CSC 774 -- Network Security - Dr. Peng Ning

More documents

Recommendations

Info

SKIP (Cont’d) Two types of keys: 1. KEK 2. Packet key Certificate repository Bob’s certificate Alice’s certificate Alice Bob K p encrypted with KEK. Payload encrypted with K p . Computer Science Dr. Peng Ning CSC 774 Network Security 15 SKIP (Cont’d) • KEK should be changed periodically – Minimize the exposure of KEK – Prevent the reuse of compromised packet keys • SKIP’s approach – KEK = h (K AB , n), where h is a one-way hash function, K AB is the the long term key between A and B, and n is a counter. Computer Science Dr. Peng Ning CSC 774 Network Security 16
SKIP (Cont’d) • Limitations – No Perfect Forward Secrecy • Can be modified to provide PFS, but it will lose the sessionless property. – No concept of SA; difficult to work with the current IPsec architecture • Not the standard, but remains as an alternative. Computer Science Dr. Peng Ning CSC 774 Network Security 17 Oakley • Oakley is a refinement of the basic Diffie- Hellman key exchange protocol. • Why need refinement – Resource clogging attack – Replay attack – Man-in-the-middle attack – Choice of D-H groups Computer Science Dr. Peng Ning CSC 774 Network Security 18
Page 1 and 2: Computer Science CSC 774 -- Network
Page 3 and 4: Security Principles (Cont’d) •
Page 5 and 6: Tunnel Mode Encrypted Tunnel Gatewa
Page 7: Automatic Key Management • Key di
Page 11 and 12: Resource Clogging Attack (Cont’d)
Page 13 and 14: Oakley Groups • 0 no group (place
Page 15 and 16: ISAKMP Message • Fixed format hea
Page 17 and 18: ISAKMP Domain Of Interpretation (DO
Page 19 and 20: ISAKKMP Payload Types • 8 H hash
Page 21 and 22: ISAKMP Exchanges (Cont’d) Authent

CSC 774 -- Network Security - Dr. Peng Ning

Create successful ePaper yourself

Delete template?

Save as template?