What’s the IPsec?
The IPsec (Internet Protocol Security) Protocol Suite is a set of network security protocols, developed to secure the network traffic by establishing encrypted tunnels between two or more end points across the public network.
IPsec provides the core benefits of confidentiality through encryption, data integrity through hashing and HMAC, and authentication using digital signatures or using a pre-shared key (PSK).
The goals can be described as follows:
■ Confidentiality: provided through encryption changing clear text into cipher text.
■ Data integrity: provided through hashing and/or through Hashed Message Authentication Code (HMAC) to verify that data has not been manipulated during its transit across the network.
■ Authentication: provided through authenticating the VPN peers near the beginning of a VPN session using pre-shared keys (PSK) or digital signatures (leveraging digital certificates). Authentication can also be done continuously through the use of an HMAC, which includes a secret known only to two ends of the VPN.
■ Antireplay protection: when VPNs are established, the peers can sequentially number the packets, and if a packet is attempted to be replayed again (perhaps by an attacker), the packet will not be accepted because the VPN device believes it has already processed that packet.
Internet Key Exchange (IKE) Protocol
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote access VPN tunnels.
Internet Key Exchange (IKE) is a protocol used to set up a IPSec Security Associations (SAs) by define security attributes like encryption key, encryption algorithm, and mode, between IPSec peers.
Security Association (SA) is an one-way virtual tunnel between the two endpoints peers. Thus, for full communication to occur, two SA’s must be established, one for each direction.
The establishment of an IPsec connection takes place in two phases, called IKE phases:
■ IKE Phase 1: The two endpoints authenticate one another and negotiate keying material. This results in an encrypted tunnel used by Phase 2 for negotiating the ESP security associations.
■ IKE Phase 2: The two endpoints use the secure tunnel created in Phase 1 to establishes the IPsec tunnel (IPsec SA), which used to secure the actual user data that is passed between the two endpoints.
IKE relies on ISAKMP to establish an initial secure channel over which the IPsec tunnel can be negotiated. An IKE policy determines the attributes of the ISAKMP session (typically called an IKE SA), including the encryption type and hashing methods.
At IKE Phase 1, There are five basic items need to be agreed upon between the two VPN endpoints peers as below:
■ Encryption algorithm: This could be AES, DES or 3DES.
■ Hash algorithm: This could be MD5 or SHA.
■ Diffie-Hellman (DH) group to use: for creating and sharing keys.
■ Authentication method: This could be pre-shared key (PSK) or RSA signatures.
■ The SA Lifetime: How long until this IKE Phase 1 tunnel should be torn down.
IKE Phase 1 negotiation can happen in two modes,either using Main Mode which be slower, but more secure or using Aggressive Mode which faster, but less secure.
There are a two primary methods for implementing the encapsulation of IPsec header as below:
■ Authentication Header (AH)
■ Encapsulating Security Payload (ESP)
Authentication Header (AH)
– While IPsec uses Authentication Header (AH) to provide Data Integrity, Authentication, and Anti-Replay functions for IPsec VPN. Authentication Header (AH) DOES NOT provide any Data Encryption at all.
– AH uses a hash algorithm to compute a hash value on both the payload and header of a packet which cause AH is incompatible with NAT which changes the IP header of a packet during translation which reflect on the receiving device will believe the packet has been altered in transit, and reject the packet.
Encapsulation Security Payload (ESP)
– While IPsec uses ESP (Encapsulating Security Payload) to provide Data Integrity, Encryption, Authentication, and Anti-Replay functions for IPsec VPN.
– ESP uses a hash algorithm to compute a hash value on the payload only and not include the header of a packet which enable it to be compatible with NAT.
ESP is more widely deployed than AH, because ESP provides all the benefits of IPsec, that is, Confidentiality, Integrity, Authentication and Re-Play attack protection….
IPsec uses two methods for encryption tunnel and transport mode.
– If IPsec tunnel mode is used, the both of IP header and payload are encrypted in addition a new header be injected.
– But When transport mode is used, only the packet payload is encrypted and the original IP header is left intact.
First let’s have a look at AH and ESP and how they tread original IP packet
And now about how those IP protocols fit in the two modes.
In the next lecture we will go deeply into the IPsec configuration and troubleshooting, See you !
By: Hatem Farag | CCIE#54446
Following what we started at the previous lecture about the main guidelines of cryptography, We are about discuss all about Hashing and Authentication Techniques and Algorithms.
As mentioned before Hashing is a function to achieve Data Integrity which can be defined as how to insure that data is not tampered or altered while transmission.
The main idea of Hashing is a process that takes a block of data and run the a defined algorithm to create a small fixed-sized hash value, then attach that value to the block of data and transmit it.
Which meaning if we have a two different computers (Transmitter & Receiver) take the same data and run the same hash function, they should get the same fixed-sized hash value.
Using a hash to verify integrity is the sender running a hash algorithm on each packet and attaching that hash to the packet. The receiver runs the same hash against the packet and compares his results against the results the sender had (which were attached to the packet, as well). If the hash generated matches the hash that was sent, we know that
the entire packet is intact. If a single bit of the hashed portion of the packet is modified, the hash calculated by the receiver will not match, and the receiver will know that the packet had a problem, specifically with the integrity of the packet.
The three most popular types of hashes are as follows:
■ Message digest 5 (MD5): This creates a 128-bit digest.
■ Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest.
■ Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
Hashed Message Authentication Code (HMAC)
Hashed Message Authentication Code (HMAC) uses the mechanism of hashing, Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type. Then only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash. When this mechanism is used, an attacker who is eavesdropping and intercepting packets cannot inject or remove data from those packets without being noticed because he cannot recalculate the correct hash for the modified packet because he does not have the key or keys used for the calculation.
It is about how to confirm the identity of the host sending data, using pre-shared keys or RSA Digital signatures to can authenticate the peer at the other end of the VPN tunnel.
■ Pre-shared key
Pre-shared key is an agreed character string in advance between both parties as the authentication key of the session; A pre-shared key is an example of symmetric cryptography as the key is a same on both sides.
The 0 before the Pre-Shared key specifies that the key is not encrypted.
■ RSA Digital Signatures
As a matter of fact, signature scheme consists of three related operations as below:
• Key pair generation produces a public/private key pair.
• Signature operation produces a signature for a message with a private key.
• Verification operation checks a signature with a public key.
As cleared on our long discussion about world of cryptography, The key is the one of the most important player here, as We have symmetric keys that can be used with symmetric algorithms such as hashing and encryption. We have asymmetric keys such as public-private key pairs that can be used with asymmetric algorithms such as digital signatures, among other things.
A key pair is a set of two keys that work in combination with each other as a team. In a typical key pair, you have one public key and one private key. The public key may be shared with everyone, and the private key is not shared with anyone.
For example, If we use the public key to encrypt data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.
Diffie-Hellman key exchange is a cryptographic protocol for securely exchanging encryption keys over an insecure communications channel, it can be used to dynamically generate symmetrical keys to be used by symmetrical algorithms.
Diffie-Hellman Groups are used to determine the strength of the key used in the Diffie-Hellman key exchange process; Higher Diffie-Hellman Group numbers are more secure, but Higher Diffie-Hellman Groups require additional processing resources to compute the key. at below an examples from DH groups.
Group 1 – 768 bits
Group 2 – 1024 bits
Group 5 – 1536 bits
Group 14 – 2048 bits
Group 16 – 4096 bits
By: Hatem Farag | CCIE#54446