Dr Shivu_GAT_Computer Network_Module 5.pdf

COMPUTER NETWORKS (INTEGRATED)
(22ISE52 )
Module-5
Dr. Shivashankar
Professor
Department of Information Science & Engineering
GLOBAL ACADEMY OF TECHNOLOGY-Bengaluru
1/23/2025 1
Dr. Shivashankar, ISE, GAT
GLOBAL ACADEMY OF TECHNOLOGY
Ideal Homes Township, Rajarajeshwari Nagar, Bengaluru – 560 098
Department of Information Science & Engineering

Course Outcomes
After Completion of the course, student will be able to:
 Describe the Internet Protocol and network layer routing algorithms.
 Explain transport layer UDP and TCP protocols services.
 Describe and demonstrate of application layer protocol and its supporting
protocols.
 Discuss the wireless and mobile network covering IEEE 802.11 standard
 Describe the different network security algorithms.
Text Book:
1. James F Kurose and Keith W Ross, Computer Networking, A Top-Down
Approach, Sixth edition, Pearson,2017.
Reference Books:
1. Behrouz A Forouzan, Data and Communications and Networking, Fifth
Edition, McGraw Hill, Indian Edition
2. Larry L Peterson and Brusce S Davie, Computer Networks, fifth edition,
ELSEVIER
3. Andrew S Tanenbaum, Computer Networks, fifth edition, Pearson
4. Mayank Dave, Computer Networks, Second edition, Cengage Learning
1/23/2025 2

Module 5 : Security in Computer Networks
• Network security is the use of technologies, policies, and
procedures to protect a network's communication infrastructure
from cyberattacks, unauthorized access, misuse, and data loss.
• It involves using tools, technologies, and policies to ensure that
data traveling over the network is safe and secure, keeping
sensitive information away from hackers and other threats.
Figure 5.1: Sender, receiver, and intruder (Alice, Bob, and Trudy)
1/23/2025 3

Cont…
Confidentiality: Only the sender and intended receiver should be able to
understand the contents of the transmitted message- secure communication.
Message integrity: The process of verifying that a message has not been
altered or tampered with during transmission. It's a key component of
information security programs.
End-point authentication: Both the sender and receiver should be able to
confirm the identity of the other party involved in the communication— to
confirm that the other party is indeed who or what they claim to be.
Operational security: Almost all organizations (companies, universities, and
so on) today have networks that are attached to the public Internet. These
networks therefore can potentially be compromised. Attackers can attempt to
deposit worms into the hosts in the network, obtain corporate secrets, map
the internal network configurations, and launch DoS attacks.
An intruder can potentially perform
• Eavesdropping: sniffing and recording control and data messages on the
channel.
• Modification, insertion, or deletion of messages or message content.
1/23/2025 4

Principles of Cryptography
• Cryptography is a technique of securing communication by converting plain
text into ciphertext.
• It involves various algorithms and protocols to ensure data confidentiality,
integrity, authentication, and non-repudiation.
Figure 5.2: Cryptographic components.
• Suppose now that Alice wants to send a message to Bob.
• Alice’s message in its original form (for example, “Bob, I love you. Alice”) is
known as plaintext, or cleartext.
• Alice encrypts her plaintext message using an encryption algorithm so that
the encrypted message, known as ciphertext, looks unintelligible to any
intruder.
1/23/2025 5

Cont…
• Alice provides a key, KA, a string of numbers or characters, as input to the
encryption algorithm.
• The encryption algorithm takes the key and the plaintext message, m, as input
and produces ciphertext as output.
• The notation KA(m) refers to the ciphertext form (encrypted using the key KA)
of the plaintext message, m.
• The actual encryption algorithm that uses key KA will be evident from the
context. Similarly, Bob will provide a key, KB, to the decryption algorithm that
takes the ciphertext and Bob’s key as input and produces the original plaintext
as output.
• That is, if Bob receives an encrypted message KA(m), he decrypts it by
computing KB(KA(m)) = m. In symmetric key systems, Alice’s and Bob’s keys
are identical and are secret.
• In public key systems, a pair of keys is used. One of the keys is known to both
Bob and Alice.
• The other key is known only by either Bob or Alice (but not both).
1/23/2025 6

