1 Cryptography Fundamentals 11.1 IP Security
Fudan University School of Software
2 Review
• Cryptography
• Authentication techniques
• PKI, CA, certificates
3 IP Security
• there is a range of application-specific security mechanisms
  – e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
• however, there are security concerns that cut across protocol layers
• we would like security implemented by the network for all applications
• Q: If security mechanisms have been implemented in the application layer, is security still needed at the network level? Or vice versa?
4 Security facilities in TCP/IP
[Figure: three protocol stacks showing where security can be placed]
(a) Network level: HTTP / FTP / SMTP over TCP over IP/IPSec
(b) Transport level: HTTP / FTP / SMTP over SSL or TLS over TCP over IP
(c) Application level: S/MIME, PGP, SET over SMTP / HTTP over TCP over IP; Kerberos over UDP over IP
5 IPSec
• general IP security mechanisms
• provides
  – authentication
  – confidentiality
  – key management
• applicable over LANs, across public and private WANs, and for the Internet
6 IPSec Uses
[Figure: networking devices with IPSec (e.g. routers or firewalls) connected across a public (Internet) or private network, and a user system with IPSec reaching them over the same network]
7 Benefits of IPSec
• in a firewall/router, provides strong security to all traffic crossing the perimeter
• in a firewall/router, is resistant to bypass
• is below the transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users
• secures the routing architecture
8 IP Security Architecture
• specification is quite complex
• defined in numerous RFCs
  – incl. RFC 2401/2402/2406/2408 (since superseded by RFC 4301/4302/4303 and, for key exchange, RFC 7296 (IKEv2))
  – many others, grouped by category
• mandatory in IPv6, optional in IPv4 (the IPv6 node requirement was later relaxed to SHOULD in RFC 6434)
• has two security header extensions:
  – Authentication Header (AH)
  – Encapsulating Security Payload (ESP)
9 IPSec Services
Service                              | AH | ESP (encryption only) | ESP (encryption plus authentication)
Access control                       | ✓  | ✓                     | ✓
Connectionless integrity             | ✓  |                       | ✓
Data origin authentication           | ✓  |                       | ✓
Rejection of replayed packets        | ✓  | ✓                     | ✓
Confidentiality                      |    | ✓                     | ✓
Limited traffic flow confidentiality |    | ✓                     | ✓
(✓ = service provided; marks restored from the standard AH/ESP service table)
10 IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
  – a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality
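The Authentication Header listed under the architecture (slide 8) and the replay-rejection, connectionless-integrity and data-origin-authentication services of slide 10, shown in working code. This is an added example written for this page, not the slides' own code and not from any IPsec stack. It assumes the RFC 4302 AH layout (next header, payload length, reserved, SPI, sequence number, ICV), HMAC-SHA1-96 as the ICV algorithm, a 64-packet anti-replay window, and a constructed key and payloads; the ICV here covers only the AH header and its payload, whereas real AH also covers the outer IP header with mutable fields zeroed.

```python
"""Added example: AH header construction/parsing plus the anti-replay window.
Not from the slides or any IPsec implementation; key and packets are constructed."""
import hashlib
import hmac
import struct

AH_FIXED = struct.Struct("!BBHII")  # next hdr, payload len, reserved, SPI, seq
ICV_LEN = 12                        # HMAC-SHA1-96: tag truncated to 96 bits


def build_ah(key: bytes, next_hdr: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Emit AH header + ICV + payload. Payload Len is the AH length in
    32-bit words minus 2, so 12 fixed bytes + 12 ICV bytes gives 4."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2
    hdr = AH_FIXED.pack(next_hdr, payload_len, 0, spi, seq)
    # The ICV is computed with the ICV field itself set to zero.
    icv = hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + icv + payload


def parse_ah(packet: bytes) -> dict:
    """Split a packet into its AH fields; rejects truncated headers."""
    if len(packet) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(packet)
    total = (payload_len + 2) * 4
    if len(packet) < total:
        raise ValueError("AH length exceeds packet")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED.size:total], "payload": packet[total:]}


def verify_icv(key: bytes, packet: bytes, ah: dict) -> bool:
    """Data origin authentication + connectionless integrity: recompute the ICV."""
    hdr = packet[:AH_FIXED.size]
    expected = hmac.new(key, hdr + bytes(len(ah["icv"])) + ah["payload"],
                        hashlib.sha1).digest()[:len(ah["icv"])]
    return hmac.compare_digest(expected, ah["icv"])  # constant-time compare


class ReplayWindow:
    """Sliding anti-replay window: bit i of `bitmap` records whether the
    packet with sequence number `right - i` has already been accepted."""

    def __init__(self, size: int = 64):
        self.size, self.mask = size, (1 << size) - 1
        self.right = 0      # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        if seq == 0:                       # first packet on an SA is 1
            return False
        if seq > self.right:               # newer than anything seen
            return True
        diff = self.right - seq
        if diff >= self.size:              # left of the window: too old
            return False
        return not (self.bitmap >> diff) & 1   # inside window, not yet seen

    def update(self, seq: int) -> None:
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)


def receive(key: bytes, window: ReplayWindow, packet: bytes) -> str:
    """Inbound AH order: window check, then ICV, then window update, so a
    forged sequence number can never advance the window."""
    ah = parse_ah(packet)
    if not window.check(ah["seq"]):
        return "replay"
    if not verify_icv(key, packet, ah):
        return "bad_icv"
    window.update(ah["seq"])
    return "ok"


def demo() -> list:
    """Constructed traffic: in-order, one reordered, one replay, one forgery."""
    key = b"constructed demo key, not a real SA key"
    spi, window = 0x1000, ReplayWindow()
    pkts = [build_ah(key, 6, spi, s, b"tcp segment %d" % s) for s in (1, 2, 3, 5, 4)]
    results = [receive(key, window, p) for p in pkts]
    results.append(receive(key, window, pkts[1]))            # replay of seq 2
    forged = bytearray(build_ah(key, 6, spi, 6, b"x"))
    forged[-1] ^= 1                                          # tamper with payload
    results.append(receive(key, window, bytes(forged)))      # ICV fails, window untouched
    results.append(receive(key, window, build_ah(key, 6, spi, 6, b"x")))
    return results


if __name__ == "__main__":
    print(demo())  # ['ok', 'ok', 'ok', 'ok', 'ok', 'replay', 'bad_icv', 'ok']
```

The reordered packet (seq 4 arriving after seq 5) is accepted because it is still inside the window and its bit is clear, which is exactly why the slide calls replay rejection a form of partial sequence integrity: order is not enforced, only uniqueness within the window. The forged seq 6 is rejected by the ICV and does not move the window, so the genuine seq 6 that follows is still accepted.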