Tuesday, 29 May 2012

IPSec (ESP, AH, DES, MD5, SHA, DH)

IP security (IPSec) was designed by the IETF to allow encrypted and digitally signed communication to pass between two computers, or between computers and a router, over a public network. IPSec defines two functions: data encryption and data integrity. IPSec uses the authentication header (AH) to provide authentication and integrity without encryption, and the encapsulating security payload (ESP) to provide authentication and integrity with encryption. IPSec uses a security key that is known only to the sender and the recipient; if the authentication data validates, the recipient knows the transmission came from the original sender.

Benefits of IPSec:

  • IPSec is an international standard, so it can provide security for communication across a huge variety of different networks.
  • IPSec can be applied to networks of all sizes; it is very scalable.
  • IPSec functions at a low network level, so it does not affect the performance of higher levels such as users and applications.
  • IPSec is highly compatible with applications; it is not limited to a specific application.

Drawbacks of IPSec:

  • IPSec has a complex configuration.
  • IPSec reduces network performance because of its high overhead.
  • Not all firewalls or routers support IPSec.

A few protocols used by IPSec are:

ESP uses IP protocol 50 to provide confidentiality using encryption, together with authentication. In transport mode it does not provide integrity and authentication for the entire packet; only the IP payload is protected. ESP protects everything except the IP header.

AH uses IP protocol 51 to provide authentication, integrity, and anti-replay protection for the entire packet, but it does not encrypt the data, which means the data is readable but cannot be modified without detection.

Using both AH and ESP is the only way to protect the IP header and also encrypt the data.
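To make the difference in coverage concrete, here is an added example (not code from the original post, and not a real IPSec implementation) that models AH and transport-mode ESP over a miniature packet. The header layout, the keys and the HMAC-SHA256 counter-mode keystream that stands in for the block cipher are all constructed for this example. AH computes its ICV over header plus payload (with the mutable TTL zeroed), while ESP encrypts and authenticates only the payload, so rewriting a header field is caught by AH but not by ESP.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real SA derives these from the key exchange.
K_AUTH = b"constructed-auth-key-32-bytes!!!"
K_ENC = b"constructed-encryption-key-32-b!"


def ip_header(src, dst, ttl):
    """Tiny stand-in for an IPv4 header: 4-byte src, 4-byte dst, 1-byte TTL."""
    return src + dst + struct.pack("!B", ttl)


def ah_protect(src, dst, ttl, payload, seq):
    """AH covers the whole packet. TTL changes in transit, so it is zeroed
    before the ICV is computed, the way AH treats mutable fields."""
    covered = ip_header(src, dst, 0) + struct.pack("!I", seq) + payload
    icv = hmac.new(K_AUTH, covered, hashlib.sha256).digest()
    return ip_header(src, dst, ttl), seq, icv, payload


def ah_verify(header, seq, icv, payload):
    src, dst = header[:4], header[4:8]
    covered = ip_header(src, dst, 0) + struct.pack("!I", seq) + payload
    expect = hmac.new(K_AUTH, covered, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expect)


def keystream(seq, n):
    """Counter-mode keystream from HMAC-SHA256; stands in for the cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(K_ENC, struct.pack("!II", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_protect(src, dst, ttl, payload, seq):
    """Transport-mode ESP: encrypt the payload, then authenticate seq + ciphertext.
    The IP header is sent as-is and is not covered by the ICV."""
    ct = bytes(a ^ b for a, b in zip(payload, keystream(seq, len(payload))))
    icv = hmac.new(K_AUTH, struct.pack("!I", seq) + ct, hashlib.sha256).digest()
    return ip_header(src, dst, ttl), seq, ct, icv


def esp_open(header, seq, ct, icv):
    """Verify the ICV first, then decrypt; returns None on a bad ICV."""
    expect = hmac.new(K_AUTH, struct.pack("!I", seq) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(seq, len(ct))))


def demo():
    """Constructed packet: 10.0.0.1 -> 10.0.0.2 carrying a short request."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET / HTTP/1.0"

    h, seq, icv, p = ah_protect(src, dst, 64, payload, 1)
    h_ttl = ip_header(src, dst, 63)                  # router decremented TTL
    h_dst = ip_header(src, bytes([10, 0, 0, 9]), 64)  # destination rewritten

    eh, eseq, ct, eicv = esp_protect(src, dst, 64, payload, 1)
    ct_edit = ct[:-1] + bytes([ct[-1] ^ 1])          # one ciphertext bit flipped

    return {
        "ah_ok": ah_verify(h, seq, icv, p),
        "ah_after_ttl_decrement": ah_verify(h_ttl, seq, icv, p),
        "ah_after_dst_rewrite": ah_verify(h_dst, seq, icv, p),
        "ah_after_payload_edit": ah_verify(h, seq, icv, p[:-1] + b"1"),
        "esp_ok": esp_open(eh, eseq, ct, eicv) == payload,
        "esp_header_rewrite_detected": esp_open(h_dst, eseq, ct, eicv) is None,
        "esp_payload_edit_detected": esp_open(eh, eseq, ct_edit, eicv) is None,
        "esp_hides_payload": ct != payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the AH ICV still verifying after a TTL decrement but failing after a destination rewrite, while ESP accepts the rewritten header and only rejects tampering with the ciphertext; that is exactly the coverage gap the text describes, and why both are combined when the header must be protected as well.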

DES is a data encryption standard used in computer cryptography that uses a 56-bit key. Because a 56-bit key is too small, DES is now considered insecure, as it can be decrypted by brute-force attack. DES was later extended to Triple DES, which provides a relatively simple way of increasing the effective key size of DES to protect against brute-force attacks.

MD5 is a hashing algorithm that produces a 128-bit (16-byte) hash value. It is used to check data integrity and is widely employed in many security applications.

SHA is also a hashing algorithm, but it uses a longer hash value than MD5, which makes it much more secure than MD5. SHA comes in three variants, SHA-0, SHA-1 and SHA-2, each with a different hash length for different purposes.

DH (Diffie-Hellman) is a key exchange method in cryptography that allows two computers to establish a shared secret key over an insecure communications channel. The purpose of the key exchange is to encrypt subsequent communications using a symmetric-key cipher.
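The exchange described above, as an added example that is not part of the original post: both sides pick a private exponent, send only g^x mod p over the channel, and arrive at the same shared secret, which is then hashed down to a symmetric key. The group parameters (p = 2^31 - 1 with generator 7) are constructed for the example and are far too small for real use; a real exchange uses a standardized group of 2048 bits or more.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example. p = 2**31 - 1 is prime and
# 7 is a primitive root modulo p, so g generates the whole group.
P = 2**31 - 1
G = 7


def generate_private(p=P):
    """Random private exponent in [1, p-2]; never leaves this host."""
    return secrets.randbelow(p - 2) + 1


def public_value(priv, p=P, g=G):
    """The value each side sends in the clear: g^priv mod p."""
    return pow(g, priv, p)


def shared_secret(priv, peer_pub, p=P):
    """Combine our private exponent with the peer's public value.
    Degenerate public values (0, 1, p-1) would force a predictable
    secret, so they are rejected before use."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def derive_key(secret, p=P, length=16):
    """Turn the shared group element into a fixed-size symmetric key by hashing."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(nbytes, "big")).digest()[:length]


def dh_exchange(alice_priv, bob_priv):
    """Run both sides of the exchange and return the two derived keys."""
    A = public_value(alice_priv)  # Alice -> Bob over the insecure channel
    B = public_value(bob_priv)    # Bob -> Alice over the insecure channel
    k_alice = derive_key(shared_secret(alice_priv, B))
    k_bob = derive_key(shared_secret(bob_priv, A))
    return k_alice, k_bob


if __name__ == "__main__":
    k_alice, k_bob = dh_exchange(generate_private(), generate_private())
    print("keys match:", k_alice == k_bob, k_alice.hex())
```

An eavesdropper sees only p, g, A and B; recovering the secret from those is the discrete logarithm problem, which is what makes the exchange safe on an insecure channel when the group is large enough. Note that plain DH does not authenticate the peers, which is why IPSec pairs the exchange with authentication in its key management.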
