IPSec Abbreviations Flashcards
(45 cards)
1
Q
DES
A
- Data Encryption Standard
- Encryption
2
Q
PSK
A
- Pre-shared Key
- Credential for mutually authenticating peers
3
Q
AES
A
- Advanced Encryption Standard
- Encryption
4
Q
MD5
A
- Message Digest 5
- Hashing algorithm that provides data integrity
5
Q
SHA
A
- Secure Hash Algorithm
- Authentication of packet data
6
Q
What does AH stand for and what are 3 services it provides?
A
- Authentication Header
- Data integrity
- Data Authentication
- Replay protection
7
Q
What does ESP stand for and what 4 services does it provide?
A
- Encapsulating Security Payload
- Data Integrity
- Data authentication
- Replay protection
- Encryption
8
Q
RSA
A
- Rivest Shamir Adleman
- Public Key exchange using digital certificates
- Mutually authenticates peers
9
Q
IKE
A
- Internet Key Exchange
- Authentication between 2 endpoints
- Establishes SAs
- SAs used to carry control and data plane traffic
10
Q
ECDSA
A
- Elliptic Curve Digital Signature Algorithm
- Encryption
11
Q
EAP
A
- Extensible Authentication Protocol
- Authentication method for IKEv2
12
Q
AES-GCM
A
- Advanced Encryption Standard Galois/Counter Mode
- Encryption
13
Q
ECDH
A
- Elliptic Curve Diffie Hellman
- Encryption
14
Q
ISAKMP
A
- Internet Security Association Key Management Protocol
- Framework for authentication and key exchanges to build ISAKMP SAs
15
Q
ESP-GCM
A
- Encapsulating Security Payload using Galois/Counter Mode
- Encryption
16
Q
GMAC
A
- Galois/Counter Message Authentication Code
- Message integrity
17
Q
Name two HMAC protocols.
A
- md5
- sha
18
Q
HMAC
A
Hashed Message Authentication Codes
19
Q
DH
A
- Diffie Hellman
- Allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure medium
- The shared secret key then becomes the input used to generate key material that secures the IKE SA.
20
Q
Which 2 transforms provide ESP with data integrity and encryption?
A
- esp-gcm
- esp-gmac
21
Q
What are the 2 modes for IKE phase 1 negotiation and how many messages are used by each mode?
A
- Main mode - 6 messages
- Aggressive mode - 3 messages
22
Q
What is the advantage and disadvantage of Main mode and Aggressive mode?
A
- Main mode takes longer but peer identities are hidden
- Aggressive mode is faster but the peer identities are exposed
23
Q
What are the 6 messages in Main Mode?
A
- MM1 - Initiator sends SA proposals to Responder
- MM2 - Responder replies with SA proposal that matched
- MM3 - Initiator starts DH key exchange
- MM4 - Responder sends its own key to Initiator
- MM5 - Initiator starts authentication by sending its IP address
- MM6 - Responder sends its IP address and completes authentication
24
Q
Name the 5 things that make up the SA proposal.
A
- Hash algorithm - MD5 or SHA
- Encryption algorithm - DES, 3DES, or AES
- Authentication method - PSK or Digital Certificates
- DH group - Group 1, 2, 5, and so on
- Lifetime - how long until Phase 1 tunnel will be torn down
25
Q
What is the default lifetime for the Phase 1 tunnel?
A
24 hours
26
Q
What are the 3 messages exchanged in Aggressive Mode?
A
- AM1 - Initiator sends SA, KEi, Ni, and IDi
- AM2 - Responder accepts SAr, KEr, Nr, IDr, and AUTH
- AM3 - Initiator sends AUTH
27
Q
What are the 3 messages sent during phase 2?
A
- QM1 - Initiator sends agreed-upon algorithms from phase 1 and Traffic Selector
- QM2 - Responder sends agreed-upon algorithms from phase 1 and Traffic Selector
- QM3 - Acknowledges the responder's previous message
28
Q
What is the name of the mode used during phase 2 IPsec SA establishment?
A
Quick mode
29
Q
During IKE phase 1 how many tunnels are built?
A
One single bi-directional tunnel.
30
Q
During phase 2 how many tunnels are built?
A
2 unidirectional tunnels - one in each direction
31
Q
PFS
A
- Perfect Forwarding Security
- Optional function for phase 2
- Provides for additional session keys not derived from previous ones
32
Q
At what point during phase 1 main mode is encryption started?
A
After the DH public key exchange is completed (after MM4)
33
Q
Describe the Main Mode messages from a high level.
A
- The first pair negotiate cryptographic ciphers
- The second pair exchange key material
- The third pair are encrypted and prove the identity
34
Q
What are 3 methods the IKE peers can authenticate each other?
A
- Pre-shared key
- RSA signatures
- RSA encrypted nonces
35
Q
What are 2 values used for IDs?
A
- IP address
- FQDN
36
Q
SPI
A
- Security Parameter Index
- Randomly generated 32-bit value that is used by a receiver to identify the SA to which an incoming packet should be bound
37
Q
How does IPsec provide access control?
A
By defining Traffic Selectors
38
Q
Another name for anti-replay?
A
Anti MiTM
39
Q
Another name for encryption?
A
Confidentiality
40
Q
Data Integrity (2 things)
A
- Packet hasn't been altered
- Source of the packet has been verified
41
Q
How is Data Integrity accomplished?
A
- Source device computes a HASH (MD5 or SHA) based on shared secret and packet contents
- The keyed HASH is inserted in the ICV field of the packet
- Destination decrypts HASH using the shared secret to validate data integrity
42
Q
What are the 3 packet headers for AH in transport mode?
A
- Original IP header
- AH header
- Original packet
43
Q
What are the 3 packet headers for AH in tunnel mode?
A
- New IP header
- AH header
- Original packet
44
Q
What are the 5 headers for ESP in transport mode?
A
- Original IP header
- ESP header
- Original Data
- ESP trailer
- ESP Auth
45
Q
What are the 5 packet headers for ESP in tunnel mode?
A
- New IP header from IPsec
- ESP header
- Original Packet
- ESP trailer
- ESP Auth