Configuring Windows 2000 Server Security:IP Security for Microsoft Windows 2000 Server
http://corpitk.earthweb.com/reference/pro/1928994024/ch07/07-04.html (1 of 3) [8/3/2000 6:54:09 AM]
The person being sniffed is transferring a personal paycheck into an online account. This is a transaction the person performs every week. These transactions are always encrypted with DES. The sniffer would see the same ciphertext each week. However, what if the person got a raise or a new job? The ciphertext would change, and the sniffer would have information about a change in the person’s current financial situation. This information can be integrated with other facts during an investigation.
In order to prevent each block from looking the same, DES can be combined with cipher block chaining (CBC). This DES-CBC algorithm will make each ciphertext message appear different by using a different initialization vector (IV), which is a random block of encrypted data that begins each chain. In this fashion, you can make each message’s ciphertext appear different, even if you send the exact same message a hundred times.
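The weekly-paycheck scenario above, as an added example that is not code from the book: the same message is encrypted with no IV or chaining and then with CBC and a fresh random IV. A small HMAC-based Feistel cipher with a 64-bit block stands in for DES, which Python's standard library does not provide; KEY, WEEKLY and every function name are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit block, the block size DES uses
KEY = b"constructed demo key"  # constructed sample key
WEEKLY = b"TRANSFER 1500.00 TO ACCT 0042"  # constructed weekly message

def _f(key, rnd, half):  # Feistel round function: truncated HMAC, a stand-in for DES
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):  # PKCS#7-style padding, always 1..8 bytes
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key, msg):  # no IV, no chaining: each block stands alone
    p = pad(msg)
    return b"".join(encrypt_block(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))

def cbc_encrypt(key, msg, iv=None):
    iv = os.urandom(BLOCK) if iv is None else iv  # fresh random IV per message
    p, out, prev = pad(msg), [iv], iv
    for i in range(0, len(p), BLOCK):
        prev = encrypt_block(key, _xor(p[i:i + BLOCK], prev))  # chain on previous block
        out.append(prev)
    return b"".join(out)  # the IV is sent as the first block

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b"".join(_xor(decrypt_block(key, c), prev) for prev, c in zip(blocks, blocks[1:]))
    return plain[:-plain[-1]]  # strip the padding

if __name__ == "__main__":
    for week in (1, 2):  # same message, two weeks: ECB repeats, CBC does not
        print(week, ecb_encrypt(KEY, WEEKLY).hex(), cbc_encrypt(KEY, WEEKLY).hex())
```

Passing the same `iv` twice to `cbc_encrypt` reproduces the identical ciphertext, so the protection depends on the IV actually differing for every message.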
IPSec Security Services
IPSec engages two protocols to implement security on an IP network:
• Authentication header (AH)
• Encapsulating security payload (ESP)
Authentication Header (AH)
The authentication header ensures data integrity and authentication. The AH does not encrypt data, and therefore provides no confidentiality. When the AH protocol is applied in transport mode, the authentication header is inserted between the original IP header and the TCP header, as shown in Figure 7.1. The entire datagram is authenticated using AH.
Figure 7.1 This is the datagram as it appears after the authentication header is applied in transport mode.
Encapsulating Security Payload (ESP)
The encapsulating security payload protocol can provide authentication, integrity, and confidentiality to an IP datagram. Authentication services are available with ESP, but the original IP header prior to application of the ESP header is not authenticated. The ESP header, in transport mode, is placed between the original header and the TCP header, as shown in Figure 7.2. Only the TCP header, data, and ESP trailer are encrypted.
If authentication of the original IP header is required, you can combine and use AH and ESP together.
Figure 7.2 This is the datagram after the encapsulating security payload header is applied in transport mode.
Figures 7.1 and 7.2 demonstrate packet configurations when AH or ESP is used in transport mode. Transport mode is used when point-to-point communications are taking place between source and destination computers. AH and ESP can be applied at a gateway machine connecting the LAN to a remote network. In this case, tunnel mode would be utilized.
In tunnel mode an additional IP header is added that denotes the destination tunnel endpoint. This tunnel header encapsulates the original IP header, which contains the IP address of the destination computer. Figure 7.3 shows a packet constructed for tunnel mode.
Figure 7.3 This is a datagram with ESP header in tunnel mode.
Security Associations and IPSec Key Management Procedures
When two computers establish a connection using IPSec, they must come to an agreement regarding which algorithms and protocols they will use. A single security association (SA) is established for each link a computer maintains with another computer via IPSec. If a file server has several simultaneous sessions with multiple clients, a number of different SAs will be defined, one for each connection via IPSec.
Each security association has these parameters associated with it:
• An encryption algorithm (DES or 3DES)
• A session key (via Internet Key Exchange or IKE)
• An authentication algorithm (SHA1 or MD5)
A security parameters index (SPI) tracks each SA. The SPI uniquely identifies each SA as separate and distinct from any other IPSec connections current on a particular machine. The index itself is derived from the destination host’s IP address and a randomly assigned number. When a computer communicates with another computer via IPSec, it checks its database for an applicable SA. It then applies the appropriate algorithms, protocols, and keys and inserts the SPI into the IPSec header.