1. A Technical Comparison of IPSec and SSL
  • Computer and Network Security Course, IUG of Gaza
  • March 26th, 2013

2. Islamic University of Gaza, Faculty of Engineering, Computer Department
  • ECOM 6321: Computer and Network Security
  • Prepared by: Eng. Nadeer Ataya A. Abu Jrair
  • Supervisor: Prof. Mohammad A. Mikki

3. AbdelNasir Alshamsi, Takamichi Saito
  • Tokyo University of Technology

4. Agenda
  • Abstract
  • Introduction
  • IPSec
  • SSL (Secure Socket Layer)
  • Comparison of IPSec and SSL
  • Conclusion
  • Questions
  • References

5. Abstract
  • IPSec (IP Security) and SSL (Secure Socket Layer) have been the most robust and most potential tools available for securing communications over the Internet.
  • Both IPSec and SSL have advantages and shortcomings.
  • Yet no paper has been found comparing the two protocols in terms of characteristic and functionality.
  • Our objective is to present an analysis of security

6. Introduction
  • Securing data over the network is a hard and complicated issue, while the threat of data modification and data interruption is rising.
  • The goal of network security is to provide confidentiality, integrity and authenticity.
  • Confidentiality is keeping the data secret from the unintended listeners on the network.
  • Integrity is ensuring that the received data is the data that was actually sent.
  • Authenticity is proving the identity of the endpoint, to ensure that the endpoint is the intended entity to communicate with.

7. Introduction
  • Using both strong authentication and encryption algorithms protects the data, but it will decrease the transmission rate and could induce CPU consumption.
  • With the recent development of security tools, many protocols and powerful tools have been proposed, but the most famous, secure and widely deployed are IPSec (IP Security) and SSL (Secure Socket Layer).
  • In this paper we will provide a technical comparison of IPSec and SSL: the similarities and the differences of the cryptographic properties.

8. IPSec
  • IPSec is an IP layer protocol that enables the sending and receiving of cryptographically protected packets of any kind (TCP, UDP, ICMP, etc.) without any modification.
  • IPSec provides two kinds of cryptographic services. Based on necessity, IPSec can provide confidentiality and authenticity, or it can provide authenticity only:
    • ESP (Encapsulated Security Payload)
    • AH (Authentication Header)

9. IPSec
  • The ESP header includes the necessary information for decrypting and authenticating the data, whereas the AH header includes the necessary information required for authenticating the protected data.

10. IPSec
  • Establishing an IPSec connection requires two phases.
  • Phase 1 has two modes: Main Mode and Aggressive Mode. The differences between these two modes are the number of messages exchanged and the ID protection.
  • PSK (Phase-shift keying).
  • Phase 2 has one mode: Quick Mode.

11. SSL (Secure Socket Layer)
  • SSL is an Application layer protocol.
  • SSL is mostly utilized to protect HTTP transactions, and has been used for other purposes like IMAP and POP, etc.
  • Internet Message Access Protocol (IMAP), Post Office Protocol (POP).
  • SSL is compatible with applications running only over TCP, but some modifications are required for the applications to run over SSL.

12. SSL (Secure Socket Layer)
  • SSL is composed of the following protocols:
    • Handshake protocol
    • Change Cipher Spec protocol
    • Alert protocol
    • Application Data protocol

13. SSL (Secure Socket Layer)
  • The Handshake protocol is used to perform authentication and key exchanges.
  • The Change Cipher Spec protocol is used to indicate that the chosen keys will now be used.
  • The Alert protocol is used for signaling errors and session closure.
  • The Application Data protocol transmits and receives encrypted data.

14. Comparison of IPSec and SSL: 1. Authentication Algorithm
  • IPSec supports the use of Digital Signature and the use of a Secret Key Algorithm.
  • SSL supports only the use of Digital Signature.
  • The use of a random 2048 bit Secret Key is considered as strong as any other authentication method.

15. Comparison of IPSec and SSL: 2. Authentication Method
  • IPSec supports one type of authentication method: Mutual Authentication.
  • SSL supports various types of authentication, such as Server Authentication, Client Authentication.

16. Comparison of IPSec and SSL: 3. MAC (Message Authentication Code)
  • MAC is used for authenticating the exchanged messages after the connection is established.
  • The strength of the Hash Algorithm is based on the length of the output.
  • The Hash Length of SSL is longer than that of IPSec.

17. Comparison of IPSec and SSL: 4. Connection Mode
  • IPSec has two connection modes:
    • Tunnel Mode: this is established between Gateway to Gateway, Gateway to Host and Host to Host. It requires adding a new IP header to the original packet.
    • Transport Mode: Transport Mode is a Host to Host connection. The data between the two entities are encrypted.
  • SSL is one connection per one session type.

18. Comparison of IPSec and SSL: 5. Cipher List Proposal
  • Because IPSec is a two phase protocol, it has a unique function called bi-directional.
  • SSL is a one direction protocol.

19. Comparison of IPSec and SSL: 6. Interoperability
  • IPSec doesn't integrate well with other IPSec vendors. Some cases require some modification.
  • SSL is trouble free and well integrated.

20. Comparison of IPSec and SSL: 7. Overhead Size
  • One disadvantage of IPSec is the extra size added to the original packet.
  • SSL needs less overhead than IPSec.

21. Comparison of IPSec and SSL: 8. Residing Layer
  • IPSec resides in the IP layer, which allows it to work with the above layers smoothly.
  • SSL resides in the Application layer, and that is a problem for some applications to work with SSL.

22. Comparison of IPSec and SSL: 9. Time of Handshake Process

23. Comparison of IPSec and SSL: 10. Perfect Forward Secrecy
  • Both IPSec and SSL use PFS (Perfect Forward Secrecy) in their resumption session.
  • In the case of IPSec, the main goal for Phase 1 beside authentication is producing the encryption key required to safeguard the Phase 2 exchange.
  • In the case of SSL, PFS is implemented in the same manner as with IPSec when Ephemeral Diffie-Hellman is negotiated.
  • The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.

24. Comparison of IPSec and SSL: 11. Order of Cryptographic Operations
  • IPSec encrypts the data first, then creates the MAC for the encrypted data.
  • If modified data were inserted in the middle of a transaction, IPSec would verify the MAC before performing any decryption process.

25. Comparison of IPSec and SSL: 11. Order of Cryptographic Operations
  • SSL is the opposite: it creates the MAC for the plaintext first, then encrypts the data.
  • SSL, on the other hand, is obligated to decrypt first and then verify the MAC, which could result in wasting CPU on decrypting modified packets.

26. Conclusion

| Function                 | IPSec | SSL          |
|--------------------------|-------|--------------|
| Configuration            | Hard  | Easy         |
| Client Authentication    | Must  | Option       |
| Pre-Shared Key           | Yes   | No           |
| Interoperability Problem | Yes   | No           |
| TCP Application Support  | All   | Some         |
| UDP Support              | Yes   | No           |
| Throughput Rate          | High  | High         |
| Compression Support      | Yes   | OpenSSL only |
| Handshake Time           | Slow  | Fast         |

27. Questions

28. References
  1. Sheila Frankel, "Demystifying the IPSec Puzzle", Artech House Publisher, 2001.
  2. Eric Rescorla, "SSL and TLS: Designing and Building Secure Systems", Addison-Wesley, 3rd Printing, Aug. 2001.
  3. www.freeswan.com
  4. www.stunnel.org

29. Thank you!
  • Thank you for your attention!
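The ordering difference described in slides 24 and 25, as an added example that is not part of the original slides: a receiver that gets 100 tampered packets under each ordering, with a count of how many decryptions it had to perform before rejecting them. The class and function names are hypothetical, the HMAC-based keystream is a stand-in for a real cipher, and the sample packets are constructed.

```python
import hashlib, hmac, os

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

class Endpoint:  # session keys plus a count of decryptions performed on receipt
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.decrypt_calls = enc_key, mac_key, 0

    def _xor_stream(self, nonce, data):
        # Stand-in stream cipher (HMAC-SHA256 keystream); not a production cipher.
        pad = b"".join(hmac.new(self.enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                       for i in range(0, len(data), 32))
        return bytes(a ^ b for a, b in zip(data, pad))

    def _tag(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()

    # Slide 24 order: encrypt first, then MAC the ciphertext.
    def seal_encrypt_then_mac(self, plaintext):
        nonce = os.urandom(16)
        body = nonce + self._xor_stream(nonce, plaintext)
        return body + self._tag(body)

    def open_encrypt_then_mac(self, packet):
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return None  # rejected before any decryption
        self.decrypt_calls += 1
        return self._xor_stream(body[:16], body[16:])

    # Slide 25 order: MAC the plaintext, then encrypt plaintext and MAC together.
    def seal_mac_then_encrypt(self, plaintext):
        nonce = os.urandom(16)
        return nonce + self._xor_stream(nonce, plaintext + self._tag(plaintext))

    def open_mac_then_encrypt(self, packet):
        self.decrypt_calls += 1  # must decrypt to reach the MAC
        inner = self._xor_stream(packet[:16], packet[16:])
        plaintext, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
        return plaintext if hmac.compare_digest(tag, self._tag(plaintext)) else None

def forgery_cost(seal_name, open_name, n=100):
    """Flip one ciphertext bit in n constructed packets; return (accepted, decrypt_calls)."""
    ep, accepted = Endpoint(os.urandom(32), os.urandom(32)), 0
    for i in range(n):
        pkt = bytearray(getattr(ep, seal_name)(b"constructed sample payload %d" % i))
        pkt[20] ^= 0x01  # tamper with one ciphertext byte in transit
        accepted += getattr(ep, open_name)(bytes(pkt)) is not None
    return accepted, ep.decrypt_calls
```

Both orderings reject every tampered packet; the difference is that the encrypt-then-MAC receiver does so with zero decryptions, while the MAC-then-encrypt receiver decrypts all 100 first.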