Internet Protocol Security (IPsec)
IPsec is a set of protocols defined by the Internet Engineering Task Force
(IETF) to secure packet exchange over unprotected IP/IPv6 networks such
as the Internet by authenticating and encrypting IP packets during a session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite (IPS). It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
IPsec mainly consists of 6 member protocols, which are the Encapsulating Security Payload (ESP), Authentication Header (AH), Data Encryption Standard (DES), Message Digest 5 (MD5), Secure Hash Algorithm (SHA) and Diffie-Hellman (DH).
Encapsulating Security Payload (ESP)
Encapsulating Security Payload (ESP) is a key protocol in the IPsec
(Internet Protocol Security) architecture, which is designed to provide a mix of
security services in IPv4 and IPv6. The IP Encapsulating Security
Payload (ESP) seeks to provide confidentiality and integrity by
encrypting the data to be protected and placing the encrypted data in the
data portion of the ESP packet.
Depending on the user's security
requirements, this mechanism may be used to encrypt either a
transport-layer segment (e.g., TCP, UDP, ICMP, IGMP) or an entire IP
datagram. Encapsulating the protected data is necessary to provide
confidentiality for the entire original datagram.
Authentication Header (AH)
AH is a protocol that provides authentication of either all or part
of the contents of a datagram through the addition of a header that is
calculated based on the values in the datagram. Which parts of the
datagram are used for the calculation, and where the header is placed,
depend on whether tunnel or transport mode is used.
The presence of the AH header allows the receiver to verify the integrity of the
message, but it does not encrypt the message. Thus, AH provides authentication but
not privacy (ESP is used to provide encryption).
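As an added illustration (not part of the original post), the following Python builds a transport-mode AH packet with HMAC-SHA1-96 over a constructed IPv4 header and payload, and shows that a router decrementing the TTL does not invalidate the integrity check value (ICV) while any change to the payload does. The field layout follows RFC 4302; the key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

AH_PROTO = 51
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC-SHA1 truncated to 96 bits

def build_ipv4_header(ttl, src, dst, total_len, proto=AH_PROTO):
    # Constructed IPv4 header (not a capture): version 4, IHL 5, checksum left 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)

def zero_mutable_fields(ip_header):
    # TOS, flags, fragment offset, TTL and checksum may change in transit, so AH zeroes them (RFC 4302).
    h = bytearray(ip_header)
    h[1] = 0                # DSCP/ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def build_ah(next_header, spi, seq, icv):
    # AH header: next header, payload len (32-bit words minus 2), reserved, SPI, sequence, ICV.
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def ah_icv(key, ip_header, ah_header, payload):
    # ICV covers the immutable IP fields, the AH header with its ICV zeroed, and the payload.
    ah_zeroed = ah_header[:12] + b"\x00" * ICV_LEN
    data = zero_mutable_fields(ip_header) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, ttl, src, dst, next_header, spi, seq, payload):
    # Sender side: build the IP header and AH header, then fill in the ICV.
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_header = build_ipv4_header(ttl, src, dst, total_len)
    ah = build_ah(next_header, spi, seq, b"\x00" * ICV_LEN)
    return ip_header, build_ah(next_header, spi, seq, ah_icv(key, ip_header, ah, payload)), payload

def ah_verify(key, ip_header, ah_header, payload):
    # Receiver side: recompute the ICV and compare in constant time.
    received = ah_header[12:12 + ICV_LEN]
    return hmac.compare_digest(ah_icv(key, ip_header, ah_header, payload), received)

if __name__ == "__main__":
    key = b"constructed-sample-key"   # in real IPsec this comes from IKE/Oakley key exchange
    ip, ah, data = ah_protect(key, 64, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, 0x100, 1, b"hello")
    assert ah_verify(key, ip, ah, data)
    assert ah_verify(key, ip[:8] + bytes([63]) + ip[9:], ah, data)   # TTL decremented by a router: still valid
    assert not ah_verify(key, ip, ah, b"hellp")                       # payload tampered: detected
```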
Data Encryption Standard (DES)
DES is a block cipher that uses a 56-bit key. A block cipher is an encryption algorithm that operates on a fixed-size
block of data. DES encrypts data in 64-bit blocks using a 64-bit key. The key appears to be a 64-bit key, but one bit in each of the 8 bytes
is used for error checking (parity), resulting in 56 bits of usable key. Because of this short key, DES is no longer considered secure and has been superseded by 3DES and AES in IPsec deployments.
Message Digest 5 (MD5)
This is a one-way hashing algorithm that produces a
128-bit hash. Both MD5 and the Secure Hash Algorithm (SHA) are variations
on MD4, designed to strengthen the security of that hashing
algorithm. SHA is more secure than MD4 and MD5. Cisco uses hashes for
authentication within the IPsec framework.
Secure Hash Algorithm (SHA)
This is a one-way hash put forth by NIST. SHA (in its 160-bit variant, SHA-1) is
closely modeled after MD4 and produces a 160-bit digest. Because SHA
produces a 160-bit digest, it is more resistant to brute-force attacks
than 128-bit hashes (such as MD5), but it is slower.
Diffie-Hellman (DH)
This is a method for establishing a shared key over an insecure medium. Diffie-Hellman is a component of Oakley, a key exchange protocol that defines how to acquire authenticated keying material.
Thank you for sharing. I have learnt some points that are not written in my blog post.
Good post. Very informative. Very well organized. Very good. I learnt lots of things that I never even found in my post. Really. Haikal Tan