Page 1: Meeting 11, IPSec and SSL. Course: H0242 / Keamanan Jaringan (Network Security). Year: 2006. Version: 1.

Meeting 11: IPSec and SSL

Course: H0242 / Keamanan Jaringan (Network Security)

Year: 2006

Version: 1

Page 2

Learning Outcomes

By the end of this meeting, students are expected to be able to:

– Students are able to explain IP Security and SSL

Page 3

Material Outline

• IP Security concepts
• IP Security architecture
• Basic SSL protocol
• SSL architecture

Page 4

Security facilities in TCP/IP

Page 5

IP Security Overview

• IPSec is not a single protocol.
• IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
• General IP Security mechanisms provide:
  – Authentication
  – Confidentiality
  – Key management
• Applicable for use over LANs, across public and private WANs, and for the Internet

Page 6

IP Security Overview

• Applications of IPSec
  – Secure branch office connectivity over the Internet
  – Secure remote access over the Internet
  – Establishing extranet and intranet connectivity with partners
  – Enhancing electronic commerce security

Page 7

IP Security Overview

• Benefits of IPSec
  – Transparent to applications (it sits below the transport layer: TCP, UDP)
  – Provides security for individual users
  – IPSec can assure that:
    • A router or neighbor advertisement comes from an authorized router
    • A redirect message comes from the router to which the initial packet was sent
    • A routing update is not forged
  – Provides strong security to all traffic crossing the perimeter

Page 8

IP Security Scenario

Page 9

Authentication Header

• Authentication Header (AH) provides support for data integrity & authentication of IP packets
  – End system/router can authenticate user/app
  – Prevents address spoofing attacks by tracking sequence numbers
• Based on use of a MAC
  – HMAC-MD5-96 or HMAC-SHA-1-96
• Parties must share a secret key

Page 10

Authentication Header

• Provides support for data integrity and authentication (via a MAC) of IP packets.

• Guards against replay attacks.

Page 11

AH Authentication

Tunnel Mode AH Authentication

Page 12

Security Associations

• A Security Association (SA) is a one-way relationship between sender & receiver that affords security for the traffic flow
• Defined by 3 parameters:
  – Security Parameters Index (SPI)
  – IP Destination Address
  – Security Protocol Identifier
• Has a number of other parameters
  – sequence number, AH & ESP info, lifetime, etc.
• Each party keeps a database of Security Associations
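An added example (not from the slides) that ties slides 9, 10 and 12 together in Python: an SA database keyed by the (SPI, destination address, protocol) triple, the HMAC-SHA-1-96 / HMAC-MD5-96 truncation used for the AH integrity check value, and the sliding-window sequence-number check that guards against replay. The SPI, address, key and window size are constructed sample values.

```python
import hmac
import hashlib

PROTO_AH = 51
WINDOW = 64   # anti-replay window size in packets
# Constructed sample SA database keyed by the SA triple (SPI, destination, protocol);
# key, MAC algorithm and anti-replay state are among the SA's "other parameters".
SADB = {
    (0x1000, "10.0.0.2", PROTO_AH): {
        "algo": "sha1",                       # HMAC-SHA-1-96 ("md5" gives HMAC-MD5-96)
        "key": b"constructed-shared-secret",  # both parties must hold this key
        "last_seq": 0,                        # highest sequence number accepted so far
        "bitmap": 0,                          # bit i set => seq last_seq - i already seen
    },
}

def ah_auth_data(spi: int, seq: int, payload: bytes) -> bytes:
    """Bytes covered by the ICV (a real AH also covers the immutable IP header
    fields, with mutable fields and the ICV field itself zeroed)."""
    return spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload

def icv_96(key: bytes, algo: str, data: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-1-96: the full HMAC truncated to its first 96 bits."""
    return hmac.new(key, data, getattr(hashlib, algo)).digest()[:12]

def anti_replay_update(sa: dict, seq: int) -> bool:
    """Sliding-window check: accept and record a new seq; reject 0, duplicates, too old."""
    if seq == 0:
        return False
    if seq > sa["last_seq"]:                  # window slides forward
        shift = seq - sa["last_seq"]
        sa["bitmap"] = ((sa["bitmap"] << shift) | 1) & ((1 << WINDOW) - 1)
        sa["last_seq"] = seq
        return True
    diff = sa["last_seq"] - seq
    if diff >= WINDOW or (sa["bitmap"] >> diff) & 1:
        return False                          # older than the window, or a replay
    sa["bitmap"] |= 1 << diff
    return True

def verify_ah(spi: int, dst: str, seq: int, payload: bytes, icv: bytes) -> bool:
    """Receiver side: find the SA, verify the ICV (constant-time compare), then apply
    the replay window; ICV first so that forged packets cannot advance the window."""
    sa = SADB.get((spi, dst, PROTO_AH))
    if sa is None:
        return False
    expected = icv_96(sa["key"], sa["algo"], ah_auth_data(spi, seq, payload))
    if not hmac.compare_digest(expected, icv):
        return False
    return anti_replay_update(sa, seq)
```

The sender computes `icv_96(key, algo, ah_auth_data(spi, seq, payload))` with the same SA parameters; a packet whose ICV was computed over a different sequence number or payload fails the check, and a correct packet presented twice fails the window.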

Page 13

ESP

• Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality
• Can optionally provide the same authentication services as AH
• Supports a range of ciphers, modes, padding
  – DES, Triple-DES, RC5, IDEA, CAST, etc.
  – CBC most common
  – Pad to meet the block size, and for traffic flow confidentiality

Page 14

ESP

ESP Encryption and Authentication

Page 15

Algorithms

Encryption & Authentication Algorithms

– Encryption:
  • Three-key triple DES
  • RC5
  • IDEA
  • Three-key triple IDEA
  • CAST
  • Blowfish
– Authentication:
  • HMAC-MD5-96
  • HMAC-SHA-1-96

Page 16

Transport & Tunnel Modes

Page 17

Transport & Tunnel Mode ESP

• Transport mode is used to encrypt & optionally authenticate the IP data
  – Data protected, but header left in clear
  – Allows traffic analysis, but is efficient
  – Good for ESP host-to-host traffic
• Tunnel mode encrypts the entire IP packet
  – Adds a new header for the next hop
  – Good for VPNs, gateway-to-gateway security
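An added Python example (not from the slides) covering the ESP padding rule from slide 13 and the transport/tunnel distinction from this slide: it builds the ESP trailer (Padding, Pad Length, Next Header) so the plaintext fills whole CBC blocks, optionally with extra dummy blocks for traffic-flow confidentiality, and shows which bytes of a packet stay in clear and which go to the cipher in each mode. The cipher call itself is left out; the addresses, SPI and the minimal IPv4 header are constructed.

```python
import struct

PROTO_TCP = 6
PROTO_IPIP = 4   # ESP Next Header meaning "a whole IP packet follows" (tunnel mode)
PROTO_ESP = 50

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal constructed IPv4 header (no options, checksum left zero), for illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_pad_len(plaintext_len: int, block_size: int, extra_blocks: int = 0) -> int:
    """Padding so that payload + Padding + Pad Length (1) + Next Header (1) fills whole
    cipher blocks (8 for DES/3DES/IDEA/CAST/Blowfish in CBC). extra_blocks adds dummy
    blocks to hide the true payload size (limited traffic-flow confidentiality)."""
    pad = (-(plaintext_len + 2)) % block_size + extra_blocks * block_size
    if pad > 255:
        raise ValueError("ESP padding cannot exceed 255 bytes")
    return pad

def esp_plaintext(payload: bytes, next_header: int, block_size: int, extra_blocks: int = 0) -> bytes:
    """Payload || Padding || Pad Length || Next Header: the bytes handed to the cipher.
    Default padding is the self-describing sequence 1, 2, 3, ..."""
    pad_len = esp_pad_len(len(payload), block_size, extra_blocks)
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def esp_encapsulate(ip_header: bytes, ip_payload: bytes, proto: int, mode: str,
                    spi: int, seq: int, block_size: int = 8, new_header: bytes = b""):
    """Split one outgoing packet into (bytes sent in clear, bytes to be encrypted).
    Transport mode: the original IP header stays in clear, only its payload is protected.
    Tunnel mode: the entire original packet is protected and a new outer header
    (new_header, addressed to the next hop / gateway) is prepended."""
    esp_header = struct.pack("!II", spi, seq)   # SPI + sequence number, never encrypted
    if mode == "transport":
        return ip_header + esp_header, esp_plaintext(ip_payload, proto, block_size)
    if mode == "tunnel":
        if not new_header:
            raise ValueError("tunnel mode needs a new outer IP header")
        return new_header + esp_header, esp_plaintext(ip_header + ip_payload, PROTO_IPIP, block_size)
    raise ValueError("mode must be 'transport' or 'tunnel'")

if __name__ == "__main__":
    # Constructed sample: a 5-byte TCP segment from 10.0.0.1 to 10.0.0.2
    inner = ipv4_header("10.0.0.1", "10.0.0.2", PROTO_TCP, 5)
    clear, enc = esp_encapsulate(inner, b"hello", PROTO_TCP, "transport", 0x100, 1)
    print("transport: clear =", clear.hex(), "| encrypt =", enc.hex())
    outer = ipv4_header("192.0.2.1", "198.51.100.1", PROTO_ESP, 0)
    clear, enc = esp_encapsulate(inner, b"hello", PROTO_TCP, "tunnel", 0x100, 1, new_header=outer)
    print("tunnel:    clear =", clear.hex(), "| encrypt =", enc.hex())
```

In transport mode the inner addresses 10.0.0.1 and 10.0.0.2 appear in the clear part (hence the traffic-analysis remark above); in tunnel mode only the outer gateway addresses do, and the original header sits inside the encrypted bytes.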

Page 18

SSL and TLS

• SSL was originated by Netscape
• The TLS working group was formed within the IETF
• The first version of TLS can be viewed as SSLv3.1

Page 19

SSL Architecture

Page 20

Handshake Protocol

• The most complex part of SSL.
• Allows the server and client to authenticate each other.
• Negotiates the encryption algorithm, MAC algorithm and cryptographic keys.
• Used before any application data are transmitted.

Page 21

Handshake Protocol Action