IPSEC:
IPsec can protect data flows between several kinds of endpoints: host-to-host (one system to another), network-to-network (one LAN to another, typically gateway to gateway) or network-to-host (a LAN to a single host). It is commonly used to protect traffic crossing the Internet's IP networks.
Protections of Data afforded by IPsec:
- Network-level peer authentication
- Data-Origin Authentication
- Data Integrity
- Data Confidentiality (encryption)
- Replay protection
The architecture of IPsec includes:
- Authentication Headers (AH) - Provide connectionless Data Integrity and Data-Origin Authentication for IP datagrams and, optionally, protection against replay attacks. AH provides no confidentiality. Its integrity check also covers the immutable fields of the IP header (including the source and destination addresses), which is why AH does not survive NAT.
- Encapsulating Security Payloads (ESP) - Provide Confidentiality, Data-Origin Authentication, connectionless Data Integrity and anti-replay protection. In transport mode ESP protects only the payload, not the IP header. In Tunnel mode the complete inner IP packet is protected, including the inner header, while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. ESP operates directly on top of IP, as IP protocol number 50 (AH is protocol 51).
- Security Associations (SA) - The algorithms and parameters (keys, mode, lifetimes, Security Parameter Index) used for AH / ESP operations.
An SA encrypts and/or authenticates a particular data flow in one direction only, so normal bi-directional traffic needs a pair of security associations, one per direction, each identified at the receiver by its own Security Parameter Index (SPI). SAs are established with the Internet Security Association and Key Management Protocol (ISAKMP), which is implemented by manual configuration with pre-shared secrets, by Internet Key Exchange (IKE and IKEv2), by Kerberized Internet Negotiation of Keys (KINK), and by the use of IPSECKEY DNS records. RFC 5386 defines Better-Than-Nothing Security (BTNS) as an unauthenticated mode of IPsec using an extended IKE protocol (3).
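As an added example (not code from the original post or from any IPsec implementation), the following Python models one unidirectional ESP-style Security Association with the RFC 4303 anti-replay window, then pairs two of them for bi-directional traffic. SPIs, keys and messages are constructed for the example, and encryption is the NULL transform (RFC 2410) so that only the standard library is needed; a real SA would also encrypt the payload.

```python
import hmac
import hashlib
import struct

WINDOW = 64            # receiver anti-replay window (RFC 4303 minimum is 32; 64 is typical)
ICV_LEN = 16           # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)
NEXT_HEADER_TCP = 6


class SecurityAssociation:
    """One unidirectional SA: an SPI, an integrity key and the per-direction state.

    Integrity is HMAC over SPI || seq || payload || trailer, which is what ESP
    authenticates.  Encryption is the NULL transform (RFC 2410) so the example
    needs only the standard library; a real SA would also encrypt payload + trailer.
    """

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.seq = 0        # sender: last sequence number sent
        self.top = 0        # receiver: highest sequence number accepted so far
        self.bitmap = 0     # receiver: bit i set => sequence number (top - i) already seen

    def _icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, payload, next_header=NEXT_HEADER_TCP):
        """Outbound: SPI | seq | payload | padding | pad-len | next-header | ICV."""
        if self.seq >= 0xFFFFFFFE:      # RFC 4303: the counter must not wrap; rekey instead
            raise RuntimeError("sequence number space exhausted; rekey the SA")
        self.seq += 1
        pad_len = (-(len(payload) + 2)) % 4             # trailer must end on a 4-byte boundary
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        body = struct.pack("!II", self.spi, self.seq) + payload + trailer
        return body + self._icv(body)

    def verify(self, packet):
        """Inbound: returns (payload, None) or (None, reason).

        Order follows RFC 4303 section 3.4: look up the SA, run the cheap replay check,
        verify the ICV, and only then move the window, so a forged packet can neither
        burn a sequence number nor advance the window.
        """
        if len(packet) < 8 + 2 + ICV_LEN:
            return None, "truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return None, "unknown SPI"
        if seq == 0:
            return None, "sequence number 0 is never valid"
        if seq <= self.top:
            diff = self.top - seq
            if diff >= WINDOW:
                return None, "too old (outside window)"
            if self.bitmap & (1 << diff):
                return None, "replay"
        body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(tag, self._icv(body)):
            return None, "bad ICV"
        if seq > self.top:                               # slide the window forward
            self.bitmap = (self.bitmap << (seq - self.top)) & ((1 << WINDOW) - 1)
            self.top = seq
            self.bitmap |= 1
        else:                                            # late but inside the window
            self.bitmap |= 1 << (self.top - seq)
        pad_len = body[-2]
        return body[8:len(body) - pad_len - 2], None


def demo():
    """Constructed traffic between hosts A and B; keys are fixed here, IKE would derive them."""
    key_ab, key_ba = b"\x11" * 32, b"\x22" * 32
    a_out, b_in = SecurityAssociation(0x1001, key_ab), SecurityAssociation(0x1001, key_ab)
    b_out, a_in = SecurityAssociation(0x2002, key_ba), SecurityAssociation(0x2002, key_ba)
    pkts = [a_out.protect(b"msg%02d" % i) for i in range(1, 71)]      # sequence numbers 1..70
    out = {}
    out["in_order"] = b_in.verify(pkts[0])[0]          # accepted
    out["replay"] = b_in.verify(pkts[0])[1]            # same packet again: rejected
    forged = pkts[1][:-1] + bytes([pkts[1][-1] ^ 0x01])
    out["tampered"] = b_in.verify(forged)[1]           # ICV fails, window untouched
    out["after_tamper"] = b_in.verify(pkts[1])[0]      # the genuine seq 2 is still accepted
    out["jump"] = b_in.verify(pkts[69])[0]             # seq 70 arrives early: window slides
    out["too_old"] = b_in.verify(pkts[2])[1]           # seq 3 is 67 behind the top: dropped
    out["late_but_ok"] = b_in.verify(pkts[9])[0]       # seq 10 is 60 behind: inside the window
    out["wrong_direction"] = a_in.verify(pkts[0])[1]   # A's inbound SA has a different SPI
    out["reply"] = a_in.verify(b_out.protect(b"200 OK"))[0]   # the other SA of the pair
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value!r}")
```

The two SA objects that share an SPI and key are the sender's and receiver's halves of the same unidirectional SA; the reverse direction is a separate SA with its own SPI and key, which is why A's inbound SA rejects a packet from A's own outbound SA. The window is advanced only after the ICV passes: if it moved on the replay check alone, an attacker who can inject packets with high sequence numbers could push genuine in-flight packets out of the window without knowing the key.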
Transport Mode = host-to-host
In transport mode only the payload of the IP packet is encrypted and/or authenticated; the IP header is neither modified nor encrypted, so routing is unaffected. If the Authentication Header is used, NAT cannot be used, because the source and destination IP addresses are among the header fields covered by the AH integrity check, so a packet whose address has been rewritten fails verification at the receiver. For home users this is a problem, as most systems in the home are connected through a home router performing IPv4 Network Address Translation.
Tunnel Mode = network tunneling mode
In tunnel mode the complete IP packet is encrypted and authenticated and then encapsulated in a new IP packet with a new IP header. VPNs use tunnel mode to create network-to-network communications (e.g. between routers) or host-to-network communications (e.g. a remote host to a gateway). This is useful for individuals who want privacy while using untrusted networks such as open wireless hotspots (wifi hotspots), because the tunnel carries their traffic into a more secure network, so the user works on a known and trusted network.
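As an added example (not from the original post or any IPsec stack) covering both the transport-mode NAT problem above and tunnel-mode encapsulation, the following Python builds an AH transport-mode packet and an ESP tunnel-mode packet from a host behind a home router, applies the source-address rewrite the router performs, and checks each integrity value afterwards. Addresses, key, SPIs and the TCP segment are constructed; the host is its own tunnel endpoint (the host-to-network case), and ESP uses NULL encryption so the inner packet stays readable.

```python
import hmac
import hashlib
import struct
import ipaddress

KEY = b"\x42" * 32                 # constructed integrity key; IKE would negotiate the real one
ICV_LEN = 16                       # HMAC-SHA-256-128
PROTO_TCP, PROTO_ESP, PROTO_AH, PROTO_IPIP = 6, 50, 51, 4


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_immutable_view(packet):
    """What the AH ICV is computed over (RFC 4302 3.3.3.1): the IP header with the mutable
    fields zeroed (TOS, flags/fragment offset, TTL, checksum), the AH header with its own
    ICV field zeroed, then the payload.  The addresses are NOT mutable: the ICV binds them."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                     # TOS / DSCP / ECN
    hdr[6:8] = b"\x00\x00"         # flags + fragment offset
    hdr[8] = 0                     # TTL
    hdr[10:12] = b"\x00\x00"       # header checksum
    ah = bytearray(packet[20:32 + ICV_LEN])
    ah[12:] = bytes(ICV_LEN)
    return bytes(hdr) + bytes(ah) + packet[32 + ICV_LEN:]


def ah_transport(src, dst, tcp_segment, spi=0x100, seq=1):
    """AH transport mode: IP | AH(next hdr, len, SPI, seq, ICV) | TCP."""
    ah_fixed = struct.pack("!BBHII", PROTO_TCP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    body = ah_fixed + bytes(ICV_LEN) + tcp_segment
    pkt = ipv4_header(src, dst, PROTO_AH, len(body)) + body
    return pkt[:32] + icv(ah_immutable_view(pkt)) + pkt[32 + ICV_LEN:]


def ah_verify(packet):
    return hmac.compare_digest(packet[32:32 + ICV_LEN], icv(ah_immutable_view(packet)))


def esp_tunnel(gw_src, gw_dst, inner_packet, spi=0x200, seq=1):
    """ESP tunnel mode: new outer IP | ESP(SPI, seq) | whole inner IP packet | trailer | ICV.
    The ICV covers everything after the outer header and nothing in it.  NULL encryption
    (RFC 2410) keeps the inner packet readable here; a real SA would encrypt it."""
    pad_len = (-(len(inner_packet) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_IPIP])
    body = struct.pack("!II", spi, seq) + inner_packet + trailer
    body += icv(body)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(body)) + body


def esp_verify(packet):
    body = packet[20:]
    return hmac.compare_digest(body[-ICV_LEN:], icv(body[:-ICV_LEN]))


def nat_rewrite_src(packet, new_src):
    """What a home router does on egress: swap the private source address for its public
    one and fix the IP header checksum.  It has no SA key and touches nothing past the header."""
    hdr = packet[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + packet[16:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def demo():
    """Host 192.168.1.10 behind a NAT router (public 198.51.100.7) talking to 203.0.113.5."""
    tcp = b"\x1f\x90\x00\x50" + bytes(16) + b"constructed TCP segment"   # dummy header + data
    inner = ipv4_header("192.168.1.10", "203.0.113.5", PROTO_TCP, len(tcp)) + tcp
    ah = ah_transport("192.168.1.10", "203.0.113.5", tcp)
    tun = esp_tunnel("192.168.1.10", "203.0.113.5", inner)
    nat_ah, nat_tun = nat_rewrite_src(ah, "198.51.100.7"), nat_rewrite_src(tun, "198.51.100.7")
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_ah),                 # address is in the ICV: fails
        "esp_before_nat": esp_verify(tun),
        "esp_after_nat": esp_verify(nat_tun),              # only the outer header changed: passes
        "inner_src_after_nat": str(ipaddress.IPv4Address(nat_tun[40:44])),   # inner header intact
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value!r}")
```

The AH packet fails verification after the rewrite because the address is one of the fields the ICV was computed over, and the router cannot recompute the ICV without the key. The ESP tunnel packet still verifies because its ICV starts after the outer header, and the original source address survives untouched inside the encapsulated inner packet, which is what the far end routes on after decapsulation. A surviving ICV does not make NAT painless, though: NAT devices track flows by TCP/UDP ports, which ESP does not expose, so in practice ESP is carried inside UDP (NAT traversal, RFC 3948) whenever a peer sits behind a NAT.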
1 - https://en.wikipedia.org/wiki/IPsec
2 - http://tools.ietf.org/html/rfc4301#page-4
3 - https://tools.ietf.org/html/rfc5386