UNIT-V-1


UNIT-V

Network Security-I: Security at Application Layer: Pretty Good Privacy (PGP) and S/MIME. Security

at Transport Layer: Secure Socket Layer (SSL) and Transport Layer Security (TLS), Network

Security-II: Security at the Network Layer: IPSec, System Security.

ELECTRONIC MAIL SECURITY

The protection of e-mail from unauthorized access and inspection is known as electronic mail privacy.
There are two main methods for providing security for electronic mail:

- Pretty Good Privacy (PGP)

- S/MIME

Pretty Good Privacy:

In virtually all distributed environments, electronic mail is the most heavily used network based
application.

Introduction:

PGP is a data encryption and decryption computer program that provides privacy (confidentiality) and
authentication for data communication.

It was created by Phil Zimmermann in 1991.

Use of PGP:

It is used in electronic mail and file storage applications.

PGP is an open-source, freely available software package for e-mail security. It provides authentication
through the use of digital signature, confidentiality through the use of symmetric block encryption,
compression using the ZIP algorithm, and e-mail compatibility using the radix-64 encoding scheme.

PGP incorporates tools for developing a public-key trust model and public-key certificate management

PGP has grown explosively and is now widely used, for the following reasons:

It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX,
Macintosh, and many more. In addition, the commercial version satisfies users who want a product that
comes with vendor support.

It is based on algorithms that have survived extensive public review and are considered extremely
secure. Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption;
CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding.

P.SOLMON CSE DEPT, NIT. Page 1


It has a wide range of applicability, from corporations that wish to select and enforce a standardized
scheme for encrypting files and messages to individuals who wish to communicate securely with others
worldwide over the Internet and other networks.

It was not developed by, nor is it controlled by, any governmental or standards organization. For those
with an instinctive distrust of “the establishment,” this makes PGP attractive.

NOTATIONS

The following symbols are used in PGP:

PGP SERVICES

 Authentication

 Confidentiality

 Compression

 E-Mail Compatibility

 Segmentation

Function (algorithms used): description

Digital signature (DSS/SHA or RSA/SHA): A hash code of a message is created using SHA-1. This
message digest is encrypted using DSS or RSA with the sender’s private key and included with the
message.

Message encryption (CAST, IDEA or three-key Triple DES, with Diffie-Hellman or RSA): A message is
encrypted using CAST-128, IDEA or 3DES with a one-time session key generated by the sender. The
session key is encrypted using Diffie-Hellman or RSA with the recipient’s public key and included
with the message.

Compression (ZIP): A message may be compressed for storage or transmission using ZIP.

E-mail compatibility (radix-64 conversion): To provide transparency for e-mail applications, an
encrypted message may be converted to an ASCII string using radix-64 conversion.



Providing authentication by using PGP:

The sequence of steps for providing authentication using PGP is as follows.

The sender creates a message.

SHA-1 is used to generate a 160-bit hash code of the message.

The hash code is encrypted with RSA using the sender’s private key, and the result is prepended to
the message.

The receiver uses RSA with the sender’s public key to decrypt and recover the hash code.

The receiver generates a new hash code for the message and compares it with the decrypted hash
code. If the two match, the message is accepted as authentic.

Confidentiality by using PGP

Steps for providing confidentiality:

- The sender generates a message and a random 128-bit number to be used as a session key for
this message only.

- The message is encrypted using CAST-128 (or IDEA or 3DES) with the session key.

- The session key is encrypted with RSA using the recipient’s public key and is prepended to
the message.

- The receiver uses RSA with its private key to decrypt and recover the session key.

- The session key is used to decrypt the message.



PGP for both authentication and confidentiality:

COMPRESSION

By default, PGP compresses the message after applying the signature but before encryption. This has
the benefit of saving space both for e-mail transmission and for file storage.

The signature is generated before compression for two reasons; one is that the uncompressed message
and signature can be stored for later verification.

Message encryption is applied after compression to strengthen cryptographic security. Because the
compressed message has less redundancy than the original plaintext, cryptanalysis is more difficult.
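The authentication steps, the confidentiality steps and the sign-then-compress-then-encrypt ordering described above, carried through end to end in Python as an added example (this is not code from the original notes or from any PGP implementation). It uses textbook RSA without padding and SHA-1 for the signature, zlib in place of ZIP, and a SHA-256 counter-mode keystream as a clearly labelled stand-in for CAST-128, because the Python standard library ships no CAST, IDEA or 3DES. The function names (`pgp_send`, `pgp_receive`, `stream_cipher`, `demo`) and the key sizes are my own choices; it needs Python 3.8 or later for `pow(e, -1, phi)`.

```python
import hashlib
import os
import random
import zlib


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test, adequate for an illustrative key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits=512):
    """Textbook RSA (no padding, illustration only): (public=(e, n), private=(d, n))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _i2b(value, n):
    return value.to_bytes((n.bit_length() + 7) // 8, "big")

def sign(message, private_key):
    """Authentication: 160-bit SHA-1 hash, encrypted with the sender's private key."""
    d, n = private_key
    return _i2b(pow(int.from_bytes(hashlib.sha1(message).digest(), "big"), d, n), n)

def verify(message, signature, public_key):
    """Recover the hash with the sender's public key; compare with a freshly computed one."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return pow(int.from_bytes(signature, "big"), e, n) == digest

def stream_cipher(key, data):
    """Stand-in for CAST-128/IDEA/3DES: XOR with a SHA-256 counter-mode keystream.
    Symmetric, so the same call encrypts and decrypts. Not a production cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)

def pgp_send(message, sender_private, recipient_public):
    """Sender: sign, then compress, then encrypt under a one-time 128-bit session key."""
    signature = sign(message, sender_private)
    signed = len(signature).to_bytes(2, "big") + signature + message   # signature prepended
    compressed = zlib.compress(signed)                                 # compression after signing
    session_key = os.urandom(16)                                       # for this message only
    body = stream_cipher(session_key, compressed)
    e, n = recipient_public
    wrapped = _i2b(pow(int.from_bytes(session_key, "big"), e, n), n)  # under recipient's public key
    return len(wrapped).to_bytes(2, "big") + wrapped + body            # wrapped key prepended

def pgp_receive(packet, recipient_private, sender_public):
    """Receiver: unwrap the session key, decrypt, decompress, then verify the signature."""
    d, n = recipient_private
    wrapped_len = int.from_bytes(packet[:2], "big")
    wrapped, body = packet[2:2 + wrapped_len], packet[2 + wrapped_len:]
    session_key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(16, "big")
    signed = zlib.decompress(stream_cipher(session_key, body))
    sig_len = int.from_bytes(signed[:2], "big")
    signature, message = signed[2:2 + sig_len], signed[2 + sig_len:]
    return message, verify(message, signature, sender_public)

def demo(message=b"Meet at the usual place, 09:00."):
    """Round trip between two freshly generated key pairs; returns (message, authentic)."""
    sender_public, sender_private = generate_rsa_keypair()
    recipient_public, recipient_private = generate_rsa_keypair()
    return pgp_receive(pgp_send(message, sender_private, recipient_public),
                       recipient_private, sender_public)
```

`pgp_receive` has to undo the layers in reverse order: it cannot recompute the hash until it has decrypted and decompressed, which is exactly why the sender signs first and compresses second; a signature over the compressed bytes would tie verification to one particular compressor.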

PGP uses the ZIP compression algorithm.

E-MAIL COMPATIBILITY

When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service
is used, then the message digest is encrypted (with the sender’s private key). If the confidentiality
service is used, the message plus signature (if present) are encrypted (with a one-time symmetric
key). Thus, part or all of the resulting block consists of a stream of arbitrary 8-bit octets.

However, many electronic mail systems only permit the use of blocks consisting of ASCII text. To
accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a
stream of printable ASCII characters.

The scheme used for this purpose is the radix-64 algorithm:

- It maps 3 bytes to 4 printable characters.

- It also appends a CRC to detect transmission errors.

PGP also segments messages if they are too big.

PGP Operation – Summary
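The radix-64 conversion with its trailing CRC, as an added example (not code from the notes or from any PGP release). The 3-bytes-to-4-characters mapping is ordinary base64; the checksum is the 24-bit CRC that ASCII-armored OpenPGP messages append on a line beginning with `=` (RFC 4880 section 6.1, initial value 0xB704CE, polynomial 0x1864CFB). The function names `radix64_armor` and `radix64_dearmor` are mine.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """OpenPGP CRC-24 over a byte string (bitwise form from RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def radix64_armor(binary, line_length=64):
    """8-bit data -> printable ASCII: 3 bytes become 4 characters, lines are wrapped,
    and the CRC-24 of the *binary* data is appended as '=' plus 4 radix-64 characters."""
    body = base64.b64encode(binary).decode("ascii")
    lines = [body[i:i + line_length] for i in range(0, len(body), line_length)]
    checksum = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines) + "\n=" + checksum + "\n"


def radix64_dearmor(text):
    """Reverse the conversion. Returns (data, crc_ok); a False crc_ok means the
    text was altered in transit (or by a mail gateway) and must not be trusted."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    crc_line = lines.pop()                      # the final '=XXXX' line
    data = base64.b64decode("".join(lines))
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return data, crc24(data) == expected
```

The CRC detects accidental corruption only; it offers no protection against deliberate modification, which is the job of the signature described earlier.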



SEGMENTATION

- The length of an e-mail message is usually restricted to 50,000 octets. Longer messages are broken up
into smaller segments and mailed separately.

- PGP provides subdivision of messages and reassembly at the receiving end.

S/MIME
Secure/Multipurpose Internet Mail Extension (S/MIME) is a security enhancement to the MIME Internet
e-mail standard.

S/MIME is the industry standard for commercial and organizational use.

It is defined in a number of documents, namely RFC 2630, RFC 2632 and RFC 2633.

It builds on the e-mail format standard RFC 822, which is still in common use. The most recent version
of this format specification is RFC 5322 (Internet Message Format).

RFC 5322 (Internet Message Format).

RFC 5322 defines a format for text messages that are sent using electronic mail. It has been the
standard for Internet-based text mail messages and remains in common use.

Message Structure

A message consists of some number of header lines (the header) followed by unrestricted text (the
body). A header line usually consists of a keyword, followed by a colon, followed by the keyword’s
arguments. Example:

Date: October 8, 2009 2:15:49 PM EDT
From: William Stallings <ws@shore.net>
Subject: The Syntax in RFC 5322



To: Smith@Other-host.com

Cc: Jones@Yet-Another-Host.com

Hello. This section begins the actual message body, which is delimited from the message heading by a
blank line.

Multipurpose Internet Mail Extensions:

Multipurpose Internet Mail Extension (MIME) is an extension to the RFC 5322 framework that is
intended to address some of the problems and limitations of the use of Simple Mail Transfer Protocol
(SMTP).

The following are limitations of the SMTP/5322 scheme.

SMTP cannot transmit executable files or other binary objects. A number of schemes are in use for
converting binary files into a text form that can be used by SMTP mail systems.

SMTP cannot transmit text data that includes national language characters, because these are
represented by 8-bit codes, and SMTP is limited to 7-bit ASCII.

SMTP servers may reject mail messages over a certain size.

SMTP gateways that translate between ASCII and the character code EBCDIC do not use a consistent
set of mappings, resulting in translation problems.

SMTP gateways to X.400 electronic mail networks cannot handle non-textual data included in
X.400 messages.

Some SMTP implementations do not adhere completely to the SMTP standards defined in RFC 821.
Common problems include:

- Deletion, addition, or reordering of carriage return and linefeed

- Truncating or wrapping lines longer than 76 characters

- Removal of trailing white space (tab and space characters)

- Padding of lines in a message to the same length

- Conversion of tab characters into multiple space characters

MIME is intended to resolve these problems in a manner that is compatible with existing RFC 5322
implementations. The specification is provided in RFCs 2045 through 2049.



MIME Header Fields

The five header fields defined in MIME are:

MIME-Version: Must have the parameter value 1.0.

Content-Type: Describes the data contained in the body with sufficient detail that the receiving user
agent can pick an appropriate agent or mechanism to represent the data to the user.

Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the
body of the message in a way that is acceptable for mail transport.

Content-ID: Used to identify MIME entities uniquely in multiple contexts.

Content-Description: A text description of the object within the body; this is useful when the object is
not readable (e.g., audio data).

MIME Content Types

The content type describes the data contained in the body with sufficient detail for the receiver to handle it.

Example

Here is a simple example of a multipart message containing two parts, both consisting of simple
text:

From: Nathaniel Borenstein <nsb@bellcore.com>
To: Ned Freed <ned@innosoft.com>
Subject: Sample message
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="simple boundary"

This is the preamble. It is to be ignored, though it is a handy place for mail composers to include an
explanatory note to non-MIME conformant readers.

--simple boundary
Content-type: text/plain; charset=us-ASCII

This is explicitly typed plain ASCII text. It DOES end with a line break.
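To make the RFC 5322 message structure and the MIME header fields concrete, here is an added example (not from the notes) that parses a constructed two-part message with Python's standard `email` package. The sample message, its addresses and its boundary string are made up for this example; the second part carries non-ASCII text under a `Content-Transfer-Encoding` of base64, which is precisely the 7-bit-transport limitation MIME was designed to work around. The function name `parse_message` is mine.

```python
import base64
from email import message_from_string, policy

# Constructed sample (not the page's example). The second part needs a transfer
# encoding because SMTP cannot carry its 8-bit UTF-8 bytes as-is.
ENCODED_PART = base64.b64encode("Grüße, MIME!".encode("utf-8")).decode("ascii")
SAMPLE = "\n".join([
    "From: Alice Example <alice@example.com>",
    "To: Bob Example <bob@example.com>",
    "Subject: Sample multipart message",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="simple boundary"',
    "",                                                  # blank line ends the header
    "This is the preamble; MIME readers ignore it.",
    "--simple boundary",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "This is explicitly typed plain ASCII text.",
    "--simple boundary",
    "Content-Type: text/plain; charset=utf-8",
    "Content-Transfer-Encoding: base64",
    "Content-Description: text that SMTP could not carry as 8-bit data",
    "",
    ENCODED_PART,
    "--simple boundary--",                               # closing boundary
    "This is the epilogue.",
    "",
])


def parse_message(raw):
    """Split an RFC 5322 message into header fields, top-level MIME type and body parts."""
    msg = message_from_string(raw, policy=policy.default)
    headers = {name: str(msg[name]) for name in ("From", "To", "Subject", "MIME-Version")}
    parts = [{
        "content_type": part.get_content_type(),
        "charset": part.get_content_charset(),
        "transfer_encoding": part.get("Content-Transfer-Encoding", "7bit"),
        "text": part.get_content().rstrip("\n"),          # decoded per CTE and charset
    } for part in msg.iter_parts()]                        # direct children of the multipart
    return {
        "headers": headers,
        "content_type": msg.get_content_type(),
        "boundary": msg.get_boundary(),
        "preamble": (msg.preamble or "").strip(),
        "parts": parts,
    }
```

Because `get_content()` applies the transfer decoding and the declared charset, the caller sees the same text the composer wrote regardless of how it was encoded for transport; a receiving user agent uses exactly these fields (Content-Type, charset, Content-Transfer-Encoding) to choose how to present each part.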

S/MIME Functionality

In terms of general functionality, S/MIME is very similar to PGP. Both offer the ability to sign and/or
encrypt messages. In this subsection, we briefly summarize S/MIME capability.

S/MIME provides the following functions.

Enveloped data: This consists of encrypted content of any type and encrypted content-encryption keys for
one or more recipients.

Signed data: A digital signature is formed by taking the message digest of the content to be signed and
then encrypting that with the private key of the signer. The content plus signature are then encoded using
base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.

    encoded (message + signed digest)

Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case,
only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can
view the message content, although they cannot verify the signature.

    clear text message + encoded (signed digest)

Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data
may be signed and signed data or clear-signed data may be encrypted.

    nesting of signed and encrypted entities

CRYPTOGRAPHIC ALGORITHMS

S/MIME uses the following terminology taken from RFC 2119 (Key Words for use in RFCs to Indicate
Requirement Levels) to specify the requirement level:

MUST: The definition is an absolute requirement of the specification. An implementation must include
this feature or function to be in conformance with the specification.

SHOULD: There may exist valid reasons in particular circumstances to ignore this feature or function,
but it is recommended that an implementation include the feature or function.

S/MIME incorporates three public-key algorithms. The Digital Signature Standard (DSS) is the preferred
algorithm for digital signature.

SECURE SOCKET LAYER


Secure Socket Layer (SSL) provides security services between TCP and applications that use TCP. The
Internet standard version is called Transport Layer Security (TLS).

SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message
authentication code.

SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security mechanisms
and services they will use.

Netscape originated SSL.

SSL Architecture

SSL is designed to make use of TCP to provide a reliable end-to-end secure service.

SSL is not a single protocol but rather two layers of protocols, as illustrated in Figure 16.2.



The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular,
the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server
interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the
Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. These SSL-specific
protocols are used in the management of SSL exchanges.

Two important SSL concepts are the SSL session and the SSL connection, which are defined in the
specification as follows.

Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable
type of service. Every connection is associated with one session.

Session: An SSL session is an association between a client and a server. Sessions are created by the
Handshake Protocol. Sessions define a set of cryptographic security parameters which can be shared
among multiple connections.

A session state is defined by the following parameters.

Session identifier: An arbitrary byte sequence chosen by the server to identify an active or reusable
session state.

Peer certificate: An X.509v3 certificate of the peer. This element of the state may be null.

Compression method: The algorithm used to compress data prior to encryption.

Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES, etc.) and a hash algorithm
(such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the
hash size.

Master secret: 48-byte secret shared between the client and server.

Is reusable: A flag indicating whether the session can be used to initiate new connections.

A connection state is defined by the following parameters

Server and client random: Byte sequences that are chosen by the server and client for each connection.

Server write MAC secret: The secret key used in MAC operations on data sent by the server.

Client write MAC secret: The secret key used in MAC operations on data sent by the client.

Server write key: The secret encryption key for data encrypted by the server and decrypted by the client.

Client write key: The symmetric encryption key for data encrypted by the client and decrypted by the
server.

Initialization vectors: When a block cipher in CBC mode is used, an initialization vector is maintained
for each key. This field is first initialized by the SSL Handshake Protocol.

Sequence numbers: Each party maintains separate sequence numbers for transmitted and received
messages for each connection.

SSL Record Protocol

The SSL Record Protocol provides two services for SSL connections:

Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional
encryption of SSL payloads.

Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a
message authentication code (MAC).

Figure 16.3 indicates the overall operation of the SSL Record Protocol. The Record Protocol takes an
application message to be transmitted, fragments the data into manageable blocks, optionally compresses
the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment.
Received data are decrypted, verified, decompressed, and reassembled before being delivered to higher-
level users.

The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes (16384
bytes) or less.

Next, compression is optionally applied. Compression must be lossless and may not increase the content
length by more than 1024 bytes. In SSLv3 (as well as the current version of TLS), no compression
algorithm is specified, so the default compression algorithm is null.

The next step in processing is to compute a message authentication code over the compressed data. For
this purpose, a shared secret key is used.



The next step is to perform encryption and add a header.
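The Record Protocol pipeline (fragment into blocks of at most 2^14 bytes, MAC with a shared secret key, add the header) and its receiver-side counterpart, as an added example that is not from the notes or from any SSL/TLS implementation. It uses HMAC-SHA256 and the MAC scope of TLS (sequence number, content type, version, length, fragment); the compression step is null as the text says, and the cipher is also null so that the MAC and sequence-number logic stays visible. `RecordWriter`, `RecordReader`, `reassemble` and `accepts` are my names; the constants are the wire values for application data (23) and version 3.3.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14               # 16384 bytes, the record-layer fragmentation limit
CONTENT_APPLICATION_DATA = 23
VERSION = (3, 3)                     # major 3, minor 3 on the wire
MAC_LEN = 32                         # HMAC-SHA256 output length


def fragment(data, limit=MAX_FRAGMENT):
    """Step 1: split an upper-layer message into blocks of at most 2^14 bytes."""
    return [data[i:i + limit] for i in range(0, len(data), limit)] or [b""]


def compute_mac(mac_key, seq_num, content_type, frag):
    """Step 3: MAC over seq_num(8) | type(1) | version(2) | length(2) | fragment.
    Covering the sequence number is what lets the receiver detect replay and reordering."""
    header = struct.pack("!QBBBH", seq_num, content_type, *VERSION, len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha256).digest()


class RecordWriter:
    def __init__(self, mac_key):
        self.mac_key, self.seq_num = mac_key, 0     # write sequence number for this direction

    def protect(self, data, content_type=CONTENT_APPLICATION_DATA):
        records = []
        for frag in fragment(data):                 # step 2 (compression) is null here
            mac = compute_mac(self.mac_key, self.seq_num, content_type, frag)
            body = frag + mac                       # null cipher: nothing is encrypted
            header = struct.pack("!BBBH", content_type, *VERSION, len(body))   # step 4
            records.append(header + body)
            self.seq_num += 1
        return records


class RecordReader:
    def __init__(self, mac_key):
        self.mac_key, self.seq_num = mac_key, 0     # read sequence number for this direction

    def unprotect(self, record):
        content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        if (major, minor) != VERSION or len(body) != length or length < MAC_LEN:
            raise ValueError("decode_error: malformed record")
        frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = compute_mac(self.mac_key, self.seq_num, content_type, frag)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")      # the fatal alert named in the notes
        self.seq_num += 1                           # advance only after a successful check
        return content_type, frag


def reassemble(reader, records):
    """Receiver side: verify each record in order and join the fragments back together."""
    return b"".join(reader.unprotect(record)[1] for record in records)


def accepts(reader, record):
    """True if the reader accepts the record, False if it would raise bad_record_mac."""
    try:
        reader.unprotect(record)
        return True
    except ValueError:
        return False
```

A replayed or reordered record fails the MAC check even though its bytes are untouched, because the receiver's expected sequence number no longer matches the one the sender mixed into the MAC; with a real cipher suite the same check runs after decryption.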

SSL Handshake Protocol

This phase is used to initiate a logical connection between client and server.



It consists of four phases:

- Establish Security Capabilities

- Server Authentication and Key Exchange

- Client Authentication and Key Exchange

- Finish



The exchange is initiated by the client, which sends a client_hello message with the following parameters:

Version: The highest SSL version understood by the client.

Random: A client-generated random structure consisting of a 32-bit timestamp and 28 bytes generated by
a secure random number generator. These values serve as nonces and are used during key exchange to
prevent replay attacks.

Session ID: A variable-length session identifier. A nonzero value indicates that the client wishes to update
the parameters of an existing connection or to create a new connection on this session. A zero value
indicates that the client wishes to establish a new connection on a new session.

Cipher Suite: This is a list that contains the combinations of cryptographic algorithms supported by the
client, in decreasing order of preference. Each element of the list (each cipher suite) defines both a key
exchange algorithm and a Cipher Spec; these are discussed subsequently.

Compression Method: This is a list of the compression methods the client supports.
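The client_hello parameters just listed, serialised and parsed in Python as an added example (not from the notes or from any TLS library). The field layout is the standard one: two version bytes, a 32-byte random field whose first four bytes are the timestamp, a length-prefixed session ID, a length-prefixed list of two-byte cipher suite codes in the client's preference order, and a length-prefixed list of compression methods. The three cipher suite code points are real registry values; the function names and `select_cipher_suite` (a server honouring the client's order) are mine.

```python
import os
import struct
import time

TLS_1_2 = (3, 3)
# Real cipher suite code points; a client lists them in decreasing order of preference.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A


def build_client_hello(cipher_suites, session_id=b"", compression_methods=(0,), version=TLS_1_2):
    """Serialize a ClientHello body (handshake and record headers not included)."""
    random_field = struct.pack("!I", int(time.time())) + os.urandom(28)   # 32-bit time + 28 random bytes
    suites = b"".join(struct.pack("!H", suite) for suite in cipher_suites)
    comps = bytes(compression_methods)                                     # 0 = null compression
    return (bytes(version) + random_field
            + struct.pack("!B", len(session_id)) + session_id              # empty = new session
            + struct.pack("!H", len(suites)) + suites
            + struct.pack("!B", len(comps)) + comps)


def parse_client_hello(data):
    """Parse the body produced above; rejects a malformed cipher_suites vector."""
    version = (data[0], data[1])
    random_field = data[2:34]
    pos = 34
    sid_len = data[pos]
    session_id = data[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    (suites_len,) = struct.unpack_from("!H", data, pos)
    pos += 2
    if suites_len == 0 or suites_len % 2:
        raise ValueError("illegal_parameter: bad cipher_suites length")
    suites = [struct.unpack_from("!H", data, pos + i)[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    comp_len = data[pos]
    comps = list(data[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    return {
        "version": version,
        "timestamp": struct.unpack("!I", random_field[:4])[0],
        "random": random_field,
        "session_id": session_id,
        "new_session": len(session_id) == 0,         # zero-length ID: client wants a new session
        "cipher_suites": suites,
        "compression_methods": comps,
        "trailing": data[pos:],                      # anything after the fixed fields (extensions)
    }


def select_cipher_suite(client_suites, server_supported):
    """Server choice that honours the client's order: first offered suite the server supports."""
    for suite in client_suites:
        if suite in server_supported:
            return suite
    return None                                      # no common suite: handshake_failure
```

Because the random field doubles as a nonce in the key exchange, a parser that tolerated a short random field would silently weaken replay protection; the parser above always takes exactly 32 bytes.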



Change Cipher Spec Protocol

The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record
Protocol, and it is the simplest.

This protocol consists of a single message (Figure 16.5a), which consists of a single byte with the value
1. The sole purpose of this message is to cause the pending state to be copied into the current state.

Alert Protocol

The Alert Protocol is used to convey SSL-related alerts to the peer entity.

Each message in this protocol consists of two bytes (Figure 16.5b). The first byte takes the value
warning (1) or fatal (2) to convey the severity of the message. If the level is fatal, SSL immediately
terminates the connection. The second byte contains a code that indicates the specific alert.

Example Alerts

Fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal
parameter

Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked,
certificate expired, certificate unknown

Unexpected_message: An inappropriate message was received.

Bad_record_MAC: An incorrect MAC was received.



TRANSPORT LAYER SECURITY

TLS was released in response to the Internet community’s demands for a standardized protocol.
TLS (Transport Layer Security), defined in RFC 2246, is a protocol for establishing a secure connection
between a client and a server.

TLS is capable of authenticating both the client and the server and creating an encrypted connection
between the two.

Many protocols use TLS (Transport Layer Security) to establish secure connections, including HTTP,
IMAP, POP3, and SMTP.

The TLS Handshake Protocol first negotiates key exchange using an asymmetric algorithm such as
RSA or Diffie-Hellman.

TLS is very similar to SSLv3.

There are some minor differences ranging from protocol version numbers to generation of key
material.

Version Number: The TLS Record Format is the same as that of the SSL Record Format and the fields
in the header have the same meanings. The one difference is in version values. For the current version of
TLS, the Major Version is 3 and the Minor Version is 3.

Message Authentication Code: Two differences arise, one being the actual algorithm and the other being
the scope of the MAC calculation. TLS makes use of the HMAC algorithm defined in RFC 2104. SSLv3 uses
the same algorithm, except that the padding bytes are concatenated with the secret key rather than being
XORed with the secret key padded to the block length. For TLS, the MAC calculation covers all of the
fields covered by the SSLv3 calculation, plus the field TLSCompressed.version, which is the version of
the protocol being employed.



Pseudorandom Function: TLS makes use of a pseudorandom function referred to as PRF to expand
secrets into blocks of data for purposes of key generation or validation. The PRF is based on a data
expansion function.
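The notes do not reproduce the expansion function, so here is the standard one as an added example (not code from the notes): the `P_hash` construction of RFC 5246 section 5, which TLS 1.2 instantiates with HMAC-SHA256, followed by the two derivations that produce the 48-byte master secret (a session-state parameter above) and the per-connection write MAC secrets, write keys and IVs (connection-state parameters above). `derive_connection_keys` and the chosen key lengths are my own; the labels, concatenation order and output ordering are those of the RFC.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """Data expansion function P_hash (RFC 5246 section 5):
         A(0) = seed,  A(i) = HMAC_hash(secret, A(i-1))
         P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) ||
                                HMAC_hash(secret, A(2) + seed) || ...
    iterated until enough output exists, then truncated to `length` bytes."""
    output, a = b"", seed
    while len(output) < length:
        a = hmac.new(secret, a, digest).digest()                 # A(i)
        output += hmac.new(secret, a + seed, digest).digest()    # next output block
    return output[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF = P_SHA256(secret, label + seed); the label is an ASCII byte string."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(pre_master_secret, client_random, server_random):
    """The 48-byte master secret shared between client and server."""
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def derive_key_block(master_secret, client_random, server_random, length):
    """Key expansion; note that the randoms are concatenated server-first here."""
    return tls12_prf(master_secret, b"key expansion", server_random + client_random, length)


def split_key_block(key_block, mac_len, key_len, iv_len):
    """Slice the key block into the connection-state secrets, in RFC 5246 order."""
    names = ("client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV")
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    if sum(sizes) > len(key_block):
        raise ValueError("key block too short for the requested material")
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


def derive_connection_keys(pre_master_secret, client_random, server_random,
                           mac_len=20, key_len=16, iv_len=16):
    """End-to-end derivation for one handshake (sizes chosen for this example)."""
    master = derive_master_secret(pre_master_secret, client_random, server_random)
    needed = 2 * (mac_len + key_len + iv_len)
    block = derive_key_block(master, client_random, server_random, needed)
    return master, split_key_block(block, mac_len, key_len, iv_len)
```

Each direction gets its own MAC secret and encryption key, which is why the session state holds one master secret but the connection state holds separate client-write and server-write values; a fresh pair of randoms yields a fresh key block from the same master secret.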

Alert Codes

TLS supports all of the alert codes defined in SSLv3 with the exception of no_certificate. A number of
additional codes are defined in TLS. Some of them are:

- Record_overflow

- Unknown_capacity

- Access_denied

- Protocol_version

- Internal_error

- Decrypt_error

IP SECURITY OVERVIEW

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data
authentication, integrity, and confidentiality as data is transferred between communication points across
IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is
organized for transmission across a network, and it includes a header and payload (the data in the packet).
IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could
be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting
data while in transit.

IPSEC SECURITY FEATURES

IPSec is the most secure method commercially available for connecting network sites. IPSec was
designed to provide the following security features when transferring packets across networks:

Authentication: Verifies that the packet received is actually from the claimed sender.

Integrity: Ensures that the contents of the packet did not change in transit.

Confidentiality: Conceals the message content through encryption.



IPSEC ELEMENTS

IPSec contains the following elements:

Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.

Authentication Header (AH): Provides authentication and integrity.

Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

APPLICATIONS OF IPSEC

IPSec provides the capability to secure communications across a LAN, across private and public WANs,
and across the Internet. Examples of its use include the following:

Secure branch office connectivity over the Internet.

Secure remote access over the Internet.

Establishing extranet and intranet connectivity with partners: IPSec can be used to secure
communication with other organizations, ensuring authentication and confidentiality and providing a key
exchange mechanism.

Enhancing electronic commerce security: Even though some Web and electronic commerce
applications have built-in security protocols, the use of IPSec enhances that security.

Figure: An IP Security Scenario

BENEFITS OF IPSEC

IPSec provides strong security within and across the LANs.

A firewall that implements IPSec can restrict all incoming packets that do not use IP. Since the firewall
is the only way to enter an organization’s network, restricted packets cannot enter.

IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.

There is no need to change software on a user or server system when IPSec is implemented in the firewall
or router. Even if IPSec is implemented in end systems, upper- layer software, including applications, is not
affected.



IPSec can be transparent to end users.

IPSec can provide security for individual users if needed.

IP SECURITY ARCHITECTURE

IPSec is mainly constituted by three major components:

- IPSec Documents

- IPSec Services

- Security Associations (SA)

IP Sec Documents:

The IPSec specification consists of numerous documents. The most important of these, issued in
November of 1998, are RFCs 2401, 2402, 2406, and 2408:

RFC 2401: An overview of security architecture

RFC 2402: Description of a packet authentication extension to IPv4 and IPv6

RFC 2406: Description of a packet encryption extension to IPv4 and IPv6

RFC 2408: Specification of key management capabilities

The header for authentication is known as the Authentication Header (AH); that for encryption is known
as the Encapsulating Security Payload (ESP) header.

The documents are divided into seven groups, as depicted in Figure

Figure: IPSec Document Overview



Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining
IPSec technology.

Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use
of the ESP for packet encryption and, optionally, authentication.

Authentication Header (AH): Covers the packet format and general issues related to the use of AH for
packet authentication.

Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for
ESP.

Authentication Algorithm: A set of documents that describe how various authentication algorithms are
used for AH and for the authentication option of ESP.

Key Management: Documents that describe key management schemes.

Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each
other. These include identifiers for approved encryption and authentication algorithms, as well as
operational parameters such as key lifetime.

IPSec Services:

IPSec provides security services at the IP layer by selecting the required security protocols, algorithms
and cryptographic keys according to the services requested.

Two protocols are used to provide security: an authentication protocol designated by the header of the
protocol, Authentication Header (AH); and a combined encryption/authentication protocol designated by
the format of the packet for that protocol, Encapsulating Security Payload (ESP).

These services are:

- Access control

- Connectionless integrity

- Data origin authentication

- Rejection of replayed packets

- Confidentiality

- Limited traffic flow confidentiality



Security Associations

A key concept that appears in both the authentication and confidentiality mechanisms for IP is the
security association (SA). An association is a one-way relationship between a sender and a receiver that
affords security services to the traffic carried on it. If a peer relationship is needed, for two-way secure
exchange, then two security associations are required. Security services are afforded to an SA for the use
of AH or ESP, but not both.

A security association is uniquely identified by three parameters:

Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only.
The SPI is carried in the AH and ESP headers. It enables the receiving system to select the SA under
which a received packet will be processed.

IP Destination Address: The end-point address of the SA, which can be an end-user system or a network
system.

Security Protocol Identifier: Indicates whether the association is an AH or an ESP security association.

SA Parameters

An IPsec implementation contains an SA database which holds the parameters associated with each SA.

Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP
headers.

Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter
should generate an auditable event and prevent further transmission of packets on this SA.

Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay

AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with
AH.

ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes,
and related parameters being used with ESP (required for ESP implementations).
Lifetime of This Security Association: A time interval or byte count after which an SA must be replaced
with a new SA or terminated.

IPSec Protocol Mode: This parameter represents the type of mode used for IPSec implementation.
The mode may be a Tunnel or transport.

Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be
transmitted).
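The SA database and three of the parameters just listed (Sequence Number Counter, Sequence Counter Overflow and Anti-Replay Window) in working form, as an added example that is not from the notes or from any IPsec stack. SAs are keyed by the three identifying values from the previous section (SPI, destination address, protocol); the replay check is the sliding-window scheme of RFC 4303 with a 64-packet window. The class names, the SPI value 0x1000 and the address 10.0.2.1 are constructed for this example.

```python
class SecurityAssociation:
    """One SA with the SAD parameters that matter for sequence numbers and replay."""

    def __init__(self, spi, dst, protocol, window_size=64):
        self.spi, self.dst, self.protocol = spi, dst, protocol   # the three identifying fields
        self.window_size = window_size     # Anti-Replay Window width in packets
        self.highest_seq = 0               # right edge of the window (highest accepted seq)
        self.bitmap = 0                    # bit i set: packet highest_seq - i already received
        self.send_counter = 0              # Sequence Number Counter for outbound packets

    def next_sequence_number(self):
        """Sequence Counter Overflow: refuse to wrap; the SA must be replaced instead."""
        if self.send_counter == 0xFFFFFFFF:
            raise OverflowError("sequence number counter overflow: replace this SA")
        self.send_counter += 1
        return self.send_counter

    def check_replay(self, seq):
        """Sliding-window check. Returns True (and records seq) when the packet is new and
        inside the window; False for replays and for packets left of the window."""
        if seq == 0:
            return False                                   # sequence number 0 is never valid
        if seq > self.highest_seq:                         # new high-water mark: slide the window
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                                   # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                                   # already seen: replay
        self.bitmap |= 1 << offset
        return True


class SADatabase:
    """SAD keyed by (SPI, destination address, security protocol)."""

    def __init__(self):
        self.entries = {}

    def add(self, sa):
        self.entries[(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi, dst, protocol):
        return self.entries.get((spi, dst, protocol))


def process_inbound(sad, spi, dst, protocol, seq):
    """Inbound decision for one AH/ESP packet, given its SPI and sequence number."""
    sa = sad.lookup(spi, dst, protocol)
    if sa is None:
        return "discard: no matching SA"
    if not sa.check_replay(seq):
        return "discard: replayed or outside anti-replay window"
    return "accept"


def build_demo_sad():
    """Constructed SAD with one ESP SA (SPI and address are not from the notes)."""
    sad = SADatabase()
    sad.add(SecurityAssociation(spi=0x1000, dst="10.0.2.1", protocol="ESP"))
    return sad
```

In a real implementation the window is only updated after the packet's integrity check has passed, otherwise an attacker could advance the window with forged sequence numbers and cause legitimate in-flight packets to be dropped; the auditable "replay" outcome above is the event worth alerting on.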

SA Selectors

IPSec provides flexibility in providing services to users according to their needs. For this purpose,
SAs are used. Different combinations of SAs can give different user configurations. IPSec is also
capable of differentiating traffic, i.e., which traffic is allowed to pass and which traffic should be
afforded IPSec protection. IPSec requires the traffic to be associated with a security association. To
associate a particular SA with IP traffic, IPSec maintains a database called the Security Policy
Database (SPD).

The SPD is a table whose entries map a set of IP traffic to one or more SAs.

Selectors are used to define the policy that specifies which packets should be forwarded and which
packets should be rejected, thereby filtering outgoing traffic.

A sequence of steps is performed on the outgoing traffic:

- Compare the values of the appropriate fields in the packet (the selector fields) against the SPD to find a
matching SPD entry, which will point to zero or more SAs.

- Determine the SA, if any, for this packet and its associated SPI. The Security Parameter Index (SPI) is
a field of the IPSec header that uniquely identifies a security association.

- Do the required IPSec processing (i.e., AH or ESP processing).

The following selectors determine an SPD entry:

Destination IP Address: This may be a single IP address, an enumerated list or range of addresses.

Source IP Address: This may be a single IP address, an enumerated list or range of addresses.

User ID: A user identifier from the operating system. This is not a field in the IP or upper-layer headers
but is available if IPSec is running on the same operating system as the user.

Data Sensitivity Level: Used for systems providing information flow security (e.g., Secret or
Unclassified).

Transport Layer Protocol: Obtained from the IPv4 Protocol or IPv6 Next Header field. This may be an
individual protocol number, a list of protocol numbers, or a range of protocol numbers.

Source and Destination Ports: These may be individual TCP or UDP port values, an enumerated list of
ports, or a wildcard port.



Transport and Tunnel Modes

Both AH and ESP support two modes of use: transport and tunnel mode.

The operation of these two modes is best understood in the context of a description of AH and ESP.

Transport Mode:

Transport mode provides protection primarily for upper-layer protocols. That is, transport mode
protection extends to the payload of an IP packet. Transport mode is used for end-to-end communication
between two hosts. ESP in transport mode encrypts and optionally authenticates the IP payload but not the
IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.

Tunnel Mode:

Tunnel mode provides protection to the entire IP packet. To achieve this, after the AH or ESP fields are
added to the IP packet, the entire packet plus security fields is treated as the payload of a new "outer" IP
packet with a new outer IP header. The entire original, or inner, packet travels through a "tunnel" from
one point of an IP network to another; no routers along the way are able to examine the inner IP header.
Because the original packet is encapsulated, the new, larger packet may have totally different source and
destination addresses, adding to the security.

Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router
that implements IPSec. ESP in tunnel mode encrypts and optionally authenticates the entire inner IP
packet, including the inner IP header. AH in tunnel mode authenticates the entire inner IP packet and
selected portions of the outer IP header.

AUTHENTICATION HEADER (AH):

The Authentication Header provides support for data integrity and authentication of IP packets. The data
integrity service ensures that the data inside IP packets is not altered in transit. The authentication
feature enables an end system to authenticate the user or application and filter traffic accordingly. It also
prevents address spoofing attacks (a technique used to gain unauthorized access to computers, whereby the
intruder sends messages to a computer with an IP address indicating that the message is coming from a
trusted host). Authentication is based on the use of a message authentication code (MAC); i.e., the two
communicating parties must share a secret key.



Figure: IPSec Authentication Header

The Authentication Header consists of the following fields:

Next Header (8 bits): Identifies the type of header that immediately follows the AH.

Payload Length: Length of Authentication Header in 32-bit words.

Reserved (16 bits): For future use.

Security Parameters Index (32 bits): Identifies a security association.

Sequence Number (32 bits): A monotonically increasing counter value.

Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words)
that contains the Integrity Check Value (ICV), or MAC, for this packet.

Anti-Replay Service:

A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it
to the intended destination. The receipt of duplicate, authenticated IP packets may disrupt service in some
way or may have some other undesired consequence. The Sequence Number field is designed to stop such
attacks.

Figure: Anti-replay Mechanism

When a new SA is established, the sender initializes a sequence number counter to 0. Each time that a
packet is sent on this SA, the sender increments the counter and places the value in the Sequence Number
field. Thus, the first value to be used is 1. If anti-replay is enabled (the default), the sender must not allow
the sequence number to cycle past 2^32 - 1 back to zero. Otherwise, there would be multiple valid packets
with the same sequence number. If the limit of 2^32 - 1 is reached, the sender should terminate this SA and
negotiate a new SA with a new key. Because IP is a connectionless, unreliable service, the protocol does not
guarantee that packets will be delivered in order and does not guarantee that all packets will be delivered.
Therefore, the IPSec authentication document dictates that the receiver should implement a window of
size W, with a default of W = 64. The right edge of the window represents the highest sequence number,
N, so far received for a valid packet. For any packet with a sequence number in the range from N - W + 1 to
N that has been correctly received (i.e., properly authenticated), the corresponding slot in the window is
marked (Figure).



Inbound processing proceeds as follows when a packet is received:

If the received packet falls within the window and is new, the MAC is checked. If the packet is
authenticated, the corresponding slot in the window is marked.

If the received packet is to the right of the window and is new, the MAC is checked. If the packet is
authenticated, the window is advanced so that this sequence number is the right edge of the window, and
the corresponding slot in the window is marked.

If the received packet is to the left of the window, or if authentication fails, the packet is discarded;
this is an auditable event.
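The anti-replay mechanism above, both sides, as an added example (not code from these notes or from any IPSec stack): a per-SA sender counter that refuses to wrap past 2^32 - 1, and a receiver window of size W kept as a bitmap whose right edge is N, with the three inbound cases (inside the window and new, right of the window, left of the window or authentication failure) folded into one `receive` function. The MAC is a stand-in HMAC-SHA256 truncated to 96 bits, and the key and packet trace are constructed; the window size 8 in `demo` is only so the trace is short enough to follow by hand.

```python
# Added example (not from the notes): a sender-side sequence counter and the
# receiver-side sliding window described above, with the MAC check folded into
# inbound processing. Key and packets are constructed for illustration.
import hashlib
import hmac
import struct

SEQ_MAX = 2**32 - 1   # sequence numbers must not cycle past this value


class SenderCounter:
    """Per-SA outbound counter: starts at 0, first value used is 1, never wraps."""
    def __init__(self):
        self.counter = 0

    def next(self) -> int:
        if self.counter >= SEQ_MAX:
            # Wrapping would make a second packet valid for every old number:
            # the SA must be terminated and renegotiated with a new key instead.
            raise RuntimeError("sequence number space exhausted; rekey the SA")
        self.counter += 1
        return self.counter


class AntiReplayWindow:
    """Receiver window of size W; right edge N is the highest sequence number accepted so far."""
    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0     # N; 0 means nothing accepted yet (sequence numbers start at 1)
        self.bitmap = 0    # bit i set <=> sequence number (right - i) has been received

    def is_new(self, seq: int) -> bool:
        """Window test only; the MAC has not been checked yet."""
        if seq == 0:
            return False
        if seq > self.right:                 # right of the window: new
            return True
        if seq <= self.right - self.size:    # left of the window: too old, discard
            return False
        return not (self.bitmap >> (self.right - seq)) & 1   # inside: new only if slot is unmarked

    def mark(self, seq: int) -> None:
        """Mark seq after authentication succeeded; slides the window if seq is to the right."""
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)  # old slots fall off the left
            self.right = seq
        self.bitmap |= 1 << (self.right - seq)


def compute_icv(key: bytes, seq: int, payload: bytes) -> bytes:
    # Stand-in MAC: HMAC-SHA256 over sequence number and payload, truncated to 96 bits.
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()[:12]


def receive(window: AntiReplayWindow, key: bytes, seq: int, payload: bytes, icv: bytes) -> str:
    """Inbound processing for one packet; returns the disposition (discards are auditable events)."""
    if not window.is_new(seq):
        return "DISCARD_WINDOW"     # replay inside the window, or left of the window
    if not hmac.compare_digest(compute_icv(key, seq, payload), icv):
        return "DISCARD_MAC"        # authentication failed; the window is not touched
    window.mark(seq)
    return "ACCEPT"


def demo(size: int = 8) -> list:
    """Constructed trace: 1, 2, 3, 10 arrive; then a replay of 10, a late 5, a too-old 2,
    a forged 6 (bad MAC) and finally the genuine 6."""
    key = b"constructed-demo-key"
    window = AntiReplayWindow(size)
    payload = b"constructed payload"
    trace = [(1, True), (2, True), (3, True), (10, True), (10, True),
             (5, True), (2, True), (6, False), (6, True)]
    results = []
    for seq, genuine in trace:
        icv = compute_icv(key, seq, payload) if genuine else bytes(12)
        results.append(receive(window, key, seq, payload, icv))
    return results


if __name__ == "__main__":
    for disposition in demo():
        print(disposition)
```

Two details worth noticing in the trace: after 10 arrives the window covers 3 to 10, so 2 is now too old even though it was never received, and a packet that fails the MAC leaves its slot unmarked, so the genuine copy arriving later is still accepted.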

Integrity Check Value:

The Authentication Data field holds a value referred to as the Integrity Check Value. The ICV is a
message authentication code or a truncated version of a code produced by a MAC algorithm.
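As an added example (not code from these notes), here is the AH header built and verified end to end with HMAC-SHA1-96 (RFC 2404), which is exactly the "truncated version of a code produced by a MAC algorithm" mentioned above: the 20-byte HMAC-SHA1 output is cut to 96 bits. The ICV is computed over the immutable fields of the IP header, the AH with its own ICV zeroed, and the payload; the fields that routers legitimately change (TTL, checksum, DSCP, flags) are treated as zero, which is why the packet still verifies after a hop but fails if an address is rewritten. The Payload Length value follows RFC 4302 (AH length in 32-bit words, minus 2). Keys, addresses and payload are constructed.

```python
# Added example (not from the notes): building and verifying an IPSec Authentication
# Header with HMAC-SHA1-96 (RFC 2404). Keys, addresses and payload are constructed.
import hashlib
import hmac
import struct

AH_PROTO = 51          # IPv4 Protocol / IPv6 Next Header value for AH
ICV_LEN = 12           # HMAC-SHA1 output (20 bytes) truncated to 96 bits
AH_FIXED_LEN = 12      # Next Header, Payload Length, Reserved, SPI, Sequence Number


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 4302: DSCP/ECN, Flags+Fragment Offset, TTL and Header Checksum may change in transit,
    so they count as zero when the ICV is computed; addresses and length are fully covered."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # DSCP/ECN
    b[6:8] = b"\x00\x00"     # Flags + Fragment Offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(b)


def build_ah(key: bytes, ip_hdr: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    ah_len = AH_FIXED_LEN + ICV_LEN                 # 24 bytes here
    payload_length = ah_len // 4 - 2                # RFC 4302: AH length in 32-bit words, minus 2
    fixed = struct.pack("!BBHII", next_header, payload_length, 0, spi, seq)
    # ICV covers: immutable IP header fields, the AH with its ICV zeroed, and the upper-layer payload.
    covered = zero_mutable_fields(ip_hdr) + fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv


def verify_ah(key: bytes, ip_hdr: bytes, ah: bytes, payload: bytes):
    """Returns (authentic, parsed fields). Recomputes the ICV exactly as the sender did."""
    next_header, payload_length, _reserved, spi, seq = struct.unpack("!BBHII", ah[:AH_FIXED_LEN])
    ah_len = (payload_length + 2) * 4
    icv = ah[AH_FIXED_LEN:ah_len]
    covered = zero_mutable_fields(ip_hdr) + ah[:AH_FIXED_LEN] + bytes(len(icv)) + payload
    expected = hmac.new(key, covered, hashlib.sha1).digest()[:len(icv)]
    fields = {"next_header": next_header, "payload_length": payload_length, "spi": spi, "seq": seq}
    return hmac.compare_digest(icv, expected), fields


if __name__ == "__main__":
    key, payload = b"constructed-ah-key", b"constructed upper-layer data"
    total = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header("10.0.0.1", "10.0.0.2", AH_PROTO, total)
    ah = build_ah(key, ip_hdr, 17, 0x100, 1, payload)          # Next Header 17: UDP follows the AH
    print("as sent:", verify_ah(key, ip_hdr, ah, payload)[0])
    after_hop = ipv4_header("10.0.0.1", "10.0.0.2", AH_PROTO, total, ttl=63)
    print("after a router decremented TTL:", verify_ah(key, after_hop, ah, payload)[0])
    spoofed = ipv4_header("10.0.0.9", "10.0.0.2", AH_PROTO, total)
    print("source address rewritten:", verify_ah(key, spoofed, ah, payload)[0])
```

Because the source and destination addresses are inside the covered region, a packet whose addresses were altered on the way fails the ICV check; this is the mechanism behind the anti-spoofing claim made for AH above.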

Transport and Tunnel Modes:

There are two ways in which the IPSec authentication service can be used. In one case, authentication is
provided directly between a server and a client workstation; the workstation can be either on the same
network as the server or on an external network. As long as the workstation and the server share a protected
secret key, the authentication process is secure. This case uses a transport mode SA. In the other case, a
remote workstation authenticates itself to the corporate firewall, either for access to the entire internal
network or because the requested server does not support the authentication feature. This case uses a
tunnel mode SA.

Figure: End-to-End versus End-to-Intermediate Authentication

Encapsulating Security Payload (ESP):

The Encapsulating Security Payload provides confidentiality services, including confidentiality of
message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide an
authentication service.



ESP Format:

It contains the following fields:

Security Parameters Index (32 bits): Identifies a security association.

Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay
function, as discussed for AH.

Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode)
that is protected by encryption.

Padding (0-255 bytes): The purpose of this field is discussed later.

Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.

Next Header (8 bits): Identifies the type of data contained in the Payload Data field by identifying the
first header in that payload.

Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that
contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.

Encryption and Authentication Algorithms:

The Payload Data, Padding, Pad Length, and Next Header fields are encrypted by ESP.

Among the algorithms specified for ESP encryption are three-key triple DES, RC5, IDEA, three-key triple
IDEA, CAST, and Blowfish.

Padding:

The Padding field serves several purposes:

If an encryption algorithm requires the plaintext to be a multiple of some number of bytes, the
Padding field is used to expand the plaintext to the required length.

The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit
word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to
assure this alignment.



Additional padding may be added to provide partial traffic flow confidentiality by concealing the
actual length of the payload.

Transport and Tunnel Modes:

The figure shows two ways in which the IPSec ESP service can be used. In the upper part of the figure,
encryption (and optionally authentication) is provided directly between two hosts. Figure (b) shows
how tunnel mode operation can be used to set up a virtual private network. In this example, an
organization has four private networks interconnected across the Internet. Hosts on the internal
networks use the Internet for transport of data but do not interact with other Internet-based hosts. By
terminating the tunnels at the security gateway to each internal network, the configuration allows the
hosts to avoid implementing the security capability. The former technique is supported by a transport
mode SA, while the latter technique uses a tunnel mode SA.
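The ESP format, padding rules and the transport/tunnel distinction from the preceding sections, as one added example (not code from these notes or from any IPSec stack). It builds and parses an ESP packet: the Padding / Pad Length / Next Header trailer is sized so the encrypted region is a multiple of the cipher block size (8 bytes, as for triple DES) and therefore 32-bit aligned, extra whole blocks can be added for traffic flow confidentiality, and the ICV is computed over the ESP packet minus the Authentication Data field. Transport mode protects only the transport segment (Next Header names its protocol) while tunnel mode protects the whole original packet, header included, with Next Header = 4 for IPv4-in-IP. The cipher is a labelled stand-in (an HMAC-SHA256 keystream XORed with the plaintext) so the example runs with the standard library; it is not one of the ESP ciphers listed above. Keys, addresses and payloads are constructed.

```python
# Added example (not from the notes or any IPSec stack): ESP construction and parsing,
# showing the padding/trailer, the ICV coverage, and transport versus tunnel encapsulation.
# The "cipher" is a stand-in keystream so the example runs offline; real ESP uses 3DES/AES etc.
import hashlib
import hmac
import struct

ESP_PROTO = 50       # Protocol number carried in the (outer) IP header for ESP
IPV4_NEXT = 4        # Next Header value meaning "an IPv4 packet follows" (tunnel mode)
UDP_NEXT = 17
IV_LEN = 8
ICV_LEN = 12


def esp_padding(plain_len: int, block_size: int = 8, tfc_extra_blocks: int = 0) -> bytes:
    """Padding so that payload + Padding + Pad Length + Next Header is a multiple of block_size.
    Any block size that is a multiple of 4 also right-aligns the trailer in a 32-bit word.
    tfc_extra_blocks adds whole blocks to conceal the true payload length."""
    assert block_size % 4 == 0
    n = (-(plain_len + 2)) % block_size + tfc_extra_blocks * block_size
    assert 0 <= n <= 255, "the Padding field is at most 255 bytes"
    return bytes(range(1, n + 1))     # RFC 4303 default pad pattern: 1, 2, 3, ...


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in for a real cipher: counter-mode keystream derived with HMAC-SHA256. Illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_esp(enc_key, auth_key, spi, seq, inner, next_header, iv, block_size=8, tfc_extra_blocks=0):
    pad = esp_padding(len(inner), block_size, tfc_extra_blocks)
    plaintext = inner + pad + bytes([len(pad), next_header])          # the encrypted region
    ciphertext = xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))
    body = struct.pack("!II", spi, seq) + iv + ciphertext             # IV leads the Payload Data field
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # ICV over everything but itself
    return body + icv


def parse_esp(enc_key, auth_key, pkt):
    """Returns (spi, seq, next_header, inner), or None when the ICV does not verify."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN], icv):
        return None    # authenticate before decrypting: no decryption work is spent on forged packets
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plaintext = xor_bytes(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    inner = plaintext[:len(plaintext) - 2 - pad_len]
    return spi, seq, next_header, inner


def esp_encapsulate(mode, orig_ip_hdr, orig_proto, segment, enc_key, auth_key, spi, seq, iv):
    """Transport mode: only the transport segment is protected and the original IP header (with
    Protocol = 50) travels in the clear. Tunnel mode: the whole original packet, header included,
    becomes the ESP payload and the gateway prepends a new outer IP header."""
    if mode == "transport":
        return build_esp(enc_key, auth_key, spi, seq, segment, orig_proto, iv)
    if mode == "tunnel":
        return build_esp(enc_key, auth_key, spi, seq, orig_ip_hdr + segment, IPV4_NEXT, iv)
    raise ValueError(mode)


# Constructed original packet: a UDP datagram and a 20-byte IPv4 header (checksum left 0 in this sample).
_UDP_PAYLOAD = b"constructed udp payload"
ORIG_SEGMENT = struct.pack("!HHHH", 12345, 53, 8 + len(_UDP_PAYLOAD), 0) + _UDP_PAYLOAD
ORIG_IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ORIG_SEGMENT), 1, 0, 64, UDP_NEXT, 0,
                          bytes([192, 168, 1, 10]), bytes([10, 1, 2, 3]))

if __name__ == "__main__":
    ek, ak, iv = b"constructed-enc-key", b"constructed-auth-key", bytes(IV_LEN)
    for mode in ("transport", "tunnel"):
        pkt = esp_encapsulate(mode, ORIG_IP_HDR, UDP_NEXT, ORIG_SEGMENT, ek, ak, 0x200, 1, iv)
        spi, seq, nh, inner = parse_esp(ek, ak, pkt)
        print(mode, "ESP bytes:", len(pkt), "Next Header:", nh, "recovered bytes:", len(inner))
```

The receiver checks the ICV before it decrypts anything, which is the order that makes the optional authentication service useful against forged or modified ciphertext; the tunnel-mode packet is larger because the inner IP header is carried inside the encrypted region, which is also what hides the inner addresses from routers on the path.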
