Protocols for secure communication channels

From CryptoWiki

Secure data channels are virtual protected communication links, also called crypto-protected tunnels or VPN tunnels.


Statement of the Problem

Initially the Internet was conceived as a secure environment for transferring data between military installations. Security was provided by physically isolating the equipment from outsiders, which was justified while only a limited number of machines had access to the network. Once the Internet became an open information environment, open not only in the sense of "freedom of information" but also in the sense of unauthorized access to that information, the need for data protection arose.

Protection of data transmitted over open channels is based on constructing virtual private communication channels, i.e. crypto-protected tunnels. A tunnel is a connection carried over a public network that transports cryptographically protected message packets.

A secure channel for transmitting information can be implemented at different levels of the OSI model. The most widespread technologies are: the SSL and SSH protocols, which operate at the application level; IPsec at the network level; and PPTP at the link layer.

When choosing the level at which to implement the secure channel there are conflicting arguments. On the one hand, the upper levels are attractive because they are independent of the transport (the choice of network and link layer protocols); on the other hand, each application then requires its own setup and configuration. The advantage of the lower levels is their universality and transparency for applications; the disadvantage is dependence on a particular protocol (for example PPP or Ethernet).

Protection at the link layer

General Information

The protocols for constructing a secure channel at the data link layer are:

  • PPTP (Point-to-Point Tunneling Protocol), developed by Microsoft together with Ascend Communications, 3Com / Primary Access, ECI-Telematics and US Robotics;
  • L2TP (Layer-2 Tunneling Protocol), which combined the L2F (Layer-2 Forwarding) and PPTP protocols.

What these protocols have in common is that they are link-layer tunneling protocols. Of these, PPTP matches the definition of a secure channel, since it provides both tunneling and data encryption. L2TP is in fact only a tunneling protocol and does not itself provide security functions; it can, however, be used together with IPsec.

Protocol PPTP

PPTP (Point-to-Point Tunneling Protocol) was developed by Microsoft in cooperation with Ascend Communications, 3Com / Primary Access, ECI-Telematics and US Robotics. PPTP creates a crypto-protected tunnel at the link layer of the OSI model, both when a remote computer is connected directly to an open network and when it is connected to the public network over a telephone line of any provider. PPTP is based on the link-layer protocol PPP (Point-to-Point Protocol). PPP was originally designed to encapsulate data and deliver it over a point-to-point connection; it is also used for asynchronous connections.

To deliver confidential data from one point to another over a public network, the data is first encapsulated with PPP; PPTP then encrypts the data and performs its own encapsulation. After the tunneling protocol has delivered the packets from the start of the tunnel to its end, the data is de-encapsulated. PPTP creates a secure channel for the exchange of IP, IPX or NetBEUI data: datagrams of these protocols are packed into PPP frames, which PPTP then encapsulates in IP packets and transfers in encrypted form over any TCP/IP network.

Figure 1 Structure of a packet sent through the PPTP tunnel

Packets transmitted during a PPTP session have the following structure (Fig. 1):

  • a link-layer header used in the Internet, for example an Ethernet frame header;
  • an IP header containing the addresses of the sender and the receiver;
  • a header of the Generic Routing Encapsulation (GRE) protocol;
  • the original PPP packet, containing an IP, IPX or NetBEUI packet.

The receiving node extracts the PPP frame from the IP packet, then extracts the original IP, IPX or NetBEUI packet from the PPP frame and sends it to its destination over the local network. The multiprotocol nature of link-layer encapsulation protocols such as PPTP is their main advantage over secure channel protocols of higher levels. For example, if a corporate network uses IPX or NetBEUI, IPsec or SSL cannot be used, because they target only one network-layer protocol, IP.
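As an added illustration (not part of the original article), the following Python walks the four layers listed above for a constructed PPTP data frame: Ethernet, IPv4, enhanced GRE (RFC 2637) and the PPP frame, and reports whether the inner packet is MPPE-protected (PPP protocol 0x00FD) or a plaintext IP/IPX/NetBEUI datagram that anyone on the path can read. The frame builder and every address in it are constructed sample data.

```python
"""Walk the encapsulation layers of a PPTP data packet: Ethernet -> IP -> GRE -> PPP -> payload."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B            # protocol type carried by PPTP's enhanced GRE (RFC 2637)
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI (NBF)",
                 0x00FD: "MPPE-encrypted (compressed datagram)"}


def parse_pptp_frame(frame: bytes) -> dict:
    """Return the header fields of each layer; raise ValueError on malformed input."""
    out = {}
    # Layer 1: link-layer header (Ethernet II, 14 bytes) carrying IPv4
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    # Layer 2: IPv4 header with the tunnel endpoints' addresses and protocol 47 (GRE)
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if ip[9] != IPPROTO_GRE:
        raise ValueError(f"not GRE: IP protocol {ip[9]}")
    out["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    gre = ip[ihl:total_len]
    # Layer 3: enhanced GRE header: flags/version, protocol 0x880B, payload length, call ID,
    # then an optional sequence number (S bit) and acknowledgment number (A bit)
    if len(gre) < 8:
        raise ValueError("GRE header too short")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if (flags & 0x0007) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x2000):
        raise ValueError("not a PPTP GRE header (version 1, key present, protocol 0x880B)")
    off = 8
    gre_info = {"call_id": call_id, "payload_len": payload_len}
    if flags & 0x1000:                         # S bit: data packet with sequence number
        gre_info["seq"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x0080:                         # A bit: acknowledgment number present
        gre_info["ack"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    out["gre"] = gre_info
    ppp = gre[off:off + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("GRE payload length does not match the data present")
    if payload_len == 0:                       # pure acknowledgment, no PPP frame inside
        out["ppp"] = None
        return out
    # Layer 4: the original PPP frame. HDLC address/control bytes (FF 03) may be present or
    # stripped, and the protocol field may be compressed to one byte (odd first byte).
    if ppp[:2] == b"\xff\x03":
        ppp = ppp[2:]
    if ppp[0] & 1:
        ppp_proto, payload = ppp[0], ppp[1:]
    else:
        ppp_proto, payload = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    out["ppp"] = {"protocol": ppp_proto, "name": PPP_PROTOCOLS.get(ppp_proto, "unknown"),
                  "payload_len": len(payload),
                  # Only 0x00FD means MPPE protects the inner packet; a plaintext IP, IPX or
                  # NetBEUI datagram inside the tunnel is readable by anyone on the path.
                  "encrypted": ppp_proto == 0x00FD}
    return out


def is_pptp_frame(frame: bytes) -> bool:
    """True when the frame parses as a PPTP/GRE packet, False on any structural error."""
    try:
        parse_pptp_frame(frame)
    except ValueError:
        return False
    return True


def build_pptp_frame(src: str, dst: str, call_id: int, seq: int,
                     ppp_proto: int, payload: bytes) -> bytes:
    """Construct a sample PPTP data frame (illustration data, not captured traffic).
    The IP header checksum is left at zero, which the parser above does not verify."""
    ppp = struct.pack("!H", ppp_proto) + payload
    gre = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp  # K|S, ver 1
    total = 20 + len(gre)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + gre
```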

This encapsulation method makes the scheme independent of the network layer of the OSI model and allows secure remote access through open IP networks to any local network (IP, IPX or NetBEUI). When a secure virtual channel is created according to PPTP, remote users are authenticated and the transmitted data is encrypted (Fig. 2).

Figure 2 Architecture of the PPTP

Various PPP authentication protocols can be used to authenticate the remote user. The PPTP implementation by Microsoft in Windows NT / 2000 supports the following authentication protocols: PAP (Password Authentication Protocol), the handshake protocol MSCHAP (Microsoft Challenge-Handshake Authentication Protocol) and EAP-TLS (Extensible Authentication Protocol-Transport Layer Security). With PAP, identifiers and passwords are sent over the link unencrypted, and only the server can authenticate the client. MSCHAP and EAP-TLS protect against an attacker replaying captured packets and encrypted passwords, and provide mutual authentication of the client and the VPN server.

Encryption in PPTP ensures that nobody can read the data in transit over the Internet. MPPE (Microsoft Point-to-Point Encryption) is compatible only with MSCHAP (versions 1 and 2) and EAP-TLS, and can select the encryption key length automatically during negotiation between client and server. MPPE supports keys of 40, 56 or 128 bits. PPTP changes the value of the encryption key after each received packet. PPTP is used in tunneling schemes where the remote user's computer is connected directly to the Internet; Figure 3 shows this tunneling scheme.

Figure 3 Tunneling scheme when the remote user's computer is connected directly to the Internet

The remote user establishes a remote connection to the local network using the client side of the Remote Access Service (RAS), which is part of Windows. The user then accesses the network's remote access server by its IP address and establishes a PPTP connection to it. The functions of the remote access server can be performed by the LAN's edge router. The RAS client and the PPTP driver included in Windows 98 / NT must be installed on the remote user's computer, and the RAS server and the PPTP driver included in Windows NT Server must be installed on the network's remote access server. PPTP defines a number of control messages exchanged between the communicating parties; these control messages are sent over TCP. After successful authentication the secure exchange of information begins. Servers inside the LAN need not support PPTP, since the border router extracts the PPP frames from the IP packets and sends them into the local network in the required format: IP, IPX or NetBIOS.

Protocol "point to point"

The Diffie-Hellman key exchange is vulnerable to the man-in-the-middle attack. The solution is to sign the exchanged messages; the signing keys are certified by a trusted authority.

Suppose that A has a certified public key of B, and B has a certified public key of A. The key k is generated as follows:

1. A generates a random value x and sends it to B.

2. B generates a random value y. Using the Diffie-Hellman protocol, it computes the shared key k from x and y. B signs x and y, encrypts the signature with the key k, and sends the result to A together with y.

3. A also computes k. A decrypts the rest of the message and verifies B's signature. It then sends a signed message consisting of x and y, encrypted with the shared key k.

4. B decrypts the message and verifies A's signature.
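The four steps above, as an added example that is not part of the original article: Python with only the standard library, using a constructed 256-bit safe-prime group, Schnorr signatures in that same group to stand in for the parties' certified signing keys, and a SHA-256 keystream as the cipher that protects the signatures under k (all three are illustration-grade stand-ins, not the algorithms of any real VPN). The `intercept` hook models an attacker substituting A's value on the path and shows why A's check in step 3 matters.

```python
"""Signed Diffie-Hellman key agreement following the four steps above (station-to-station style)."""
import hashlib
import random
import secrets

# Toy parameters: a 256-bit safe prime p = 2q + 1 and g = 4, which generates the order-q subgroup.
# Real systems use standardised 2048-bit+ groups (RFC 3526 / RFC 7919). The seed only makes the
# constructed public parameters reproducible; per-run secrets below come from `secrets`.
_SMALL_PRIMES = [n for n in range(3, 200) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 4:
        return n in (2, 3)
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _make_group(bits: int = 256, seed: int = 2024):
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4


P, Q, G = _make_group()
_SZ = (P.bit_length() + 7) // 8             # bytes needed for one group element


def _h(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


# Schnorr signatures in the same group stand in for the parties' certified signing keys.
def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sign(sk: int, msg: bytes) -> bytes:
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    e = _h(R.to_bytes(_SZ, "big"), msg) % Q
    s = (r + e * sk) % Q
    return R.to_bytes(_SZ, "big") + s.to_bytes(_SZ, "big")


def verify(pk: int, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 2 * _SZ:
        return False
    R, s = int.from_bytes(sig[:_SZ], "big"), int.from_bytes(sig[_SZ:], "big")
    if not 0 < R < P or s >= Q:
        return False
    e = _h(sig[:_SZ], msg) % Q
    return pow(G, s, P) == R * pow(pk, e, P) % P


def _xor_stream(k: int, data: bytes) -> bytes:
    """Toy stream cipher keyed by k (SHA-256 counter keystream); symmetric, so it also decrypts."""
    stream = b"".join(hashlib.sha256(k.to_bytes(_SZ, "big") + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def sts_exchange(sk_a: int, pk_a: int, sk_b: int, pk_b: int, intercept=None):
    """Run steps 1-4. `intercept`, if given, replaces A's value as B receives it (an active
    attacker on the path). Returns (A accepts, B accepts, k_a, k_b)."""
    # Step 1: A picks a secret exponent and sends the public value x = g^a.
    a = secrets.randbelow(Q - 1) + 1
    x_sent = pow(G, a, P)
    x_recv = intercept(x_sent) if intercept else x_sent
    # Step 2: B picks y = g^b, derives k, signs (x, y) as it saw them, encrypts the signature with k.
    b = secrets.randbelow(Q - 1) + 1
    y = pow(G, b, P)
    k_b = pow(x_recv, b, P)
    transcript_b = x_recv.to_bytes(_SZ, "big") + y.to_bytes(_SZ, "big")
    msg2 = _xor_stream(k_b, sign(sk_b, transcript_b))
    # Step 3: A derives k from y, decrypts, and checks B's signature over (x, y) as A knows them.
    k_a = pow(y, a, P)
    transcript_a = x_sent.to_bytes(_SZ, "big") + y.to_bytes(_SZ, "big")
    if not verify(pk_b, transcript_a, _xor_stream(k_a, msg2)):
        return False, False, None, None         # A aborts: substituted x or mismatched k detected
    msg3 = _xor_stream(k_a, sign(sk_a, transcript_a))
    # Step 4: B decrypts with its k and verifies A's signature.
    b_ok = verify(pk_a, transcript_b, _xor_stream(k_b, msg3))
    return True, b_ok, k_a, k_b
```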

Protocol L2TP

The L2F protocol was developed by Cisco Systems for building secure virtual networks at the data link layer of the OSI model as an alternative to PPTP. Unlike PPTP, L2F supports different network protocols.

L2F has the following properties:

  • flexible authentication procedures, without a strong binding to a specific authentication protocol;
  • transparency for end systems: LAN workstations and the remote system do not need any special software to use the security service;
  • transparency for intermediaries: the remote user is authenticated just as if the user had connected directly to the network's remote access server;
  • completeness of audit: access to the local network is logged not only by the network's remote access server but also by the provider's server.

L2F has the following disadvantages:

  • the current version does not create a crypto-protected IP tunnel between the endpoints of the information exchange;
  • a secure virtual channel can only be created between the provider's remote access server and the LAN's border router, while the segment between the remote user's computer and the provider's server remains unprotected.

Currently L2F has effectively been absorbed by L2TP, which has the status of an Internet draft standard. L2TP was designed as a protocol for securely tunneling PPP traffic over general-purpose networks.

L2TP differs from PPTP in that it is not tied to IP, so it can also be used in packet-switched networks such as ATM (Asynchronous Transfer Mode) or Frame Relay networks. L2TP incorporates the best features of PPTP and L2F and adds new ones. In particular, L2TP adds security features missing from the PPTP specification, including the ability to work with the AH and ESP protocols of the IPsec stack. The L2TP architecture is shown in Figure 4.

Figure 4 Architecture of the L2TP

The AH and ESP protocols are essential components of the IPsec stack. They allow the communicating parties to use, by agreement, different cryptographic algorithms for encryption and authentication. The Domain of Interpretation (DOI) is responsible for ensuring that the protocols and algorithms in use work together.

In essence, the hybrid L2TP protocol extends PPP with functions for authenticating remote users, creating a secure virtual connection and managing the data flow.

L2TP uses UDP as its transport protocol and uses the same message format both for tunnel control and for data transfer. Reliable delivery is guaranteed by control of the packet sequence. As in PPTP, L2TP starts building a packet for transmission through the tunnel by prepending a PPP header to the PPP data field, followed by the L2TP header; the resulting packet is then encapsulated in UDP.

Depending on the security policy of the IPsec stack, L2TP can encrypt the UDP messages and add an ESP (Encapsulating Security Payload) header and trailer, as well as an IPsec ESP Authentication trailer. Next comes encapsulation in IP: an IP header containing the source and destination addresses is added. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. The receiving computer processes the PPP header and trailer and removes the IP header. IPsec ESP Authentication is used to authenticate the IP payload, and IPsec ESP is used to decrypt the packet. The computer then processes the UDP header and uses the L2TP header to identify the tunnel.

L2TP provides authentication at both the "user" and the "computer" level, and performs both authentication and data encryption. In the first phase of authentication between the L2TP client and the VPN server, local certificates from Certificate Services are used: the client and server exchange certificates and create a secure ESP SA (Security Association). After computer-level authentication is complete, authentication at the user level takes place. Any authentication protocol can be used for this, for example PAP, which sends the username and password in the clear; this is considered safe because L2TP encrypts the whole session. However, performing user authentication with MSCHAP and using different encryption keys for computer and user authentication increases security.

As with PPTP, a secure channel in L2TP is formed in three stages:

  • connection to the network's remote access server;
  • user authentication;
  • configuration of the secure tunnel.

In the first stage the remote user initiates a PPP connection with the provider. The access concentrator accepts this connection and establishes the PPP link. Partial authentication of the end node and its user then takes place: based only on the user name, the provider decides whether the user needs the L2TP tunneling service. If so, the next step is to determine the address of the network server (LNS) with which a tunnel connection is to be established. Once the IP address of the LNS is known, a check is made whether an L2TP tunnel to that server already exists; if not, it is established.

In the second stage the network server (LNS) authenticates the user. One of the standard authentication protocols is used, for example CHAP. With CHAP, the authentication notification packet includes the challenge, the user name and the user's response; with PAP, this information consists of the user name and the unencrypted password. When sending the authentication result, the LNS also sends the IP address of the user's node.

In the third stage, if user authentication succeeds, an encrypted tunnel is created between the provider's access concentrator and the network server (LNS). As a result, encapsulated PPP frames can be transmitted through the tunnel between the access concentrator and the LNS in both directions.

An L2TP tunnel at the data link layer has a number of shortcomings:

  • L2TP requires support from the ISP;
  • L2TP confines the traffic to the selected tunnel and deprives users of access to other parts of the Internet;
  • the current version does not create a crypto-protected IP tunnel between the endpoints of the information exchange;
  • the proposed L2TP specification provides standard encryption only in IP networks, using IPsec.


L2TP does not define specific encryption methods and allows different encryption standards to be used. If the secure tunnel is formed in an IP network, IPsec is used for cryptographic protection. L2TP over IPsec provides a higher level of data security than PPTP, because it can use the 3-DES (Triple Data Encryption Standard) algorithm. If a high level of protection is not required, the DES algorithm with a 56-bit key is sufficient. In addition, L2TP provides data authentication using the HMAC (Hash Message Authentication Code) algorithm, which produces a 128-bit hash for this purpose.

To sum up, the functionality of PPTP and L2TP differs. PPTP can only be used in IP networks, and it needs a separate TCP connection to create and use the tunnel. L2TP can be used in non-IP networks as well, and the control messages that create the tunnel and forward data through it use the same data formats and protocols. L2TP over IPsec offers more layers of security than PPTP and can guarantee almost 100 percent security for the data it carries. These positive qualities make L2TP very promising for the construction of virtual private networks.

Protection at the network level

General Information

Eliminating the vulnerabilities of computer networks is possible only when a protection system is created not for individual classes of applications but for the network as a whole. For IP networks this means that the protection system should operate at the network layer of the OSI model. Protection implemented at the third layer ensures at least a basic degree of protection for all network applications, without any modification of the applications themselves. The IPsec (Internet Protocol Security) protocol stack is used to authenticate the participants of an exchange, to tunnel traffic and to encrypt IP packets.

IPsec is the standard defined by the IETF for reliable and confidential data transfer in IP networks.

IPsec is an integral part of IPv6, the next-generation Internet Protocol, and an extension of the current version of the Internet Protocol, IPv4. IPsec is defined in RFC 2401 to 2412.

The standardized IP security mechanisms should be used by higher-level protocols, in particular control, configuration and routing protocols.

The security features for IP are described by the IPsec family of specifications, developed by the IP Security working group.

IPsec provides access control, integrity, data origin authentication, protection against replay, confidentiality and partial protection against traffic analysis.

The basic concepts of IPsec are:

  • the authentication header (AH);
  • secure data hiding, the encapsulating security payload (ESP);
  • the two modes: tunnel and transport;
  • security contexts (security associations, SA);
  • key management (IKE).

IPSec Architecture

The IPsec (Internet Protocol Security) protocol stack is used to authenticate the participants of an exchange, to tunnel traffic and to encrypt IP packets.

The main task of the IPsec protocols is to ensure secure data transmission over IP. Applying IPsec ensures:

  • the integrity of the transmitted data, i.e. the data is not distorted, lost or duplicated in transit;
  • the authenticity of the sender, i.e. the data was transmitted by exactly the party who proved to be who they claim to be;
  • the confidentiality of the transmitted data, i.e. the data is transmitted in a form that prevents unauthorized viewing and access.

The fundamental unit of communication in IP networks is the IP packet. The structure of an IP packet is shown in Fig. 5. An IP packet contains the source address S, the destination address D, the transport header, information about the type of data carried in the packet, and the data itself.

Figure 5 Structure of an IP packet

The IPsec protocol stack is based on a series of standardized cryptographic techniques for providing authentication, confidentiality and integrity of the transmitted data:

  • key exchange using the Diffie-Hellman algorithm to distribute secret keys among users over an open network;
  • public-key cryptography to sign the Diffie-Hellman exchange, ensuring the authenticity of the two parties and preventing man-in-the-middle attacks;
  • digital certificates to authenticate the public keys;
  • block symmetric algorithms to encrypt the data;
  • message authentication algorithms based on hash functions.

IPsec defines a standard way of protecting information exchange at the network layer of the OSI model for IP networks, the main type of open network. It is part of the new version of the IP protocol (IPv6) and is also applicable to the current version (IPv4): for IPv4, IPsec support is optional, for IPv6 it is mandatory. IPsec is a framework of open standards with a clearly delineated core, which can be supplemented with new protocols, algorithms and functions. The standardized IPsec protection functions may be used by higher-level protocols, in particular control, configuration and routing protocols.

The main tasks in establishing and maintaining a secure channel are:

  • authentication of users or computers when the secure channel is initiated;
  • encryption and authentication of the data transmitted between the endpoints of the secure channel;
  • providing the channel endpoints with the secret keys needed by the authentication and encryption protocols.

IPsec has the following components:

  • the base IPsec protocol. This component implements ESP and AH: it processes the headers and interacts with the SPD and SAD databases to determine the security policy to apply to a packet;
  • the key exchange management protocol IKE (Internet Key Exchange). IKE is usually implemented as a user-level process;
  • the Security Policy Database (SPD);
  • the Security Association Database (SAD). The SAD stores the list of security associations (SA) used for processing incoming and outgoing traffic. An outbound SA is used to protect outgoing packets, and an inbound SA is used to process incoming packets carrying IPsec headers. The SAD is filled in manually or by the IKE key management protocol;
  • management of security policies and security associations. This is an application that manages the security policy and the SAs.

The base IPsec protocol (which implements ESP and AH) works closely with the transport and network layers of the TCP/IP stack; IPsec is in fact part of the network layer. The main IPsec module provides two interfaces, input and output: the input interface is used for incoming packets and the output interface for outgoing ones. The IPsec implementation should not depend on the interface between the transport and network layers of the TCP/IP stack.

The SPD and SAD databases significantly affect the efficiency of the IPsec software. The choice of data structures for storing the SPD and SAD is critical for IPsec performance, and the implementation details of the SPD and SAD depend on the performance and compatibility requirements of the system. The core of IPsec consists of three protocols: the Authentication Header protocol (AH), the Encapsulating Security Payload protocol (ESP), and the protocol for negotiating the parameters of the virtual channel and managing keys, IKE (Internet Key Exchange). The architecture of the IPsec security facilities is shown in Fig. 6.

Figure 6 Architecture of the IPsec protocol stack

The IKE, AH and ESP protocols interact with each other as follows.

1. Using IKE, a logical connection is established between two points. During this step the channel endpoints are authenticated and the data protection parameters are selected.

2. Within the established security association (SA), the AH or ESP protocol starts, and the required protection of the data is performed with the selected parameters.

The middle level of the IPsec architecture is formed by the algorithms for negotiating parameters and managing keys used in IKE, and by the authentication and encryption algorithms used in the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. The security protocols of the virtual channel at the top level of the IPsec architecture (AH and ESP) are independent of specific cryptographic algorithms.

The lower level of the IPsec architecture is formed by the so-called Domain of Interpretation (DOI). The DOI is needed for the following reason. The AH and ESP protocols are modular, allowing the communicating parties to use, by agreement, different cryptographic algorithms for encryption and authentication. Therefore a module is needed that ensures that all applicable and newly added protocols and algorithms work together; this function is assigned to the DOI. As a database, the DOI stores information about the protocols and algorithms used in IPsec, their parameters and protocol identifiers. In essence, the DOI serves as the foundation of the IPsec architecture. To use algorithms corresponding to national standards for authentication and encryption in AH and ESP, these algorithms must be registered in the DOI.

IPsec operates in two modes:

  • tunnel;
  • transport.

Tunnel mode encrypts the entire packet, including the network-layer header. This mode is used when the organization of information exchange with the outside world is to be hidden. In this case the address fields of the outer network-layer header are filled in by the organization's firewall and contain no information about the actual sender of the packet. For traffic from the outside world into the organization's local network, the firewall's address is used as the destination network address; after the firewall decrypts the original network-layer header, the packet is forwarded to its recipient.

Transport mode is used to encrypt the data field of the IP packet, which contains the transport-layer protocol (TCP, UDP, ICMP), which in turn carries the information of application services. An example of the use of transport mode is the transmission of e-mail. All intermediate nodes on the route from sender to receiver use only the public network-layer information and possibly some optional packet headers (in IPv6). The disadvantage of transport mode is the lack of mechanisms to hide the sender and receiver, and the resulting possibility of traffic analysis. Such analysis can reveal the volumes and directions of information transmission, the areas of interest of the subscribers, and the location of managers.

Authentication header

The AH protocol is an optional header located between the main IP header and the data field. AH is responsible for ensuring data integrity and authentication.

The AH header format includes a 96-bit fixed part and variable-length data composed of 32-bit words. The fields are:

  • Next Header, which points to the next header;
  • Payload Len, the length field;
  • SPI, a pointer to the security context;
  • Sequence Number Field, containing the sequence number of the packet.

Figure 7 AH header format

The packet sequence number was added to AH in 1997 during the revision of the IPsec specification. The value of this field is formed by the sender to protect against attacks that replay authenticated data. Since the Internet does not guarantee in-order delivery of packets, the recipient must store the highest sequence number that was successfully authenticated, together with information about the receipt of a number of packets with preceding sequence numbers (usually this number is 64).

When forming the AH with the MD5 algorithm, a hash is computed first over the concatenation of the packet and a pre-shared key, and then over the concatenation of that result and a transformed key. This mechanism is used by default so that all IPv6 implementations have at least one common algorithm that is not subject to export restrictions.
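As an added example (not part of the original article), a Python parser for the AH fields listed above together with the receiver's 64-packet anti-replay window, kept per SA and selected by the SPI as the SAD would select it. The ICV verification itself is represented by the `icv_valid` flag the caller supplies after its HMAC check; the AH headers used are constructed samples.

```python
"""Parse the AH header fields listed above and apply the receiver's anti-replay window."""
import struct
from dataclasses import dataclass, field

# Next Header (1) + Payload Len (1) + Reserved (2) + SPI (4) + Sequence Number (4) = 96 bits
AH_FIXED_LEN = 12


@dataclass
class AHHeader:
    next_header: int
    spi: int
    seq: int
    icv: bytes            # variable-length Integrity Check Value, a whole number of 32-bit words


def parse_ah(data: bytes) -> AHHeader:
    """Payload Len counts the AH header in 32-bit words minus 2 (the RFC 4302 convention)."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if total < AH_FIXED_LEN or len(data) < total:
        raise ValueError("Payload Len inconsistent with data present")
    return AHHeader(next_header, spi, seq, data[AH_FIXED_LEN:total])


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Construct an AH header for the examples (sample data, not captured traffic)."""
    if len(icv) % 4:
        raise ValueError("ICV must be a multiple of 32 bits")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


class AntiReplayWindow:
    """Sliding window over the last `size` sequence numbers, kept by the receiver for each SA."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number authenticated so far
        self.bitmap = 0           # bit i set <=> sequence number (highest - i) already accepted

    def check(self, seq: int) -> str:
        """Classify seq before the ICV is verified; only 'fresh' packets are worth authenticating."""
        if seq == 0:
            return "invalid"                  # 0 is never a valid AH sequence number
        if seq > self.highest:
            return "fresh"
        behind = self.highest - seq
        if behind >= self.size:
            return "too old"                  # fell off the left edge of the window
        return "replay" if (self.bitmap >> behind) & 1 else "fresh"

    def update(self, seq: int) -> None:
        """Record seq after its ICV verified; never call this for a packet that failed the check."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


@dataclass
class InboundSAD:
    """Minimal SAD: the SPI in the AH header selects the inbound SA and its replay window."""
    windows: dict = field(default_factory=dict)

    def add_sa(self, spi: int, window: int = 64) -> None:
        self.windows[spi] = AntiReplayWindow(window)

    def receive(self, ah_bytes: bytes, icv_valid: bool) -> str:
        """icv_valid is the outcome of the caller's HMAC check over the packet."""
        try:
            hdr = parse_ah(ah_bytes)
        except ValueError:
            return "malformed"
        win = self.windows.get(hdr.spi)
        if win is None:
            return "unknown SPI"
        verdict = win.check(hdr.seq)
        if verdict != "fresh":
            return verdict
        if not icv_valid:
            return "bad ICV"                  # window untouched, so the genuine packet can still arrive
        win.update(hdr.seq)
        return "accepted"
```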

Secure data hiding

The ESP protocol can encrypt data and can also perform the functions of the AH protocol.

Figure 8 ESP header format

ESP can support encryption and authentication/integrity in any combination: both groups of functions, only authentication/integrity, or only encryption. Any symmetric encryption algorithm with a secret key can be used to encrypt the data; to ensure integrity and authentication, the data is processed with a one-way function. Consequently the ESP format can change significantly depending on the cryptographic algorithms. Nevertheless, the following fields are always present:

  • SPI, indicating the security context;
  • Sequence Number Field, containing the sequence number of the packet;
  • ESP Authentication Data (the integrity check value), which is optional in the ESP header.

The recipient of an ESP packet processes the ESP header and uses the negotiated parameters and encryption algorithm to decrypt the transport-layer information.

Key Management

The ESP and AH protocols provide confidentiality of communication, authentication of the parties and integrity of the data. Nevertheless, they lose their value without a strong infrastructure for distributing keys and negotiating protocols between the parties of the exchange. The IKE protocol provides such an infrastructure.

IKE is the default key exchange protocol of ISAKMP and is currently the only one.

The ISAKMP protocol (Internet Security Association and Key Management Protocol), described in RFC 2408, is needed to agree on the algorithms and mathematical structures for the Diffie-Hellman exchange procedure and for the authentication processes.

The Oakley protocol, described in RFC 2412, defines key determination based on the Diffie-Hellman key exchange algorithm. Oakley supports Perfect Forward Secrecy (PFS): with PFS, the compromise of any single key in the system does not allow all traffic to be decrypted.

IKE is built on top of ISAKMP and negotiates both the ISAKMP SA and the IPsec SAs. IKE supports a set of primitive functions used in its messages, among them a hash function and a pseudo-random function (PRF).

The hash function is a collision-resistant function. Collision resistance means that it is infeasible to find two different messages M1 and M2 such that H(M1) = H(M2), where H is the hash function.

As the pseudo-random function PRF, a special construction based on the hash function, HMAC, is used (HMAC is a mechanism for message authentication using a hash function). HMAC requires a cryptographic hash function (denoted H below) and a secret key K. H is assumed to be a hash function in which the data is hashed by a compression procedure applied sequentially to a series of data blocks. Denote by B the length of these blocks in bytes and by L the length of the resulting hash (L < B). The key K may have a length less than or equal to B. If an application uses a longer key, the key is first hashed with H, and only then is the resulting string of L bytes used as the HMAC key. In both cases the recommended minimum length for K is L bytes. Two different fixed-length strings are defined:

ipad = the byte 0x36 repeated B times

opad = the byte 0x5C repeated B times

To compute the HMAC of the data 'text', the following steps are performed:
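The HMAC computation, written out in Python as an added example (not from the original article) directly from the definition of B, L, K, ipad and opad above, and cross-checked against Python's hmac module. `tag_matches` shows the constant-time comparison of a possibly truncated tag that a receiver would use when checking an integrity value.

```python
"""HMAC built from the definition (RFC 2104), checked against Python's hmac module."""
import hashlib
import hmac


def hmac_from_definition(K: bytes, text: bytes, hash_name: str = "sha256") -> bytes:
    """H is the underlying hash, B its block length in bytes, L its output length (L < B)."""

    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    probe = hashlib.new(hash_name)
    B, L = probe.block_size, probe.digest_size
    if len(K) > B:                        # a key longer than B is first hashed down to L bytes
        K = H(K)
    K = K.ljust(B, b"\x00")               # then zero-padded on the right to exactly B bytes
    ipad = bytes([0x36]) * B
    opad = bytes([0x5C]) * B
    k_ipad = bytes(a ^ b for a, b in zip(K, ipad))
    k_opad = bytes(a ^ b for a, b in zip(K, opad))
    inner = H(k_ipad + text)              # inner hash:  H((K xor ipad) || text)
    return H(k_opad + inner)              # outer hash:  H((K xor opad) || inner)


def tag_matches(K: bytes, text: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Verify a received tag in constant time; tags may be truncated, but to at least 96 bits."""
    expected = hmac_from_definition(K, text, hash_name)
    if not 12 <= len(tag) <= len(expected):
        return False
    return hmac.compare_digest(expected[:len(tag)], tag)


def matches_stdlib(hash_name: str = "sha256") -> bool:
    """Cross-check the hand-built HMAC against hmac.new for empty, short, block-sized and long keys."""
    text = b"The quick brown fox jumps over the lazy dog"
    return all(hmac_from_definition(k, text, hash_name) == hmac.new(k, text, hash_name).digest()
               for k in (b"", b"key", b"k" * 64, b"k" * 200))
```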


IKE performs three tasks:

  • it authenticates the interacting parties and negotiates the encryption algorithm and the key characteristics to be used in the secure session;
  • it creates and manages the key information for the connection and performs the key exchange itself (including the possibility of frequent key changes);
  • it controls the parameters of the connection, protects against certain types of attacks, and monitors the fulfilment of all agreements reached.

To solve the third task, the concept of the security association (SA) was introduced.

Concept of security associations

A Security Association (SA) is a connection that provides security services for the traffic transmitted through it. Each of the two computers stores the mode, protocol, algorithms and keys used in the SA. Each SA is used in only one direction, so bidirectional communication requires two SAs. Each SA implements one mode and one protocol; thus, if two protocols (such as AH and ESP) must be applied to one packet, two SAs are required.

IKE uses two basic ways of authenticating the parties.

The first method uses a pre-shared secret. Before the IPsec devices begin forming security associations, a pre-allocated shared secret is placed in their databases. A digital signature based on a one-way function, for example MD5, computed with the pre-shared secret as an argument, proves the authenticity of the opposite side.

The second method is based on digital signature technology and standard X.509 digital certificates. Each side signs its digital certificate with its private key and transmits the data to the opposite side. If the signed certificate verifies under the sender's public key, this confirms that the sender really holds the private key matching that public key.

After mutual authentication, the communicating parties agree on the parameters of the secure channel. The selected parameters define the SA:

  • the protocol used to secure data transmission;
  • the authentication algorithm of the AH protocol and its keys; the encryption algorithm used by the ESP protocol and its keys;
  • the presence or absence of cipher synchronization;
  • ways of protecting the session exchange; the frequency of key change and a number of other parameters.

An important SA parameter is the so-called cryptographic material, i.e. the secret keys used by the AH and ESP protocols.

The SA parameters must suit both endpoints of the secure channel. Therefore, when the automatic SA setup procedure of the IKE protocol is used, the IKE instances working on opposite sides of the channel select the parameters during negotiation. A security association is a unidirectional logical IPsec connection, so two-way communication requires two SAs. Within one SA only one of the security protocols can operate: either AH or ESP, but not both.

IPsec allows both manual and automatic methods of establishing an SA.

Databases SAD and SPD

IPsec can implement different methods of protecting traffic. Each node supporting IPsec maintains two types of databases:

  • the Security Associations Database (SAD);
  • the Security Policy Database (SPD).

When establishing two SAs, the parties entering the exchange accept a number of agreements regulating the data flow between them. The agreements are represented as a set of parameters. For an SA these parameters are, in particular, the type and mode of the security protocol (AH or ESP), the encryption algorithm, the secret keys, the current packet number in the association and other information.

The current parameters defining all active associations are stored at both endpoints of the secure channel in the form of the SAD. Each IPsec node maintains two SAD bases: one for outgoing associations and one for incoming.

The SAD contains:

  • AH: authentication algorithm;
  • AH: secret key for authentication;
  • ESP: encryption algorithm;
  • ESP: secret encryption key;
  • ESP: whether authentication is used (yes / no);
  • key exchange parameters;
  • routing restrictions;
  • IP filter policy.

The SPD defines the correspondence between IP packets and the set of rules for their treatment. For packet processing the SPD is used together with the SAD. The SPD is an ordered set of rules, each of which consists of a set of admissible selectors and a security policy. The selectors are used to select packets, and the security policy specifies the required treatment. This database is formed and maintained at each node where IPsec software is installed. Example SPD selectors:

  • destination IP address;
  • source IP address;
  • user name in DNS or X.500 format;
  • source and destination port.

When a packet arrives, the values of the corresponding packet fields (the selector fields) are compared with those contained in the SPD. When a match is found, the security-policy field of the rule says what to do with the packet: pass it unchanged, discard it, or process it. In the case of processing, the same field refers to the corresponding SAD entry. The SA for the packet is then located, which involves the Security Parameter Index (SPI), after which the IPsec operations (AH or ESP processing) are performed. If the packet is inbound, it already carries the SPI, and the corresponding actions are performed directly.
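Below is an added, simplified model (not the page's own material and not a real IPsec implementation) of the lookup just described: an ordered SPD whose selectors are matched against a packet in order, a policy of pass / discard / process, and a SAD entry reached through the SPI. The addresses, ports, SPI value and algorithm names are constructed sample values; discarding a packet that matches no rule is a design choice of the example, not something the text states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    inbound: bool
    spi: Optional[int] = None      # present only on inbound IPsec-protected packets


@dataclass
class SPDRule:
    """One ordered SPD entry: selectors plus the policy for packets that match."""
    src: str                       # CIDR selector for the source address
    dst: str                       # CIDR selector for the destination address
    dport: Optional[int]           # None = any destination port
    action: str                    # "bypass", "discard" or "protect"
    spi: Optional[int] = None      # for "protect": reference into the SAD

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class SAEntry:
    """SAD entry: protocol, algorithms, key and packet counter of one unidirectional SA."""
    protocol: str                  # "AH" or "ESP"
    auth_alg: str
    enc_alg: Optional[str]
    key_hex: str
    seq: int = 0                   # current packet number in the association


# Constructed sample policy: intranet traffic bypasses, SSH to the gateway is dropped,
# everything else from the intranet to the 192.0.2.0/24 site is ESP-protected.
SPD = [
    SPDRule("10.0.0.0/8", "10.0.0.0/8", None, "bypass"),
    SPDRule("0.0.0.0/0", "192.0.2.10/32", 22, "discard"),
    SPDRule("10.0.0.0/8", "192.0.2.0/24", None, "protect", spi=0x1001),
]
SAD = {0x1001: SAEntry("ESP", "HMAC-SHA1", "AES-CBC", "00" * 16)}   # constructed key


def process(pkt: Packet, spd=SPD, sad=SAD) -> str:
    """Return the disposition of a packet following the SPD/SAD procedure in the text."""
    if pkt.inbound and pkt.spi is not None:
        # Inbound IPsec packet: the SPI it carries points straight at the SA.
        sa = sad.get(pkt.spi)
        if sa is None:
            return "discard: unknown SPI"
        return f"{sa.protocol} inbound processing, SPI {pkt.spi:#x}"
    for rule in spd:                                   # ordered: first match wins
        if rule.matches(pkt):
            if rule.action == "bypass":
                return "pass unchanged"
            if rule.action == "discard":
                return "discard"
            sa = sad[rule.spi]                         # policy field -> SAD entry
            sa.seq += 1
            return f"{sa.protocol} outbound processing, SPI {rule.spi:#x}, seq {sa.seq}"
    return "discard: no SPD match"                     # example's default: deny


if __name__ == "__main__":
    print(process(Packet("10.1.1.1", "192.0.2.10", 443, inbound=False)))
```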

Creating a Connection IPsec

Creating an IPsec connection is carried out in two stages:

  • IKE SA (stage 1);
  • IPsec SA (stage 2).

Stage 1

At this stage, mutual authentication is performed and the encryption keys needed to protect stage 2 are generated. Stage 1 has two modes: main (basic) mode and aggressive mode. The difference between them is the number of messages exchanged and the way the keys are protected.

Main mode:


Aggressive Mode:


Stage 2

At this stage, the cipher and authentication algorithms needed to protect further operations are determined. Phase 2 has one mode: quick mode.

Quick mode:


Explanation of the stages

HDR: ISAKMP header;

SA: security association;

KE: Diffie-Hellman public key exchange value;

Ni, Nr: nonces (one-time values) of the initiator and responder;

ID_I, ID_R: identifiers of the sender (initiator) and recipient (responder);

CERT: certificate;

SIG_I, SIG_R: signatures of the sender and recipient;

[x]: x is optional;

*: encryption begins after the header.

Key exchange and authentication

IPsec supports various key exchange and authentication protocols:

Key exchange protocols:

1. Diffie-Hellman;

2. The Kerberos protocol (KINK).

Kerberos protocol


Authentication protocols

1. Pre-shared key (PSK);

2. Digital signature; in particular the RSA and DSA algorithms are used;

3. Authentication using a public key.



p = a prime number of length L bits, where L is a multiple of 64 in the range from 512 to 1024;

q = a 160-bit prime factor of p-1;

g = Dsaq.png, where h is any number less than p-1 for which Dsaq.png is greater than 1;

x = a number less than q.


A one-way hash function H(m) is used.

The first three parameters, p, q, g, are public and can be shared by the network users. The private key is x, and the public key is y. To sign a message m:

1. A generates a random number k less than q;

2. A computes


The signature consists of the parameters r and s, which A sends to the recipient.

3. The recipient verifies the signature by computing


If v = r, the signature is valid.
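The scheme above is DSA. As an added example, not part of the original page, here is a complete signing and verification routine in Python following the parameters listed above: an L-bit prime p with L = 512, a 160-bit prime q dividing p-1, the standard DSA generator g = h^((p-1)/q) mod p with g > 1, and SHA-1 as H. Parameter generation with a Miller-Rabin test is included so the block runs stand-alone; the signed message is a constructed value. These sizes are historical (the text's own 512 to 1024-bit range) and DSA is not a choice for new systems; the point is the arithmetic of r, s and v.

```python
import hashlib
import random
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(L: int = 512, N: int = 160):
    """p: L-bit prime; q: N-bit prime dividing p-1; g = h^((p-1)/q) mod p with g > 1."""
    while True:
        q = random.getrandbits(N) | (1 << (N - 1)) | 1          # odd, exactly N bits
        if is_probable_prime(q):
            break
    while True:
        k = (random.getrandbits(L - N) | (1 << (L - N - 1))) & ~1   # even k keeps p odd
        p = k * q + 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g
        h += 1


def generate_keys(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1       # private key: a number less than q
    y = pow(g, x, p)                       # public key
    return x, y


def H(m: bytes) -> int:
    """The one-way hash of the text, SHA-1 as in the original DSA, as an integer."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")


def sign(params, x: int, m: bytes):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1   # fresh, unpredictable k < q for every signature
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (H(m) + x * r)) % q
        if r != 0 and s != 0:              # DSA requires retrying if either is zero
            return r, s


def verify(params, y: int, m: bytes, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):      # range check before any arithmetic
        return False
    w = pow(s, -1, q)
    u1 = (H(m) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    params = generate_parameters()
    x, y = generate_keys(params)
    sig = sign(params, x, b"constructed message")
    print(verify(params, y, b"constructed message", sig))
```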


The IPsec standards incorporate advanced techniques and achievements in the field of network security. IPsec holds a leading position among the standards for creating VPNs. This is helped by its open construction, which is able to include new developments in cryptography. IPsec allows a network to be protected from most Internet attacks by "dropping" wrong packets before they reach the IP layer on the receiving computer. Only packets from registered interaction partners can enter a protected computer or network.

IPsec provides:

  • authentication: proof that packets were sent by the communication partner, i.e. the owner of the shared secret;
  • integrity: the impossibility of altering the data in a packet without detection;
  • confidentiality: the impossibility of disclosing the transmitted data;
  • secure key management: the IKE protocol computes a shared secret known only to the sender and recipient of the packet;
  • tunneling: complete concealment of the local network topology.

Operation within the IPsec standard provides complete protection of the information flow from sender to recipient, closing the traffic to observers at intermediate network nodes. VPN solutions based on the IPsec protocol stack provide for building virtual private networks, their safe use, and integration with open communication systems.

Protection at the application level

The SSL protocol

The SSL protocol (Secure Sockets Layer), developed by Netscape Communications with the participation of RSA Data Security, is designed to implement secure information exchange in client/server applications.

Security functions provided by the SSL protocol:

  • encryption of data to prevent exposure of sensitive data during transmission;
  • signing of data to protect it from undetected modification during transmission;
  • authentication of the client and the server.

SSL uses cryptographic methods to secure the information exchange. The protocol performs mutual authentication and ensures the confidentiality and authenticity of the transmitted data. The core of SSL is the combined use of symmetric and asymmetric cryptosystems. Mutual authentication is performed by an exchange of digital certificates, i.e. the public keys of the client and the server, digitally signed by special certification authorities. Confidentiality is ensured by encrypting the transmitted data with a symmetric session key, which the parties exchange when establishing the connection. The authenticity and integrity of the information are ensured by the generation and verification of digital signatures. The RSA algorithm and Diffie-Hellman are used as the asymmetric algorithms.

Figure 9. Crypto-protected tunnels formed on the basis of SSL

According to SSL, crypto-protected tunnels are created between the endpoints of a virtual network. The client and server operate on the computers at the endpoints of the tunnel (Fig. 9).

The SSL handshake protocol has two main stages of forming and maintaining the protected connection:

  • establishing an SSL session;
  • secure communication.

The first stage is performed before the actual protected information exchange, by the initial greeting protocol (Handshake Protocol) built into SSL. When a connection is re-established, new session keys may be generated on the basis of the old shared secret.

The objectives of establishing an SSL session are:

  • authentication of the parties;
  • negotiation of the cryptographic and compression algorithms to be used in the secure information exchange;
  • formation of a shared secret master key;
  • generation, on the basis of the master key, of a shared secret session key for encrypting the information exchange.

Figure 10. The process of client/server authentication

The SSL protocol provides two types of authentication:

  • authentication of the server by the client;
  • authentication of the client by the server.

Client/server software that supports SSL can use standard public-key cryptography techniques to verify that the server's/client's certificate and public key are valid and were issued by a certification authority from the list of trusted sources. An example of the client/server authentication process is shown in Figure 10.

The scheme of the protocol

Before a message is sent to the data line, it goes through the following processing steps:

1. The message is segmented into blocks suitable for processing;

2. The data is compressed (optional);

3. A MAC is generated using key SP1.JPG;

4. The data is encrypted using key SP2.JPG.

The encrypted message is then transmitted over the channel to the receiver. The recipient receives the encrypted message and, to read the original, performs the inverse transformations:

1. Using key SP2.JPG, the data is decrypted;

2. The MAC is checked using key SP1.JPG;

3. The data is decompressed (if compression was used);

4. The message is assembled from the blocks and the recipient reads it.
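As an added example (not from the original page), the sender and receiver pipelines above in Python: segmentation into 16 KiB fragments, optional zlib compression, an HMAC-SHA256 MAC under k_mac (playing the role of key SP1.JPG), and encryption under k_enc (the role of key SP2.JPG); the receiver reverses the steps and rejects any record whose MAC fails. The cipher is a constructed HMAC-based keystream standing in for the negotiated symmetric cipher, and the keys and payload are constructed values.

```python
import hashlib
import hmac
import zlib

MAX_FRAGMENT = 2 ** 14     # SSL/TLS plaintext fragment limit, 16 KiB
MAC_LEN = 32               # HMAC-SHA256 output length


def keystream(k_enc: bytes, seq: int, length: int) -> bytes:
    """Constructed counter-mode keystream from HMAC-SHA256; seq keeps records distinct."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, seq.to_bytes(8, "big") + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(message: bytes, k_mac: bytes, k_enc: bytes, compress: bool = True):
    """Sender side: returns the list of encrypted records."""
    records = []
    for seq, i in enumerate(range(0, len(message), MAX_FRAGMENT)):
        fragment = message[i:i + MAX_FRAGMENT]                       # 1. segmentation
        if compress:
            fragment = zlib.compress(fragment)                        # 2. optional compression
        mac = hmac.new(k_mac, seq.to_bytes(8, "big") + fragment,
                       hashlib.sha256).digest()                       # 3. MAC under k_mac
        plaintext = fragment + mac
        records.append(xor(plaintext, keystream(k_enc, seq, len(plaintext))))  # 4. encrypt
    return records


def unprotect(records, k_mac: bytes, k_enc: bytes, compress: bool = True) -> bytes:
    """Receiver side: decrypt, verify the MAC, decompress, reassemble."""
    parts = []
    for seq, rec in enumerate(records):
        plaintext = xor(rec, keystream(k_enc, seq, len(rec)))          # 1. decrypt under k_enc
        fragment, mac = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
        expected = hmac.new(k_mac, seq.to_bytes(8, "big") + fragment,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):                     # 2. check MAC
            raise ValueError(f"bad_record_mac on record {seq}")
        if compress:
            fragment = zlib.decompress(fragment)                        # 3. decompress
        parts.append(fragment)
    return b"".join(parts)                                              # 4. reassemble


def tamper_is_detected(records, k_mac: bytes, k_enc: bytes) -> bool:
    """Flip one ciphertext bit of the first record and confirm the receiver rejects it."""
    broken = list(records)
    first = bytearray(broken[0])
    first[0] ^= 0x01
    broken[0] = bytes(first)
    try:
        unprotect(broken, k_mac, k_enc)
    except (ValueError, zlib.error):
        return True
    return False


if __name__ == "__main__":
    k_mac, k_enc = b"\x01" * 32, b"\x02" * 32            # constructed keys
    msg = b"constructed payload " * 2000                  # 40000 bytes: spans 3 records
    recs = protect(msg, k_mac, k_enc)
    print(len(recs), unprotect(recs, k_mac, k_enc) == msg, tamper_is_detected(recs, k_mac, k_enc))
```

The MAC-then-encrypt order shown here is the one SSL and TLS 1.0 to 1.2 specified; later TLS versions moved to AEAD ciphers, which combine integrity protection and encryption in one operation.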

Authentic key distribution

Parties: A (client), CA (certification authority), B (server).

Notation: S5.JPG - symmetric encryption scheme; S6.JPG - public-key encryption scheme; S7.JPG - digital signature scheme; S8.JPG - any function (preferably a one-way function).

A: generates a signature key pair S3.JPG and transfers S4.JPG to the CA.

B: generates a public-key encryption key pair S9.JPG and transfers S10.JPG to the CA.

K - a random session key. S11.JPG S12.JPG S13.JPG

If S19 1.JPG, then K is accepted as an authentic shared secret.


Work phase

S5.JPG - symmetric encryption scheme

Rs6e.jpg Rs7.JPG Rs8.JPG
. . . etc . . .

Attacks on the SSL protocol

Like other protocols, SSL is susceptible to attacks associated with an untrusted software environment, software implants (backdoors), etc.:

  • Replay attack. The attacker records a successful communication session between the client and the server, and later establishes a connection to the server using the client's recorded messages. SSL defeats this attack with a unique connection identifier, the "nonce". Identifiers are 128 bits long, so the attacker would have to record about 2^64 identifiers for the probability of guessing one to reach 50%. The number of required records and the low probability of guessing make this attack senseless.
  • Attack on the handshake protocol. The attacker can try to influence the handshake exchange so that the parties choose different encryption algorithms. Since many export implementations support weak encryption, and some even a null encryption algorithm or MAC only, such attacks are of great interest. To carry out such an attack, the attacker would need to replace one or more handshake messages. If this happens, the client and server compute different hash values over the handshake messages. As a result, the parties do not accept each other's "finished" messages. Without knowledge of the secret, the attacker cannot correct the "finished" message, so the attack can be detected.
  • Cipher disclosure. SSL depends on several cryptographic technologies. RSA public-key encryption is used to send session keys and to authenticate the client/server. Various cryptographic algorithms are used as the session cipher. If a successful attack on these algorithms is carried out, SSL can no longer be considered secure. Attacks against particular communication sessions can be carried out by recording the session and then attempting to recover the session key or the RSA key. If successful, it becomes possible to read the transmitted data.
  • Man in the middle. A man-in-the-middle attack assumes three parties: the client, the server and the attacker. The attacker, placed between them, can intercept the communication between client and server. The attack is effective only if Diffie-Hellman key exchange is used, since then the integrity of the received information and its source cannot be verified. In the case of SSL this attack is not possible due to the use of server certificates certified by a certification authority.

The TLS protocol

TLS (Transport Layer Security) is a standard protocol designed to create secure Web communications on the Internet or in intranets. It enables clients to authenticate servers and, if necessary, servers to authenticate clients. The protocol also provides a secure channel by encrypting the transmitted data. TLS version 1.0, based on SSL version 3.0, is the first industry standard for SSL. Its specification was defined by the IETF TLS working group in RFC 2246. The latest published specification of the protocol is described in RFC 5246.

Purpose and benefits

The purpose of TLS is to increase SSL security and to give a more precise and complete definition of the protocol:

  • a more reliable MAC algorithm;
  • more detailed alerts;
  • a clearer definition of "gray area" specifications.

TLS offers the following advanced methods of protection:

  • Keyed hashing for message authentication: TLS uses a hash-based message authentication code (HMAC), which prevents a record from being modified undetected during transmission over an insecure network such as the Internet. SSL version 3.0 also supports keyed message authentication, but HMAC is considered more reliable than the MAC function used in SSL 3.0.
  • Improved pseudorandom function (PRF): the key material is created with the PRF. In TLS the PRF is defined using HMAC. The PRF uses two hash algorithms to ensure its security: if one of the algorithms is compromised, the data remains protected by the second.
  • Better "Finished" message check: in both TLS 1.0 and SSL 3.0 each endpoint sends a "Finished" message indicating that the delivered messages have not been altered. In TLS, however, this check is based on the PRF and HMAC values, which provides a higher level of protection than SSL 3.0.
  • Consistent certificate handling: unlike SSL 3.0, TLS attempts to specify the types of certificate that can be used by different TLS implementations.
  • Specific alerts: TLS provides more accurate and complete alerting of problems detected by one of the endpoints. TLS also specifies when particular alert messages should be sent.

SSH protocol

The SSH protocol (Secure Shell) is a set of public-key authentication protocols that allow a user on the client side to safely log on to a remote server. The main idea of the protocol is that the user on the client side must download the remote server's public key and use it to establish a secure channel using cryptographic credentials. The user's cryptographic credential is the password: it can be encrypted with the received public key and transferred to the server. All messages are encrypted using IDEA.

Architecture of the SSH protocol

SSH runs between two untrusted computers on an insecure network (client and server).

The SSH protocol suite consists of three components:

  • The SSH Transport Layer Protocol provides server authentication. It uses public keys. The input to this protocol, on both the server side and the client side, is a public key pair, the "host keys". The result of the protocol is a mutually authenticated secure channel that guarantees privacy and data integrity.
  • The SSH User Authentication Protocol is performed as one-way authentication over the secure channel established by the SSH transport layer protocol. For authenticating the client to the server, various one-way authentication protocols are supported. These protocols can use either public keys or passwords; for example, they can be built on an authentication protocol with a simple password. The result is a mutually authenticated secure channel between the server and the user. The following methods exist:

publickey - the client sends the digital signature Scauth.png; the server checks that it trusts the client's public key Kcpub.png against its own copy of the key and then verifies the client's signature Sc.

password - the client confirms its authenticity with a password.

hostbased - similar to publickey, but with the key pair of the client host; after confirming the authenticity of the host, the server trusts the user name.

  • The SSH Connection Protocol runs over the mutually authenticated secure channel established by the earlier protocols. It provides the secure channel while dividing it into several protected logical channels.

Key exchange protocol

The protocol consists of 3 stages. The first stage is the "Hello" phase, in which an identifier string, I, is sent first to start the protocol, followed by a list of supported algorithms, X.

In the 2nd stage the parties agree on a secret key, s. The Diffie-Hellman algorithm is used for this. The server confirms its identity by sending the client its public key, Pks.png, certified by a digital signature, Sigca.png, and the signature of the digest, h. The digest h is set as the session identifier sid.

In stage 3, the secret key, the session identifier and the digest are used to create 6 "application keys", calculated using Kepk.png.
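As an added example (not from the original page), the stage-3 derivation of the six application keys as defined in RFC 4253, section 7.2, in Python: each key is HASH(K || H || X || session_id) with X one of the letters "A" to "F", extended with HASH(K || H || K1 || ...) when more bytes are needed than one hash output. K is encoded as an SSH mpint. The values of K, H and the hash algorithm below are constructed, not taken from a real exchange; on the first key exchange of a connection the session_id is H itself.

```python
import hashlib


def mpint(n: int) -> bytes:
    """SSH mpint: 4-byte length, then two's-complement big-endian magnitude (n >= 0 here)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")   # spare byte keeps the sign bit clear
    return len(body).to_bytes(4, "big") + body


def derive_key(K: int, H: bytes, letter: bytes, session_id: bytes, length: int,
               hash_name: str = "sha256") -> bytes:
    """K1 = HASH(K || H || X || session_id); K2 = HASH(K || H || K1); K3 = HASH(K || H || K1 || K2) ..."""
    k_mp = mpint(K)
    key = hashlib.new(hash_name, k_mp + H + letter + session_id).digest()
    while len(key) < length:
        key += hashlib.new(hash_name, k_mp + H + key).digest()
    return key[:length]


# The six letters and what each key is used for, per RFC 4253 section 7.2.
APPLICATION_KEYS = {
    b"A": "iv_client_to_server",
    b"B": "iv_server_to_client",
    b"C": "enc_key_client_to_server",
    b"D": "enc_key_server_to_client",
    b"E": "mac_key_client_to_server",
    b"F": "mac_key_server_to_client",
}


def derive_all(K: int, H: bytes, session_id: bytes, iv_len: int = 16, key_len: int = 32,
               mac_len: int = 32, hash_name: str = "sha256") -> dict:
    """Derive all six application keys for the negotiated cipher and MAC sizes."""
    lengths = {b"A": iv_len, b"B": iv_len, b"C": key_len,
               b"D": key_len, b"E": mac_len, b"F": mac_len}
    return {name: derive_key(K, H, letter, session_id, lengths[letter], hash_name)
            for letter, name in APPLICATION_KEYS.items()}


if __name__ == "__main__":
    # Constructed values: a shared secret with the top bit set (exercises the mpint sign byte)
    # and an exchange hash; on the first exchange session_id == H.
    K = (1 << 255) + 12345
    H = hashlib.sha256(b"constructed exchange hash input").digest()
    for name, key in derive_all(K, H, H).items():
        print(name, key.hex())
```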



The advantages of the protocol are:

  • the possibility of end-to-end operation over the existing TCP/IP stack and its application programming interfaces;
  • greater efficiency over slow channels;
  • the absence of problems with fragmentation and with determining the maximum block size transmitted along a route;
  • the combination of compression with encryption.






Public key distribution protocol Diffie-Hellman



Diffie–Hellman key exchange

Asymmetric encryption

Symmetric encryption




Sagirov R. / Rogozin A. 2014