Network Computing, powered by InformationWeek Business Technology Network


IPSec For Communities Of Interest

An IPSec connection is defined by an SA (security association). An SA is unidirectional, so there are two SAs for every connection. The SA defines the various parameters of the IPSec connection, such as the encryption and authentication algorithms that will be used between the communicating systems, the session keys for encryption and the various parameters that control their functions.

IPSec Algorithms

As we've noted, IPSec is a set of protocols that use authentication and encryption algorithms within them. Two authentication and seven encryption algorithms have been specified to date. The authentication algorithms used by both AH and ESP are HMAC-MD5 and HMAC-SHA1. These are both key-based authentication algorithms where the session participants share a secret key--128 bits for MD5 (Message Digest version 5, RFC 1321) and 160 bits for SHA1 (Secure Hash Algorithm version 1, FIPS 180-1). The HMAC process is defined in RFC 2104 (Keyed-Hashing for Message Authentication Codes).

HMAC is a secret key authentication algorithm. Data integrity and data origin authentication as provided by HMAC are dependent on the scope of the distribution of the secret key. If only the source and destination know the HMAC key, this provides both data origin authentication and data integrity for packets sent between the two parties. The keys for HMAC are generated from the keying material produced by ISAKMP/Oakley.
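The RFC 2104 construction described above, written out as an added example (not code from the original article). It assumes the 96-bit truncated check value that RFC 2403 and RFC 2404 define for AH and ESP, which the article does not mention; the keys and the packet bytes are constructed sample values.

```python
import hashlib
import hmac

ICV_LEN = 12  # 96-bit truncated ICV per RFC 2403/2404 (not stated on the page)

def rfc2104_hmac(key: bytes, data: bytes, hash_name: str) -> bytes:
    """H((K xor opad) || H((K xor ipad) || data)), as defined in RFC 2104."""
    block = hashlib.new(hash_name).block_size    # 64 bytes for MD5 and SHA-1
    if len(key) > block:                         # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")              # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + data).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def make_icv(key: bytes, packet: bytes, hash_name: str) -> bytes:
    return rfc2104_hmac(key, packet, hash_name)[:ICV_LEN]

def verify_icv(key: bytes, packet: bytes, icv: bytes, hash_name: str) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(make_icv(key, packet, hash_name), icv)

def demo() -> dict:
    packet = b"spi=0x1001 seq=7 payload=constructed-sample"   # constructed input
    results = {}
    for name, key_len in (("md5", 16), ("sha1", 20)):         # 128- and 160-bit keys
        key = bytes(range(key_len))                           # constructed key
        icv = make_icv(key, packet, name)
        outsider = bytes(key_len)                             # party without the key
        results[name] = {
            "valid": verify_icv(key, packet, icv, name),
            "tampered": verify_icv(key, packet.replace(b"seq=7", b"seq=8"), icv, name),
            "wrong_key": verify_icv(outsider, packet, icv, name),
        }
    return results
```

Only a holder of the shared key can produce or check the value, which is why the scope of key distribution determines what the ICV actually proves.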

DES (Data Encryption Standard) with an explicit IV (initialization vector) is the default encryption algorithm for use in ESP. Its implementation is required for IPSec compliance. There are many reasons to provide for other encryption algorithms. The following algorithms have been specified as alternatives to DES: Triple DES, CAST-128, RC5, IDEA, Blowfish and ARCFour (a public implementation of RC4 based on Bruce Schneier's cryptography book).

CAST (RFC 2144) is considered by many to be at least as strong as DES in its 64-bit form and as strong as Triple DES in its 128-bit form; it's also faster than DES. RC5 (RFC 2040) is a variable key-length stream cipher that many consider to be as strong as the key length, which can be up to 256 bits. IDEA (International Data Encryption Algorithm) was used in the original PGP program and recognized as a fast, Triple DES-equivalent cipher. Blowfish is another variable-length cipher developed by Schneier, and gives yet another target to keep attackers busy.

The choice of algorithm beyond DES is left to implementers. Having a choice of encryption algorithms provides an additional benefit: Would-be attackers not only must break the cipher, but they must also determine which cipher they are attempting to break. This, along with the rotation of cipher keys, should keep attackers a few steps behind with little more than the hope of deciphering out-of-date data.

The ISAKMP/Oakley Protocol

Specifying IPSec algorithms is not a simple task and it requires a session management protocol. ISAKMP (Internet Security Association Key Management Protocol, IANA UDP port 500) is the framework for such a protocol and Oakley (not a mnemonic, just a favorite Wild West character of the protocol's author) is the implementation of that framework for use with IPSec.

The Oakley protocol calls for more functionality than is needed to control IPSec sessions. The resolution of ISAKMP with Oakley is a subset sufficient to satisfy its goals of providing authenticated keying material and parameters for SAs in a secure manner. ISAKMP/Oakley has two phases, or modes--main mode and quick mode. An Oakley exchange starts with a main-mode exchange and continues with a quick-mode exchange. The main mode establishes the Oakley SA and the quick mode establishes the IPSec SA.

There can be many quick-mode exchanges per main-mode exchange, since the Oakley SA can have a longer lifetime than the IPSec SA. The combination of the main mode and quick mode produces a very powerful secure session key exchange mechanism through use of finite key lifetimes.

Main-mode and quick-mode lifetimes together create the powerful session rekeying mechanism. The main mode keying is a resource-intensive, Diffie-Hellman (D-H) operation. Diffie-Hellman is a public key exchange mechanism that can securely exchange secret information without any prior information shared by the two ends of the exchange. Thus, D-H is used extensively in establishing secure sessions where dynamic security is required and where end systems may not be under the same administrative control. For example, two companies establishing a connection over which electronic-commerce transactions will travel probably would use D-H.
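The main-mode and quick-mode relationship described above, as an added sketch (not code from the original article): one Diffie-Hellman exchange yields a root secret, and each quick-mode rekey derives fresh keys for the two unidirectional SAs from it without another D-H. It assumes the key-derivation formulas and the first Oakley group from RFC 2409, HMAC-SHA1 as the PRF, and the ESP protocol ID from RFC 2407, none of which the article cites; peer authentication and the wire format are left out, and the class and function names are illustrative.

```python
import hashlib
import hmac
import secrets

# First Oakley group from RFC 2409: 768-bit prime, generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_ESP = 3  # ESP protocol ID in the IPsec DOI (RFC 2407)

def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF; HMAC-SHA1 is assumed as the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

class Peer:
    def __init__(self):
        self.x = secrets.randbelow(P - 3) + 2    # private exponent, never sent
        self.public = pow(G, self.x, P)          # g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)

    def shared(self, other_public: int) -> bytes:
        if not 1 < other_public < P - 1:         # reject degenerate public values
            raise ValueError("bad D-H public value")
        return pow(other_public, self.x, P).to_bytes(96, "big")

def main_mode(me, peer_public, ni, nr, cky_i, cky_r):
    """One expensive D-H; returns SKEYID_d, the root for all later IPSec keys."""
    g_xy = me.shared(peer_public)
    skeyid = prf(ni + nr, g_xy)                  # signature-auth form of SKEYID
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")

def quick_mode(skeyid_d, spi, ni, nr):
    """Cheap rekey: KEYMAT for one unidirectional SA, no new D-H."""
    return prf(skeyid_d, bytes([PROTO_ESP]) + spi + ni + nr)

def demo(rekeys=3):
    init, resp = Peer(), Peer()
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    d_i = main_mode(init, resp.public, init.nonce, resp.nonce, cky_i, cky_r)
    d_r = main_mode(resp, init.public, init.nonce, resp.nonce, cky_i, cky_r)
    keys = []
    for _ in range(rekeys):                      # many quick modes per main mode
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        for _direction in ("in", "out"):         # one SA, and one SPI, each way
            keys.append(quick_mode(d_i, secrets.token_bytes(4), ni, nr))
    return d_i == d_r, keys
```

Because the quick-mode keys here all descend from the same SKEYID_d, their secrecy depends on the main-mode secret; the main-mode lifetime bounds how long that dependency lasts.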


Copyright © 2008 United Business Media LLC