Symmetric key Cryptography
• Symmetrical Key Cryptography also known as conventional or single-key
encryption, called private key.
• In symmetric-key algorithms, the same keys are used for data encryption
and decryption.
• This type of cryptography plays a crucial role in securing data because the
same key is used for both encryption and decryption.
Caesar cipher: Method for encrypting data.
 A simple encryption technique that involves shifting letters in a message
by a fixed number of positions in the alphabet.
 Replaces each letter in a message with a different letter a fixed number of
positions down the alphabet.
 How to decrypt: Applies the same number of shifts in the opposite
direction
 For example, if the shift is 3, then the letter A would be replaced by the
letter D, B would become E, C would become F, and so on. The alphabet is
wrapped around so that after Z, it starts back at A.
1/23/2025 7

Cont…
For instance, here is a Caesar cipher using a left rotation of three places,
equivalent to a right shift of 23 (the shift parameter is used as the key):
Example : When encrypting, a person looks up each letter of the message in the
"plain" line and writes down the corresponding letter in the "cipher" line.
Plaintext: THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG
Ciphertext: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD
1/23/2025 8
Pl
ai
n
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ci
p
h
e
r
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

Cont…
Monoalphabetic cipher:
• A type of encryption that uses a single alphabetic key to map each
character in the plaintext to a corresponding character in the
ciphertext.
• It's also known as a simple substitution cipher.
• The Caesar cipher is a well-known example of a monoalphabetic
cipher.
• In this cipher, each letter in the plaintext is shifted a predetermined
number of places.
• For example, if the shift is 3, then every "A" in the plaintext becomes a
"D" in the ciphertext, and "B" becomes "E“ and special symbols also
Mathematical Expression:
For Encryption: C=( P + K ) mod 26
For Decryption: P=( C-K ) mod 26
where 'P' is the character in plain text, 'K' is the key, and 'C' is the
Cipher.
1/23/2025 9

Cont…
1. Use Adaptive with (key=15) to encrypt the message “hello”.
So, we apply the Encryption algorithm to the plain text, Character
by character.
Encryption : C = (P+K) mod 26
Plain text of (P) : h → 07 → Encryption (07+15) mod 26 = → Cypher
text (C) → 22 (W)
Plain text of (P) : e→ 04 → Encryption (04+15) mod 26 = → Cypher
text (C) → 19 (T)
Plain text of (P) : l → 11 → Encryption (11+15) mod 26 = → Cypher
text (C) → 00 (A)
Plain text of (P) : l → 11 → Encryption (11+15) mod 26 = → Cypher
text (C) → 00 (A)
Plain text of (P) : o → 14 → Encryption (14+15) mod 26 = → Cypher
text (C) → 03(D)
1/23/2025 10

Cont…
2. Use Adaptive with (key=15) to DECRYPT the message “WTAAD”.
So, we apply the Decryption algorithm to the plain text. Character
by character.
Decryption : P = (C-K) mod 26
Cypher text of (C) : W → 22 → Decryption (22-15) mod 26 = → Plain
text (P) → 07 (h)
Cypher text of (C) : T→ 19 →Decryption (19-15) mod 26 = → Plain
text (P) → 04 (e)
Cypher text of (C) : A→ 00 → Decryption (00-15) mod 26 = → Plain
text (P) → 11 (l)
Cypher text of (C) : A→ 00 → Decryption (00-15) mod 26 = → Plain
text (P) → 11 (l)
Cypher text of (C) : D → 03 → Decryption (14-15) mod 26 = → Plain
text (P) → 12(o)
1/23/2025 11

