SoFunction
Updated on 2025-04-09

Description of encryption algorithms for virtual private networks

1. IPSec authentication

The IPSec Authentication Header (AH) is a mechanism that provides integrity and authentication for IP datagrams. Integrity ensures that the datagram has not been changed, whether accidentally or maliciously, while authentication verifies the source of the data (identifying the host, user, network, etc.). AH itself does not support any form of encryption, so it cannot guarantee the confidentiality of data sent over the Internet. AH can only improve the security of the global Internet where the export, import or use of encryption is subject to local government restrictions. When fully implemented, it provides better security services by authenticating IP packets and reducing the chance of attacks based on IP spoofing. The AH header is placed between the standard IPv4 or IPv6 header and the next higher-level protocol frame (such as TCP, UDP or ICMP).

The AH protocol provides integrity and authentication services by computing a message digest over the entire IP datagram. A message digest is a one-way function of the data that creates a unique digital fingerprint of the datagram. The output of the message digest algorithm is placed in the Authentication_Data field of the AH header. Message Digest 5 (MD5) is a one-way mathematical function. When applied to the packet data, it divides the entire data into several 128-bit blocks of information. The information in a 128-bit block is a compressed, or summary, representation of the larger packet data. Used in this way, MD5 provides only data integrity services. A message digest can be calculated over a set of data before it is sent and again after it is received. If the two digest values are the same, the packet data was not changed in transit. This guards against unintentional or malicious tampering. In a data exchange authenticated with HMAC-MD5, the sender first uses the previously exchanged key to calculate the MD5 digest of the datagram. The digest value, calculated from a series of 16 bits, is accumulated into a single value and placed in the Authentication_Data field of the AH header, and the datagram is then sent to the receiver. The receiver must also know the key in order to calculate the correct message digest and compare it with the received message digest. If the calculated and received digest values are equal, the datagram was not changed in transit and can be trusted to have come from the only other party that knows the secret key.
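The sender and receiver computation described above, as an added example (not code from the original article). It goes beyond the text in zeroing the IPv4 fields that routers change in transit and in truncating the HMAC-MD5 output to 96 bits, as AH's HMAC-MD5-96 transform does. The key, addresses, SPI and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51  # IP protocol number assigned to AH

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(next_hdr, spi, seq, icv=b"\x00" * 12):
    """Next header, payload length, reserved, SPI, sequence number, then the ICV."""
    # Payload length = AH size in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, ah, upper):
    """HMAC-MD5 over the datagram, with mutable IP fields and the ICV zeroed."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                  # TOS may be rewritten in transit
    hdr[6:8] = b"\x00\x00"      # flags and fragment offset
    hdr[8] = 0                  # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"    # header checksum changes with the TTL
    zeroed_ah = ah[:12] + b"\x00" * 12
    mac = hmac.new(key, bytes(hdr) + zeroed_ah + upper, hashlib.md5).digest()
    return mac[:12]             # HMAC-MD5-96: first 96 bits of the 128-bit MAC

def protect(key, src, dst, spi, seq, upper, next_hdr=6):
    """Sender: build IP + AH + upper-layer frame with the ICV filled in."""
    ip = ipv4_header(src, dst, AH_PROTO, 24 + len(upper))
    icv = compute_icv(key, ip, ah_header(next_hdr, spi, seq), upper)
    return ip + ah_header(next_hdr, spi, seq, icv) + upper

def verify(key, packet):
    """Receiver: recompute the ICV and compare it in constant time."""
    ip, ah, upper = packet[:20], packet[20:44], packet[44:]
    return hmac.compare_digest(compute_icv(key, ip, ah, upper), ah[12:24])

if __name__ == "__main__":
    KEY = b"constructed-shared-key"   # constructed sample values throughout
    pkt = bytearray(protect(KEY, "192.0.2.10", "198.51.100.20", 0x1001, 1, b"data"))
    pkt[8] -= 1                       # a router decrements the TTL
    print("after one hop:", verify(KEY, bytes(pkt)))
    pkt[12:16] = socket.inet_aton("203.0.113.7")  # source address rewritten
    print("source changed:", verify(KEY, bytes(pkt)))
```

Because the source and destination addresses are covered by the digest while the TTL is not, a routed packet still verifies but one with a rewritten source address does not.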

2. IPSec encryption

The Encapsulating Security Payload (ESP) header provides integrity and confidentiality for IP datagrams. ESP is designed to work in two modes: tunnel mode and transport mode. The difference between the two lies in what the ESP payload of the IP datagram contains. In tunnel mode, the entire IP datagram is encapsulated and encrypted in the ESP payload. As a result, the real IP source and destination addresses are hidden as ordinary data sent over the Internet. A typical use of this mode is host or topology hiding when firewalls are connected to each other through a virtual private network. In transport mode, only the higher-level protocol frame (TCP, UDP, ICMP, etc.) is placed in the encrypted ESP payload of the IP datagram. In this mode, the source and destination IP addresses and all other IP header fields are sent unencrypted.
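An added sketch (not from the original article) of what each mode leaves readable on the wire. The encryption is a labelled stand-in, not DES-CBC, so the block runs on the Python standard library alone; the addresses, key, SPI and function names are constructed.

```python
import hashlib
import os
import socket
import struct

ESP_PROTO = 50  # IP protocol number assigned to ESP

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options, checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def standin_encrypt(key, iv, data):
    """Stand-in cipher (SHA-256 keystream XOR), NOT DES-CBC; layout demo only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + struct.pack("!I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(key, spi, seq, inner, next_hdr):
    """SPI | sequence | IV | encrypted(payload + padding + pad length + next header)."""
    pad = (-(len(inner) + 2)) % 8       # fill whole 8-byte cipher blocks
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    iv = os.urandom(8)                  # fresh random IV for every packet
    return struct.pack("!II", spi, seq) + iv + standin_encrypt(key, iv, inner + trailer)

def transport_mode(key, packet, spi, seq):
    """Keep the original IP header in clear; encrypt only the upper-layer frame."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return ipv4(src, dst, ESP_PROTO, esp(key, spi, seq, packet[20:], packet[9]))

def tunnel_mode(key, packet, spi, seq, gw_src, gw_dst):
    """Encrypt the whole original datagram; the outer header names the gateways."""
    return ipv4(gw_src, gw_dst, ESP_PROTO, esp(key, spi, seq, packet, 4))  # 4 = IP-in-IP

def observer_view(wire):
    """What an on-path observer reads without the key: outer source, destination, protocol."""
    return socket.inet_ntoa(wire[12:16]), socket.inet_ntoa(wire[16:20]), wire[9]

if __name__ == "__main__":
    inner = ipv4("10.1.0.5", "10.2.0.9", 6, b"constructed TCP bytes")  # constructed
    print(observer_view(transport_mode(b"k", inner, 0x2001, 1)))
    print(observer_view(tunnel_mode(b"k", inner, 0x2001, 2, "192.0.2.1", "198.51.100.1")))
```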

IPSec requires all ESP implementations to support a common default algorithm, DES-CBC. The U.S. Data Encryption Standard (DES) is a very widely used encryption algorithm. It was first published by the U.S. government and was originally intended for commercial applications. All DES patents have since expired, so it can be implemented free of charge worldwide. The IPSec ESP standard requires every ESP implementation to support DES in cipher block chaining (CBC) mode as the default algorithm. DES-CBC works by applying a data function to the 8-bit data blocks that make up a complete IP packet (tunnel mode) or the next higher-layer protocol frame (transport mode). DES-CBC replaces 8 bits of unencrypted data (plaintext) with 8 bits of encrypted data (ciphertext). A random 8-bit initialization vector (IV) is used to encrypt the first plaintext block, so that the encrypted information is randomized even when different plaintext messages begin identically. DES-CBC uses a single key shared by the communicating parties, which is why it is considered a symmetric cryptographic algorithm. The receiver can decrypt the data only with the key the sender used to encrypt it. The effectiveness of DES-CBC therefore depends on the secrecy of the key; the DES-CBC key used by ESP is 56 bits long.

Article entry: csh     Editor in charge: csh