Draft SP 800-77 Rev. 1, Guide to IPsec VPNs

Withdrawn Draft

Warning Notice

The attached draft document has been withdrawn, and is provided solely for historical purposes. It has been superseded by the document identified below.

Withdrawal Date: June 30, 2020
Original Release Date: July 2, 2019

Superseding Document
Status: Final
Series/Number: NIST Special Publication 800-77 Revision 1
Title: Guide to IPsec VPNs
Publication Date: June 2020
DOI:
CSRC URL: https://csrc.nist.gov/publications/detail/sp/800-77/rev-1/draft
Additional Information:

Draft NIST Special Publication 800-77 Revision 1

Guide to IPsec VPNs

Elaine Barker
Quynh Dang
Sheila Frankel
Computer Security Division
Information Technology Laboratory

Karen Scarfone
Scarfone Cybersecurity
Clifton, VA

Paul Wouters
No Hats Corporation
Toronto, ON, Canada

This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-77r1-draft

COMPUTER SECURITY

July 2019

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-77 Revision 1
Natl. Inst. Stand. Technol. Spec. Publ. 800-77 Rev. 1, 161 pages (July 2019)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

Public comment period: July 2, 2019 through October 8, 2019

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Email: [email protected]

All comments are subject to release under the Freedom of Information Act (FOIA).

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

Internet Protocol Security (IPsec) is a widely used network layer security control for protecting communications. IPsec is a framework of open standards for ensuring private communications over Internet Protocol (IP) networks. IPsec configuration is usually performed using the Internet Key Exchange (IKE) protocol. This publication provides practical guidance to organizations on implementing security services based on IPsec so that they can mitigate the risks associated with transmitting sensitive information across networks. The document focuses on how IPsec provides network layer security services and how organizations can implement IPsec and IKE to provide security under different circumstances. It also describes alternatives to IPsec and discusses under what circumstances each alternative may be appropriate.

Keywords

communications security; Internet Key Exchange (IKE); Internet Protocol (IP); Internet Protocol Security (IPsec); network layer security; networking; virtual private network (VPN).

Acknowledgments

The authors, Elaine Barker, Quynh Dang, and Sheila Frankel of NIST, wish to thank everyone who has contributed to this revision of Special Publication (SP) 800-77, particularly Andrew Regenscheid, David Waltermire, and Lily Chen of NIST, and Dorothy E. Cooley and James Banoczi of the National Security Agency (NSA).

The authors acknowledge the following individuals (with their original affiliations) and organizations that assisted in the development of the original SP 800-77:

• The authors of the original version: Sheila Frankel of NIST, and Karen Kent, Ryan Lewkowski, Angela D. Orebaugh, Ronald W. Ritchey, and Steven R. Sharma of Booz Allen Hamilton
• Bill Burr, Tim Grance, Okhee Kim, Peter Mell, and Murugiah Souppaya of NIST
• Darren Hartman and Mark Zimmerman of ICSA Labs
• Paul Hoffman of the VPN Consortium
• Representatives from the Department of Energy, the Department of State, the Environmental Protection Agency, and the U.S. Nuclear Regulatory Commission

Audience

This document has been created for network architects, network administrators, security staff, technical support staff, and computer security program managers who are responsible for the technical aspects of preparing, operating, and securing networked infrastructures. The material in this document is technically oriented, and it is assumed that readers have at least a basic understanding of networking and network security.

Trademark Information

All names are registered trademarks or trademarks of their respective companies.

Call for Patent Claims

This public review includes a call for information on essential patent claims (claims whose use would be required for compliance with the guidance or requirements in this Information Technology Laboratory (ITL) draft publication). Such guidance and/or requirements may be directly stated in this ITL Publication or by reference to another publication. This call also includes disclosure, where known, of the existence of pending U.S. or foreign patent applications relating to this ITL draft publication and of any relevant unexpired U.S. or foreign patents.

ITL may require from the patent holder, or a party authorized to make assurances on its behalf, in written or electronic form, either:

a) assurance in the form of a general disclaimer to the effect that such party does not hold and does not currently intend holding any essential patent claim(s); or

b) assurance that a license to such essential patent claim(s) will be made available to applicants desiring to utilize the license for the purpose of