Cont…
3. Use Adaptive with K=125 to encrypt the message “WORLD”.
So, apply the Encryption and Decryption algorithms to the plain to
cypher text, and cypher to plain text, character by character.
1/23/2025 12

Cont…
Block Cipher
• A method of encrypting data in blocks to produce ciphertext using a
cryptographic key and algorithm.
• The block cipher processes fixed-size blocks simultaneously, as opposed to a
stream cipher, which encrypts data one bit at a time.
• Block ciphers are a fundamental building block of many cryptographic
protocols and are often used to encrypt large amounts of data.
• Example: Table 5.1: A specific 3-bit block cipher
• One type of block cipher is Blowfish, which encrypts text 64 bits at a time.
• The key length for Blowfish can be varied from 32 to 448 bits, with longer keys
making it more difficult to decipher the ciphertext.
1/23/2025 13
Input Output Input Output
000 110 100 011
001 111 101 001
010 101 110 000
011 100 111 001

Cont…
• Today there are a number of popular block ciphers, including Data Encryption Standard
(DES), 3DES, and Advanced Encryption Standard (AES).
• Each of these standards uses functions, rather than predetermined tables.
(example, 11110000 becomes 00001111).
• Each of these algorithms also uses a string of bits for a key. For example, DES uses 64-
bit blocks with a 56-bit key.
• AES uses 128-bit blocks and can operate with keys that are 128, 192, and 256 bits long.
An algorithm’s key determines the specific “mini-table” mappings and permutations
within the algorithm’s internals.
•
•
Figure 5.5: An
example of a block cipher
1/23/2025 14

Cipher Block Chaining (CBC)
CBC is a cryptographic method used for turning plaintext into ciphertext and back
again. It is a specific operational mode in encryption.
In this mode, each plaintext block is Exclusive-OR'd or XORed with the previous
ciphertext block and then encrypted.
CBC operates as follows:
1. Before encrypting the message (or the stream of data), the sender generates
a random k-bit string, called the Initialization Vector (IV). Denote this
initialization vector by c(0). The sender sends the IV to the receiver in
cleartext.
2. For the first block, the sender calculates m(1)∅c(0), that is, calculates the
exclusive-or of the first block of cleartext with the IV. It then runs the result
through the block-cipher algorithm to get the corresponding ciphertext
block; that is, c(1) = 𝐾𝑠(m(1) ∅ c(0)). The sender sends the encrypted block
c(1) to the receiver.
3. For the ith block, the sender generates the 𝑖𝑡ℎ
ciphertext block from
c(i) = 𝐾𝑠 (m(i) ∅ c(i - 1)).
1/23/2025 15

Public Key Encryption
• Public key cryptography provides a secure way to exchange information
and authenticate users by using pairs of keys.
• The public key is used for encryption and signature verification, while the
private key is used for decryption and signing.
• When the two parties communicate with each other to transfer the
intelligible or sensible message, referred to as plaintext, is converted into
apparently random unreadable for security purposes referred to
as ciphertext.
• It is essential for secure internet communications, allowing for confidential
messaging, authentication of identities, and verification of data integrity.
What is a Cryptographic Key?
• A cryptographic key is a piece of information used by cryptographic
algorithms to encrypt or decrypt data, authenticate identities, or
generate digital signatures.
• It serves as a parameter to control cryptographic operations, ensuring the
security and privacy of digital communications and transactions.
1/23/2025 16

Cont…
Figure 5.6 : Public key cryptography
• Bob (the recipient of Alice’s messages) instead has two keys—a public key that is
available to everyone in the world (including Trudy the intruder) and a private key that
is known only to Bob.
• We will use the notation 𝐾𝐵
+
and 𝐾𝐵
−
to refer to Bob’s public and private keys,
respectively. In order to communicate with Bob, Alice first fetches Bob’s public key.
• Public key and private key encryption and get the same remarkable result––that is,
𝐾𝐵
−
(𝐾𝐵
+
(𝑚)) = 𝑘𝐵
+
(𝐾𝐵
−
𝑚 ) = m.
1/23/2025 17

