Security Protocols and Modes
The Encapsulating Security Payload (ESP) protocol is an IPsec protocol that provides encryption (confidentiality) and authentication (connectionless integrity and data origin authentication). It does this by encrypting and authenticating each IP packet of a communication session.
The Authentication Header (AH) protocol is an IPsec protocol that provides the same connectionless integrity and data origin authentication as ESP, but it does not encrypt, so it does not provide confidentiality. AH protects the IP packet and also the additional headers that AH adds.
These two protocols may be applied alone or together to provide the desired security services. The security they provide depends on the cryptographic algorithms that are applied. They are algorithm-independent, which lets new algorithms be added without affecting other parts of the implementation.
These protocols also support the two IPsec modes: transport and tunnel.
Transport mode protects the IP payload carrying upper-layer protocols such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). AH and ESP intercept packets from the transport layer that are intended for the network layer, protect the transport header, and provide the configured security. Transport mode provides end-to-end security where the communications endpoint is also the cryptographic endpoint.
Tunnel mode protects data by encapsulating entire packets, which are decapsulated by a security gateway.
Tunnel mode may be used with security gateways where the destination of the packet differs from the security endpoint.
Opportunistic Encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt the communications channel and otherwise falls back to unencrypted communications. This method requires no pre-arrangement between the two systems.
A Message Authentication Code (MAC) is a short piece of information that is used to authenticate a message, using an algorithm known as HMAC (keyed-hash message authentication code). HMAC takes as input a portion of the message and a secret key and produces a MAC as output. This MAC value is stored in the Authentication Data field of the AH header. The calculation takes place over the entire enclosed TCP segment plus the authentication header. When this IP packet is received at the destination, the same calculation is performed using the same key. If the calculated MAC equals the value of the received MAC, then the packet is assumed to be authentic.
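The sender and receiver calculation described above, as an added example that is not part of the original article. It assumes HMAC-SHA-1 truncated to 96 bits and hypothetical function names (ah_protect, ah_verify), and it covers only the AH header and TCP segment as the text describes; a full AH implementation also includes the immutable IP header fields in the calculation.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12                         # assumed: HMAC-SHA-1-96, digest cut to 96 bits
AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence


def _mac(key, ah_fixed, segment):
    # The Authentication Data field is treated as zero while the MAC is computed,
    # so sender and receiver hash exactly the same bytes.
    data = ah_fixed + b"\x00" * ICV_LEN + segment
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, segment, next_header=6):
    """Sender: return AH header (Authentication Data filled in) + TCP segment."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + _mac(key, fixed, segment) + segment


def ah_verify(key, packet):
    """Receiver: recompute the MAC with the same key; return the segment or None."""
    if len(packet) < AH_FIXED.size + ICV_LEN:
        return None                                    # too short to hold an AH header
    fixed = packet[:AH_FIXED.size]
    received = packet[AH_FIXED.size:AH_FIXED.size + ICV_LEN]
    segment = packet[AH_FIXED.size + ICV_LEN:]
    expected = _mac(key, fixed, segment)
    # Constant-time comparison: do not leak how many leading bytes matched.
    return segment if hmac.compare_digest(received, expected) else None


if __name__ == "__main__":
    key = b"constructed-20B-key!"                      # constructed sample key
    segment = b"constructed TCP segment bytes"         # constructed sample payload
    packet = ah_protect(key, spi=0x1001, seq=1, segment=segment)
    print("authentic:", ah_verify(key, packet) == segment)
    # Flip one bit of the payload in transit: the recomputed MAC no longer matches.
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    print("tampered accepted:", ah_verify(key, tampered) is not None)
```

Because the SPI and sequence number are inside the MAC input, changing either one also causes verification to fail, not only changes to the payload.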
IPsec NAT-Traversal is an enhancement to IPsec and ISAKMP protocols that lets Virtual Private Network (VPN) clients communicate through NAT gateways over the Internet. For example, business travelers commonly use IPsec on their laptops to gain remote VPN access to the central office. When working off-site, these users sometimes need to connect to the Internet through a NAT gateway such as from a hotel. Network Address Translation (NAT) gateways are often part of a company’s firewall and let its Local Area Network (LAN) appear as one IP address to the world. For more information about NAT devices, refer to RFC 1631.
Security Associations: A key concept that appears in both the authentication and confidentiality mechanisms for IP is the Security Association (SA). An association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. If a peer relationship is needed, for two-way secure exchange, then two security associations are required.
Key Management: The key management portion of IPsec involves the determination and distribution of secret keys. The IP Security Architecture document mandates support for two types of key management:
- Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is practical for small, relatively static environments.
- Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration. An automated system is the most flexible but requires more effort to configure and requires more software, so smaller installations are likely to opt for manual key management.