1
00:00:01,370 --> 00:00:06,740
Welcome to the lecture on protocols and services designed to ensure the security of computer systems

2
00:00:10,020 --> 00:00:15,270
the subject is very important because the bulk of protocols still in use today are more than 30 years

3
00:00:15,270 --> 00:00:15,910
old.

4
00:00:18,210 --> 00:00:24,630
These protocols were not designed with security in mind examining individual layers of the OS model.

5
00:00:24,720 --> 00:00:31,580
We have noted that some security measures are present only from the third layer up the first secure

6
00:00:31,580 --> 00:00:40,500
protocol is the IP SEC which is used by the fall with IP version 6 even when there are mechanisms allowing

7
00:00:40,500 --> 00:00:44,610
to improve security of a computer system or a computer network.

8
00:00:44,610 --> 00:00:47,990
They are often used.

9
00:00:48,060 --> 00:00:52,190
There are a number of solutions but the number of those news is smaller still.

10
00:00:54,440 --> 00:00:57,580
What could you do to improve the security of a computer network.

11
00:00:59,590 --> 00:01:04,440
You could ensure the confidentiality and authenticity of the data sent over the network.

12
00:01:06,220 --> 00:01:11,280
You can also make sure that you exchange data with the host you actually intended to or authenticate

13
00:01:11,290 --> 00:01:20,930
the remote computer doing these three things would improve security greatly due to confidentiality and

14
00:01:20,930 --> 00:01:26,570
authenticity and the identity of the remote computer can be insured by implementing the secure Internet

15
00:01:26,570 --> 00:01:30,900
Protocol or IP sec.

16
00:01:30,940 --> 00:01:36,820
Actually this is a whole suite of protocols which will now examine each of them individually

17
00:01:41,900 --> 00:01:50,190
the first and most widely used as the ESPN protocol encapsulating security payload all the protocols

18
00:01:50,190 --> 00:01:56,550
that make up the IP Senge operate at that third layer of the same model.

19
00:01:56,580 --> 00:02:02,280
One of the basic advantages of the ESPN is that the protocol will not effect in any way the functionality

20
00:02:02,340 --> 00:02:10,160
of applications running in a given network the IP set can be enabled from the third layer and not from

21
00:02:10,160 --> 00:02:13,750
the session layer or higher.

22
00:02:13,930 --> 00:02:19,720
We can secure communication between hosts or groups of hosts in a manner not requiring any changes to

23
00:02:19,720 --> 00:02:22,560
the infrastructure and software running on your network.

24
00:02:25,690 --> 00:02:31,420
Yes P is used for encryption and digital signing of the transmitted data.

25
00:02:31,640 --> 00:02:36,800
If you use both features of the protocol the data will first be encrypted and then there cryptograms

26
00:02:36,800 --> 00:02:38,090
will be digitally signed

27
00:02:41,080 --> 00:02:49,420
the implementation of VSP required to add the ESPN header to the IP header the first header field contains

28
00:02:49,420 --> 00:02:56,300
information about security parameters and about security associations negotiated for the protocol.

29
00:02:56,320 --> 00:03:00,760
The header also includes the package sequence number.

30
00:03:00,760 --> 00:03:09,120
This means that the IP SEC and the ISP protect against replay attacks and a replay attack the attacker

31
00:03:09,120 --> 00:03:18,020
uses a stolen password instead of cracking one ESPN automatically eliminates this threat.

32
00:03:18,050 --> 00:03:23,210
The packet footer contains information about the amount of pseudo random data needed for the encryption

33
00:03:23,210 --> 00:03:29,930
with a given algorithm encryption algorithms have certain requirements concerning the amount of data

34
00:03:29,930 --> 00:03:39,080
to be encrypted the information about the amount of data that was supplemented is sent to the final

35
00:03:39,080 --> 00:03:44,360
part of the header contains the information about the protocol protected by the ISP and the information

36
00:03:44,360 --> 00:03:46,790
confirming the identity of the remote host

37
00:03:52,100 --> 00:04:00,490
the ESPN protocol can operate in one of two modes the transport mode is used most often.

38
00:04:00,540 --> 00:04:02,880
This is the mode shown in the diagram below.

39
00:04:04,280 --> 00:04:09,710
Its function is to ensure the confidentiality and authenticity of communication between two hosts

40
00:04:12,400 --> 00:04:16,990
everything that is above the third layer of the oocyte model gets encrypted.

41
00:04:16,990 --> 00:04:20,170
In addition the ESB header is signed as well.

42
00:04:20,170 --> 00:04:27,840
The authenticity of the header is verified.

43
00:04:27,870 --> 00:04:31,530
The second mode is the tunnel mode in the picture below.

44
00:04:31,540 --> 00:04:38,850
You can see its schematic representation this mode is used to secure the communication between routers.

45
00:04:38,990 --> 00:04:40,940
That is to say between subnets

46
00:04:43,570 --> 00:04:48,520
the same kind of data that is encrypted and signed in transport mode is encrypted and signed in tunnel

47
00:04:48,520 --> 00:04:49,570
mode as well.

