Matakuliah
Tahun
Versi
: H0242 / Keamanan Jaringan
: 2006
:1
Pertemuan 11
IPSec dan SSL
1
Learning Outcomes
Pada akhir pertemuan ini, diharapkan
mahasiswa akan mampu :
– Mahasiswa dapat menjelaskan IP Security
dan SSL
2
Outline Materi
•
•
•
•
Konsep IP Security
Arsitecture IP security
Protokol dasar SSL
Arsitektur SSL
3
Security facilities in TCP/IP
4
IP Security Overview
• IPSec is not a single protocol.
• IPSec provides a set of security algorithms plus a
general framework that allows a pair of
communicating entities to use whichever
algorithms provide security appropriate for the
communication.
• General IP Security mechanisms provides
– Authentication
– Confidentiality
– Key management
• Applicable to use over LANs, across public and
private WANs, and for the Internet
5
IP Security Overview
• Applications of IPSec
– Secure branch office connectivity over the
Internet
– Secure remote access over the Internet
– Establsihing extranet and intranet connectivity
with partners
– Enhancing electronic commerce security
6
IP Security Overview
• Benefits of IPSec
– Transparent to applications (below transport
layer (TCP, UDP)
– Provide security for individual users
– IPSec can assure that:
• A router or neighbor advertisement comes
from an authorized router
• A redirect message comes from the router
to which the initial packet was sent
• A routing update is not forged
• provides strong security to all traffic
crossing the perimeter
7
IP Security Scenario
8
Authentication Header
• Authentication Header (AH) provides support for
data integrity & authentication of IP packets
– End system/router can authenticate user/app
– Prevents address spoofing attacks by tracking
sequence numbers
• Based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• Parties must share a secret key
9
Authentication Header
• Provides support for data integrity and
authentication (MAC code) of IP packets.
• Guards against replay attacks.
10
AH Authentication
Tunnel Mode AH Authentication
11
Security Associations
• Security Association (SA) is a one-way
relationship between sender & receiver that
affords security for traffic flow
• Defined by 3 parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier
• Has a number of other parameters
– seq no, AH & EH info, lifetime etc
• Have a database of Security Associations
12
ESP
• Encapsulating Security Payload (ESP) provides
message content confidentiality & limited traffic
flow confidentiality
• Can optionally provide the same authentication
services as AH
• Supports range of ciphers, modes, padding
– DES, Triple-DES, RC5, IDEA, CAST, etc
– CBC most common
– Pad to meet blocksize, for traffic flow
13
ESP
ESP Encryption and Authentication
14
Algorithms
Encryption & Authentication Algorithms
– Encryption:
• Three-key triple DES
• RC5
• IDEA
• Three-key triple IDEA
• CAST
• Blowfish
– Authentication:
• HMAC-MD5-96
• HMAC-SHA-1-96
15
Transport & Tunnel Modes
16
Transport & Tunnel Mode ESP
• Transport mode is used to encrypt & optionally
authenticate IP data
– Data protected but header left in clear
– Can do traffic analysis but is efficient
– Good for ESP host to host traffic
• Tunnel mode encrypts entire IP packet
– Add new header for next hop
– Good for VPNs, gateway to gateway security
17
SSL and TLS
• SSL was originated by Netscape
• TLS working group was formed within IETF
• First version of TLS can be viewed as an SSLv3.1
18
SSL Architecture
19
Handshake Protocol
• The most complex part of SSL.
• Allows the server and client to authenticate each
other.
• Negotiate encryption, MAC algorithm and
cryptographic keys.
• Used before any application data are transmitted.
20
Handshake Protocol Action
21