Course: H0242 / Network Security
Year: 2006
Version: 1

Session 11
IPSec and SSL

Learning Outcomes
By the end of this session, students are expected to be able to:
– Explain IP Security and SSL

Material Outline
• IP Security concepts
• IP Security architecture
• Basic SSL protocols
• SSL architecture

[Figure: Security facilities in TCP/IP]

IP Security Overview
• IPSec is not a single protocol.
• IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
• General IP Security mechanisms provide
  – Authentication
  – Confidentiality
  – Key management
• Applicable to use over LANs, across public and private WANs, and for the Internet

IP Security Overview
• Applications of IPSec
  – Secure branch office connectivity over the Internet
  – Secure remote access over the Internet
  – Establishing extranet and intranet connectivity with partners
  – Enhancing electronic commerce security

IP Security Overview
• Benefits of IPSec
  – Transparent to applications (below the transport layer: TCP, UDP)
  – Provides security for individual users
  – IPSec can assure that:
    • A router or neighbor advertisement comes from an authorized router
    • A redirect message comes from the router to which the initial packet was sent
    • A routing update is not forged
  – Provides strong security to all traffic crossing the perimeter

[Figure: IP Security Scenario]

Authentication Header
• Authentication Header (AH) provides support for data integrity & authentication of IP packets
  – End system/router can authenticate user/app
  – Prevents address spoofing attacks by tracking sequence numbers
• Based on use of a MAC
  – HMAC-MD5-96 or HMAC-SHA-1-96
• Parties must share a secret key

Authentication Header
• Provides support for data integrity and authentication (MAC code) of IP packets.
• Guards against replay attacks.
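Added example (not part of the original slides): a simplified receiver for the two AH services listed above, a truncated HMAC-SHA-1-96 integrity check and a sequence-number replay window. The message layout (SPI | sequence | payload), the 64-packet window, the key and the SPI value are assumptions made for illustration; real AH also covers the immutable IP header fields.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96: first 96 bits of the 160-bit HMAC-SHA-1 output
WINDOW = 64    # anti-replay window size in packets (assumed value)

def ah_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Truncated MAC over a simplified AH-style message: SPI | sequence | payload."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]

class Receiver:
    """Receiving end of one SA: replay window plus ICV verification."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.top = 0       # highest authenticated sequence number so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was accepted

    def accept(self, spi: int, seq: int, payload: bytes, icv: bytes) -> str:
        if spi != self.spi:
            return "no-sa"
        if seq == 0 or seq + WINDOW <= self.top:
            return "replay"                      # outside the window: too old
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return "replay"                      # already seen inside the window
        expected = ah_icv(self.key, spi, seq, payload)
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return "bad-icv"
        # Advance the window only after the packet has authenticated, so a
        # forged high sequence number cannot push genuine packets out of it.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "ok"

def demo() -> list:
    key, spi = b"constructed-shared-key", 0x1001     # constructed sample values
    rx = Receiver(key, spi)
    send = lambda seq, data: rx.accept(spi, seq, data, ah_icv(key, spi, seq, data))
    forged = rx.accept(spi, 5, b"pay $900", ah_icv(key, spi, 5, b"pay $100"))
    return [send(1, b"a"), send(3, b"c"), send(2, b"b"), send(3, b"c"), forged]

if __name__ == "__main__":
    print(demo())
```

Out-of-order delivery (sequence 2 arriving after 3) is accepted once, while the repeated sequence 3 and the packet whose payload was altered after the ICV was computed are both rejected.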

[Figure: AH Authentication; Tunnel Mode AH Authentication]

Security Associations
• Security Association (SA) is a one-way relationship between sender & receiver that affords security for traffic flow
• Defined by 3 parameters:
  – Security Parameters Index (SPI)
  – IP Destination Address
  – Security Protocol Identifier
• Has a number of other parameters
  – seq no, AH & EH info, lifetime etc
• Have a database of Security Associations

ESP
• Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality
• Can optionally provide the same authentication services as AH
• Supports range of ciphers, modes, padding
  – DES, Triple-DES, RC5, IDEA, CAST, etc
  – CBC most common
  – Pad to meet blocksize, for traffic flow

ESP
[Figure: ESP Encryption and Authentication]

Encryption & Authentication Algorithms
– Encryption:
  • Three-key triple DES
  • RC5
  • IDEA
  • Three-key triple IDEA
  • CAST
  • Blowfish
– Authentication:
  • HMAC-MD5-96
  • HMAC-SHA-1-96

[Figure: Transport & Tunnel Modes]

Transport & Tunnel Mode ESP
• Transport mode is used to encrypt & optionally authenticate IP data
  – Data protected but header left in clear
  – Can do traffic analysis but is efficient
  – Good for ESP host to host traffic
• Tunnel mode encrypts entire IP packet
  – Add new header for next hop
  – Good for VPNs, gateway to gateway security

SSL and TLS
• SSL was originated by Netscape
• TLS working group was formed within IETF
• First version of TLS can be viewed as an SSLv3.1

[Figure: SSL Architecture]

Handshake Protocol
• The most complex part of SSL.
• Allows the server and client to authenticate each other.
• Negotiate encryption, MAC algorithm and cryptographic keys.
• Used before any application data are transmitted.

[Figure: Handshake Protocol Action]