IPSec Abbreviations Flashcards
DES
- Data Encryption Standard
- Encryption
PSK
- Pre-shared Key
- Credential for mutually authenticating peers
AES
- Advanced Encryption Standard
- Encryption
MD5
- Message Digest 5
- Hashing algorithm that provides data integrity
SHA
- Secure Hash Algorithm
- Authentication of packet data
What does AH stand for and what are 3 services it provides?
- Authentication Header
- Data integrity
- Data Authentication
- Replay protection
What does ESP stand for and what 4 services does it provide?
- Encapsulating Security Payload
- Data Integrity
- Data authentication
- Replay protection
- Encryption
RSA
- Rivest-Shamir-Adleman
- Public Key exchange using digital certificates
- Mutually authenticates peers
IKE
- Internet Key Exchange
- Authentication between 2 endpoints
- Establishes SAs
- SAs used to carry control and data plane traffic
ECDSA
- Elliptic Curve Digital Signature Algorithm
- Encryption
EAP
- Extensible Authentication Protocol
- Authentication method for IKEv2
AES-GCM
- Advanced Encryption Standard Galois/Counter Mode
- Encryption
ECDH
- Elliptic Curve Diffie-Hellman
- Encryption
ISAKMP
- Internet Security Association Key Management Protocol
- Framework for authentication and key exchanges to build ISAKMP SAs
ESP-GCM
- Encapsulating Security Payload using Galois/Counter Mode
- Encryption
GMAC
- Galois/Counter Message Authentication Code
- Message integrity
Name two HMAC protocols.
- MD5
- SHA
HMAC
- Hashed Message Authentication Code
DH
- Diffie-Hellman
- Allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure medium
- The shared secret key then becomes the input used to generate key material that secures the IKE SA.
Which 2 transforms provide ESP with data integrity and encryption?
- esp-gcm
- esp-gmac
What are the 2 modes for IKE phase 1 negotiation and how many messages are used by each mode?
- Main mode - 6 messages
- Aggressive mode - 3 messages
What is the advantage and disadvantage of Main mode and Aggressive mode?
- Main mode takes longer but peer identities are hidden
- Aggressive mode is faster but the peer identities are exposed
What are the 6 messages in Main Mode?
- MM1 - Initiator sends SA proposals to Responder
- MM2 - Responder replies with SA proposal that matched
- MM3 - Initiator starts DH key exchange
- MM4 - Responder sends its own key to Initiator
- MM5 - Initiator starts authentication by sending its IP address
- MM6 - Responder sends its IP address and completes authentication
Name the 5 things that make up the SA proposal.
- Hash algorithm - MD5 or SHA
- Encryption algorithm - DES, 3DES, or AES
- Authentication method - PSK or Digital Certificates
- DH group - Group 1, 2, 5, and so on
- Lifetime - how long until Phase 1 tunnel will be torn down
What is the default lifetime for the Phase 1 tunnel?
24 hours
What are the 3 messages exchanged in Aggressive Mode?
- AM1 - Initiator sends SA, KEi, Ni, and IDi
- AM2 - Responder sends the accepted SAr, KEr, Nr, IDr, and AUTH
- AM3 - Initiator sends AUTH
What are the 3 messages sent during phase 2?
- QM1 - Initiator sends the agreed-upon algorithms from phase 1 and the Traffic Selector
- QM2 - Responder sends the agreed-upon algorithms from phase 1 and the Traffic Selector
- QM3 - Acknowledges the Responder's previous message
What is the name of the mode used during phase 2 IPsec SA establishment?
Quick mode
During IKE phase 1 how many tunnels are built?
One single bi-directional tunnel.
During phase 2 how many tunnels are built?
2 unidirectional tunnels - one in each direction
PFS
- Perfect Forwarding Security
- Optional function for phase 2
- Provides for additional session keys not derived from previous ones
At what point during phase 1 main mode is encryption started?
After the DH public key exchange is completed (after MM4)
Describe the Main Mode messages from a high level.
- The first pair negotiates cryptographic ciphers
- The second pair exchanges key material
- The third pair is encrypted and proves the identity
What are 3 methods the IKE peers can authenticate each other?
- Pre-shared key
- RSA signatures
- RSA encrypted nonces
What are 2 values used for IDs?
- IP address
- FQDN
SPI
- Security Parameter Index
- Randomly generated 32-bit value that is used by a receiver to identify the SA to which an incoming packet should be bound.
How does IPsec provide access control?
By defining Traffic Selectors
Another name for anti-replay?
Anti MiTM
Another name for encryption?
Confidentiality
Data Integrity (2 things)
- Packet hasn't been altered
- Source of the packet has been verified
How is Data Integrity accomplished?
- Source device computes a hash (MD5 or SHA) based on the shared secret and the packet contents
- The keyed hash is inserted in the ICV field of the packet
- Destination decrypts the hash using the shared secret to validate data integrity
What are the 3 packet headers for AH in transport mode?
- Original IP header
- AH header
- Original packet
What are the 3 packet headers for AH in tunnel mode?
- New IP header
- AH header
- Original packet
What are the 5 headers for ESP in transport mode?
- Original IP header
- ESP header
- Original Data
- ESP trailer
- ESP Auth
What are the 5 packet headers for ESP in tunnel mode?
- New IP header from IPsec
- ESP header
- Original Packet
- ESP trailer
- ESP auth