RSA Algorithms
• RSA algorithm is an asymmetric cryptography algorithm. Asymmetric means
that it works on two different keys i.e. Public Key and Private Key.
• Public Key is given to everyone and the Private key is kept private. Each sender
is assigned a pair of keys:
 Public key
 Private key
The Public key is used for encryption, and the Private Key is used for decryption.
• Anyone can use a public key to encrypt a message, but only the owner of the
private key can decrypt it.
• This allows for secure communication over the internet without the need to
exchange keys.
• RSA makes extensive use of arithmetic operations using modulo-n arithmetic.
• Adding and multiplying with modular arithmetic is facilitated with the
following handy facts:
• [(a mod n) + (b mod n)] mod n = (a + b) mod n
• [(a mod n) – (b mod n)] mod n = (a – b) mod n
• [(a mod n) • (b mod n)] mod n = (a • b) mod n
1/23/2025 18

Cont…
To generate the public and private RSA keys, Bob performs the
following steps:
1. Choose two large prime numbers, p and q.
2. Compute n = pq and z = (p – 1)(q – 1).
3. Choose a number, e, less than n, that has no common factors
(other than 1) with z. The letter e is used since this value will be
used in encryption.
4. Find a number, d, such that ed – 1 is exactly divisible (that is, with
no remainder) by z. The letter d is used because this value will be
used in decryption. Put another way, given e, we choose d such
that
ed mod z = 1
5. The public key that Bob makes available to the world, 𝐾𝐵
+
, is pair
of numbers (n, e); his private key, 𝐾𝐵
−
, is the pair of numbers (n, d).
1/23/2025 19

Cont…
The encryption by Alice and the decryption by Bob are done as follows:
• Suppose Alice wants to send Bob a bit pattern represented by the integer
number m (with m < n). To encode, Alice performs the exponentiation me , and
then computes the integer remainder when me is divided by n. In other words,
the encrypted value, c, of Alice’s plaintext message, m, is
c = 𝑚𝑒
mod n
The bit pattern corresponding to this ciphertext c is sent to Bob.
• To decrypt the received ciphertext message, c, Bob computes
m = 𝑐𝑑 mod n
which requires the use of his private key (n,d)
Example: Suppose Bob chooses p = 5 and q = 7.
Then n = 35 and z = 24.
Bob chooses e = 5, since 5 and 24 have no common factors.
Finally, Bob chooses d = 29, since 5 . 29 – 1.
Bob makes the two values, n = 35 and e = 5, public and keeps the value d = 29
secret.
1/23/2025 20

Session Key
A session key is a temporary key that encrypts and decrypts data during a
communication session between two parties:
Purpose: Session keys are used to ensure the security of a communication
session.
Generation: Session keys are randomly generated at the start of a
communication session.
Type: Session keys are typically symmetric keys, meaning the same key is used for
both encryption and decryption.
Use: Session keys are frequently changed and discarded when they are no longer
needed.
Storage: Applications can save session keys for later use or for transmission to
other users.
Authentication: To prevent man-in-the-middle attacks, key exchange typically
includes some kind of authentication, such as a digital signature of all data
exchanged.
Session keys are similar to One-time Passwords (OTPs), which are generated once
for a specific purpose, such as logging in.
1/23/2025 21

Message Integrity and Digital Signature
• Message integrity is the process of verifying that a message has not been
altered or tampered with during transmission.
• It's a key component of information security programs.
• To ensure message integrity, a sender can use a hashing algorithm to
create a message digest from the message and a secret key.
• The sender then includes the digest with the message.
• When the receiver receives the message, they can independently calculate
the hash and compare it to the digest sent with the message.
• If the digests match, the message is intact.
Example: To authenticate this message, Bob needs to verify:
1. The message indeed originated from Alice.
2. The message was not tampered with on its way to Bob.
When router B receives a link-state message from router A, router B should
verify that router A actually created the message and, further, that no one
tampered with the message in transit.
1/23/2025 22

