1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

Click here to load reader

  • date post

    21-Dec-2015
  • Category

    Documents

  • view

    216
  • download

    1

Embed Size (px)

Transcript of 1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

  • Slide 1
  • 1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1
  • Slide 2
  • 2 Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Mahasiswa dapat menjelaskan IP Security dan SSL
  • Slide 3
  • 3 Outline Materi Konsep IP Security Arsitecture IP security Protokol dasar SSL Arsitektur SSL
  • Slide 4
  • 4 Security facilities in TCP/IP
  • Slide 5
  • 5 IP Security Overview IPSec is not a single protocol. IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication. General IP Security mechanisms provides Authentication Confidentiality Key management Applicable to use over LANs, across public and private WANs, and for the Internet
  • Slide 6
  • 6 IP Security Overview Applications of IPSec Secure branch office connectivity over the Internet Secure remote access over the Internet Establsihing extranet and intranet connectivity with partners Enhancing electronic commerce security
  • Slide 7
  • 7 IP Security Overview Benefits of IPSec Transparent to applications (below transport layer (TCP, UDP) Provide security for individual users IPSec can assure that: A router or neighbor advertisement comes from an authorized router A redirect message comes from the router to which the initial packet was sent A routing update is not forged provides strong security to all traffic crossing the perimeter
  • Slide 8
  • 8 IP Security Scenario
  • Slide 9
  • 9 Authentication Header Authentication Header (AH) provides support for data integrity & authentication of IP packets End system/router can authenticate user/app Prevents address spoofing attacks by tracking sequence numbers Based on use of a MAC HMAC-MD5-96 or HMAC-SHA-1-96 Parties must share a secret key
  • Slide 10
  • 10 Authentication Header Provides support for data integrity and authentication (MAC code) of IP packets. Guards against replay attacks.
  • Slide 11
  • 11 AH Authentication Tunnel Mode AH Authentication
  • Slide 12
  • 12 Security Associations Security Association (SA) is a one-way relationship between sender & receiver that affords security for traffic flow Defined by 3 parameters: Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier Has a number of other parameters seq no, AH & EH info, lifetime etc Have a database of Security Associations
  • Slide 13
  • 13 ESP Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality Can optionally provide the same authentication services as AH Supports range of ciphers, modes, padding DES, Triple-DES, RC5, IDEA, CAST, etc CBC most common Pad to meet blocksize, for traffic flow
  • Slide 14
  • 14 ESP ESP Encryption and Authentication
  • Slide 15
  • 15 Algorithms Encryption & Authentication Algorithms Encryption: Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish Authentication: HMAC-MD5-96 HMAC-SHA-1-96
  • Slide 16
  • 16 Transport & Tunnel Modes
  • Slide 17
  • 17 Transport & Tunnel Mode ESP Transport mode is used to encrypt & optionally authenticate IP data Data protected but header left in clear Can do traffic analysis but is efficient Good for ESP host to host traffic Tunnel mode encrypts entire IP packet Add new header for next hop Good for VPNs, gateway to gateway security
  • Slide 18
  • 18 SSL and TLS SSL was originated by Netscape TLS working group was formed within IETF First version of TLS can be viewed as an SSLv3.1
  • Slide 19
  • 19 SSL Architecture
  • Slide 20
  • 20 Handshake Protocol The most complex part of SSL. Allows the server and client to authenticate each other. Negotiate encryption, MAC algorithm and cryptographic keys. Used before any application data are transmitted.
  • Slide 21
  • 21 Handshake Protocol Action