1 Pertemuan 11 IPSec dan SSL Matakuliah : H0242 / Keamanan Jaringan Tahun : 2006 Versi : 1
1
Pertemuan 11IPSec dan SSL
Matakuliah : H0242 / Keamanan Jaringan
Tahun : 2006
Versi : 1
2
Learning Outcomes
Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu :
–Mahasiswa dapat menjelaskan IP Security dan SSL
3
Outline Materi
• Konsep IP Security• Arsitecture IP security• Protokol dasar SSL• Arsitektur SSL
4
Security facilities in TCP/IP
5
IP Security Overview
• IPSec is not a single protocol.• IPSec provides a set of security algorithms plus a
general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.• General IP Security mechanisms provides– Authentication– Confidentiality– Key management
• Applicable to use over LANs, across public and private WANs, and for the Internet
6
IP Security Overview
• Applications of IPSec– Secure branch office connectivity over the
Internet– Secure remote access over the Internet– Establsihing extranet and intranet connectivity
with partners– Enhancing electronic commerce security
7
IP Security Overview
• Benefits of IPSec– Transparent to applications (below transport
layer (TCP, UDP)– Provide security for individual users– IPSec can assure that:• A router or neighbor advertisement comes
from an authorized router• A redirect message comes from the router
to which the initial packet was sent• A routing update is not forged• provides strong security to all traffic
crossing the perimeter
8
IP Security Scenario
9
Authentication Header
• Authentication Header (AH) provides support for data integrity & authentication of IP packets– End system/router can authenticate user/app– Prevents address spoofing attacks by tracking
sequence numbers• Based on use of a MAC– HMAC-MD5-96 or HMAC-SHA-1-96
• Parties must share a secret key
10
Authentication Header
• Provides support for data integrity and authentication (MAC code) of IP packets.
• Guards against replay attacks.
11
AH Authentication
Tunnel Mode AH Authentication
12
Security Associations
• Security Association (SA) is a one-way relationship between sender & receiver that affords security for traffic flow
• Defined by 3 parameters:– Security Parameters Index (SPI)– IP Destination Address– Security Protocol Identifier
• Has a number of other parameters– seq no, AH & EH info, lifetime etc
• Have a database of Security Associations
13
ESP
• Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality
• Can optionally provide the same authentication services as AH
• Supports range of ciphers, modes, padding– DES, Triple-DES, RC5, IDEA, CAST, etc– CBC most common– Pad to meet blocksize, for traffic flow
14
ESP
ESP Encryption and Authentication
15
Algorithms
Encryption & Authentication Algorithms
– Encryption:• Three-key triple DES• RC5• IDEA• Three-key triple IDEA• CAST• Blowfish
– Authentication:• HMAC-MD5-96• HMAC-SHA-1-96
16
Transport & Tunnel Modes
17
Transport & Tunnel Mode ESP
• Transport mode is used to encrypt & optionally authenticate IP data– Data protected but header left in clear– Can do traffic analysis but is efficient– Good for ESP host to host traffic
• Tunnel mode encrypts entire IP packet– Add new header for next hop– Good for VPNs, gateway to gateway security
18
SSL and TLS
• SSL was originated by Netscape• TLS working group was formed within IETF• First version of TLS can be viewed as an SSLv3.1
19
SSL Architecture
20
Handshake Protocol
• The most complex part of SSL.• Allows the server and client to authenticate each
other.• Negotiate encryption, MAC algorithm and
cryptographic keys.• Used before any application data are transmitted.
21
Handshake Protocol Action