IPsec is a very complicated and very extensible system for network security. IPsec uses symmetric ciphers for encryption and HMAC for data authentication. Internet Key Exchange (IKE) is basically an authenticated Diffie-Hellman exchange. There are several ways of authenticating it: one uses digital signatures, another involves HMACing a shared secret, and a third uses public key encryption to authenticate a peer.
IKE, the standard IPsec key exchange, has an option for perfect forward secrecy. It adds extra overhead, because a fresh Diffie-Hellman exchange is performed at each rekey interval. Denial of service attacks are possible because an attacker can force the computer to do unnecessary work while it tries to achieve security, which can effectively shut the computer down. A DoS attack can be launched against a cryptographic system whenever the attacker can cause the system to do more work in response to the attack than is needed to launch it. Thankfully, IPsec and IKE are constructed with partial defenses against denial of service attacks, but these merely increase the cost and complexity of launching them rather than preventing them.
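To make the work asymmetry concrete, here is an added toy model (not code from the post, and not an implementation of IKE itself) of a responder that either performs the Diffie-Hellman exponentiation for every initiation it receives, or first demands a stateless cookie, the defense IKEv2 uses. A peer at a forged address never sees the cookie, so it cannot make the responder do the expensive step; a legitimate peer simply retries with the cookie. The group, addresses and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed toy DH group: a Mersenne prime with generator 2. Far too small
# for real use; IKE negotiates standardized groups of 2048 bits and more.
P = 2**127 - 1
G = 2


def dh_public(priv: int) -> int:
    """One modular exponentiation: the costly step a responder should not spend on unverified peers."""
    return pow(G, priv, P)


@dataclass
class Responder:
    cookie_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    require_cookie: bool = False
    modexps: int = 0                                # DH exponentiations actually performed
    half_open: dict = field(default_factory=dict)   # per-exchange state held by the responder

    def cookie_for(self, src_addr: str, init_nonce: bytes) -> bytes:
        # Stateless: recomputed from the request, so nothing is stored until the peer proves reachability.
        return hmac.new(self.cookie_key, src_addr.encode() + init_nonce, hashlib.sha256).digest()[:16]

    def handle_init(self, src_addr: str, init_nonce: bytes, init_pub: int, cookie: bytes = b""):
        """Return ('cookie', c) to ask the peer to retry, or ('ke', pub) after doing the DH work."""
        if self.require_cookie:
            expected = self.cookie_for(src_addr, init_nonce)
            if not cookie or not hmac.compare_digest(cookie, expected):
                return ("cookie", expected)         # cheap: one HMAC and no stored state
        priv = secrets.randbelow(P - 2) + 1
        self.modexps += 1
        self.half_open[(src_addr, init_nonce)] = (priv, init_pub)
        return ("ke", dh_public(priv))


def spoofed_flood(responder: Responder, count: int) -> int:
    """Initiations from forged source addresses; the sender never receives the replies."""
    for i in range(count):
        responder.handle_init(f"10.0.{i // 256}.{i % 256}", secrets.token_bytes(8), 2)
    return responder.modexps


def legitimate_exchange(responder: Responder) -> bool:
    """Real initiator: receives the cookie, retries with it, and both sides derive the same DH secret."""
    priv_i, nonce = secrets.randbelow(P - 2) + 1, secrets.token_bytes(8)
    pub_i = dh_public(priv_i)
    kind, payload = responder.handle_init("192.0.2.10", nonce, pub_i)
    if kind == "cookie":
        kind, payload = responder.handle_init("192.0.2.10", nonce, pub_i, cookie=payload)
    priv_r, _ = responder.half_open[("192.0.2.10", nonce)]
    return kind == "ke" and pow(payload, priv_i, P) == pow(pub_i, priv_r, P)
```

Without the cookie, every forged initiation costs the responder one exponentiation and a state entry; with it, the flood costs the responder only HMACs while a genuine peer still completes the exchange with one extra round trip.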