Page 148 - StudyBook.pdf
P. 148

132    Chapter 3 • Communication Security: Remote Access and Messaging

                 IPSec is made up of two separate security protocols.AH protocol is responsible
             for maintaining the authenticity and integrity of the payload.AH authenticates
             packets by signing them, which ensures the integrity of the data. Since the signa-
             ture is specific to the packet being transmitted, the receiver is assured of the data
             source. Signing packets also provides integrity, since the unique signature prevents
             the data from being modified. Encapsulating security payload (ESP) protocol also
             handles the authenticity and integrity of payloads, but also adds the advantage of
             data confidentiality through encryption.AH and encapsulating security payload can
             be used together or separately. If used together, the entire packet is authenticated.


              TEST DAY TIP

                  An easy way to remember the difference between AH and ESP is to use
                  the E in ESP to remember “Encryption.”





             IPSec Authentication

             To ensure the integrity of data being transmitted using IPSec, there has to be a
             mechanism in place to authenticate end users and manage secret keys.This mecha-
             nism is called Internet Key Exchange (IKE). IKE is used to authenticate the two
             ends of a secure tunnel by providing a secure exchange of a shared key before
             IPSec transmissions begin.
                 For IKE to work, both parties must use a password known as a pre-shared key.
             During IKE negotiations, both parties swap a hashed version of a pre-shared key.
             When they receive the hashed data, they attempt to recreate it. If they successfully
             recreate the hash, both parties can begin secure communications. IKEv2 uses
             sequence numbers and acknowledgments to provide reliability, but this mandates
             some error processing logistics and shared state management. IKE could end up in
             a dead state due to the lack of such reliability measures, where both parties were
             expecting the other to initiate an action which never eventuated. Dead-Peer-
             Detection was a work-around implemented in IKE for this particular action.
                 IPSec also has the ability to use digital signatures.A digital signature is a certifi-
             cate signed by a trusted third party called a certificate authority (CA) that offers
             authentication and nonrepudiation, meaning the sender cannot deny that the message
             came from them.Without a digital signature, one party can easily deny they were
             responsible for messages sent.




          www.syngress.com
   143   144   145   146   147   148   149   150   151   152   153