A Security Architecture for the Internet Protocol

  title={A Security Architecture for the Internet Protocol},
  author={Pau-Chen Cheng and Juan A. Garay and Amir Herzberg and Hugo Krawczyk},
  journal={IBM Syst. J.},
In this paper we present the design, rationale, and implementation of a security architecture for protecting the secrecy and integrity of Internet traffic at the Internet Protocol (IP) layer. The design includes three components: (1) a security policy for determining when, where, and how security measures are to be applied; (2) a modular key management protocol, called MKMP, for establishing shared secrets between communicating parties and meta-information prescribed by the security policy; and… 

An architecture for the Internet Key Exchange Protocol

  • P. Cheng
  • Computer Science
    IBM Syst. J.
  • 2001
This protocol is used to create and maintain Internet Protocol Security associations and secure tunnels in the IP layer and has been transferred to IBM's AIX, Application System/400®, and System/390® products.

Security issues in networks with Internet access

  • C. LandwehrDavid M. Goldschlag
  • Computer Science
    Proc. IEEE
  • 1997
The principles of designing and administering a relatively secure network are illustrated by describing the security issues a hypothetical company faces as the networks that support its operations evolve from strictly private, to a final state in which the Internet is finally integrated into its operations and the company participates in international electronic commerce.

Transparent Network Security Policy Enforcement

The OpenBSD ethernet bridge is extended to perform simple IP packet filtering and IPsec processing for incoming and outgoing packets on behalf of a protected node, completely transparently to both the protected and the remote communication endpoint.

Internet security architecture

  • R. Molva
  • Computer Science
    Comput. Networks
  • 1999

Internet Security Association and Key Management Protocol (ISAKMP)

A Security Association protocol that negotiates, establishes, modifies and deletes Security Associations and their attributes is required for an evolving Internet, where there will be numerous security mechanisms and several options for each security mechanism.

Implementing Mandatory Network Security In A Policy-Flexible System

This work deals with the design and implementation of a more comprehensive and exible network security architecture that enforces a mandatory access control policy on network-related operations and a mandatory cryptographicpolicy on network tra c.

C-ISCAP ( Controlled Internet Secure Connectivity Assurance Platform ) : Design , Implementation and Evaluation

The design and implementation of C-ISCAP is proposed, which is IPsec-based Internet information security system and also the data of performance measurement is shown.

A Framework for Network Security System Design ∗

This work presents a framework for network security system development that introduces a new phase in the usual procedure: the network security design . The main goal of this phase is to bridge the

Modeling advanced security aspects of key exchange and secure channel protocols

This thesis introduces a new model for multi-stage key exchange to capture that recent designs for secure connections establish several cryptographic keys for various purposes and with differing levels of security, and introduces a formalism for key confirmation.

Transport Layer Security ( TLS ) – A Network Security Protocol for E-commerce

An overview of the design and workings of the TLS protocol and how it enables network security for E-commerce is provided and a comparison between the IPSec security protocol and TLS in the context of Ecommerce applications is compared.



Internet Security Association and Key Management Protocol (ISAKMP)

A Security Association protocol that negotiates, establishes, modifies and deletes Security Associations and their attributes is required for an evolving Internet, where there will be numerous security mechanisms and several options for each security mechanism.

Design and Implementation of Modular Key Management Protocol and IP Secure Tunnel on AIX

This paper presents the design principles, architecture, implementation and performance of our modular key management protocol (MKMP) and an IP secure tunnel protocol (IPST) which protects the

The Internet IP Security Domain of Interpretation for ISAKMP

This document defines the Internet IP Security DOI (IPSEC DOI), which instantiatesISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.

IP Security Document Roadmap

The interrelationship and organization of the various documents covering the IPsec protocol are discussed and an explanation of what to find in which document, and what to include in new Encryption Algorithm and Authentication Algorithm documents are described.

The KryptoKnight family of light-weight protocols for authentication and key distribution

The paper argues that key distribution may require substantially different approaches in different network environments and shows that the proposed family of protocols offers a flexible palette of compatible solutions addressing many different networking scenarios.

Systematic Design of a Family of Attack-Resistant Authentication Protocols

A methodology for systematically building and testing the security of a family of cryptographic two-way authentication protocols that are as simple as possible yet resistant to a wide class of attacks, efficient, easy to implement and use, and amenable to many different networking environments is described.

SKEME: a versatile secure key exchange mechanism for Internet

  • H. Krawczyk
  • Computer Science
    Proceedings of Internet Society Symposium on Network and Distributed Systems Security
  • 1996
SKEME constitutes a compact protocol that supports a variety of realistic scenarios and security models over Internet and provides clear tradeoffs between security and performance as required by the different scenarios without incurring in unnecessary system complexity.

Network (In)Security Through IP Packet Filtering

The utility of IP packet filtering as a network security measure is examined, and it is contrasted to alternative network security approaches such as application-level gate-based approaches.

IP Encapsulating Security Payload (ESP)

This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide

The OAKLEY Key Determination Protocol

The OAKLEY protocol supports Perfect Forward Secrecy, compatibility with the ISAKMP protocol for managing security associations, user-defined abstract group structures for use with the Diffie-Hellman algorithm, key updates, and incorporation of keys distributed via out-of-band mechanisms.