Cryptographic Hash Function
• A Cryptographic Hash Function (CHF) is an equation that is widely used to
verify the validity of data.
• It has many applications, particularly in information security (e.g. user
authentication).
• A CHF translates data of various lengths of the message into a fixed-size
numerical string the hash.
• A cryptographic hash function is a single-directional work, making it extremely
difficult to reverse to recreate the information used to make it.
• It is computationally infeasible to find any two different messages x and y such
that H(x) = H(y).
• Informally, this property means that it is computationally infeasible for an
intruder to substitute one message for another message that is protected by
the hash function.
• That is, if (m, H(m)) are the message and the hash of the message created by
the sender, then an intruder cannot forge the contents of another message, y,
that has the same hash value as the original message.
1/23/2025 23

Cont…
Example: ASCII
Message Representation
I O U 1 49 4F 55 31
0 0 . 9 30 30 2E 39
9 B O B 39 42 4F 42
------------------
Check sum: B2 C1 D2 AC
Figure 5.8: Initial message and fraudulent message have the same checksum!
1/23/2025 24
Figure 8.7 Hash function
ASCII
Message Representation
I O U 1 49 4F 55 31
0 0 . 9 30 30 2E 39
9 B O B 39 42 4F 42
------------------
Check sum: B2 C1 D2 AC

Message Authentication Code
To perform message integrity, in addition to using CHF, Alice and Bob will need a shared
secret s.
This shared secret, which is nothing more than a string of bits, is called the authentication
key. Using this shared secret, message integrity can be performed as follows:
1. Alice creates message m, concatenates s with m to create m + s, and calculates the
hash H(m + s) (for example with SHA-1). H(m + s) is called the message authentication
code (MAC).
2. Alice then appends the MAC to the message m, creating an extended message
(m, H(m + s)), and sends the extended message to Bob.
3. Bob receives an extended message (m, h) and knowing s, calculates the MAC H(m + s).
If H(m + s) = h, Bob concludes that everything is fine.
1/23/2025 25
Figure 5.9: Message authentiquassion code (MAC

Digital Signatures
• A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software, or digital document.
• A digital signature is a cryptographic technique for achieving these goals in a
digital world.
• It's a type of electronic signature that creates a unique virtual fingerprint for a
person or entity.
Digital signatures are used to:
Identify users: A digital certificate can be used to prove identity electronically.
Protect information: Digital signatures protect information in digital messages
and documents.
Validate authenticity: A valid digital signature on a message gives the recipient
confidence that the message came from a known sender.
Here are some things to know about digital signatures: Example:
• Suppose that Bob wants to digitally sign a document, m. (Whoever signed the message
must have used the private key, 𝐾𝐵−
, in computing the signature 𝐾𝐵−
(m), such that KB
+(𝐾𝐵−(m)) = m.
• Bob simply uses his private key, 𝐾𝐵−, to compute 𝐾𝐵−(m). At first, it might seem odd
that Bob is using his private key -to decrypt a message that had been encrypted with
his public key) to sign a document.
1/23/2025 26

Cont…
Figure 5.10: Creating a digital signature for a document.
Digital signatures have many uses, including:
Authenticating identity: Digital signatures verify the identity of the signer and
the integrity of the signed document.
Legal evidence: Digital signatures are admissible as evidence in legal
proceedings.
Securing data: Digital signatures help secure data in online interactions.
Signing documents: Digital signatures can be used to sign documents that are
sent online, such as legal documents, invoices, and contractual agreements.
Obtaining services: Digital signatures can be used to obtain services or
information on the internet.
1/23/2025 27

