CompTIA Security+ Exam Notes

Let Us Help You Pass

Friday, January 10, 2025

Encapsulating Security Payload (ESP): Ensuring Data Confidentiality and Integrity

ESP (Encapsulating Security Payload)

Encapsulating Security Payload (ESP) is a security protocol within the IPsec suite that provides encryption and authentication for data packets transmitted over a network. It safeguards the confidentiality and integrity of the information by encrypting the payload and verifying its origin, which prevents unauthorized access to, and tampering with, the data while it is in transit. ESP operates by adding a header and a trailer to the IP packet, allowing two devices to communicate securely using encryption with a shared secret key. It can be used in either "transport mode" (encrypting only the data portion) or "tunnel mode" (encrypting the entire IP packet, including the header), depending on the desired security level.

Key points about ESP:

  • Function: ESP primarily provides data confidentiality by encrypting the payload of an IP packet, ensuring only the intended recipient can decipher the information.
  • Authentication: While encryption is the primary function, ESP can provide optional data origin authentication through integrity checks, verifying the sender's identity and preventing spoofing attacks.
  • Integrity Check: ESP utilizes a cryptographic hash function to generate an Integrity Check Value (ICV) that is added to the packet. This allows the receiver to verify whether the data has been tampered with during transmission.
  • Replay Protection: Sequence numbers in the ESP header help prevent replay attacks, in which an attacker attempts to resend a captured packet to gain unauthorized access.
  • Encryption Algorithm: ESP uses symmetric encryption algorithms such as AES (Advanced Encryption Standard), in which the sender and receiver share the same secret key for encryption and decryption.

How ESP works:

1. Encapsulation: When a device wants to send data, it creates an ESP header containing encryption parameters and an ICV, then adds it to the beginning of the data payload.

2. Encryption: The entire data payload (including the ESP header) is encrypted using the shared secret key between the sender and receiver.

3. ESP Trailer: An ESP trailer containing authentication information is added at the end of the encrypted data.

4. Transmission: The encapsulated packet is then transmitted over the network.

5. Decryption: Upon receiving the packet, the recipient uses the shared secret key to decrypt the data, verifying the ICV to ensure data integrity.
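The packet layout and checks below are an added example written for this post; they are not code from the original post or from any IPsec implementation. The Go program builds and unpacks a transport-mode ESP packet using AES-GCM (the combined encryption-plus-integrity mode IPsec defines in RFC 4106) with a constructed key, salt and SPI, and it implements the RFC 4303 anti-replay sliding window that the sequence-number bullet above refers to. One detail worth noticing in the wire format: the SPI and sequence number travel in clear text ahead of the encrypted payload and trailer, and the ICV comes last, after everything it protects, so the receiver verifies the ICV before it decrypts or uses any byte of the payload.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo Security Association (SA) values; real ones are negotiated by IKE.
var saKey, saSalt = []byte("0123456789abcdef"), []byte{0xde, 0xad, 0xbe, 0xef}

const saSPI uint32 = 0x1000 // Security Parameters Index (constructed)
const nextHeaderTCP byte = 6 // protocol number carried in the ESP trailer
const gcmIVLen = 8           // explicit IV sent on the wire (RFC 4106)

// Encapsulate builds one transport-mode ESP packet with AES-GCM-128:
//   SPI | Seq | IV | {payload | pad | pad length | next header} encrypted | ICV
// SPI and Seq stay in clear text but are covered by the ICV (passed as AAD).
func Encapsulate(seq uint32, payload []byte, nextHdr byte) ([]byte, error) {
	block, _ := aes.NewCipher(saKey) // key length is fixed above, so this cannot fail
	aead, _ := cipher.NewGCM(block)  // 12-byte nonce = salt(4) || IV(8); 16-byte ICV
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], saSPI)
	binary.BigEndian.PutUint32(hdr[4:8], seq)
	iv := make([]byte, gcmIVLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	// RFC 4303 trailer: pad bytes 1,2,3... until (payload + 2 trailer bytes) is 4-byte aligned.
	padLen := (4 - (len(payload)+2)%4) % 4
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHdr)
	nonce := append(append([]byte{}, saSalt...), iv...)
	sealed := aead.Seal(nil, nonce, plain, hdr) // ciphertext || ICV
	return append(append(hdr, iv...), sealed...), nil
}

// Decapsulate verifies the ICV before touching any payload byte, then strips the trailer.
func Decapsulate(pkt []byte) (seq uint32, payload []byte, nextHdr byte, err error) {
	if len(pkt) < 8+gcmIVLen+16+2 || binary.BigEndian.Uint32(pkt[0:4]) != saSPI {
		return 0, nil, 0, errors.New("packet too short or unknown SPI (no matching SA)")
	}
	hdr := pkt[:8]
	seq = binary.BigEndian.Uint32(hdr[4:8])
	block, _ := aes.NewCipher(saKey)
	aead, _ := cipher.NewGCM(block)
	nonce := append(append([]byte{}, saSalt...), pkt[8:8+gcmIVLen]...)
	plain, err := aead.Open(nil, nonce, pkt[8+gcmIVLen:], hdr)
	if err != nil {
		return 0, nil, 0, fmt.Errorf("integrity check failed, packet dropped: %w", err)
	}
	nextHdr, padLen := plain[len(plain)-1], int(plain[len(plain)-2])
	if padLen+2 > len(plain) {
		return 0, nil, 0, errors.New("bad pad length")
	}
	return seq, plain[:len(plain)-2-padLen], nextHdr, nil
}

// ReplayWindow is the RFC 4303 anti-replay sliding window (size <= 64):
// bit 0 of bitmap marks the highest sequence number seen, bit i the one i below it.
type ReplayWindow struct {
	size, top uint32
	bitmap    uint64
}

// Check accepts each sequence number once; duplicates and packets older than the window are dropped.
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq == 0 { // sequence numbers start at 1
		return false
	}
	if seq > w.top { // newer than anything seen: slide the window forward
		if shift := seq - w.top; shift >= w.size {
			w.bitmap = 0
		} else {
			w.bitmap <<= shift
		}
		w.bitmap, w.top = w.bitmap|1, seq
		return true
	}
	diff := w.top - seq
	if diff >= w.size || w.bitmap&(1<<diff) != 0 { // fell behind the window, or already seen
		return false
	}
	w.bitmap |= 1 << diff
	return true
}

func main() {
	pkt, _ := Encapsulate(1, []byte("GET / HTTP/1.1"), nextHeaderTCP)
	seq, data, nh, err := Decapsulate(pkt)
	fmt.Printf("seq=%d next=%d payload=%q err=%v\n", seq, nh, data, err)
}
```

Flipping any bit of the packet, including the clear-text sequence number, makes Decapsulate return an integrity error instead of data, which is the behaviour a receiver relies on; the replay window then rejects a second copy of an already accepted sequence number even though its ICV is valid.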

Modes of operation:

  • Transport Mode: In this mode, only the data payload within the IP packet is encrypted, leaving the IP header visible.
  • Tunnel Mode: In tunnel mode, the entire IP packet, including the header, is encapsulated and encrypted, providing a higher level of security. This mode is typically used for network-to-network communication.

Key points to remember about ESP:

  • ESP is a core component of the IPsec protocol suite.
  • It provides confidentiality and optional authentication for data packets.
  • ESP uses symmetric encryption with a shared secret key.
  • It operates in transport and tunnel modes, depending on the security requirements.
This is covered in CompTIA Network+ and Security+.

Wednesday, October 9, 2024

CVSS Metrics


This is covered in the CompTIA CySA+ course.

Here are some examples of metrics used in the Common Vulnerability Scoring System (CVSS):

Attack Vector (AV)

How an attack can be executed, with higher scores for remote attacks:

Network (N): Remotely exploitable

Adjacent (A): Requires network adjacency for exploitation

Local (L): Not exploitable over a network

Physical (P): Requires physical interaction with the target system

Attack Complexity (AC)

How difficult it is to execute the attack:

Low: Easier to exploit

High: More challenging to exploit

Privileges Required (PR)

The level of access needed to exploit the vulnerability:

None: Unauthenticated

User Interaction (UI)

Whether the attacker needs to involve a user in the exploit:

Passive: The user needs to do something, like accidentally visiting a malicious website

Active: The user needs to do something, like executing a malicious office macro

Scope (S)

Whether the exploit affects only the local security context: Unchanged (U) or Changed (C)

Confidentiality (C)

High (H), Low (L), or None (N)

Integrity (I)

High (H), Low (L), or None (N)

Availability (A)

High (H), Low (L), or None (N)

Score Categories

Score   Description
0       None
0.1+    Low
4.0+    Medium
7.0+    High
9.0+    Critical

Here is a link to a CVSS calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

This is covered in CompTIA CySA+.

Friday, January 18, 2019

C - I - A: Confidentiality - Integrity - Availability


CIA

Confidentiality: Making certain information (data) is only viewable by certain people.

1. Encryption is the main method for confidentiality, whether it is file encryption, full disk encryption, or full device encryption for mobile devices. A user who needs to read the information must first have the decryption key to decipher it.

2. Access control lists (ACLs) are another method of providing confidentiality. This is not as secure as using encryption. There are different access control models, such as MAC (Mandatory Access Control), DAC (Discretionary Access Control), Role-BAC (Role-Based Access Control), Rule-BAC (Rule-Based Access Control), and ABAC (Attribute-Based Access Control). These methods and examples will be discussed in a different post.

3. Steganography: With this method, you hide a document inside another file, such as a document, photo, video file, or audio file. The carrier (the file used to hide the data, which has to be larger than the file you are hiding) looks the same as before; audio and video carriers still play.

Steganography is "Security through Obscurity"

Steganography can be used in some cases to bypass security controls such as DLP (Data Loss Prevention) systems. One way to detect this activity is file integrity monitoring: you keep the hash of the original file, and any modification to the file produces a different hash.

For the "Use Case" of confidentiality, encryption is used.

Integrity: Making sure that the data has not been altered, changed, corrupted, or modified by intentional or accidental means. 

Verifying integrity is provided through hashing. Hashing is a one-way function that produces a fixed-length output that cannot be reversed to produce the original input.

For the use case of integrity, hashing is used.
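An added example, not from the original post, covering the hashing point just above and the file integrity monitoring approach mentioned in the steganography paragraph: SHA-256 (from Go's standard library) produces a fixed 64-hex-character digest regardless of input size, a baseline of digests is taken for the monitored files, and a later pass reports which files changed, appeared, or disappeared. File paths and contents are constructed in memory so the program runs without touching disk.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Fingerprint returns the SHA-256 digest of data as 64 hex characters. The length
// is the same for a 1-byte or a 1-GB input, and the digest cannot be reversed to
// recover the input; changing a single bit of the input changes the digest.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Baseline records a digest for every monitored file (path -> digest).
func Baseline(files map[string][]byte) map[string]string {
	b := make(map[string]string, len(files))
	for path, data := range files {
		b[path] = Fingerprint(data)
	}
	return b
}

// Compare re-hashes the current files and reports what differs from the baseline.
func Compare(baseline map[string]string, current map[string][]byte) (modified, added, removed []string) {
	for path, data := range current {
		old, known := baseline[path]
		switch {
		case !known:
			added = append(added, path)
		case old != Fingerprint(data): // content changed, even if size and name did not
			modified = append(modified, path)
		}
	}
	for path := range baseline {
		if _, still := current[path]; !still {
			removed = append(removed, path)
		}
	}
	sort.Strings(modified)
	sort.Strings(added)
	sort.Strings(removed)
	return modified, added, removed
}

func main() {
	// Constructed sample "files"; a real monitor would read them from disk on a schedule.
	original := map[string][]byte{
		"/srv/www/logo.png":    []byte("PNG-bytes-of-the-company-logo"),
		"/etc/ssh/sshd_config": []byte("PermitRootLogin no\n"),
	}
	base := Baseline(original)

	// Later snapshot: extra bytes were appended to the image (it would still display),
	// the SSH config is untouched, and a new file appeared.
	later := map[string][]byte{
		"/srv/www/logo.png":    append(append([]byte{}, original["/srv/www/logo.png"]...), "-extra-bytes"...),
		"/etc/ssh/sshd_config": original["/etc/ssh/sshd_config"],
		"/srv/www/upload.bin":  []byte("new content"),
	}
	mod, add, rem := Compare(base, later)
	fmt.Println("modified:", mod, "added:", add, "removed:", rem)
}
```

The monitor only knows that the image changed, not what was put inside it, but that is enough to raise an alert on a file that should never change; the baseline itself must be stored somewhere the monitored host cannot rewrite, otherwise an attacker who alters a file can re-baseline it too.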

Availability: This means that the information/data is accessible when it is needed, whether to view or to modify it.

Many things provide availability such as Load Balancing, Fault Tolerance, Alternate Sites (Hot, Warm, Cold, Mobile), Alternate Power (Generator, UPS), Backups, Patching, RAID, and HVAC.