Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
Security Architecture
The IPsec suite is an open standard. IPsec uses the following protocols to perform various functions:
- Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication, connection-less integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.
- Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packet
DES Algorithm
Data Encryption Standard (DES) is used to encrypt and decrypt packet data; it turns cleartext into ciphertext via an encryption algorithm. The decryption algorithm on the remote end restores clear-text from ciphertext. Shared secret keys enable the encryption and decryption. DES uses a 56-bit key, ensuring high-performance encryption.Message Digest 5 (MD5)
Message Digest 5 (MD5) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the MD5 hashed message authentication code (HMAC) variant that provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. IKE, AH, and ESP can use MD5 for authentication.Secure Hash Algorithm 1 (SHA-1)
Secure Hash Algorithm 1 (SHA-1) is a hash algorithm used to authenticate packet data. Cisco routers and the PIX Firewall use the SHA-1 HMAC variant, which provides an additional level of hashing. IKE, AH, and ESP can use SHA-1 for authentication.Diffie-Hellman (D-H)
Diffie-Hellman (D-H) is a public-key cryptography protocol. It allows two parties to establish a shared secret key used by encryption algorithms (DES or MD5, for example) over an insecure communications channel. D-H is used within IKE (described later in this article) to establish session keys. 768-bit and 1024-bit D-H groups are supported in the Cisco routers and PIX Firewall. The 1024-bit group is more secure.References:
http://en.wikipedia.org/wiki/IPsec
http://www.ciscopress.com/articles/article.asp?p=25470
No comments:
Post a Comment