Securing E-Mail
• Basically, Email security refers to the steps where we protect the email
messages and the information that they contain from unauthorized access,
and damage.
• It involves ensuring the confidentiality, integrity, and availability of email
messages, as well as safeguarding against phishing attacks, spam, viruses, and
another form of malware.
• It can be achieved through a combination of technical and non-technical
measures.
Alice (1) selects a random symmetric session key, KS,
(2) encrypts her message, m, with the symmetric key,
(3) encrypts the symmetric key with Bob’s public key, 𝐾𝐵+,
(4) concatenates the encrypted message and the encrypted symmetric key to
form a “package,” and When Bob receives the package,
he (1) uses his private key, 𝐾𝐵−, to obtain the symmetric key, KS, and
(2) uses the symmetric key KS to decrypt the message m.
1/23/2025 28

Cont…
Figure 5.11: Alice used a symmetric session key, KS , to send a secret e-mail to Bob.
Why is email security important?
Protection Against Cyberattacks: Email is a top goal for cybercriminals. Malware,
phishing attacks, and other threats often arrive via email.
Reducing Risk: Cybersecurity incidents can have devastating consequences, including
financial losses, operational disruptions, and damage to an organization’s reputation.
Compliance: By safeguarding sensitive information, organizations avoid legal fines
and other intangible costs associated with cyberattacks.
Productivity Enhancement: With email security in place, disruptions caused by
threats like phishing emails are minimized.
1/23/2025 29

Pretty Good Privacy (PGP)
• PGP is an encryption software program software designed to ensure the
confidentiality, integrity, and authenticity of virtual communications and
information.
• At its core, PGP employs a hybrid cryptographic method, combining
symmetric-key and public-key cryptography techniques.
• Symmetric-key cryptography entails the use of a single mystery key to each
encrypt and decrypt statistics.
• Conversely, public-key cryptography utilizes a pair of mathematically
associated keys: a public key, that is freely shared and used for encryption,
and a personal key, that is stored in mystery and used for decryption.
The following are the services offered by PGP:
1. Authentication
2. Confidentiality
3. Email Compatibility
4. Segmentation
1/23/2025 30

Network Layer Security
• The network layer in cybersecurity is responsible for protecting and managing
communication between devices and applications on a network.
• It uses security measures and controls to prevent attackers from tampering
with or intercepting information as it travels across the network.
• The IP security protocol, more commonly known as IPsec, provides security at
the network layer.
• IPsec secures IP datagrams between any two network-layer entities, including
hosts and routers.
• Many institutions - corporations, government branches, non-profit
organizations, and so on use IPsec to create Virtual Private Networks (VPNs)
that run over the public Internet.
• It provides confidentiality
• It could provide source authentication
• It could provide data integrity.
• It could also provide replay-attack prevention
1/23/2025 31

IPsec and Virtual Private Networks (VPNs)
• Internet Protocol Security (IPsec) is a set of protocols that secure data
transmission over the internet by creating secure connections between
devices.
• IPsec operates on top of the Internet Protocol, which is the standard that
determines how data travels over the internet.
• IPsec-enabled devices verify each other's identity to ensure they are
authorized to establish a secure connection.
• IPSec adds encryption and authentication to make the protocol more secure.
Virtual Private Networks (VPN)
VPN is a mechanism of employing encryption, authentication, and integrity
protection so that we can use a public network as if it is a private network.
• It offers a high amount of security and allows users to remotely access private
networks.
• VPN also ensures security by providing an encrypted tunnel between the
client and the VPN server.
• VPN is used to bypass many blocked sites.
• VPN facilitates Anonymous browsing by hiding your IP address.
1/23/2025 32

Cont…
Figure 5.12: Virtual Private Network (VPN)
1/23/2025 33

The AH and ESP protocols
• The Authentication Header (AH) is a security protocol used within the IPsec
suite.
• Its primary function is to ensure that the message remains unmodified during
transmission from the source and it confirms that the data originates from the
expected source.
• AH achieves this by adding a header to IP packets, containing a checksum and
a digital signature.
Its main functions are:
Message Integrity – It means, the message is not modified while coming from
the source.
Source Authentication – Confirming that the data originates from the expected
source.
The Encapsulation Security Payload (ESP) protocol provides source
authentication, data integrity, and confidentiality.
Because confidentiality is often critical for VPNs and other IPsec applications, the
ESP protocol is much more widely used than the AH protocol.
1/23/2025 34

Security Associations
• A set of shared security attributes that allows two network entities to
communicate securely.
• Before sending IPsec datagrams from source entity to destination entity, the
source and destination entities create a network-layer logical connection.
• This logical connection is called a security association (SA).
• An SA is a simplex logical connection; that is, it is unidirectional from source to
destination.
• If both entities want to send secure datagrams to each other, then two SAs
(that is, two logical connections) need to be established, one in each
direction.
Figure 5.18: Security Association (SA) from R1 to R2
1/23/2025 35

Cont…
Router R1 will maintain state information about this SA, which will
include:
• A 32-bit identifier for the SA, called the Security Parameter Index
(SPI)
• The origin interface of the SA (in this case 200.168.1.100) and the
destination interface of the SA (in this case 193.68.2.23)
• The type of encryption to be used (for example, 3DES with CBC)
• The encryption key
• The type of integrity check (for example, HMAC with MD5)
• The authentication key
1/23/2025 36

The IPsec Datagram
• An IPsec datagram is an IP datagram that has been protected by
IP Security (IPsec)
• Internet Protocol Security (IPsec) is a network protocol suite that
encrypts and authenticates data packets to ensure secure
communication between computers.
• It is used in VPNs.
• IPsec applies security mechanisms to IP datagrams that are
traveling to their destination address.
• IPsec has two different packet forms, one for the so-called tunnel
mode and the other for the so-called transport mode.
• The tunnel mode, being more appropriate for VPNs, is more
widely deployed than the transport mode.
• In transport mode, only the data portion of the IP packet is
encrypted, while in tunnel mode the entire IP packet is
encrypted.
1/23/2025 37

Cont…
Figure 5.19: IPsec datagram format
Router R1 uses the following recipe to convert this “original IPv4 datagram” into an IPsec
datagram:
• Appends to the back of the original IPv4 datagram (which includes the original header
fields!) an “ESP trailer” field
• Encrypts the result using the algorithm and key specified by the SA
• Appends to the front of this encrypted quantity a field called “ESP header”; the resulting
package is called the “enchilada”
• Creates an authentication MAC over the whole enchilada using the algorithm and key
specified in the SA
• Appends the MAC to the back of the enchilada forming the payload
• Finally, creates a brand new IP header with all the classic IPv4 header fields (together
1/23/2025 38

IKE: Key Management in IPsec
• Internet Key Exchange (IKE) is a protocol that automatically manages keys for
IPsec security associations (SAs).
• It is used to establish secure communication channels over IP networks by
negotiating and establishing SAs.
• It ensures that both parties in a communication use the same encryption and
authentication methods.
Here are some of the things IKE does:
Negotiates and manages parameters: It negotiates and manages IKE.
Authenticates key exchange: IKE authenticates secure key exchange.
Provides mutual peer authentication: IKE provides mutual peer authentication
using public keys and shared secrets.
Provides identity protection: IKE provides identity protection in main mode.
IKE has several benefits, including:
• Automatic negotiation and authentication
• Ability to change encryption keys during an IPsec session
• Fast connection speeds and attempts to restore a connection if it drops
• Supports a variety of devices and prevents DoS and replay attacks.
1/23/2025 39

Dr Shivu_GAT_Computer Network_Module 5.pdf

More Related Content

What's hot

Similar to Dr Shivu_GAT_Computer Network_Module 5.pdf

More from Dr. Shivashankar

Recently uploaded

Dr Shivu_GAT_Computer Network_Module 5.pdf