Distributed Systems Security Protocols (Network-/Transport Layer)
PD Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck http://www.it...
Distributed Systems Security Protocols (Network-/Transport Layer)
PD Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck http://www.itm.uni-luebeck.de/people/pfisterer
Overview • Until now – Security on Different Layers – Security on Physical & Data-Link Layer • Mostly security in wireless networks • Bluetooth, GSM / GPRS / UMTS, Wireless LANs
• Today – Security on Network & Transport Layer – IPSec – Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Security - 07c Network and Transport Layer
#2
Why is IP unsecure? Attack Security Objective Traffic-Analysis Anonymity Message Interception Confidentiality Modification of Messages Integrity Discard messages / Availability (Denial-of-Service attack) TTL-Field modification IP-address spoofing Authenticity Security - 07c Network and Transport Layer
#3
IPSec
IPSec • IPSec = IP security – Initiated 1994 by the Internet Architecture Board (IAB) – Reaction to increasing number of attacks on IP (IP Spoofing,…) – Addition to IPv6, integral part of IPv6
• Defined in numerous RFCs – Architecture, Authentication, Confidentiality, and Key Management/Distribution – – – – –
RFC 4301: Security Architecture for IP RFC 4302: IP Authentication Header RFC 4303: IP Encapsulating Security Payload (ESP) RFC 4306: Internet Key Exchange (IKEv2) Protocol ... Security - 07c Network and Transport Layer
#5
IPSec
HTTP
• Security service on Network Layer – Typically supplied by the OS – Transparent for applications (can remain unchanged)
FTP
SMTP
UDP / TCP IP / IPSec
• Often used for Virtual Private Networks (VPNs) – Secure data transmission over unsecure Internet links – Interconnection of different organization-internal networks – Cost-effective interconnection means Security - 07c Network and Transport Layer
#6
IPSec Application Examples
Security - 07c Network and Transport Layer
#7
IPSec Clients • Often IPSec clients are so-called „road warriors “ • Mobile clients that require secure access to company networks • Support exists in many operations systems – Windows, Linux, Mac OS, iOS, ... Security - 04 Cryptology
#8
Fundamentals & Concepts
Protocols
Algorithms
Architecture (RFC 4301)
ESP (RFC 4303)
AH (RFC 4302)
Encryption (RFC 2405)
Authentication (RFC 2404)
DOI (RFC 2407)
Key Management DOI: Domain of Interpretation
ISAKMP, IKE, others Security - 07c Network and Transport Layer #9
IPSec architecture • Security mechanisms implemented using IP Extension Header • Two types