IPSec and Cryptography - Essay Example

Running head: Research Paper, Computer Sciences and Information Technology

IPSec and Cryptography

Introduction

Internet Protocol Security (IPsec) is the major source of security for the IP network layer. This implies that all IP packets are secured, regardless of the higher-layer protocol being transported in the packet payloads. Applications do not need to be re-engineered to use IPsec, because the security it offers can be made transparent to end users. IPsec is vital because it offers numerous solutions for virtual private networking (VPN), securing communication across untrusted networks such as the Internet. Cryptography refers to the transformation of plaintext information into a coded form. The aim of cryptography is to provide the necessary security and to limit access to private information. This paper discusses the major functions of IPsec in relation to the cryptographic functions employed by the protocol suite during the packet exchange process. It further discusses the limitations of IPsec in relation to the algorithms it uses, and attacks against IPsec.

Functions of IPsec

IPsec performs numerous functions. The first is data confidentiality, achieved by the IPsec sender encrypting the data packets before sending them across a network. The second is data integrity, which requires the IPsec receiver to authenticate the data packets received from the IPsec sender in order to guarantee the safety of the received packets. The third is data origin authentication, which enables the IPsec receiver to confirm the origin of the IPsec packets sent, although the success of this function relies on the data service. The fourth function is anti-replay (Pachghare, 2009).
In carrying out this function, the IPsec receiver is able to detect and discard repeated packets. These services are offered at the IP layer, so they can be used by any upper-layer protocol, such as TCP, UDP and ICMP, to mention a few. The IP DOI is also responsible for providing IP compression; this is achieved through the encryption that is done in IPsec, which hinders sufficient compression by the lower protocol layers (Elkeelany, 2002).

At the IP layer, IPsec offers the necessary security by allowing the system to choose suitable security protocols, determine the algorithms to be used for the task, and put in place the cryptographic keys needed for the application. IPsec is capable of providing sufficient security for more than one path between a security gateway and a host (Pachghare, 2009).

IPsec can establish which areas are susceptible to attack and so provide the necessary security. This is achieved by configuring access lists that are then applied through crypto map sets (Pachghare, 2009). At this point traffic may be selected based on its source and destination. There can be several users on a particular traffic flow, and at the same time a crypto map set might contain several access lists. To guarantee security, a specific sequence must be followed when searching the crypto maps. The traffic is matched packet by packet against the lists in order to gain admittance. When a packet gains admittance to a specific list, the corresponding crypto map is marked as Cisco and the required connections are made. IPsec is activated whenever the crypto map entry is marked as ipsec-isakmp. If no security association (SA) exists that IPsec can use to protect the affected routes, Internet Key Exchange (IKE) is used to negotiate with the remote peers in order to establish the IPsec SAs required for the smooth flow of information.
The negotiations are based on the data specified in the crypto map and the specified access entries. IPsec is also activated when the crypto map entry is marked as ipsec-manual. If no SA exists that IPsec can use to protect the affected traffic, the traffic is always dropped. In such instances the SAs are always installed through the configuration, without the intervention of IKE (Joshi, 2008).

Limitations of IPsec in Relation to the Algorithms It Uses

IPsec has been used as the major source of IP network security. Although it is broadly used, there are several limitations linked to the system in relation to the algorithms it uses. First, setting up the system involves numerous knobs and settings, which makes the whole a complicated suite of protocols. The major source of the complication is that IPsec offers the means and not the strategy, which makes it hard for some users. Compared with other systems, IPsec has more features, which makes it hard to implement and in need of more support, and therefore expensive. Additionally, there are interoperability issues: several IPsec implementations have failed to adhere to the standards and to share the issues affecting them with one another. This has made it hard to reach solutions to the problems affecting the system (Schmeh, 2003).

VPNs built with standard IPsec may be hard to scale, because IPsec tunnels must be provisioned between pairs of VPN gateways. It is likewise hard to scale dynamic multipoint VPNs when IPsec site-to-site VPNs are built from IPsec tunnels. This implies that the success of IPsec will call for more scalability (Loshin, 2003).

IPsec is usually used as a data security measure, but in order to guarantee the effective security of IPsec VPNs it is always essential to involve digital signature authentication.
This calls for installing a Public Key Infrastructure (PKI), which requires proper management. This implies that IPsec cannot be effective without the digital signature.

In an IPsec site-to-site VPN the routing is dynamic, especially when using the point-to-point IPsec tunnel configuration. This makes the system more complicated than an MPLS layer 3 VPN. For fully meshed connectivity, each individual IPsec VPN gateway ought to be an IP routing peer of every other IPsec VPN gateway. Each Customer Edge (CE) router in a VPN is an IP routing peer that has an independent direct link to the VPN. In meshed deployments with dynamic multipoint VPNs, spoke site routers are routing peers only of the hub site router, not of any other spoke site routers (Joshi, 2008).

As things currently stand, IPsec does not support multicast and multi-protocol traffic. This limitation opens the way for the use of Generic Routing Encapsulation (GRE) tunnels or Virtual Tunnel Interfaces (VTI). IPsec can also overload the CPU of the VPN gateways, because it involves packet encryption, decryption and authentication processing (Joshi, 2008).

Existing Work on IPsec Cryptographic Overhead(s)

There are limited studies on IPsec cryptographic overheads, as is evident from the small number of existing works. None of the existing work covers all the security algorithms that are currently in use. The existing work also does not give the specific implications for the system, because on various platforms most aspects of the system have not been addressed. Elkeelany asserts that, with respect to IPsec cryptographic overhead, the Data Encryption Standard (DES) was the best approach for achieving data confidentiality (Elkeelany, 2002).
Elkeelany also asserts that secure authentication is provided whenever IPsec is combined with Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). Further studies by Miltchev et al. mainly considered the Advanced Encryption Standard (AES). Their study serves as a reference point for the functionality of IPsec on an OpenBSD system. The study also addressed the importance of employing hardware accelerators in order to enhance cryptographic processing. The scarcity of information on IPsec cryptographic overheads implies that further research is needed (Miltchev & Keromytis, 2002).

Key Attacks against IPsec

There are various attacks against IPsec. One is the initialization vector (IV) attack, which aims at modifying a CBC-encrypted packet during transmission. IV attacks against IPsec are very serious if IPsec is used carelessly, so it is necessary to have defense mechanisms against them when using IPsec. IV attacks pose a huge security risk to the CBC mode of the block ciphers that are employed in IPsec. In CBC encryption the IV is mainly unauthenticated. This enables the attacker to take charge of the first block of the decrypted plaintext by modifying the IV. This is where cryptography is essential, since data that is coded will be resistant to the attack (Miltchev & Keromytis, 2002).

Conclusion

Wireless systems have become the major data transmission channels, which has led to increased information insecurity. The introduction of IPsec and cryptography aimed at increasing information security. Various cryptographic algorithms, such as the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES), to mention a few, have been used together with IPsec.
These systems have worked perfectly, but further research on them is needed in order to assure total security, since instances of data insecurity still exist.

References

Elkeelany, O, 2002, 'Performance Analysis of IPSec Protocol: Encryption and Authentication', IEEE Communications Conference (ICC 2002), pp. 1164-1168.
Joshi, J. B. D, 2008, Network security: know it all. Amsterdam, Morgan Kaufmann/Elsevier.
Loshin, P, 2003, IPv6 Theory, Protocol, and Practice, 2nd Edition. Burlington: Elsevier.
Miltchev, S & Keromytis, A, 2002, 'A Study of the Relative Costs of Network Security Protocols', Proc. USENIX 2002 Annual Technical Conference, Monterey, CA.
Pachghare, V, 2009, Cryptography and information security. New Delhi, PHI Learning.
Schmeh, K, 2003, Cryptography and public key infrastructure on the Internet, Chichester, England, J. Wiley.
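
Added example (not part of the original essay): the IV attack described under "Key Attacks against IPsec", shown against an encryption-only CBC receiver and against a receiver that verifies an integrity tag over the IV and ciphertext before decrypting. The Feistel block cipher, the HMAC-SHA-256 tag, and all names and sample bytes are assumptions made for this illustration; the toy cipher stands in for DES or AES and is not secure.

```python
import hashlib, hmac, os
BLOCK = 16  # block size in bytes of the toy cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function; toy stand-in for DES/AES, not secure
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # pt must be whole blocks; padding is left out
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def icv(mac_key, iv, ct):  # integrity check value over the IV and the ciphertext
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def receive(enc_key, mac_key, iv, ct, tag=None):
    # tag=None models an encryption-only receiver; otherwise verify, then decrypt.
    if tag is not None and not hmac.compare_digest(tag, icv(mac_key, iv, ct)):
        return None  # integrity failure: the packet is dropped
    return cbc_decrypt(enc_key, iv, ct)

def demo():
    enc_key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)
    pt = b"field-A=0000000;" + b"rest-of-payload."  # constructed two-block sample
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = icv(mac_key, iv, ct)
    # IV altered in transit to IV xor P1 xor P1'; the ciphertext is untouched.
    bad_iv = _xor(iv, _xor(pt[:BLOCK], b"field-A=9999999;"))
    return (receive(enc_key, mac_key, bad_iv, ct),       # no integrity check
            receive(enc_key, mac_key, bad_iv, ct, tag),  # integrity check enabled
            receive(enc_key, mac_key, iv, ct, tag))      # unmodified packet
```

demo() returns the altered first block followed by the intact second block for the encryption-only receiver, None for the receiver that checks the tag, and the original payload for the unmodified packet.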