SJSU CS 265 - ESP
IP ENCAPSULATION SECURITY PAYLOAD PROTOCOL

CS 265 - Security Engineering
Professor: Dr. Mark Stamp
Computer Science Department
San Jose State University
Term Project written by Lan Vu

TABLE OF CONTENTS

I. INTRODUCTION ..... 2
II. ENCAPSULATION SECURITY PAYLOAD ..... 2
  1. ESP PACKET FORMAT ..... 2
  2. DESCRIPTION OF ESP MODES ..... 3
  3. SECURITY FEATURES OFFERED BY ESP PROTOCOL ..... 4
  4. ALGORITHM FOR PACKET ENCRYPTION ..... 4
  5. ALGORITHM FOR PACKET DECRYPTION ..... 4
III. SECURITY CONSIDERATIONS ..... 5
IV. PERFORMANCE IMPACT OF ESP ..... 6
V. CONCLUSION ..... 6
VI. REFERENCE ..... 6

I. INTRODUCTION

Rapid advances in communication technology have increased the need for security on the Internet. Many mechanisms have been developed to provide cryptographic security services that flexibly support combinations of authentication, integrity, access control, and confidentiality.

The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SAs). An SA contains all the information required to execute the various network security services, such as the IP layer services (the Authentication Header, AH, and the Encapsulating Security Payload, ESP), transport or application layer services, or self-protection of the negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data that is independent of the key generation technique, encryption algorithm and authentication mechanism.

The Encapsulating Security Payload (ESP) is a cryptographic security mechanism that provides security services for network-level (IP) communications, according to a set of security information (the SA) relating to a given network connection or set of connections.

II. ENCAPSULATION SECURITY PAYLOAD

The ESP protocol provides several features: data integrity and data origin authentication with keyed MACs carried in the ICV, confidentiality through encryption, and an anti-replay service based on sequence numbers. How ESP provides each of these features is discussed below. In general, it does so by encapsulating either an entire IP datagram or only the upper-layer protocol (e.g. TCP, UDP, ICMP) data inside the ESP, encrypting most of the ESP contents, and then adding a new IP header in front of the encrypted Encapsulating Security Payload. The new IP header is then used to carry the protected data through the network.

1. ESP Packet Format

Security Parameters Index (SPI) is an arbitrary 32-bit value which, in combination with the destination IP address and the security protocol, uniquely identifies the Security Association for this datagram.

Sequence Number is a 32-bit field containing a monotonically increasing counter value. It supports anti-replay protection.

Payload Data is a variable-length field; it may also carry cryptographic synchronization data (for example, an initialization vector).

Padding is used when the encryption algorithm requires the plaintext to be a multiple of some number of bytes.

Pad Length is an 8-bit field indicating the number of pad bytes preceding it.

Next Header is an 8-bit field that identifies the type of data contained in the Payload Data field.

Authentication Data is a variable-length field containing an Integrity Check Value (ICV) computed over the ESP packet (except the Authentication Data field itself). The length of this field is specified by the authentication function selected.

2. Description of ESP Modes

There are two modes within ESP: tunnel mode and transport mode. The mode is decided at the time of SA establishment and depends on the nature of the network topology. In general, transport mode is used between the endpoints of a connection, and tunnel mode is used between two machines when at least one of them is a gateway.

a. In tunnel mode, the entire IP packet is encrypted and becomes the data portion of a new, larger IP packet that has a new IP header. Tunnel mode is primarily used by gateways and proxies because it can mask the true source-destination patterns. Hence it secures the information by encrypting the entire packet. The diagram below shows a typical IPv4 packet in tunnel mode before and after applying ESP.

b. In transport mode, the upper-layer protocol is encapsulated inside ESP. It is preferable in networks behind a security gateway because it encrypts only the upper-layer protocol data, thereby avoiding the performance and monetary costs of encrypting the whole datagram while still providing confidentiality for traffic transiting untrustworthy network segments. This mode reduces both the bandwidth consumed and the protocol processing costs for users that don't need to keep the entire IP datagram confidential. The following diagram illustrates ESP transport mode positioning for a typical IPv4 packet.

3. Security Features Offered by the ESP Protocol

The encryption algorithm employed to create an ESP packet is specified by the SA. The algorithms used in an ESP implementation provide data origin authentication and data integrity, data confidentiality and traffic flow confidentiality, and anti-replay protection.

a. Data origin authentication
- Data origin authentication is a security service that verifies the identity of the claimed source of data.
- It uses an Integrity Check Value (ICV) that is computed over the entire IP packet, except for header field values that may change during transmission (for example, time to live). The ICV can be a one-way hash value, a keyed message authentication code (MAC), or a digital signature. The ICV algorithm is specified in the SA.
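As an added illustration of the packet format and ICV described above (this is not code from the project report), the following Python builds and parses the ESP framing: SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header and Authentication Data. It assumes HMAC-SHA-256-96 as the integrity algorithm and leaves the SA's cipher to a caller-supplied `encrypt`/`decrypt` callable (identity by default, since the standard library has no AES); the key and the TCP segment are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-256-96: the 32-byte HMAC truncated to 96 bits (RFC 4868)

def esp_padding(payload_len, block=4):
    """Padding so that Payload + Padding + Pad Length + Next Header is a multiple
    of `block` (4 bytes minimum per RFC 4303, or the cipher block size if larger).
    Pad bytes take the default values 1, 2, 3, ..."""
    n = (-(payload_len + 2)) % block
    return bytes(range(1, n + 1))

def build_esp(spi, seq, payload, next_header, auth_key, encrypt=lambda b: b, block=4):
    """Produce SPI | Sequence Number | [Payload | Padding | Pad Length | Next Header] | ICV.
    `encrypt` is assumed to be supplied by the caller; the identity default stands in
    for the SA's cipher (the standard library has no AES), so this shows framing only."""
    padding = esp_padding(len(payload), block)
    trailer = padding + bytes([len(padding), next_header])
    header = struct.pack("!II", spi, seq)
    body = header + encrypt(payload + trailer)
    # The ICV covers everything from the SPI to the end of the trailer, not itself
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def parse_esp(packet, auth_key, decrypt=lambda b: b):
    """Verify the ICV before touching the payload, then strip the ESP trailer."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        raise ValueError("ICV mismatch: packet forged or corrupted")
    spi, seq = struct.unpack("!II", body[:8])
    plain = decrypt(body[8:])
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2:
        raise ValueError("pad length exceeds payload")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": plain[:len(plain) - 2 - pad_len]}

# Constructed demo: transport mode protects a TCP segment (Next Header 6);
# tunnel mode would protect a whole IP packet instead (Next Header 4, IP-in-IP).
KEY = b"\x11" * 32                           # constructed authentication key
SEGMENT = b"\x00\x50\x1f\x90GET / HTTP/1.0"  # constructed stand-in for a TCP segment
if __name__ == "__main__":
    pkt = build_esp(spi=0x1000, seq=1, payload=SEGMENT, next_header=6, auth_key=KEY)
    print(parse_esp(pkt, KEY))
```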
- In general, a simple or keyed hash is used for point-to-point communications. Data origin authentication is done through verification of a keyed MAC computed with a shared secret key, or of a digital signature.

b. Data and Traffic-flow Confidentiality:
- Confidentiality is the security service that
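The anti-replay service that the report attributes to the Sequence Number field (section II.1) can be made concrete with the receiver-side sliding window; this is an added example, not code from the report. It assumes a 64-packet window, and the `AntiReplay` and `replay_filter` names are this example's own.

```python
WINDOW = 64  # assumed window size; RFC 4303 requires at least 32, 64 is the usual default

class AntiReplay:
    """Receiver-side sliding window over the ESP Sequence Number of one SA.
    Packets whose ICV failed must never reach this check, otherwise a forger
    could advance the window and make genuine packets look like replays."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set: sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Accept seq exactly once: True if new and inside the window, else False."""
        if seq == 0:
            return False    # the first ESP packet on an SA carries Sequence Number 1
        if seq > self.top:  # right of the window: slide it up and mark seq
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.window:
            return False    # left of the window: too old to judge, drop it
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False    # already seen: a replayed (or duplicated) packet
        self.bitmap |= bit
        return True

def replay_filter(seqs, window=WINDOW):
    """Run a constructed stream of sequence numbers through one SA's window and
    report which would be accepted; useful for checking a receiver implementation."""
    ar = AntiReplay(window)
    return [(s, ar.check_and_update(s)) for s in seqs]

if __name__ == "__main__":
    # Constructed arrival order: reordering (2 after 3) is fine; repeats and
    # anything older than the window are rejected.
    for seq, ok in replay_filter([1, 3, 3, 2, 1, 100, 36, 37, 0]):
        print(seq, "accepted" if ok else "rejected")
```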