48
00:04:51,140 --> 00:04:58,660
In addition the IP header is attached the original IP header is replaced with a router header.

49
00:04:58,710 --> 00:05:10,350
The router establishes a secure connection channel between two networks.

50
00:05:10,350 --> 00:05:16,150
The second protocol of the IP six suite is the authentication header.

51
00:05:16,210 --> 00:05:20,880
It allows you to confirm the authenticity of data and the protocol headers contained in this data

52
00:05:23,360 --> 00:05:27,670
authenticity is confirmed by attaching a signature to the data being transmitted.

53
00:05:30,060 --> 00:05:38,620
We had a chance to examine this when we discussed calculating S.H. one or M.D five file hashes thanks

54
00:05:38,620 --> 00:05:39,290
to this.

55
00:05:39,310 --> 00:05:44,460
Any change in the data will change the hash value in IP protocols headers.

56
00:05:44,470 --> 00:05:51,680
There are fields the values of which are inherently variable and example of such a field is the TTL

57
00:05:51,800 --> 00:05:52,910
time to live.

58
00:05:53,060 --> 00:05:59,320
Whose value is reduced by one for each rodder through which the packet is transmitted.

59
00:05:59,440 --> 00:06:04,890
If the TTL field was signed its endpoint value would certainly not match its initial value.

60
00:06:07,630 --> 00:06:12,550
A solution to this problem is that all header fields with variable values are reset before getting a

61
00:06:12,550 --> 00:06:13,370
signature.

62
00:06:15,180 --> 00:06:18,620
This information must be recorded at the age protocol header.

63
00:06:20,810 --> 00:06:26,150
In the header you will find for example the information about the protocol of the package whose data

64
00:06:26,150 --> 00:06:30,450
has been protected by the H protocol.

65
00:06:30,450 --> 00:06:35,310
Moreover there is also the information about the data length and security parameter index.

66
00:06:35,310 --> 00:06:40,370
That is the information about the IPv6 Security Association.

67
00:06:40,390 --> 00:06:47,800
This is the information concerning the hash function that has been negotiated and used as in the case

68
00:06:47,800 --> 00:06:49,110
with the ISP.

69
00:06:49,120 --> 00:06:52,710
You also find the sequence number of the remote host and its credentials

70
00:06:56,710 --> 00:07:05,200
the authentication header just like the espie can run in one of two modes a similar transport mode is

71
00:07:05,200 --> 00:07:12,420
used to confirm the authenticity of communication between two hosts in the picture below you can see

72
00:07:12,480 --> 00:07:15,640
all the data except the variable header fields are assigned

73
00:07:18,920 --> 00:07:25,850
the tunnel mode is used to confirm the authenticity of data transferred between networks.

74
00:07:25,880 --> 00:07:31,190
In this case to the IP header with the address pointing to the router that sent the packet is added

75
00:07:33,640 --> 00:07:36,060
that can easily be encrypted and digitally signed.

76
00:07:36,070 --> 00:07:39,610
As long as both communicating parties have access to the shared secret

77
00:07:42,490 --> 00:07:47,600
the problem is how to establish a shared secret key over an insecure communications channel.

78
00:07:49,120 --> 00:07:55,000
In the case of the secure Internet Protocol IP Seck this problem has been solved by the Diffie Helman

79
00:07:55,000 --> 00:07:57,490
protocol.

80
00:07:57,500 --> 00:08:04,760
This is a protocol for the exchange of cryptographic keys using asymmetric key encryption scheme.

81
00:08:04,840 --> 00:08:11,940
The designers of the solution also took into consideration the FS perfect forward security role.

82
00:08:12,160 --> 00:08:17,350
According to this rule disclosure of the key should not allow access to all the data encrypted in this

83
00:08:17,350 --> 00:08:22,760
key regardless of whether the data has been encrypted before or after the key was disclosed.

84
00:08:25,310 --> 00:08:31,610
This is a simple requirement to me and the solution is not technologically complex.

85
00:08:31,640 --> 00:08:35,330
The key must be dynamically generated.

86
00:08:35,440 --> 00:08:40,030
The master key is used to secure the establishment of one or more session keys.

87
00:08:41,650 --> 00:08:46,190
The Diffie Helman protocol is computationally complex.

88
00:08:46,350 --> 00:08:53,420
If it was used regularly it would have a perceptible impact on the efficiency of communication.

89
00:08:53,420 --> 00:08:59,150
Moreover it cannot be used repeatedly for a long time because it would fail to meet FS requirements

90
00:09:01,430 --> 00:09:04,130
to create an efficient and secure solution.

91
00:09:04,130 --> 00:09:09,870
It was decided that the IPv6 security associations would be negotiated in a two faced process

92
00:09:12,690 --> 00:09:13,780
during the first phase.

93
00:09:13,830 --> 00:09:19,480
A secure connection is established the identity of the remote host is verified and the secure channel

94
00:09:19,480 --> 00:09:27,090
is set up Phase 2 is very fast and computationally cheap but it only allows to renegotiate security

95
00:09:27,090 --> 00:09:29,400
associations and replace the session key.