• Aucun résultat trouvé

IP SEC

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "IP SEC"

Copied!
1
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

packetlife.net

by Jeremy Stretch v2.0

IP SEC

Protocols Encryption Algorithms

DES Symmetric 56

Type Key Length (Bits)

AES Symmetric

3DES Symmetric 168

Weak Strength

Medium

RSA Asymmetric

128/192/256 1024+

Strong Strong

Hashing Algorithms

MD5 128

Length (Bits)

SHA-1 160

Medium Strength

Strong Internet Security Association and Key Management

Protocol (ISAKMP)

A framework for the negotiation and management of security associations between peers (traverses UDP/500) Internet Key Exchange (IKE)

Responsible for key agreement using asymmetric cryptography

Encapsulating Security Payload (ESP)

Provides data encryption, data integrity, and peer authentication; IP protocol 50

Authentication Header (AH)

Provides data integrity and peer authentication, but not data encryption; IP protocol 51

IPsec Modes

IKE Phases Phase 1

A bidirectional ISAKMP SA is established

between peers to provide a secure management channel (IKE in main or aggressive mode)

Phase 1.5 (optional)

Xauth can optionally be implemented to enforce user authentication

Phase 2

Two unidirectional IPsec SAs are established for data transfer using separate keys (IKE quick mode)

Transport Mode

The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted

Tunnel Mode

A new IP header is created in place of the original; this allows for encryption of the entire original packet

Configuration

crypto isakmp policy 10 encryption aes 256 hash sha

authentication pre-share group 2

lifetime 3600

ISAKMP Policy

crypto isakmp key 1 MySecretKey address 10.0.0.2

ISAKMP Pre-Shared Key

crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac mode tunnel

IPsec Transform Set

crypto ipsec profile MyProfile set transform-set MyTS

IPsec Profile

interface Tunnel0

ip address 172.16.0.1 255.255.255.252 tunnel source 10.0.0.1

tunnel destination 10.0.0.2 tunnel mode ipsec ipv4

tunnel protection ipsec profile MyProfile

Virtual Tunnel Interface

Troubleshooting

show crypto isakmp sa show crypto isakmp policy show crypto ipsec sa

show crypto ipsec transform-set debug crypto {isakmp | ipsec}

Terminology

Data Origin Authentication Authentication of the SA peer Data Integrity

Secure hashing (HMAC) is used to ensure data has not been altered in transit

Data Confidentiality

Encryption is used to ensure data cannot be intercepted by a third party

Anti-replay

Sequence numbers are used to detect and discard duplicate packets

Hash Message Authentication Code (HMAC) A hash of the data and secret key used to provide message authenticity

Diffie-Hellman Exchange

A shared secret key is established over an insecure path using public and private keys

L2 IP TCP/UDP

L2 IP TCP/UDP

L2 IP TCP/UDP

ESP/AH

ESP/AH New IP

Original Packet Transport Mode Tunnel Mode

Références

Télécharger maintenant ( PDF - 1 Page - 57.62 KB )

Documents relatifs

The Keyed-Hash Message Authentication Code (HMAC)

Mechanisms that provide such integrity checks based on a secret key are usually called message authentication codes (MACs). Typically, message authentication codes are used

Matrix Analogues of the Diffie-Hellman Protocol

This paper presents a comparative analysis of several matrix analogs of the Diffie-Hellman algorithm, namely, Yerosh-Skuratov and Megrelishvili protocols, as well as

Hash functions

• A Cryptographic hash function is an lagorithm that maps data of arbitrarily size (messages) to fixed-size values (called hash values, digests or hashes).. • It is a

A tight bound for exhaustive key search attacks against Message Authentication Codes

By reproducing the same reasoning as in Section 3, we observe that the expected number of seed/digest pairs before the attack is successful is here again Θ ( k/a ), where k is

The cryptographic strength of HMAC depends on the properties of the underlying hash function

The security of the message authentication mechanism presented here depends on cryptographic properties of the hash function H: the resistance to collision finding (limited to

In sections 2 and 3 test cases for HMAC-RIPEMD160 and HMAC-RIPEMD128, respectively are provided

HMAC-RIPEMD160 and HMAC-RIPEMD128 are two constructs of the HMAC [HMAC] message authentication function using the RIPEMD-160 and RIPEMD-128 [RIPE] hash functions.. The test

Abstract The IPsec protocol suite is used to provide privacy and authentication services at the IP layer

encryption algorithms are used for ESP, the DOI document has to indicate certain values, such as an encryption algorithm identifier, so these documents provide input to the

Abstract This document defines two methods for wrapping an HMAC (Hashed Message Authentication Code) key

Wrapping a Hashed Message Authentication Code (HMAC) key with a Triple-Data Encryption Standard (DES) Key or an Advanced Encryption Standard (AES) Key Status of