CNS Chapter 4
Chapter - 4
IP Security:
They are
Confidentiality:
It deals with the privacy of user data: it ensures that unauthorized persons cannot access the
data.
Authentication:
It verifies the user’s identity; only then does the receiver believe that the message or data
came from the original source.
Integrity:
IP Security Architecture
Components of IP Security:
It provides data integrity, encryption, authentication and anti-replay. But it mainly
It also provides data integrity, authentication and anti-replay by using Authentication
4. Key Management:
It deals with keys: if symmetric encryption is used, how the key will be exchanged
between the sender and receiver; if asymmetric, how the keys are used. These are te
If a client wants to communicate with a server, the client must have a Security
2) IP Destination Address:
3) Protocol Identifier:
o AH Information:
Authentication Header: in this we get all types of signature algorithms, like
o ESP Information:
Every SA has a lifetime; if the lifetime expires then the SA has to be recreated.
It specifies whether the SA will be implemented in Transport Mode or Tunnel Mode.
IP Security Protocols
Next Header:
Payload Length:
Reserved Bits:
Sequence Number:
Authentication Data:
The result of applying the authentication algorithm over the packet is the
“authentication data” (also called the Integrity Check Value).
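The field list above does not show how the fields sit in the packet or how the authentication data is produced. The following Python is an added example written for these notes, not code from the notes themselves: it packs and parses the fixed part of the AH as RFC 4302 lays it out (Next Header, Payload Length, Reserved, the Security Parameters Index that the list above omits, Sequence Number, then the authentication data) and computes the authentication data as HMAC-SHA1 truncated to 96 bits. The key and payload are constructed, and for brevity the MAC covers only the AH and the payload, not the immutable fields of the outer IP header that a real implementation also covers.

```python
import hashlib
import hmac
import struct

# Fixed part of the Authentication Header (RFC 4302):
#   Next Header (1 byte), Payload Len (1), Reserved (2), SPI (4), Sequence Number (4)
# followed by the variable-length Authentication Data (ICV).
AH_FIXED_FMT = "!BBHII"
AH_FIXED_LEN = struct.calcsize(AH_FIXED_FMT)   # 12 bytes
ICV_LEN = 12                                    # HMAC-SHA1-96: 96 bits of the MAC are sent


def compute_icv(key, ah_fixed, payload):
    """Authentication data over the AH (ICV field zeroed) and the payload.

    Simplification (assumption of this example): the outer IP header's immutable
    fields, which RFC 4302 also includes in the MAC input, are not covered here.
    """
    mac = hmac.new(key, ah_fixed + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def build_ah(key, next_header, spi, seq, payload):
    """Return AH fixed part + ICV + payload (transport-mode order after the IP header)."""
    total_len = AH_FIXED_LEN + ICV_LEN
    # Payload Len is the AH length in 32-bit words minus 2, per RFC 4302.
    payload_len = total_len // 4 - 2
    fixed = struct.pack(AH_FIXED_FMT, next_header, payload_len, 0, spi, seq)
    return fixed + compute_icv(key, fixed, payload) + payload


def parse_ah(key, packet):
    """Split an AH-protected packet and verify its authentication data."""
    if len(packet) < AH_FIXED_LEN:
        raise ValueError("packet shorter than AH fixed header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack(
        AH_FIXED_FMT, packet[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv = packet[AH_FIXED_LEN:ah_len]
    payload = packet[ah_len:]
    expected = compute_icv(key, packet[:AH_FIXED_LEN], payload)
    return {
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "payload": payload,
        # Constant-time comparison so a forger learns nothing from timing.
        "valid": hmac.compare_digest(icv, expected),
    }


if __name__ == "__main__":
    # Constructed sample: TCP (protocol 6) payload under SPI 0x1234, first packet of the SA.
    key = b"constructed-shared-key"
    pkt = build_ah(key, 6, 0x1234, 1, b"hello")
    print(parse_ah(key, pkt))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print("tampered valid:", parse_ah(key, tampered)["valid"])
```

Because the authentication data is computed with a shared key, a modified payload or a packet built with a different key fails the check; the receiver discards such packets rather than passing them up the stack.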
IPV4:
IPV6:
After implementing Authentication header the general format of IPV4 and IPV6 is:
IPV4:
IPV6:
In the above format the general IPV4 packet is treated as the “inner packet”. If we add a new IP
header and an AH in front of it, the result is called a “Tunnel mode packet”.
IPV6:
In the above format the general IPV6 packet is treated as the “inner packet”. If we add a new IP
header, Extension Headers and an AH in front of it, the result is called a “Tunnel mode packet”.
Next Header:
Payload Length:
Sequence Number:
Padding:
Padding Length:
Authentication Data:
This is an optional field because ESP can be implemented in two ways: if the user chooses
ESP with the authentication mechanism, then this field is mandatory; otherwise it is
optional.
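To show how the ESP fields above fit together (in particular how Padding, Padding Length and Next Header form the trailer, and why Authentication Data is optional), here is an added example written for these notes rather than code taken from them. It follows the RFC 4303 layout: SPI and Sequence Number, then the encrypted payload, padding, pad length and next header, then an optional ICV. The encryption is a constructed toy keystream (SHA-256 in counter mode, XORed into the plaintext) so the example runs with only the Python standard library; it stands in for a real cipher and must not be read as one. The keys, SPI and payload are constructed values.

```python
import hashlib
import hmac
import struct

ESP_HDR_FMT = "!II"   # SPI, Sequence Number (RFC 4303)
ESP_HDR_LEN = struct.calcsize(ESP_HDR_FMT)
ICV_LEN = 12          # truncated HMAC when ESP is used with authentication


def esp_pad(payload, next_header, block_size):
    """Append padding, Pad Length and Next Header so the result is a multiple of block_size.

    RFC 4303 default padding bytes are 1, 2, 3, ... which lets the receiver check them.
    """
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def esp_unpad(plaintext):
    """Strip the trailer, verifying Pad Length and the default padding pattern."""
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("bad pad length")
    if plaintext[len(plaintext) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding bytes")
    return plaintext[:len(plaintext) - 2 - pad_len], next_header


def toy_keystream(key, spi, seq, length):
    """Constructed toy keystream (SHA-256 counter mode), NOT a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIH", spi, seq, counter)).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_icv(auth_key, body):
    return hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv_ok(auth_key, packet):
    """Check the trailing Authentication Data over SPI + Seq + ciphertext."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(auth_key, body))


def build_esp(enc_key, auth_key, spi, seq, payload, next_header, block_size=16):
    """ESP packet body; auth_key=None gives ESP without authentication (no ICV)."""
    header = struct.pack(ESP_HDR_FMT, spi, seq)
    plaintext = esp_pad(payload, next_header, block_size)
    ciphertext = xor_bytes(plaintext, toy_keystream(enc_key, spi, seq, len(plaintext)))
    packet = header + ciphertext
    if auth_key is not None:
        packet += esp_icv(auth_key, packet)   # Authentication Data is mandatory here
    return packet


def parse_esp(enc_key, auth_key, packet):
    """Verify (if authenticated), decrypt and unpad an ESP packet body."""
    if auth_key is not None:
        if not esp_icv_ok(auth_key, packet):
            raise ValueError("ICV check failed")
        packet = packet[:-ICV_LEN]
    spi, seq = struct.unpack(ESP_HDR_FMT, packet[:ESP_HDR_LEN])
    ciphertext = packet[ESP_HDR_LEN:]
    plaintext = xor_bytes(ciphertext, toy_keystream(enc_key, spi, seq, len(ciphertext)))
    payload, next_header = esp_unpad(plaintext)
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


if __name__ == "__main__":
    p = build_esp(b"constructed-enc-key", b"constructed-auth-key", 0x100, 5, b"hello world", 6)
    print(len(p), parse_esp(b"constructed-enc-key", b"constructed-auth-key", p))
```

The ICV is computed over the ciphertext and checked before decryption, so a modified packet is rejected without touching the plaintext; with `auth_key=None` the packet is encrypted but anyone on the path can alter it undetected, which is the practical reason the authentication option is normally used.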
Note: To achieve confidentiality we can use cryptographic algorithms: if symmetric, use
DES, 3DES etc.; if asymmetric, then use RES, CAST, IDEA etc.
IPV4:
IPV6:
After implementing ESP header the general format of IPV4 and IPV6 is:
IPV4:
IPV6:
In the above format the general IPV4 packet, after the ESP protocol has been applied, is treated
as the “inner packet”. If we add a new IP header in front of it, the result is called a
“Tunnel mode packet”.
IPV6:
In the above format the general IPV6 packet, after the ESP protocol has been applied, is treated
as the “inner packet”. If we add a new IP header in front of it, the result is called a
“Tunnel mode packet”.
Replay Attack is a type of security attack to the data sent over a network.
In this attack, the attacker (any person with unauthorized access) captures the traffic and
re-sends it to its original destination, acting as the original sender. The receiver
believes it is an authentic message, but it is actually the message sent by the attacker.
The main feature of the Replay Attack is that the receiver receives the message twice,
1. Timestamp method –
Prevention of such attacks is possible if a timestamp is sent along with the data.
If the timestamp on the data is older than a certain limit, the data can be discarded,
Another way of prevention is by using a session key. This key can be used only once (by
3. Acknowledgement-
Here the receiver sends two types of acknowledgements: positive and negative.
4. The sender initializes the sequence number to 0 when a new SA is established and increments
it for each packet.
5. If the receiver receives a duplicate packet then it checks the packet sequence number; if it is
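The sequence-number mechanism of items 4 and 5, worked through as an added example (not code from the notes): the sender side keeps the counter, and the receiver keeps a sliding window with a bitmap of the sequence numbers already seen, which is how the AH and ESP anti-replay service is specified in RFC 4302/4303. A packet is rejected if its number was already seen or if it falls to the left of the window; a number beyond the right edge advances the window. The window size and the packet sequence in `run_window` are constructed for illustration.

```python
class Sender:
    """Sender side: the counter starts at 0 on SA creation; the first packet carries 1."""

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side: sliding window of `size` sequence numbers with a seen-bitmap."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) was accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside (or beyond) the window."""
        if seq == 0:
            return False    # 0 is never a valid sequence number on the wire
        if seq > self.top:
            # Slide the window right; bits shifted out of the window are dropped.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False    # too old: left of the window, treat as replay
        if (self.bitmap >> offset) & 1:
            return False    # duplicate: already accepted inside the window
        self.bitmap |= 1 << offset
        return True


def run_window(seqs, size=64):
    """Feed a constructed arrival order of sequence numbers; return accept/reject per packet."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: 1 replayed, 3 arrives late (reordered), 3 replayed,
    # 20 jumps ahead, 12 is now too old for an 8-wide window, 13 still fits, 0 is invalid.
    for seq, ok in zip([1, 1, 5, 3, 3, 20, 12, 13, 0], run_window([1, 1, 5, 3, 3, 20, 12, 13, 0], 8)):
        print(seq, "accept" if ok else "reject")
```

The window is what lets IPsec tolerate normal reordering (3 arriving after 5 is accepted) while still rejecting exact duplicates; the check is only meaningful when the sequence number is covered by the authentication data, otherwise an attacker could simply rewrite it.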
Key Management
Key Management is related to determination and distribution of secret keys.
Manual:
Automated :
It enables the on-demand creation of keys for Security Associations and the use of keys. It can be
Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added
security.
Here secret keys are created only when needed. The exchange does not require any pre-existing
infrastructure.
IKE defines payloads for exchanging key generation and authentication data.
Initiator Cookie:
and SA deletion.
Responder Cookie:
Next Payload:
Major Version:
Minor Version:
Exchange Type:
Flags:
Message ID:
Length:
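The ISAKMP header fields just listed, packed and parsed in an added example that is not code from the notes. The layout is the 28-byte fixed header of RFC 2408: two 8-byte cookies, Next Payload, a version byte holding Major Version in the high nibble and Minor Version in the low nibble, Exchange Type, Flags, Message ID and Length. The cookie construction (a keyed hash over the peer address and port pair) is this example's own choice for an anti-clogging cookie; the secret, addresses and payload bytes are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)   # 28 bytes

# Exchange Type and Next Payload values from RFC 2408.
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {0: "None", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04


def make_cookie(secret, local_addr, remote_addr, local_port, remote_port):
    """Anti-clogging cookie: keyed hash bound to the peer, so forged-source floods
    cannot make the responder allocate state (construction chosen for this example)."""
    material = (ipaddress.ip_address(local_addr).packed
                + ipaddress.ip_address(remote_addr).packed
                + struct.pack("!HH", local_port, remote_port))
    return hmac.new(secret, material, hashlib.sha256).digest()[:8]


def build_isakmp_header(icookie, rcookie, next_payload, exchange_type, flags, message_id, payload):
    """Prefix `payload` with a version 1.0 ISAKMP header; Length covers the whole message."""
    version = (1 << 4) | 0
    length = ISAKMP_HDR_LEN + len(payload)
    return struct.pack(ISAKMP_HDR_FMT, icookie, rcookie, next_payload, version,
                       exchange_type, flags, message_id, length) + payload


def parse_isakmp_header(data):
    """Decode the fixed header, checking Length against the datagram actually received."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, np, version, xchg, flags, msg_id, length = struct.unpack(
        ISAKMP_HDR_FMT, data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise ValueError("Length field does not match datagram size")
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": PAYLOAD_TYPES.get(np, np),
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": EXCHANGE_TYPES.get(xchg, xchg),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "commit": bool(flags & FLAG_COMMIT),
        "auth_only": bool(flags & FLAG_AUTH_ONLY),
        "message_id": msg_id,
        "length": length,
        "payload": data[ISAKMP_HDR_LEN:],
    }


if __name__ == "__main__":
    # Constructed first message of an Identity Protection exchange: the responder cookie
    # is still all zeros, Next Payload is SA, Message ID 0 for phase 1.
    ic = make_cookie(b"constructed-secret", "192.0.2.1", "198.51.100.7", 500, 500)
    msg = build_isakmp_header(ic, bytes(8), 1, 2, 0, 0, bytes(12))
    print(parse_isakmp_header(msg))
```

The Length check matters on the receiving side: a parser that trusts the Length field over the datagram size is the classic source of out-of-bounds reads in IKE implementations, so the field is validated before any payload is touched.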
ISAKMP Payload
Types of Payloads
o SA Payload:
o Proposal Payload:
o Transform Payload:
o Identification Payload:
o Certification Payload:
o Hash Payload:
o Signature Payload:
o Nonce Payload:
ISAKMP Exchanges
Base Exchange:
Identity Protection:
Aggressive exchange:
Information exchange:
Security Policy
Another important aspect of IP Security is the Security Policy, which defines the type of
Each SPD entry is defined by a set of IP and upper layer protocol field values, called
selectors.
o Remote IP Address:
o Source IP Address:
o User ID:
protocol numbers.
Outbound SPD:
Inbound SPD:
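A Security Policy Database lookup over the selectors named above (remote IP address, source/local IP address, user ID, protocol number), as an added example that is not code from the notes. Each entry carries an action of DISCARD, BYPASS or PROTECT as in RFC 4301, entries are searched in order with first match winning, and no match means DISCARD. The destination-port selector and the sample policy and packets are constructed for this example; the inbound check shows why the SPD is consulted on both directions: a packet that policy says must be protected but that arrived in the clear is dropped.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int                    # IP protocol number: 6 = TCP, 17 = UDP, ...
    dst_port: Optional[int] = None
    user_id: Optional[str] = None


@dataclass
class SpdEntry:
    remote: str                      # remote IP address or prefix (selector)
    local: str                       # local/source IP address or prefix (selector)
    action: str                      # "DISCARD", "BYPASS" or "PROTECT"
    protocol: Optional[int] = None   # None = any
    dst_port: Optional[int] = None   # None = any
    user_id: Optional[str] = None    # None = any
    sa_params: dict = field(default_factory=dict)   # for PROTECT: e.g. {"proto": "ESP", "mode": "tunnel"}


def entry_matches(entry, pkt, outbound):
    """Outbound: the packet's destination is the remote end; inbound: its source is."""
    remote_ip, local_ip = (pkt.dst, pkt.src) if outbound else (pkt.src, pkt.dst)
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(entry.remote):
        return False
    if ipaddress.ip_address(local_ip) not in ipaddress.ip_network(entry.local):
        return False
    if entry.protocol is not None and entry.protocol != pkt.protocol:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    if entry.user_id is not None and entry.user_id != pkt.user_id:
        return False
    return True


def spd_lookup(spd, pkt, outbound):
    """Ordered search; first matching entry wins; no match falls back to DISCARD."""
    for entry in spd:
        if entry_matches(entry, pkt, outbound):
            return entry
    return SpdEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD")


def inbound_decision(spd, pkt, arrived_protected):
    """Inbound check: cleartext arrival of traffic the policy requires to be protected is dropped."""
    entry = spd_lookup(spd, pkt, outbound=False)
    if entry.action == "PROTECT" and not arrived_protected:
        return "DISCARD"
    return "ACCEPT" if entry.action in ("BYPASS", "PROTECT") else "DISCARD"


# Constructed policy for a host on 10.1.0.0/16: DNS may go in the clear, traffic to the
# remote site 10.2.0.0/16 must use ESP in tunnel mode, local LAN traffic bypasses IPsec,
# everything else is discarded by the default rule.
SAMPLE_SPD: List[SpdEntry] = [
    SpdEntry("0.0.0.0/0", "10.1.0.0/16", "BYPASS", protocol=17, dst_port=53),
    SpdEntry("10.2.0.0/16", "10.1.0.0/16", "PROTECT", sa_params={"proto": "ESP", "mode": "tunnel"}),
    SpdEntry("10.1.0.0/16", "10.1.0.0/16", "BYPASS"),
]


if __name__ == "__main__":
    for pkt in [Packet("10.1.0.5", "10.2.3.4", 6, 22), Packet("10.1.0.5", "8.8.8.8", 17, 53),
                Packet("10.1.0.5", "8.8.8.8", 6, 443)]:
        print(pkt.dst, spd_lookup(SAMPLE_SPD, pkt, outbound=True).action)
    print(inbound_decision(SAMPLE_SPD, Packet("10.2.3.4", "10.1.0.5", 6, 22), arrived_protected=False))
```

Rule order is part of the policy: the DNS bypass entry sits first so that it is found before the broader PROTECT entry could claim a DNS packet to a 10.2.0.0/16 resolver.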