Internet Protocol Authentication Header

The Internet Protocol Authentication Header (AH) is a component of the IPsec (Internet Protocol Security) suite that provides data integrity, data origin authentication, and optional anti-replay protection for IP packets. Authentication Header ensures that the data was not modified during transmission and verifies the identity of the sender. In this article, we will discuss Authentication Header.

What is an Authentication Header?

The Authentication Header (AH) is a security protocol used within the IPsec suite. Its primary function is to ensure that the message remains unmodified during transmission from the source and it confirms that the data originates from the expected source. Authentication Header achieves this by adding a header to IP packets, containing a checksum and a digital signature. Its main functions are:

• Message Integrity - It means, the message is not modified while coming from the source.
• Source Authentication - It means, the source is exactly the source from whom we were expecting data.

When a packet is sent from source A to Destination B, it consists of data that we need to send and a header that consists of packet information. The Authentication Header verifies the origin of data and also the payload to confirm if there has been modification done in between, during transmission between source and destination. However, in transit, values of some IP header fields might change (like- Hop count, options, extension headers). So, the values of such fields cannot be protected from Authentication header. Authentication header cannot protect every field of IP header. It provides protection to fields which are essential to be protected.

Authentication Header Format

• Next Header - Next Header is 8-bit field that identifies type of header present after Authentication Header. In case of TCP, UDP or destination header or some other extension header it will store correspondence IP protocol number . Like, number 4 in this field will indicate IPv4, number 41 will indicate IPv6 and number 6 will indicate TCP.
• Payload Length - Payload length is length of Authentication header and here we use scaling factor of 4. Whatever be size of header, divide it by 4 and then subtract by 2. We are subtracting by 2 because we’re not counting first 8 bytes of Authentication header, which is first two row of picture given above. It means we are not including Next Header, Payload length, Reserved and Security Parameter index in calculating payload length. Like, say if payload length is given to be X. Then (X+2)*4 will be original Authentication header length.

• Reserved - This is 16-bit field which is set to “zero” by sender as this field is reserved for future use.
• Security Parameter Index (SPI) - It is arbitrary 32-bit field. It is very important field which identifies all packets which belongs to present connection. If we’re sending data from Source A to Destination B. Both A and B will already know algorithm and key they are going to use. So for Authentication, hashing function and key will be required which only source and destination will know about. Secret key between A and B is exchanged by method of Diffie Hellman algorithm. So Hashing algorithm and secret key for Security parameter index of connection will be fixed. Before data transfer starts security association needs to be established. In Security Association, both parties needs to communicate prior to data exchange. Security association tells what is security parameter index, hashing algorithm and secret key that are being used.
• Sequence Number - This unsigned 32-bit field contains counter value that increases by one for each packet sent. Every packet will need sequence number. It will start from 0 and will go till 2^{32}     – 1 and there will be no wrap around. Say, if all sequence numbers are over and none of it is left but we cannot wrap around as it is not allowed. So, we will end connection and re-establish connection again to resume transfer of remaining data from sequence number 0. Basically sequence numbers are used to stop replay attack. In Replay attack, if same message is sent twice or more, receiver won’t be able to know if both messages are sent from a single source or not. Say, I am requesting 100$ from receiver and Intruder in between asked for another 100$. Receiver won’t be able to know that there is intruder in between.
• Authentication Data (Integrity Check Value) - Authentication data is variable length field that contains Integrity Check Value (ICV) for packet. Using hashing algorithm and secret key, sender will create message digest which will be sent to receiver. Receiver on other hand will use same hashing algorithm and secret key. If both message digest matches then receiver will accept data. Otherwise, receiver will discard it by saying that message has been modified in between. So basically, authentication data is used to verify integrity of transmission. Also length of Authentication data depends upon hashing algorithm you choose.

How Does Authentication Header Work?

When a packet is sent from source A to destination B, it includes both data and a header. The Authentication Header verifies the origin of the data and checks if any modifications occurred during transmission. Note that some IP header fields (such as hop count, options, and extension headers) may change in transit and are not protected by Authentication Header. Authentication Header focuses on protecting essential fields within the IP header.

Modes of Operations in Authentication Header

• Authentication Header Transport Mode:  In the authentication header transport mode, it is lies between the original IP Header and IP Packets original TCP header.
• Authentication Header Tunnel Mode:  In this authentication header tunnel mode, the original IP packet is authenticated entire and the authentication header is inserted between the original IP header and new outer IP header. Here, the inner IP header contains the ultimate source IP address and destination IP address. whereas the outer IP header contains different IP address  that is IP address of the firewalls or other security gateways.

How does the Header Deals with Replay Attack?

• In a replay attack, the attacker a copy of an authenticated packet and then send to the intended destination. As the same packet received twice, the destination user can face some problems. To reduce this problem, the authentication header use a sequence number field. 
• At this initial stage, the value of this field is set to 0. whenever the sender sends the packets to the same receiver over the same SA, it increments the fields value by 1. If the number of packets over the same increase this number, then communication with the receiver sender must establishing a new SA with the receiver.
•  At the receiver side, the receiver maintains a sliding window size to W. The default value of W is 64. This window right edge represents the highest sequence number N received so far for a valid packet. When the receiver gets a packet from the sender, it perform some action. The appropriate action depends on the sequence number of the packet.       

Conclusion

The Internet Protocol Authentication Header (AH) is an important security protocol in the IPsec suite that ensures data integrity, source authentication, and anti-replay protection for IP packets. AH improves IP communication security by assuring data integrity and confirming the sender's identity. It runs in two modes, transit and tunnel, and employs sequence numbers to avoid replay attacks. While AH does not provide encryption, it is critical for ensuring the integrity and validity of data in transmission.