The Authentication Header (AH) security protocol provides integrity for an individual IP datagram, and it authenticates the datagram source, either by the source’s IP address or by the end-system’s domain name. AH provides integrity for selected portions of the IP header in addition to the higher-layer protocol. AH also offers anti-replay service (really a partial sequence integrity service) to the receiver. This service helps counter denial of service attacks. AH does not provide confidentiality.
Originally, the AH integrity check value was computed using either an MD5 or a SHA-1 one-way hash value combined with a symmetric shared secret (i.e., HMAC MD5 or HMAC SHA-1). It’s been updated and now HMAC MD5 is downgraded to MAY, HMAC SHA-1 remains MUST, and AES-XCBC-MAC [RFC3566] has been added as SHOULD+. This AES variation includes extensions to protect variable-length messages.
Figure 7-4 illustrates a typical AH protocol data unit. AH contains the following five fields:
Next Header. The next header field tells which higher-layer protocol is encapsulated by AH. In tunnel mode, the next header field will always indicate IP (either IPv4 or IPv6). In transport mode, the next header field will usually indicate TCP, UDP, or ICMP.
Length. The length field tells the size of the AH protocol header. The size depends on the one-way hash function employed since the integrity check value is contained in the only variable length field.
SPI. The security parameter index (SPI) field contains a 32-bit arbitrary value that identifies the security association. The SPI and the destination IP address uniquely identify the AH security association for this datagram.
Turner c07.tex V3 - 03/26/2008 5:38pm Page 137
Chapter 7 ■ Protecting Email Passwords, Headers, and Commands 137
Sequence Number. The sequence number field contains the anti-replay sequence number. It contains an unsigned 32-bit monotonically increasing counter value. The sender must include this value; the receiver may either process it or ignore it.
Authentication Data. The authentication data field contains the integrity check value for this datagram. The field is variable length, but it must be a multiple of 32 bits in length.
[Figure: protocol stack: Application Protocol / Transport Protocol (TCP, UDP, etc.) / Authentication Header / Internet Protocol (IPv4, IPv6). AH header layout: Next Header, Length, Reserved (Must be zero); SPI (Security Parameters Index); Sequence Number; Authentication Data (Multiples of 32 bits).]
Figure 7-4 AH protocol header
On transmission, the sequence number is incremented, and then portions of the IP header and the higher-layer protocol are hashed along with the symmetric shared secret to create the integrity check value. On reception, the same calculation is performed. If the calculated integrity check value does not match the one received in the AH protocol, the datagram is discarded. Also, if the security association indicates that the anti-replay facility is in use, then the sequence number must fall within the expected range and it must not duplicate any prior value. If either check fails, the datagram is discarded.
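The send and receive processing just described, as an added Python sketch that is not taken from the book. It assumes HMAC SHA-1 truncated to 96 bits, a 32-datagram replay window, and a caller-supplied byte string `ip_fields` standing in for the protected portions of the IP header; the class and function names are hypothetical.

```python
import hashlib, hmac, struct

ICV_LEN = 12   # HMAC SHA-1 output truncated to 96 bits
WINDOW = 32    # anti-replay window size in datagrams (assumed value)

def ah_header(next_hdr, spi, seq, icv=bytes(ICV_LEN)):
    # Length is counted in 32-bit words minus 2 (RFC 4302); Reserved is zero.
    length = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, length, 0, spi, seq) + icv

def compute_icv(key, ip_fields, next_hdr, spi, seq, payload):
    # Hash the protected IP header fields, the AH header with the
    # Authentication Data zeroed, and the higher-layer payload.
    data = ip_fields + ah_header(next_hdr, spi, seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

class Sender:
    def __init__(self, key, spi):
        self.key, self.spi, self.seq = key, spi, 0

    def protect(self, ip_fields, next_hdr, payload):
        self.seq += 1  # incremented first, then covered by the ICV
        icv = compute_icv(self.key, ip_fields, next_hdr, self.spi, self.seq, payload)
        return ah_header(next_hdr, self.spi, self.seq, icv) + payload

class Receiver:
    def __init__(self, key, spi):
        self.key, self.spi, self.top, self.seen = key, spi, 0, 0

    def accept(self, ip_fields, packet):
        """Return the payload, or None if the datagram must be discarded."""
        if len(packet) < 12:
            return None
        next_hdr, length, _, spi, seq = struct.unpack("!BBHII", packet[:12])
        end = (length + 2) * 4
        icv, payload = packet[12:end], packet[end:]
        age = self.top - seq  # >= 0: at or behind the newest accepted number
        if spi != self.spi or seq == 0 or age >= WINDOW:
            return None  # wrong SA, or older than the window
        if age >= 0 and (self.seen >> age) & 1:
            return None  # duplicate of a datagram already accepted
        good = compute_icv(self.key, ip_fields, next_hdr, spi, seq, payload)
        if not hmac.compare_digest(icv, good):
            return None  # integrity check failed
        if age < 0:  # new highest number: slide the window forward
            self.seen = (self.seen << -age) & ((1 << WINDOW) - 1)
            self.top, age = seq, 0
        self.seen |= 1 << age  # record only after the ICV has verified
        return payload
```

The window state changes only after the integrity check succeeds, so a forged datagram carrying a large sequence number cannot push legitimate traffic out of the window.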
Encapsulating Security Payload
The Encapsulating Security Payload (ESP) protocol can provide confidentiality, authentication, and integrity. ESP provides confidentiality by encrypting the payload (and part of the ESP Header and ESP Trailer). The strength of the confidentiality service depends primarily on the encryption algorithm employed. ESP provides authentication and integrity using an integrity check value (just like AH). Although both confidentiality and authentication (which encompasses integrity) are optional, at least one of them must be provided in each ESP security association. If authentication is used, an anti-replay service with the same features as the AH anti-replay service is available. ESP provides narrower authentication and integrity protection than does AH. The IP header that carries the ESP header is not covered by the integrity check value.
138 Part III ■ Secure Email
If tunnel mode ESP using encryption is active between two security gateways, then partial traffic flow confidentiality is provided. The use of tunnel mode encrypts the inner IP headers, concealing the identities of the ultimate traffic source and destination. However, the addresses of the security gateways are clearly available. Further, the truly paranoid can employ ESP payload padding to hide the size of the datagrams, somewhat concealing the external characteristics of the traffic.
Originally, either DES or Triple DES could be used for encryption. ESP has been updated since, so that DES is SHOULD NOT, Triple DES is SHOULD-, AES-CBC with 128 bit keys is SHOULD+, and AES-CTR is SHOULD.
Originally, the ESP integrity check value was computed using either an MD5 or a SHA-1 one-way hash value combined with a symmetric shared secret (i.e., HMAC MD5 or HMAC SHA-1). It’s been updated, and HMAC MD5 has been downgraded to MAY, HMAC SHA-1 remains MUST, and AES-XCBC-MAC [RFC3566] was added as SHOULD+.
Figure 7-5 illustrates a typical ESP protocol data unit. ESP includes a header and a trailer. The ESP Header contains two fields:
SPI. The security parameter index (SPI) field contains a 32-bit arbitrary value that identifies the security association. The SPI and the destination IP address uniquely identify the ESP security association for this datagram.
Sequence Number. The sequence number field contains the anti-replay sequence number. It contains an unsigned 32-bit monotonically increasing counter value. The sender must include this value; the receiver may either process it or ignore it.
The ESP Trailer contains four fields:
Padding. The padding field ensures that the size of the data to be encrypted is a multiple of the cryptographic block size and that the next header field ends on a 32-bit boundary.
Pad Length. The length field tells the size of the padding. The size depends on the encryption algorithm employed and the extent of traffic flow confidentiality that is desired.
Next Header. The next header field tells which higher-layer protocol is encapsulated by ESP. In tunnel mode, the next header field will always indicate IP (either IPv4 or IPv6). In transport mode, the next header field will usually indicate TCP, UDP, or ICMP.
Authentication Data. The authentication data field contains the integrity check value for this datagram. The field is variable length, but it must be a multiple of 32 bits in length. If authentication and integrity are not desired, then the authentication data field is absent (or zero bits long).
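How the trailer fields fit together, as an added Python sketch that is not taken from the book. It builds and parses the cleartext that the cipher would process and performs no encryption itself; the function names are hypothetical, and the padding bytes 1, 2, 3, ... follow the default given in RFC 4303.

```python
import math, struct

def esp_plaintext(payload, next_hdr, block_size=16, extra_blocks=0):
    """Payload + Padding + Pad Length + Next Header: the data to be encrypted."""
    # Align to both the cipher block size and a 32-bit boundary.
    align = block_size * 4 // math.gcd(block_size, 4)
    pad_len = -(len(payload) + 2) % align   # 2 = Pad Length + Next Header
    pad_len += extra_blocks * align         # extra padding hides the true size
    if pad_len > 255:
        raise ValueError("Pad Length is a single byte (0..255)")
    padding = bytes(range(1, pad_len + 1))  # default contents 1, 2, 3, ... (RFC 4303)
    return payload + padding + bytes([pad_len, next_hdr])

def esp_strip(plaintext):
    """Receiver side, after decryption: return (payload, next_hdr)."""
    if len(plaintext) < 2:
        raise ValueError("too short for an ESP trailer")
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    body_end = len(plaintext) - 2 - pad_len
    if body_end < 0:
        raise ValueError("Pad Length exceeds the datagram")
    if plaintext[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the default sequence")
    return plaintext[:body_end], next_hdr

def esp_datagram(spi, seq, protected, icv=b""):
    """ESP Header (SPI, Sequence Number) + protected data + Authentication Data."""
    if len(icv) % 4:
        raise ValueError("Authentication Data must be a multiple of 32 bits")
    return struct.pack("!II", spi, seq) + protected + icv
```

With a 16-byte block cipher, a 5-byte payload receives 9 padding bytes so that payload, padding, Pad Length and Next Header fill exactly one block; `extra_blocks` adds whole blocks of padding for traffic flow confidentiality.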
Application Protocol Transport Protocol (TCP, UDP, etc) Encapsulating Security Payload (ESP) Header