to encrypt to '!' therefore does not
 * decrypt correctly; that is a limitation of the scheme itself).
 */
#define ROWS 9
#define COLS 9
#define CELLS (ROWS * COLS)
#define MAXLEN 250

int main(void)
{
    int ch;
    char msg[MAXLEN], ctxt[MAXLEN], dtxt[MAXLEN];
    char crypt[ROWS][COLS] = {
        {'a','e','i','o','u','b','c','d','.'},
        {'f','g','h','j','k','l','m','n',','},
        {'p','q','r','s','t','v','w','x','/'},
        {'y','z','0','1','2','3','4','5','-'},
        {'6','7','8','9','A','E','I','O','+'},
        {'U','B','C','D','F','G','H','J','?'},
        {'K','L','M','N','P','Q','R','S',':'},
        {'T','V','W','X','Y','Z',' ','!',';'},
        {'`','~','@','#','$','%','^','&','*'}
    };
    int i = 0, j, k, l = 0, idx;

    printf("Enter Your Message\n");
    /* read one line, leaving room for the terminator */
    while (i < MAXLEN - 1 && (ch = getchar()) != EOF && ch != '\n') {
        if (ch == ' ')
            l = 0;              /* a new word starts: restart the shift */
        l++;
        msg[i] = (char)ch;
        ctxt[i] = (char)ch;     /* characters not in the table pass through */
        for (j = 0; j < ROWS; j++)
            for (k = 0; k < COLS; k++)
                if (ch == crypt[j][k]) {
                    /* shift l cells in row-major order, wrapping around the
                       whole table; the original single-wrap arithmetic
                       indexed past the row for shifts of 10 or more */
                    idx = (j * COLS + k + l) % CELLS;
                    ctxt[i] = crypt[idx / COLS][idx % COLS];
                }
        i++;
    }
    msg[i] = '\0';
    ctxt[i] = '\0';
    printf("\nYour Input Message is: %s\n", msg);
    printf("\nThe Cipher Text is : %s\n", ctxt);

    i = 0;
    l = 0;
    while (ctxt[i] != '\0') {
        ch = ctxt[i];
        if (ch == '!')
            l = 0;              /* '!' is the encrypted space: new word */
        l++;
        dtxt[i] = (char)ch;
        for (j = 0; j < ROWS; j++)
            for (k = 0; k < COLS; k++)
                if (ch == crypt[j][k]) {
                    /* shift back l cells; C's % keeps the sign, so fix it up */
                    idx = (j * COLS + k - l) % CELLS;
                    if (idx < 0)
                        idx += CELLS;
                    dtxt[i] = crypt[idx / COLS][idx % COLS];
                }
        i++;
    }
    dtxt[i] = '\0';
    printf("\nThe Original Text is : %s\n", dtxt);
    return 0;
}

Tuesday, 10 September 2024

Ex-1: Encryption and Decryption using Caesar Cipher


Java Program:

package ceasercipher;

/**
 *
 * @author MAXHUB
 */

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class CeaserCipher {

    // One reader for all console input. Mixing a BufferedReader with a Scanner
    // on System.in lets the reader buffer the key line away from the Scanner,
    // so the key is read from the same reader as the message.
    static BufferedReader br = new BufferedReader(new InputStreamReader(System.in));

    public static void main(String[] args) throws IOException {
        System.out.print("Enter any String:");
        String str = br.readLine();
        System.out.print("\nEnter the Key:");
        int key = Integer.parseInt(br.readLine().trim());

        String encrypted = encrypt(str, key);
        System.out.println("\nEncrypted String is:" + encrypted);
        String decrypted = decrypt(encrypted, key);
        System.out.println("\nDecrypted String is:" + decrypted);
        System.out.println("\n");
    }

    // Reduce any key, including a negative one, to a shift in the range 0..25
    // so that the single wrap-around check below is always sufficient.
    private static int normalize(int key) {
        return ((key % 26) + 26) % 26;
    }

    public static String encrypt(String str, int key) {
        int shift = normalize(key);
        StringBuilder encrypted = new StringBuilder();
        for (int i = 0; i < str.length(); i++) {
            int c = str.charAt(i);
            if (Character.isUpperCase(c)) {
                c = c + shift;
                if (c > 'Z')
                    c = c - 26;
            } else if (Character.isLowerCase(c)) {
                c = c + shift;
                if (c > 'z')
                    c = c - 26;
            }
            // digits, spaces and punctuation pass through unchanged
            encrypted.append((char) c);
        }
        return encrypted.toString();
    }

    public static String decrypt(String str, int key) {
        int shift = normalize(key);
        StringBuilder decrypted = new StringBuilder();
        for (int i = 0; i < str.length(); i++) {
            int c = str.charAt(i);
            if (Character.isUpperCase(c)) {
                c = c - shift;
                if (c < 'A')
                    c = c + 26;
            } else if (Character.isLowerCase(c)) {
                c = c - shift;
                if (c < 'a')
                    c = c + 26;
            }
            decrypted.append((char) c);
        }
        return decrypted.toString();
    }
}


Sample Run:


