Wednesday, April 3, 2019
Network System for Secure Communication
Methodology

The main methodology behind this research project is to establish the importance of such technology from professionals and well-referenced articles. Some general interviews will be added to the project, with details showing their interest in the current technology and the change they see in communicating with the new technology.

It is in the hands of the components of IP Security that contribute to this level of secure communication:

- The IP Security (IPSec) Driver is used to monitor, filter, and secure the traffic throughout the system.
- The Internet Security Association Key Management Protocol (ISAKMP/Oakley) performs key exchange and management functions that oversee security issues between hosts, and provides keys which can be used with security algorithms.
- The IP Security Policy and the Security Associations are derived from those policies that define the security environment where two hosts can communicate.
- The function of the Security Association API is to provide the interface between the IPSec driver, the Policy Agent and the ISAKMP.
- The function of the management tools is to create policies, monitor IP Security statistics, and log IP Security events.

The main methodologies under consideration for this project are classical encryption technologies, IPSec Tunnel, IPSec VPN, Internet Key Exchange methods, Block Cipher Data Encryption, Advanced Encryption, symmetric ciphers, public/private key functions, digital signatures etc., which have prompted me to design a better system.

Implementation

The main reason behind selecting IPSec is that it is so powerful that it provides security to the IP layer, and also forms the basis for all the other TCP/IP protocols. This is generally composed of two protocols:

- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

IPSec Implementation Methods

IPSec is comprised of several implementation architectures which are defined in RFC 2401. The IPSec implementation also depends on various factors including the version of IP used (v4 versus v6), the basic requirements of the application and other factors.

End Host Implementation

Implementing IPSec in all host devices provides the most flexibility and security. It enables end-to-end security between any two devices on the network.

Router Implementation

Router implementation, however, is a much simpler task since we only make changes to a few routers instead of hundreds or thousands of clients. It only provides protection between pairs of routers that implement IPSec, but this may be sufficient for certain applications such as virtual private networks (VPNs).

The idea will be implemented after proper testing of the various available methodologies. The current strategy for implementation is as follows. We use certain open source software which provides encryption and decryption methods and authentication. In the actual system, the user is asked to enter details of the files to be sent and also some other details about the password and the public keys if included.
The required software is used in a way which helps to run a smooth process and secure operation.

Acknowledgement

I owe many thanks to the people who helped and supported me in doing my dissertation.

Firstly, I would like to express my immense gratitude to my respected professor Mr. Dr. XXX, YYYY University, London for his support and motivation that has helped me to come up with this project.

He supported me when it was needed and advised me in understanding various methodologies in my project. He also took care of my project with attention to achieve my goal.

I thank my Institution and faculty members for giving me an opportunity to do my dissertation and also for the library and computer lab facilities for doing my dissertation to achieve practical results which can resolve my project related issues.

I also extend my heartfelt thanks to my family and friends.

I owe my special thanks to my Dad and his colleagues who gave me suggestions on doing my Dissertation.

Abstract

In the present system the network helps a particular organization to share data by using external devices. The external devices are used to carry the data. The existing system cannot provide security, which allows an unauthorized user to access the secret files. It also cannot share a single costly printer. Many interrupts may occur within the system. Though it is advantageous, it has numerous disadvantages: somebody can write a program and make the costly printer misprint the data. Similarly, some unauthorized user may get access over the network and may perform any illegal functions like deleting some of the sensitive information.

Security is the term that comes into the picture when some important or sensitive information must be protected from unauthorized access.
Hence there must be some way to protect the data from them, and even if he hacks the information he should not be able to understand what the actual information in the file is, which is the main intention of the project. The project is designed to protect the sensitive information while it is in transaction in the network. There are many chances that an unauthorized person can have access over the network in some way and can access this sensitive information. My main topic focuses on IPSec (Internet Protocol Security), an extension to the IP protocol specified by the IETF which provides security to the IP and the upper-layer protocols, and on cryptography in a network sharing system. It was first developed for the new IPv6 standard and then back ported to IPv4. The IPSec architecture is described in the

IPSec uses two different protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload), to ensure the authentication, integrity and confidentiality of the communication. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents. [2]

Cryptography is the technique used to secure the data while they are in transactions. Encryption and Decryption are two techniques used under cryptography technology. Data cryptography is the art of securing the resource that is shared among the applications. The main idea behind the design is to provide a secured communication between the networks, showing network level performance practically by differentiating different operating systems, which can ensure security and authenticity by considering, analyzing and testing the best available methodologies.

1. Introduction

Businesses today are focused on the importance of securing customer and business data. Increasing regulatory requirements are driving the need for security of data. Many methods have evolved over the years to address the need for security. Many of them are focused at the higher layers of the OSI protocol stack, thus compensating for IP's lack of security. These solutions can be implemented in certain situations, but they cannot be generalized because they are specific to particular applications. For example, Secure Sockets Layer (SSL) can be used for certain applications like World Wide Web access or FTP, but there are many other applications which cannot be secured with this type of security.

A solution to allow security at the IP level was very much needed so that all higher-layer protocols in TCP/IP could take advantage of it. When the decision was made to develop a new version of IP (IPv6), this was the golden opportunity to resolve not just the addressing problems in the older IPv4, but also the lack of security. Subsequently a new security technology was developed with IPv6 in mind, but since IPv6 has taken a long time to develop, the solution was designed to be usable for both IPv4 and IPv6.

The technology which brings secure communications to the Internet Protocol is known as IP Security, commonly abbreviated as IPSec.

IPSec services allow users to build secure tunnels through certain networks. All the data that passes through the untrusted net is encrypted by the IPSec gateway machine and decrypted by the gateway at the other end. The result obtained is a Virtual Private Network or VPN. This network is effectively private even though it includes machines at several different sites which are connected by the insecure Internet.
Cryptography is used to secure the data while they are in transactions. Encryption and Decryption are two techniques which are used under cryptography technology. Data cryptography is the art of securing the resource that is shared among the applications.

Encryption and Decryption are two powerful security technologies that are widely implemented to protect data from loss and deliberate compromise. In this project the networking allows the company to share files or data without using certain external devices. Some unauthorized users may get access over the network and perform illegal functions, in certain cases deleting files while the transaction is still on; at that time encryption and decryption techniques are implemented to secure the data. Many other attacks in cryptography are considered, which led me to research different types of IPSec implementation methodologies in order to design a better model, such that it may be suitable for present-day networking systems and also form a platform to enable communication with the outside world. Thus, in order to implement IPSec, certain modifications are required to the system's communications routines, and certain new system processes conduct secret key negotiations.

What is IPSec?

IPSec is an extension to the IP protocol which provides high level security to the IP and to the upper-layer protocols. It was initially developed for the new IPv6 standard and then back ported to IPv4. IPSec provides the following security services: data origin authentication, connectionless integrity, replay protection, data confidentiality, limited traffic flow confidentiality, and key negotiation and management.
The IETF has made the use of IPSec mandatory wherever feasible; the standards documents are close to completion, and there are numerous implementations.

Overview of IPSec Architecture

The IPSec suite is defined as a framework of open standards. The following protocols are used by IPSec to perform various functions. [2][3]

IPSec provides three main facilities, which are explained below.

Internet Key Exchange (IKE and IKEv2)
This is used to set up a security association (SA) by handling negotiation of protocols and algorithms and generating the encryption and authentication keys which can be used by IPSec. [4][5]

Authentication Header (AH)
This is used to provide connectionless integrity and data origin authentication for IP datagrams and also provides protection against replay attacks. [6][7]

Encapsulating Security Payload (ESP)
This is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality. [9]

Both authentication and encryption are generally desired in this mechanism:

- Assure that unauthorized users do not penetrate the virtual private network.
- Assure that eavesdroppers on the Internet cannot read messages sent over the virtual private network.

Since both of the above features are generally desirable, most implementations are likely to use ESP rather than AH.

Security Association

- The Security Association mechanism is used for authentication (AH) and confidentiality (ESP).
- It is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
- Security services are afforded to an SA for the use of AH or ESP but not both.
- An SA is identified by three parameters: the Security Parameter Index (SPI), the IP destination address, and the security protocol identifier.

Overview of IPSec Services and Functions

IPSec is not a single protocol, but rather a set of services and protocols which provide a complete security solution for an IP network. These services and protocols are combined to provide various types of protection. Since IPSec works at the IP layer, it provides protection for any higher layer TCP/IP application or protocol without using any additional security methods, which is considered a major strength of its implementation.
General types of protection services offered by IPSec include:

- Encryption of user data to achieve privacy.
- Authentication and message integrity, to ensure that the data is not changed en route.
- Protection against certain types of security attacks, such as replay attacks.
- The ability of the devices to negotiate the security algorithms and keys required to meet their security needs.
- Two security modes, called tunnel and transport, to meet the various network needs.

Features & Benefits

- IPSec is transparent to end users.
- Users need not be trained on the security mechanisms.
- IPSec assures security measures for individuals.
- There is no requirement to change the software on a user or a host system.
- Strong security measures are applied to the entire traffic crossing the perimeter.

2. Objective

IPSec is mostly designed to encrypt the data between two systems without any spoofing attacks. It is a key line of defence against internal and external attacks. However, other than these, there are many other security strategies which have prevented security attacks. The main idea in my research is to provide a better approach to the implementation of IP Security by analyzing the present methodologies. In the implementation of this design, I am also considering different operating systems to provide a better approach towards security which can prove to be good in ideal ways.
The design of such an approach is helpful in restricting any unauthorised access to the network and also helps in providing secure and authenticated access.

The main idea behind the design is to provide a secured communication between the networks independent of the operating system, which can ensure security and authenticity by considering, analyzing and testing any two of the best available methodologies.

In my overview of RFCs available on the Internet, such as Cryptography, the receiver end of a particular communication channel is not aware of the sender unless the sender transmits some information with private and public keys with cipher text which can enhance his authenticity. Now the receiver sends the same package with his signature and then the receiver is also authenticated mutually.

Attacks may occur in different ways. There are also many ways in which such communications can be detected, using techniques like eavesdropping, sniffing or a man in the middle attack. These are the three major problems for secure communications. In my research, I will attempt to design a procedure which can be easily followed in order to overcome such problems.

There are many techniques available now which are better than normal communication. The major problem in such techniques is the implementation of the man in the middle attack. There have been many advances to try and solve the problems but there has always been a flaw in the design. My research is to design a system using the current technologies used to encrypt and authenticate. These techniques play a major role in the implementation of IP Security.

The major interest would be in areas like encryption, decryption and authentication. Additions will be made to this research as it is implemented. The goal is to research existing systems and to suggest a system which is even harder to break. It is not 100% immune to attacks but the attack may take longer to break the system than the present rate.
This system will also be very safe and will be easy to use in daily life rather than something with a dozen processing steps to be followed.

2.2 SCOPE

With the rapid development of multimedia data management technologies over the internet there is a need to be concerned about the security and privacy of information. In multimedia documents, dissemination and sharing of data is becoming a common practice for internet based applications and enterprises.

As the internet at present forms the open source for all users, security forms the critical issue. Hence the transport of information over the internet forms the critical issue. At present, cryptographic techniques are used for providing SECURITY.

2.3 PROJECT PERSPECTIVE

The project Network System for Secure Communication is totally enhanced with the features that enable us to have the real-time environment.

Today's world is mostly employing the latest networking techniques instead of using stand-alone PCs. IPSec tunnelling or encryption, an information scrambling technology, is an important security tool. Properly applied, it can provide a secure communication channel even when the underlying system and network infrastructure is not secure. This is particularly important when data passes through shared systems or network segments where multiple people may have access to the information. In these situations, sensitive data and particularly passwords should be encrypted in order to protect them from unintended disclosure or modification.

2.4 PROPOSED SYSTEM

In this system security is the term that comes into the picture when some important or sensitive information must be protected from unauthorized access.
Hence there must be some way to protect the data from them and even if he hacks the information,

The proposed system provides security and does not allow unauthorized users to access the secret files.

As per the ISO standards the security parameters are:

- Confidentiality
- Authentication
- Integrity
- Key distribution
- Access control

CONFIDENTIALITY
Confidentiality is the protection of transmitted data from passive attacks. It can protect the data from unauthorized disclosure.

AUTHENTICATION
A process used to verify the integrity of the transmitted data, especially a message. It is the process of proving one's identity to someone else.

INTEGRITY
The sender and the receiver want to ensure that the content of their communication is not altered during transmission.

KEY DISTRIBUTION
Key distribution can be defined as a term that refers to the means of delivering a key to the communicating parties without allowing others to see the key.

ACCESS CONTROL
It is the ability to limit and control the access to host systems and applications via communication links.

3. Literature Review

This project emphasises the design and evaluation of a computer-based system using appropriate processes and tools. Most of the industry wide routers in the network implement their functionality in hardware, and we believe that hardware based routers are more efficient than a software-based router implementation; besides that, most of the work in the research community is performed using software-based routers utilizing off-the-shelf PCs. Various works have attempted to evaluate different protocol stacks; however, none of them use hardware-based routers or have such a wide range of metrics, and none investigated mechanisms.

My research methodology emphasises surveys, forums from the internet and articles from the IEEE (Institute of Electrical and Electronics Engineers), a quantitative approach in advanced technology.
I also consider various other dissertations and books which are best suited to my project.

The following are the network related definitions; a few protocols from the application, network and internet layers are also discussed, which gives a clear idea for understanding the concepts.

3.1 IPSec Standards

IPSec is actually a collection of techniques and protocols; it is not defined in a single Internet standard. Instead, a collection of RFCs defines the architecture, services and specific protocols used in IPSec. Some of the most important of these are shown below.

RFC 2401: Security Architecture for the Internet Protocol (IPSec overview)
The main IPSec document describes the architecture and general operation of the technology, showing how the different components fit together.

RFC 2402: IP Authentication Header
It defines the IPSec Authentication Header (AH) protocol used for ensuring data integrity and origin verification.

RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
Describes a particular encryption algorithm for use by AH and ESP called Message Digest 5 (MD5), HMAC variant.

RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
Describes a particular encryption algorithm for use by AH and ESP called Secure Hash Algorithm 1 (SHA-1), HMAC variant.

RFC 2406: IP Encapsulating Security Payload (ESP)
It describes the IPSec Encapsulating Security Payload (ESP) protocol that provides data encryption for confidentiality.

RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
It defines methods for exchanging keys and negotiating security associations.

RFC 2409: The Internet Key Exchange (IKE)
Describes the Internet Key Exchange (IKE) protocol used to negotiate security associations and exchange keys between devices for secure communications.
It is based on ISAKMP and OAKLEY.

RFC 2412: The OAKLEY Key Determination Protocol
It describes a generic protocol for key exchange.

RFC 2131: Dynamic Host Configuration Protocol (DHCP)
DHCP allows a host to obtain an IP address automatically, as well as to learn additional information about the subnet mask, the address of its first-hop router, and the address of its local DNS server.

RFC 3022: Network Address Translation (NAT)
In an attempt to provide transparent routing to hosts, NAT devices are used to connect an isolated address realm with private unregistered addresses to an external realm with globally unique registered addresses.

Domain Name System (DNS)
It is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various other information with the domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. For example, www.example.com translates to 208.77.188.166.

Windows Internet Name Service (WINS)
It is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. Effectively WINS is to NetBIOS names what DNS is to domain names: a central mapping of host names to network addresses. Like DNS it is broken into two parts, a Server Service (that manages the encoded Jet Database, server to server replication, service requests, and conflicts) and a TCP/IP Client component which manages the client's registration and renewal of names, and takes care of queries.

VPN (Virtual Private Network)
It is a virtual computer network that exists over the top of an existing network.
The purpose of a VPN is to allow communications between systems connected to the VPN using an existing shared network infrastructure as the transport, without the VPN network being aware of the existence of the underlying network backbone or without the VPN interfering with other network traffic on the backbone. A VPN between two networks is often referred to as a VPN Tunnel. Most VPN technologies can be separated into two broad categories, Secure VPNs and Trusted VPNs.

Internet Protocol version 6 (IPv6)
It is the next-generation Internet Protocol version designated as the successor to IPv4. It is an Internet Layer protocol for packet-switched internetworks. The main driving force for the redesign of the Internet Protocol was the foreseeable IPv4 address exhaustion. IPv6 was defined in December 1998 by the Internet Engineering Task Force (IETF) with the publication of an Internet standard specification, RFC 2460.

IPv6 has a vastly larger address space than IPv4. This results from the use of a 128-bit address, whereas IPv4 uses only 32 bits. This expansion provides flexibility in allocating addresses and routing traffic and eliminates the primary need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion. Due to its security and flexibility, the entire Internet is expected to be deployed on IPv6 in 2012.

Tunnelling
In computer networks a tunnelling protocol (the delivery protocol) encapsulates a different payload protocol, i.e., it carries a payload over an incompatible delivery network. It can also provide a secure path through an untrusted network without any data loss.

Transport Layer Security (TLS)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet.
TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.

Encryption
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). In many contexts, the word encryption also implicitly refers to the reverse process, decryption.

Internet Key Exchange
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPSec protocol suite. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived. Public key techniques or, alternatively, a pre-shared key, are used to mutually authenticate the communicating parties.

4. IPSec System Architecture

Authentication Header and Encapsulating Security Payload are commonly called protocols, though this is another case where the validity of this term is debatable. They are not really distinct protocols but are implemented as headers that are inserted into IP datagrams, as we will see. They thus do the grunt work of IPSec, and can be used together to provide both authentication and privacy.

IPSec protocols
The IPSec protocol family consists of two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). Both these protocols are independent IP protocols. AH is IP protocol 51 and ESP is IP protocol 50.

Authentication Header
This is a member of the IPSec protocol suite. Authentication Header provides connectionless data integrity and data origin authentication of IP packets. Further, it can also provide protection against replay attacks by using the sliding window technique and by discarding old packets.
Authentication Header also gives protection for the IP payload and all the header fields of an IP datagram.

AH generally operates on top of IP, using IP protocol number 51.

An AH packet diagram is shown below which describes how an AH packet can be constructed and interpreted:

Field meanings

Next header
This is an 8-bit field that identifies the type of the next payload after the Authentication Header. The value of this field is chosen from the set of defined IP Protocol Numbers.

RESERVED
These fields are reserved for future use.

Payload length
This defines the size of the Authentication Header packet.

Sequence number
This field represents a monotonically increasing number which is used to prevent certain replay attacks.

Security parameters index (SPI)
This field is used to identify the security parameters, in combination with the IP address, and then identify the security association implemented with this packet.

Authentication data
This field contains the integrity check value (ICV) which is necessary to authenticate the packet. This field may also contain padding.

Encapsulating Security Payload
ESP, which expands to Encapsulating Security Payload, is a member of the IPSec protocol suite. In IPSec it achieves integrity, origin authenticity, and confidentiality protection of packets. This protocol also supports encryption-only and authentication-only configurations. However, using encryption without authentication is not recommended because it is insecure.

ESP does not protect the IP packet header like the Authentication Header (AH) does.
The packet diagram below shows how an ESP packet is constructed and interpretedField meaningsSecurity parameteNetwork System for Secure CommunicationNetwork System for Secure CommunicationMethodologyThe main methodology involved behind this research project is to provide the importance of such technology from professionals and well referred articles. Some of the general interviews will be added to the project with details showing their interest towards the current technology and also the change they see in communicating with the new technology.It on the detainment of the components of IP Security that contribute to this level of secure communicationThe IP Security (IPSec) Driver is used to monitor, filter, and secures the traffic throughout the system.The (ISAKMP/Oakley) abbreviated as Internet Security Association Key Management Protocol performs key exchange and management functions that oversee security issues between hosts, and provide keys which can be used with security algorithms.The IP Security Policy and the Security Associations are derived from those policies that define the security environment where two hosts can communicate.The function of Security Association API is to provide the interface between the IPSec driver, the Policy broker and the ISAKMP.The function of the management tools is to create policies, monitor IP Security statistics, and log IP Security events.The main methodologies which are under consideration for this project are Classical encryption technologies, IP sec Tunnel, IP sec VPN, Internet Key Exchange methods, Block Cipher Data Encryption, mod Encryption, Symmetric ciphers, Public private key functions, Digital signature etc, which have suggested me to design a better system.ImplementationThe main reason behind selecting I PSec is that it so powerful that it provides security to IP layer, and also forms the basis for all the other TCP/IP protocols. 
This is generally composed of two protocolsAuthentication Header (AH)Encapsulating Security Payload (ESP)IPSec Implementation MethodsIPSec is comprised of several implementations architectures which are defined in RFC 2401. The IPSec implementation also depends on various factors including the version of IP used (v4 versus v6), the basic requirements of the application and other factors.End Host ImplementationImplementing IPSec in all host devices provides the most flexibility and security. It enables end-to-end security between any two devices on the network.Router ImplementationRouter implementation however is a much simpler task since we only make changes to a few routers instead of hundreds or thousands of clients. It only provides protection between pairs of routers that implement IPSec, but this may be sufficient for certain applications such as virtu al private networks (VPNs).The idea will be implemented after decent testing of various available methodologies. The current strategy for implementation is as follows. We use certain blossom source softwares which provide encryption and decryption methods and authentication. In the actual system, the user is asked to enter details of files to be sent and also some other details about the password and the public keys if included. The required software are used in a way which helps to run a smooth process and secure operation.CONTENTS identificationI owe many thanks to people who helped supported me in doing my dissertation.Firstly, I would like to express my immense gratitude to my respected professor Mr. Dr. XXX, YYYY University, capital of the United Kingdom for his support and motivation that has helped me to come up with this project.He supported me when its undeniable and suggested me in understanding various methodologies in my project. 
He also took care of my project with attention to achieving my goal.

I thank my Institution and faculty members for giving me an opportunity to do my dissertation, and also for the library and computer lab facilities for doing my dissertation to achieve practical results which can resolve my project-related issues.

I also extend my heartfelt thanks to my family and friends.

I owe my special thanks to my Dad and his colleagues, who gave me suggestions on doing my dissertation.

Abstract

In the present system the network helps a particular organization to share data by using external devices. The external devices are used to carry the data. The existing system cannot provide security, which allows an unauthorized user to access the secret files. It also cannot share a single costly printer. Many interrupts may occur within the system. Though it is advantageous, there are numerous disadvantages: somebody can write a program that makes the costly printer misprint the data. Similarly, some unauthorized user may get access over the network and may perform illegal functions like deleting some of the sensitive information.

Security is the term that comes into the picture when some important or sensitive information must be protected from unauthorized access. Hence there must be some way to protect the data from unauthorized users, so that even if one of them hacks the information he should not be able to understand the actual information in the file, which is the main intention of the project. The project is designed to protect sensitive information while it is in transit in the network. There are many chances that an unauthorized person can gain access over the network in some way and can access this sensitive information. My main topic focuses on IPSec (Internet Protocol Security), an extension to the IP protocol designed by the IETF which provides security to IP and the upper-layer protocols, and on cryptography in a network sharing system.
It was first developed for the new IPv6 standard and then backported to IPv4. The IPSec architecture is described in the

IPSec uses two different protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload), to ensure the authentication, integrity and confidentiality of the communication. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents.

Cryptography is the technique used to secure data while it is in transit. Encryption and decryption are the two techniques used under cryptography technology. Data cryptography is the art of securing the resource that is shared among the applications. The main idea behind the design is to provide secured communication between the networks, showing network-level performance practically by differentiating between different operating systems, which can ensure security and authenticity by considering, analyzing and testing the best available methodologies.

1. Introduction

Businesses today are focused on the importance of securing customer and business data. Increasing regulatory requirements are driving the need for security of data.

Many methods have evolved over the years to address the need for security. Many of the methods are focused on the higher layers of the OSI protocol stack, thus compensating for IP's lack of security. These solutions can be implemented in certain situations, but they cannot be generalized because they are particular to many applications.
For example, Secure Sockets Layer (SSL) can be used for certain applications like World Wide Web access or FTP, but there are many other applications which cannot be secured with this type of security.

A solution that allowed security at the IP level was very much needed, so that all higher-layer protocols in TCP/IP could take advantage of it. When the decision was made to develop a new version of IP (IPv6), this was the golden opportunity to resolve not just the addressing problems in the older IPv4, but also the lack of security. Later, a new security technology was developed with IPv6 in mind, but since IPv6 has taken a long time to develop, a solution was designed to be usable for both IPv4 and IPv6.

The technology which brings secure communications to the Internet Protocol is known as IP Security, commonly abbreviated as IPSec.

IPSec services allow users to build secure tunnels through untrusted networks. All the data that passes through the untrusted net is encrypted by the IPSec gateway machine and decrypted by the gateway at the other end. The result obtained is a Virtual Private Network, or VPN. This network is effectively private even though it includes machines at several different sites which are connected by the insecure Internet.

Cryptography is the technique used to secure data while it is in transit. Encryption and decryption are the two techniques used under cryptography technology. Data cryptography is the art of securing the resource that is shared among the applications.

Encryption and decryption are two powerful security technologies that are widely implemented to protect data from loss and deliberate compromise. In this project the networking allows the company to share files or data without using certain external devices.
Some unauthorized users may get access over the network and perform illegal functions in certain cases, like deleting files while the transaction is still in progress; at that time encryption and then decryption techniques are implemented to secure the data. Many other attacks in cryptography are considered, which led me to research different types of IPSec implementation methodologies in order to design the best model, such that it may be suitable for present-day networking systems and also form a platform to enable communication with the distant world. Thus, in order to implement IPSec, certain modifications are required to the system's communications routines, and certain new system processes conduct secret key negotiations.

What is IPSec?

IPSec is an extension to the IP protocol which provides high-level security to IP and to the upper-layer protocols. It was initially developed for the new IPv6 standard and was then backported to IPv4. IPSec provides the following security services: data origin authentication, connectionless integrity, replay protection, data confidentiality, limited traffic flow confidentiality, and key negotiation and management. The IETF has made the use of IPSec mandatory wherever feasible; the standards documents are close to completion, and there are numerous implementations.

Overview of IPSec Architecture

The IPSec suite is defined as a framework of open standards. The following protocols are used by IPSec to perform various functions.
IPSec provides three main facilities, which are explained below:

Internet Key Exchange (IKE and IKEv2): This is used to set up a security association (SA) by handling the negotiation of protocols and algorithms and generating the encryption and authentication keys to be used by IPSec.

Authentication Header (AH): This is used to provide connectionless integrity and data origin authentication for IP datagrams, and also provides protection against replay attacks.

Encapsulating Security Payload (ESP): This is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality.

Both authentication and encryption are generally desired in this mechanism:

Assure that unauthorized users do not enter the virtual private network.
Assure that eavesdroppers on the Internet cannot read messages sent over the virtual private network.

Since both of the above features are generally desirable, most implementations are likely to use ESP rather than AH.

Security Association

The Security Association mechanism is used for authentication (AH) and confidentiality (ESP).

A Security Association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
Security services are afforded to an SA for the use of AH or ESP, but not both.
An SA is identified by three parameters:

Security Parameter Index (SPI)
IP destination address
Security protocol identifier

Overview of IPSec Services and Functions

IPSec is not a single protocol, but rather a set of services and protocols which provide a complete security solution for an IP network. These services and protocols are combined to provide various types of protection. Since IPSec works at the IP layer, it provides protection for any higher-layer TCP/IP application or protocol without the use of any additional security methods, which is considered a major strength of its implementation.
General types of protection services offered by IPSec include:

Encryption of user data to achieve privacy.
Authentication and message integrity, to ensure that the data is not changed en route.
Protection against certain types of security attacks, such as replay attacks.
The ability of the devices to negotiate the security algorithms and keys required to meet their security needs.
Two security modes, called tunnel and transport, implemented to meet the various network needs.

Features and Benefits

IPSec is transparent to end users.
Users need not be trained on the security mechanisms.
IPSec assures security measures for individuals.
There is no requirement to change the software on a user or a server system.
Strong security measures are applied to the entire traffic crossing the perimeter.

2. Objective

IPSec is mostly designed to encrypt the data between two systems without any spoofing attacks. It is a key line of defence against internal and external attacks. However, other than these, there are many other security strategies which have prevented security attacks. The main idea in my research is to provide a better approach to the implementation of IP Security by analyzing the present methodologies. In the implementation of this design, I am also considering different operating systems to provide a better approach towards security, which can prove to be good in ideal ways.
The design of such an approach is helpful in restricting any unauthorised access to the network, and also helps in providing secure and authenticated access.

The main idea behind the design is to provide secured communication between the networks, independent of the operating system, which can ensure security and authenticity by considering, analyzing and testing any two of the best available methodologies.

In my overview of RFCs available on the Internet, such as those on cryptography, the receiver end of a particular communication channel is not aware of the sender unless the sender transmits some information with private and public keys with cipher text which can prove his authenticity. Now the receiver sends the same package with his signature, and then the receiver is also authenticated mutually.

Attacks may occur in different ways. There are also many ways in which such communications can be detected, using techniques like eavesdropping, sniffing or a man-in-the-middle attack. These are the three major problems for secure communications. In my research, I will attempt to design a procedure which can be easily followed in order to overcome such problems.

There are many techniques available now which are better than normal communication. The major problem with such techniques is the man-in-the-middle attack. There have been many advances to try and find out the problems, but there has always been a flaw in the design. My research is to design a system using the current technologies used to encrypt and authenticate. These techniques play a major role in the implementation of IP Security.

The major interest would be in areas like encryption, decryption and authentication. Additions will be made to this research as it is implemented. The goal is to research existing systems and to suggest a system which is even harder to break. It is not 100% immune to attacks, but an attack may take longer to break the system than at the present rate.
This system will also be very safe and will be easy to use in daily life, rather than something with a dozen processing steps to be followed.

2.2 SCOPE

With the rapid development of multimedia data management technologies over the internet, there is a need to be concerned about the security and privacy of information. In multimedia documents, dissemination and sharing of data is becoming a common practice for internet-based applications and enterprises.

As the internet is open to all users, security forms the critical issue. Hence the conveyance of information over the internet forms the critical issue. At present, cryptographic techniques are used for providing SECURITY.

2.3 PROJECT PERSPECTIVE

The project Network System for Secure Communication is enhanced with features that enable us to feel the real-time environment.

Today's world mostly employs the latest networking techniques instead of using stand-alone PCs. IPSec tunnelling, or encryption, an information scrambling technology, is an important security tool. When properly applied, it can provide a secure communication channel even when the underlying system and network infrastructure is not secure. This is particularly important when data passes through shared systems or network segments where multiple people may have access to the information. In these situations, sensitive data, and especially passwords, should be encrypted in order to protect them from unintended disclosure or modification.

2.4 PROPOSED SYSTEM

In this system, security is the term that comes into the picture when some important or sensitive information must be protected from unauthorized access.
Hence there must be some way to protect the data from unauthorized users, even if one of them hacks the information.

The proposed system provides security, and it does not allow unauthorized users to access the secret files.

As per the ISO standards, the security parameters are:

Confidentiality
Authentication
Integrity
Key distribution
Access control

CONFIDENTIALITY

Confidentiality is the protection of transmitted data from passive attacks. It can protect the data from unauthorized disclosure.

AUTHENTICATION

A process used to verify the integrity of the transmitted data, especially a message. It is the process of proving one's identity to someone else.

INTEGRITY

The sender and the receiver want to ensure that the content of their communication is not altered during transmission.

KEY DISTRIBUTION

Key distribution refers to the means of delivering a key to the communicating parties without allowing others to see the key.

ACCESS CONTROL

It is the ability to limit and control access to host systems and applications via communication links.

3. Literature Review

This project emphasises the design and evaluation of a computer-based system using appropriate processes and tools. Most of the industry-wide routers in the network implement their functionality in hardware, and we therefore believe that hardware-based routers are more efficient than a software-based router implementation; besides that, most of the work in the research community is performed using software-based routers utilizing off-the-shelf PCs. Various works have attempted to evaluate different protocol stacks; however, none of them uses hardware-based routers or has such a wide range of metrics, and none investigated mechanisms.

My research methodology emphasises surveys, forums from the internet and articles from the IEEE (Institute of Electrical and Electronics Engineers), a quantitative approach in advanced technology.
I also consider various other theses and books which are best suited to my project.

The following are the network-related definitions; a few protocols from the application layer and the network and internet layers are also discussed, which gives a clear idea of the concepts.

3.1 IPSec Standards

IPSec is actually a collection of techniques and protocols; it is not defined in a single Internet standard. Instead, a collection of RFCs defines the architecture, services and specific protocols used in IPSec. Some of the most important of these are shown below:

RFC 2401, Security Architecture for the Internet Protocol (IPSec overview): The main IPSec document, describing the architecture and general operation of the technology and showing how the different components fit together.

RFC 2402, IP Authentication Header: Defines the IPSec Authentication Header (AH) protocol used for ensuring data integrity and origin verification.

RFC 2403, The Use of HMAC-MD5-96 within ESP and AH: Describes a particular encryption algorithm for use by AH and ESP called Message Digest 5 (MD5), HMAC variant.

RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH: Describes a particular encryption algorithm for use by AH and ESP called Secure Hash Algorithm 1 (SHA-1), HMAC variant.

RFC 2406, IP Encapsulating Security Payload (ESP): Describes the IPSec Encapsulating Security Payload (ESP) protocol that provides data encryption for confidentiality.

RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP): Defines methods for exchanging keys and negotiating security associations.

RFC 2409, The Internet Key Exchange (IKE): Describes the Internet Key Exchange (IKE) protocol used to negotiate security associations and exchange keys between devices for secure communications.
It is based on ISAKMP and OAKLEY.

RFC 2412, The OAKLEY Key Determination Protocol: Describes a generic protocol for key exchange.

RFC 2131, Dynamic Host Configuration Protocol (DHCP): DHCP allows a host to obtain an IP address automatically, as well as to learn additional information about its subnet mask, the address of its first-hop router, and the address of its local DNS server.

RFC 3022, Network Address Translation (NAT): In an attempt to provide transparent routing to hosts, NAT devices are used to connect an isolated address realm with private unregistered addresses to an external realm with globally unique registered addresses.

Domain Name System (DNS): It is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various other information with the domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. For example, www.example.com translates to 208.77.188.166.

Windows Internet Name Service (WINS): It is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. Effectively, WINS is to NetBIOS names what DNS is to domain names; in fact it is a central mapping of host names to network addresses. Like DNS, it is broken into two parts: a Server Service (that manages the encoded Jet Database, server-to-server replication, service requests, and conflicts) and a TCP/IP Client component, which manages the client's registration and renewal of names and takes care of queries.

VPN (Virtual Private Network): It is a virtual computer network that exists over the top of an existing network.
The purpose of a VPN is to allow communications between systems connected to the VPN using an existing shared network infrastructure as the transport, without the VPN network being aware of the existence of the underlying network backbone and without the VPN interfering with other network traffic on the backbone. A VPN between two networks is often referred to as a VPN tunnel. Most VPN technologies can be separated into two broad categories, Secure VPNs and Trusted VPNs.

Internet Protocol version 6 (IPv6): It is the next-generation Internet Protocol version, designated as the successor to IPv4. It is an Internet Layer protocol for packet-switched internetworks. The main driving force for the redesign of the Internet Protocol was the foreseeable IPv4 address exhaustion. IPv6 was defined in December 1998 by the Internet Engineering Task Force (IETF) with the publication of an Internet standard specification, RFC 2460.

IPv6 has a vastly larger address space than IPv4. This results from the use of a 128-bit address, whereas IPv4 uses only 32 bits. This expansion provides flexibility in allocating addresses and routing traffic, and eliminates the primary need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion. Due to its security and flexibility, the entire Internet is expected to deploy IPv6 in 2012.

Tunnelling

In computer networks, a tunnelling protocol (delivery protocol) encapsulates a different payload protocol, i.e. it carries a payload over an incompatible delivery network. It can also provide a secure path through an untrusted network without any data loss.

Transport Layer Security (TLS)

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet.
TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.

Encryption

In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text).

In many contexts, the word encryption also implicitly refers to the reverse process, decryption.

Internet Key Exchange

Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPSec protocol suite. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived. Public key techniques or, alternatively, a pre-shared key are used to mutually authenticate the communicating parties.

4. IPSec System Architecture

Authentication Header and Encapsulating Security Payload are commonly called protocols, though this is another case where the validity of the term is debatable. They are not really distinct protocols but are implemented as headers that are inserted into IP datagrams, as we will see. They thus do the grunt work of IPSec, and can be used together to provide both authentication and privacy.

IPSec protocols

The IPSec protocol family consists of two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). Both of these are independent IP protocols. AH is IP protocol 51 and ESP is IP protocol 50.

Authentication Header

This is a member of the IPSec protocol suite. Authentication Header provides connectionless data integrity and data origin authentication of IP packets. Further, it can also provide protection against replay attacks by using the sliding window technique and by discarding old packets.
Authentication Header also gives protection for the IP payload and all the header fields of an IP datagram.

AH operates directly on top of IP, using IP protocol number 51.

An AH packet diagram is shown below, which describes how an AH packet is constructed and interpreted.

Field meanings

Next header: This is an 8-bit field that identifies the type of the next payload after the Authentication Header. The value of this field is chosen from the set of defined IP Protocol Numbers.
RESERVED: These fields are reserved for future use.
Payload length: This defines the size of the Authentication Header packet.
Sequence number: This field holds a monotonically increasing number which is used to prevent certain replay attacks.
Security parameters index (SPI): This field is used to identify the security parameters which, in combination with the IP address, identify the security association implemented with this packet.
Authentication data: This field contains the integrity check value (ICV) which is required to authenticate the packet. This field may also contain padding.

Encapsulating Security Payload

ESP, which expands to Encapsulating Security Payload, is a member of the IPSec protocol suite. IPSec achieves integrity, origin authenticity, and confidentiality protection of packets. This protocol also supports encryption-only and authentication-only configurations. However, the use of encryption without authentication is not recommended because it is considered insecure.

ESP does not protect the IP packet header as the Authentication Header (AH) does. The packet diagram below shows how an ESP packet is constructed and interpreted.

Field meanings

Security paramete
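The AH fields and the sliding-window replay check described above, worked through as an added Python example (not code from the original essay). The key, SPI, destination address and packets are constructed; the ICV is HMAC-SHA-1-96 but, as a simplification, covers only the AH header and payload rather than the whole IP datagram, and the payload-length encoding (AH size in 32-bit words minus 2) follows RFC 2402.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51                        # IP protocol number of AH
AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence
ICV_LEN = 12                         # HMAC-SHA-1-96 keeps the first 96 bits of the MAC


def _icv(key, fixed, payload):
    # Simplification: a real ICV also covers the immutable IP header fields.
    mac = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(next_header, spi, seq, payload, key):
    """Sender side: AH header + ICV + payload."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2   # 32-bit words minus 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload


def parse_ah(packet):
    """Split a packet into AH fields; raise ValueError if malformed."""
    if len(packet) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(packet)
    ah_len = (payload_len + 2) * 4
    if reserved != 0 or ah_len < AH_FIXED.size or ah_len > len(packet):
        raise ValueError("inconsistent AH header")
    return {"next_header": next_header, "payload_len": payload_len, "spi": spi,
            "seq": seq, "fixed": packet[:AH_FIXED.size],
            "icv": packet[AH_FIXED.size:ah_len], "payload": packet[ah_len:]}


class ReplayWindow:
    """Receiver-side sliding window over sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set means (top - i) was already accepted

    def check(self, seq):
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.top:
            return True                        # new, ahead of the window
        offset = self.top - seq
        if offset >= self.size:
            return False                       # older than the window: discard
        return not (self.bitmap >> offset) & 1

    def update(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(packet, dst, sa_table):
    """Return (verdict, payload). The SA is looked up by (SPI, destination, protocol)."""
    try:
        ah = parse_ah(packet)
    except ValueError:
        return "malformed", None
    sa = sa_table.get((ah["spi"], dst, AH_PROTO))
    if sa is None:
        return "unknown-spi", None
    if not sa["window"].check(ah["seq"]):
        return "replay", None
    expected = _icv(sa["key"], ah["fixed"], ah["payload"])
    if not hmac.compare_digest(expected, ah["icv"]):
        return "bad-icv", None
    # Slide the window only after the ICV verifies, so a forged packet
    # with a high sequence number cannot push valid traffic out of it.
    sa["window"].update(ah["seq"])
    return "accept", ah["payload"]


def demo():
    key, dst = b"constructed-demo-key", "192.0.2.10"   # constructed sample values
    sas = {(0x1001, dst, AH_PROTO): {"key": key, "window": ReplayWindow(size=4)}}
    forged = bytearray(build_ah(6, 0x1001, 6, b"data", key))
    forged[-1] ^= 0x01                                  # payload altered in transit
    stream = [build_ah(6, 0x1001, s, b"data", key) for s in (1, 1, 5, 3, 1)]
    stream += [bytes(forged), build_ah(6, 0x1001, 6, b"data", key),
               build_ah(6, 0x2002, 1, b"data", key)]
    return [receive(p, dst, sas)[0] for p in stream]


if __name__ == "__main__":
    print(demo())
```
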