
How IPSec Works

  1. Computer A generates outbound packets to send to Computer B.
  2. The IPSec driver on Computer A compares the outbound packets against the IPSec filters to determine whether the packets need to be secured.
  3. If a matched filter has to negotiate a security action, Computer A uses Internet Key Exchange (IKE) to begin security negotiations with Computer B.

Phase I IKE Security Associations - provides identity protection

Policy negotiation

Encryption algorithm (DES or 3DES)

Hash algorithm (MD5 - 128-bit hash, or SHA - 160-bit hash; see p. 326)

Authentication method (Certificate, Pre-shared key, or Kerberos v5)

Diffie-Hellman (DH) group to be used for the base keying material

DH exchange of public values - base info needed by DH to generate the shared, secret key is exchanged. No actual keys are exchanged - the IKE service on each computer generates the master key used to protect authentication.

Authentication - the computers attempt to authenticate the DH exchange

The sender presents an offer for a potential security association to the receiver. The offer cannot be modified. The receiver sends either a reply accepting the offer or a reply with alternatives. Once the two computers agree on an offer, the Phase II SA begins.
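The three Phase I steps above (policy negotiation, DH exchange, authentication of the exchange) as a simplified Python model. This is an added example, not part of the original notes and not the IKE wire protocol: the toy DH group, the proposal tuples, the pre-shared key values, and the functions `negotiate`, `dh_keypair`, `dh_shared`, `auth_tag` and `phase1` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (2**127 - 1 is prime); real IKE uses
# the standardized group chosen during policy negotiation.
P, G = 2**127 - 1, 3

def negotiate(offer, acceptable):
    """Responder picks the first offered proposal it allows, unmodified."""
    for proposal in offer:
        if proposal in acceptable:
            return proposal
    return None  # no agreement: the responder would reply with alternatives

def dh_keypair():
    private = secrets.randbelow(P - 3) + 2   # never leaves this computer
    return private, pow(G, private, P)       # only the public value is sent

def dh_shared(private, peer_public):
    # Each side computes the master key locally; the key itself is never sent.
    return pow(peer_public, private, P).to_bytes(16, "big")

def auth_tag(psk, own_public, peer_public, identity):
    """Simplified stand-in for IKE's authentication hash: binds the
    pre-shared key to the DH public values that were actually exchanged."""
    msg = b"|".join([str(own_public).encode(), str(peer_public).encode(), identity])
    return hmac.new(psk, msg, hashlib.sha1).digest()

def phase1(offer, acceptable, psk_a, psk_b):
    """Return (proposal, key on A, key on B), or None if Phase I fails."""
    proposal = negotiate(offer, acceptable)
    if proposal is None:
        return None
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Each side sends a tag; the peer recomputes it with its own copy of the key.
    tag_a = auth_tag(psk_a, a_pub, b_pub, b"ComputerA")
    tag_b = auth_tag(psk_b, b_pub, a_pub, b"ComputerB")
    ok = (hmac.compare_digest(tag_a, auth_tag(psk_b, a_pub, b_pub, b"ComputerA"))
          and hmac.compare_digest(tag_b, auth_tag(psk_a, b_pub, a_pub, b"ComputerB")))
    if not ok:
        return None  # authentication of the DH exchange failed
    return proposal, dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)

if __name__ == "__main__":
    offer = [("3DES", "SHA", "Pre-shared key")]  # constructed sample offer
    print(phase1(offer, set(offer), b"constructed-psk", b"constructed-psk"))
```

A mismatched pre-shared key or an offer with no acceptable proposal makes `phase1` return `None`, which is the point at which a real negotiation would stop before any Phase II SA is created.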

Phase II IPSec Security Associations - provides protection by refreshing the keying material to prevent bogus SAs.

Policy negotiation - the IPSec computers exchange their requirements for securing the data transfer:

IPSec protocol (AH or ESP)

Hash algorithm (MD5 or SHA)

Encryption algorithm (3DES or DES)

A common agreement is reached, and two SAs are established: one for inbound and one for outbound communication.

Session-key material refresh or exchange

Passing the SAs and keys

4.  The IPSec driver on Computer A signs the outgoing packets for integrity and optionally encrypts them for confidentiality using the methods agreed upon during the negotiation. It transmits the secured packets to Computer B.

5.  The IPSec driver on Computer B checks the packets for integrity and decrypts their content if necessary. It then sends them to the receiving application.
