- remote users
- site-to-site connectivity
- secure,
- part of the connection in which data is encapsulated is referred to as Tunnel.
- PPTP (Point-to-Point Tunneling Protocol)
- enables PPP to encapsulate packets within IP packets.
- older than L2TP and ipsec.
- consumes less resources.
- secure extension of PPP
- operated on L2 of OSI model, allowing different N/W protocols to run over PPTP tunnel.
- supports 2 separate technologies for - authenticating (EAP - Extensible Authentication protocol and CHAP - Challenge Handshake Authentication Protocol).
- EAP
- was designed for PPTP, works within PPP's authentication protocol.
- provides framework for different authentication methods.
- includes, passwords, chalange-response tokens, PKI certs.
- CHAP
- a three part handshaking procedure.
- once link established, server sends a challenge to client, client responds by a calculated value, using one-way hash. server checks response against its own calculated hash.
- it repeats this process periodically. (re-authentication), provide robust security.
- L2TP ( Layer 2 Tunneling Protocol), is often combined with IPSec to achieve a high level of security.
- enhancement of PPTP, improved version of PPTP.
- operates on L2 (datalink layer), like PPTP.
- considered as less secure than IPsec.
- supports both EAP and CHAP. and more .... , MS-CHAP, PAP, SPAP, Kerberos
-
MS-CHAP
- Microsoft-specific extension to CHAP
- mostly consistent with CHAP, some basic differences.
- response packet is in format compatible with MS networking.
- does not require the authenticator to store a clear-text pwd.
- provides authenticator-controlled authentication retry.
- defines a set of reason-for-failure codes.(in failure packet's messages field).
-
PAP
-
Password Authentication Protocol, basic form of authentication.
-
tramission is clear txt as well as unencrypted.
-
http uses PAP.
-
no longer used. -SPAP
-
Shiva Password Authentication Protocol, proprietary.
-
bit more secure than PAP, username/pwd are encrypted, when sent.
-
susceptible to playback attacks, because SPAP uses same reversible encryption method. -Kerberos
-
works by sending messages back and forth b/w the client and server.
-
actual pwd is never sent (not even hashed)
-
username is sent.
-
server gets stored hash of pwd, and uses it as encryption key to encrypt data and sent it back to client.
-
client then uses pwd entered by user and uses that as a key to decrypt.
-
if pwd is wrong (entered by user), it will never get decrypted.
-
Authentication happens with UDP on port 88.
-
After user's username is sent to AS (authentication service), AS will use the hash of user password that is stored as secret key to encrypt the following 2 messages that get sent to client -
- Message A: Contains client/TGS(Ticket Granting Service) sessions key encrypted with secret key of client.
- Message B: Contains TGT (Ticket Granting Ticket) that includes client ID, client network address and validity period.
-
client attempts to decrypt Message A with secret key generated by hash of user's entered pwd.
-
if decryption works, messageA's TGS key can be used for communication with TGS. MessageB is encrypted with TGS secret key and cannot be decrypted by client.
-
now user is authenticated to system, but when user requests a service, more authorization/comm required with more messages. When requesting services, client sends 2 messages to TGS.
3. Message C: composed of TGT from message B and the ID of the requested service.
4. Message D: Authenticator (clientID and timestamp), encrypted used client/TGS session key. -
TGS retrieves message B from message C. decrypts message B usign TGS secret key -> resulting "Client/TGS session key". using this key TGS decrypts message D and sends following to client.
5. Message E: Client-to-server ticket (includes clientiD, client nw addr, validity period and client/server session key), encrypted using the service's secret key.
6. Message F: client/server session key encrypted with client TGS session key. -
on receiving E and F from TGS, client has enough info to authenticate itself to service server (SS). client connects to SS and send 2 messages
6. Message E: from above step, encrypted with servers secret key.
7. Message G: a new authenticator, which includes clientID and timestamp - encrypted using client/server session key. -
SS decrypts the ticket (E) using its own key -> retrieves client/server secret key. using session key, SS decrypts the Authenticator and sends following messages to client - to confirm identify and willingness to server the client.
8. Message H: Timestamp found in clients Authenticator. -
client decrypts the confirmation (H) using session key. and checks wether the timestamp is correct. -> yes -> trus the server and start issueing service requests. server provides the requested service.
-
-
Kerberos terms:
-
Principal
-
Authentication Service (AS)
-
Ticket Granting Service (TGS)
-
Key Distribution Centre (KDC)
-
Realm: a boundary within an org. each realm has its own AS and TGS.
-
Remote TGS
-
Ticket Granting Ticket (TGT)
-
Ticket:
-
Session Key:
-
AUthenticator:
-
- used for VPN.
- set of protocols - to support sec exchange of packets.
- two encryption modes, Transport (encrypts data but not header) and Tunnel (encrypts both header and data).
- both sending and receiving devices must share a key (single).
- Two protocols -
- AH (Authentication Header):
- ESP (Encapsulating Security Payload): - can be used with confidentiality only, authentication only or both.
- both can be applied to single packet.
- other protocols, IKE (internet key exchange).
- ISAKMP, provides framework for auth and key exchange.
- DH public keys will be used to encrypt data being sent bw two endpoints.
- quick mode
- Aggressive mode
- VPN thorough web portal
- SSL handshake process is needed to establish secure/encrypted connection: 1.
-
Cisco Solutions
- uses 3DES encryption., but AES is preferred and recommended.
- can handle packets larger than 500bytes.
- can create upto 60 new virtual tunnels/sec.
-
Openswan
- open source, Linux OS, free, uses IPSec.
- remote user or site-to-site, supports wireless.
- does not support NAT.