Internet Protocol Authentication Header
There are two main advantages that the Authentication Header provides:
- Message Integrity – the message has not been modified on its way from the source.
- Source Authentication – the source is exactly the source from which we were expecting data.
Prerequisite: Internet Protocol version 6 (IPv6) Header
The IP Authentication Header (AH) is used to provide connection-less integrity and data origin authentication.
When a packet is sent from source A to destination B, it consists of the data we need to send and a header that carries information about the packet. The Authentication Header verifies the origin of the data and also covers the payload, so the receiver can confirm whether anything was modified in transit between source and destination. However, the values of some IP header fields legitimately change in transit (for example the hop count, options and extension headers), so such fields cannot be protected by the Authentication Header. In other words, the Authentication Header cannot protect every field of the IP header; it protects the fields that are essential to protect.
Authentication Header: The question arises how the IP header announces that the adjacent extension header is an Authentication Header. The protocol field in the IP header identifies the type of header that follows in the packet, so a protocol field value of 51 indicates an Authentication Header.
- Next Header – Next Header is an 8-bit field that identifies the type of header present after the Authentication Header. For TCP, UDP, a destination options header or some other extension header it stores the corresponding IP protocol number. For example, the number 4 in this field indicates IPv4, 41 indicates IPv6 and 6 indicates TCP.
- Payload Length – Payload Length is the length of the Authentication Header, expressed with a scaling factor of 4. Whatever the size of the header, divide it by 4 and then subtract 2. We subtract 2 because the first 8 bytes of the Authentication Header (the first two rows of the header diagram) are not counted; that is, Next Header, Payload Length, Reserved and Security Parameter Index are not included in the payload length. So if the Payload Length field holds X, the actual Authentication Header length is (X+2)*4 bytes.
- Reserved – This 16-bit field is set to zero by the sender, as it is reserved for future use.
- Security Parameter Index (SPI) – This is an arbitrary 32-bit value. It is a very important field, because it identifies all packets that belong to the present connection. If we are sending data from source A to destination B, both A and B must already know the algorithm and key they are going to use: authentication requires a hashing function and a key that only the source and destination know. The secret key between A and B is exchanged using the Diffie-Hellman algorithm, so the hashing algorithm and secret key for the connection's Security Parameter Index are fixed. Before data transfer starts a security association (SA) needs to be established, which means both parties communicate prior to the data exchange. The security association specifies the security parameter index, the hashing algorithm and the secret key that are being used.
- Sequence Number – This unsigned 32-bit field contains a counter value that increases by one for each packet sent, so every packet carries a sequence number. It starts from 0 and runs up to 2^32 – 1 (the largest unsigned 32-bit value), and there is no wrap-around. When all sequence numbers are used up, we cannot wrap around because that is not allowed, so the connection is ended and re-established, and the transfer of the remaining data resumes from sequence number 0. Sequence numbers are basically used to stop replay attacks. In a replay attack the same message is sent twice or more, and the receiver cannot tell whether both messages came from a single source. Say I request $100 from the receiver and an intruder in between replays the request for another $100; the receiver cannot tell that an intruder is involved.
- Authentication Data (Integrity Check Value) – Authentication Data is a variable-length field that contains the Integrity Check Value (ICV) for the packet. Using the hashing algorithm and the secret key, the sender creates a message digest that is sent to the receiver. The receiver applies the same hashing algorithm and secret key; if both message digests match, the receiver accepts the data, otherwise it discards the packet because the message was modified in transit. So authentication data is used to verify the integrity of the transmission. The length of the Authentication Data depends on the hashing algorithm chosen.
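The field layout, the Payload Length arithmetic and the ICV check described above, as an added example (not code from the original article): it builds an AH with HMAC-SHA1-96 as the hash, then parses and verifies it. The key, addresses and payload are constructed sample values, and the caller is assumed to have already zeroed the mutable IP header fields.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # value in the IP protocol / next header field that announces AH
ICV_LEN = 12       # HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits

def ah_payload_len(total_ah_bytes):
    """AH Payload Length field: header length in 32-bit words minus 2."""
    return total_ah_bytes // 4 - 2

def build_ah(next_header, spi, seq, key, ip_immutable, payload):
    """Build an AH (with ICV) covering ip_immutable || AH || payload.
    ip_immutable: the IP header with its mutable fields (hop limit, options,
    checksum, ...) already zeroed, as AH does before computing the ICV."""
    total = 12 + ICV_LEN                                  # 24 bytes
    fixed = struct.pack("!BBHII", next_header, ah_payload_len(total), 0, spi, seq)
    # The ICV is computed with the Authentication Data field itself set to zero.
    mac_input = ip_immutable + fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, mac_input, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv

def parse_ah(ah):
    """Decode the AH fields; total length is recovered as (Payload Length + 2) * 4."""
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    total = (payload_len + 2) * 4
    return {"next_header": next_header, "payload_len": payload_len,
            "reserved": reserved, "spi": spi, "seq": seq,
            "icv": ah[12:total], "total_len": total}

def verify_ah(ah, key, ip_immutable, payload):
    """Receiver side: recompute the ICV with the shared key and compare in constant time."""
    f = parse_ah(ah)
    mac_input = ip_immutable + ah[:12] + b"\x00" * len(f["icv"]) + payload
    expected = hmac.new(key, mac_input, hashlib.sha1).digest()[:len(f["icv"])]
    return hmac.compare_digest(expected, f["icv"])

# Constructed sample values (not from a real capture). The IPv4 header below has
# ID, flags/fragment, TTL and checksum zeroed; only protocol (51) and addresses remain.
KEY = b"constructed-shared-key"
IP_IMMUTABLE = (b"\x45\x00\x00\x40" + b"\x00" * 5 + bytes([AH_PROTOCOL]) + b"\x00\x00"
                + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
PAYLOAD = b"TCP segment bytes (constructed)"
AH = build_ah(6, spi=0x1000, seq=1, key=KEY, ip_immutable=IP_IMMUTABLE, payload=PAYLOAD)
```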
Modes of operations in Authentication Header:
There are two modes in the Authentication Header:
- Authentication Header Transport Mode
- Authentication Header Tunnel Mode
- Authentication Header Transport Mode: In transport mode, the Authentication Header lies between the original IP header and the IP packet's original TCP header.
- Authentication Header Tunnel Mode: In tunnel mode, the entire original IP packet is authenticated, and the Authentication Header is inserted between the original IP header and a new outer IP header. Here the inner IP header contains the ultimate source and destination IP addresses, whereas the outer IP header contains different IP addresses, namely those of the firewalls or other security gateways.
How does the header deal with replay attacks?
- In a replay attack, the attacker captures a copy of an authenticated packet and later sends it to the intended destination. Because the same packet is received twice, the destination user can face problems. To counter this, the Authentication Header uses the Sequence Number field.
- At the initial stage, the value of this field is set to 0. Whenever the sender sends a packet to the same receiver over the same SA, it increments the field's value by 1. If the number of packets sent over the same SA would exceed this number, the sender must establish a new SA with the receiver before continuing.
- On the receiver side, the receiver maintains a sliding window of size W; the default value of W is 64. The right edge of this window represents the highest sequence number N received so far for a valid packet. When the receiver gets a packet from the sender, it performs an action that depends on the packet's sequence number relative to the window.
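The sender-side counter and the receiver's sliding anti-replay window, as an added example (not from the original article). The window is kept as a 64-bit bitmap whose right edge is the highest accepted sequence number N; the three outcomes (newer than N, inside the window, or left of the window) are the ones a receiver has to distinguish. The class and method names are assumed for this illustration.

```python
WINDOW = 64             # default anti-replay window size W
SEQ_MAX = 2**32 - 1     # largest value of the unsigned 32-bit Sequence Number

class AhSender:
    """Per-SA sequence counter: starts at 0, increments by one per packet, never wraps."""
    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq == SEQ_MAX:
            # Sequence space exhausted: the page's rule is to set up a new SA, not wrap.
            raise RuntimeError("sequence numbers exhausted, establish a new SA")
        self.seq += 1
        return self.seq

class AhReceiver:
    """Sliding-window replay check. bit i of bitmap set => sequence (right - i) seen."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.right = 0      # highest sequence number N accepted so far
        self.bitmap = 0

    def check(self, seq):
        """Return True if seq is accepted (and recorded), False for a replay or a stale packet."""
        if seq > self.right:
            # Newer than anything seen: slide the window right and mark seq as seen.
            shift = seq - self.right
            if shift >= self.window:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.window:
            return False    # left of the window: too old to track, discard
        if self.bitmap & (1 << offset):
            return False    # already received: this is a replay
        self.bitmap |= 1 << offset
        return True         # in the window and not yet seen (out-of-order delivery)
```

Packets may arrive out of order inside the window and still be accepted, but each sequence number is accepted at most once.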
Conclusion: How can the Authentication Header be useful?
- Message Integrity is also known as Connection-less Integrity
- Source Authentication
- Replay attack protection