Upload
disha-shrivastava
View
245
Download
0
Embed Size (px)
Citation preview
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
1/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
111 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
2 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Advanced IPSecAlgorithms and Protocols
Session SEC-4010
Saadat Malik
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
2/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
333 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda
Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)
IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
444 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
3/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
555 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IPSec Composition
IPSec Combines Three Main Protocols into a
Cohesive Security Framework
IKEProvides Framework for the Negotiationof Security Parameters and
Establishment of Authenticated Keys
ESPProvides Framework for theEncrypting, Authenticating and
Securing Data
AHProvides Framework for theAuthenticating and Securing Data
666 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
What Is IKE?
IKE (Internet Key Exchange) (RFC 2409)Is a Hybrid Protocol
Oakley
Modes-Based Mechanism forArriving at an Encryption Key
between Two Peers
SKEME
Mechanism for UtilizingPublic Key Encryption
for Authentication
ISAKMP
Architecture for MessageExchange Including Packet
Formats and State Transitionsbetween Two Peers
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
4/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
777 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Why IKE?
IKE solves the problems of manualand unscalable implementation ofIPSec by automating the entire keyexchange process
Negotiation of SA characteristics
Automatic key generation
Automatic key refreshManageable manual configuration
888 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
How Does IKE Work?
Phase 1 ExchangePeers Negotiate a Secure, Authenticated Channel with which to
Communicate Main Modeor Aggressive Mode Accomplish a Phase I Exchange
Phase 2 Exchange
Security Associations Are Negotiated on Behalf of IPSec Services;Quick Mode Accomplishes a Phase II Exchange
IKE Is a TWO Phase Protocol
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
5/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
999 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
How Does IKE Work?
Quick Mode Quick Mode
Phase I SA (ISAKMP SA)
Phase II SA(IPSec SA)
Phase II SA(IPSec SA)
New IPSec Tunnel or Rekey
Protected DataA B Protected DataC D
Main Mode
(6 Messages)
Aggressive Mode
(3 Messages)
101010 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Digital Signature Authentication
(Last 2 Messages of Main Mode)
Presentation Flow
Main Mode
(First 4 Messages)
Quick Mode (3 Messages)
Pre-Shared Key Authentication
(Last 2 Messages of Main Mode)
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
6/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
111111 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Goal: Negotiation of IKE SA Parameters
IKE Phase 1 (Main Mode): Preparationfor Sending Message 1 and 2
Generation of Initiator Cookie
A 8 Byte Pseudo-Random Number Used for Anti-Clogging
CKY-I = md5{(src_ip, dest_ip), Random Number}
Generation of Responder Cookie
A 8 Byte Pseudo-Random Number Used for Anti-Clogging
CKY-R = md5{(src_ip, dest_ip), Random Number}
121212 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Transform Payload
Transform Payload10
Proposal Payload
Proposal Payload1Next Payload
IKE Phase 1 (Main Mode):
Sending Message 1The Initiator Proposes a Set of Attributes to Base the SA on
DOI Identifies the ExchangeTo Be Occurring to Setup IPSec
SPI = 0 For All Phase1 MessagesIncludes Proposal #,Protocol ID, SPI Size,# of Transforms, SPI(Two Proposals Shown Here)
Includes Transform #,Transform ID, SA Attributes,For Example, DES, MD5,DH 1, Pre Share, Timeout(Two Transform SetsShown Here)
Transform Payload1Next Payload
Transform Payload
Proposal Payload1Next Payload
Proposal Payload
SA Payload1Next Payload
SA Payload (Includes DOI and Situation)
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Calculated and Inserted Here)
VersionSA
Responder Cookie (Left 0 for Now)
Length
Length
Length
Length
Length
Initiator Responder
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
7/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
131313 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode):Sending Message 2
The Responder Sends Back the One Set of Attributes Acceptable to It
DOI Identifies the ExchangeTo Be Occurring toSetup IPSec
PROTO_ISAKMP,SPI = 0 for All Phase1 Messages
KEY_OAKLEY = typeDES, MD5, DH 1Pre-Share
Transform Payload10
Transform Payload (Includes Transform #, TransformID, SA Attributes)
Proposal Payload1Next Payload
Proposal Payload (Includes Proposal #, Protocol ID,
SPI Size, # of Transforms, SPI)
SA Payload1Next Payload
SA Payload (Includes DOI and Situation)
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionSA
Responder Cookie (Calculated and Inserted Here)
Length
Length
Length
Initiator Responder
141414 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode): Preparation
for Sending Message 3 and 4
Generation of DH Public Value by Initiator
DH Public Value = XaXa = g
a mod p
Where g Is the Generator and p a Large Prime Number
and a Is a Private Secret Known Only to the Initiator
Generation of DH Public Value by Responder
DH Public Value = XbXb = g
b mod p
Where g Is the Generator and p a Large Prime Number
and b Is a Private Secret Known Only to the Responder
Goal: Exchange of Information Required for KeyGeneration Using DH Exchange
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
8/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
151515 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode): Preparationfor Sending Message 3 and 4
Generation of a Nonce by Initiator
Nonce Is a Very Large Random NumberInitiator Nonce = Ni
Generation of a Nonce by Responder
Nonce Is a Very Large Random NumberResponder Nonce = Nr
161616 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode):
Sending Message 3
The Initiator Sends Its DH Public Value Xa and Nonce N i
DH Public Value = Xa
Nonce = NiNonce Payload Length00
Nonce Payload (Includes Nonce)
KE Payload0Next Payload
KE Payload (Includes DH Public Value)
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionNext Payload
Responder Cookie (Same as Before)
Initiator Responder
Length
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
9/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
171717 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode):Sending Message 4
DH Public Value = Xb
Nonce = Nr
Initiator Responder
The Responder Sends Its DH Public Value Xb and Nonce Nr
Nonce Payload Length00
Nonce Payload (Includes Nonce)
KE Payload0Next Payload
KE Payload (Includes DH Public Value)
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionNext Payload
Responder Cookie (Same as Before)
Length
181818 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode): Preparation
for Sending Message 5 and 6
Calculation of the Shared DH Secret by Initiator
Shared Secret = (Xb)a mod p
Calculation of the Shared DH Secret by Responder
Shared Secret = (Xa)b mod p
Goal: Exchange of AuthenticationInformation Using DH
(Xb)a mod p =
(Xa)b mod p
=gab
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
10/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
191919 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Presentation Flow
Main Mode
(First 4 Messages)
Quick Mode (3 Messages)
Pre-Shared Key Authentication
(Last 2 Messages of Main Mode)
202020 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Calculation of Three Keys (Initiator)
SKEYID_dUsed to Calculate Subsequent IPSec Keying Material
SKEYID_aUsed to Provide Data integrity and Authenticationto IKE Messages
SKEYID_eUsed to Encrypt IKE Messages
IKE Phase 1 (Main Mode): (Pre-Shared Keys)
Preparation for Sending Message 5 and 6
SKEYID_a =PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1)
SKEYID_e =PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
SKEYID_d = PRF (SKEYID, gab | CKY-I | CKY-R | 0)
SKEYID = PRF (Pre-Shared Key, Ni | Nr)
PRF = A Pseudo
Random Function
Based on the
Negotiated Hash
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
11/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
212121 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode): (Pre-Shared Keys)Preparation for Sending Message 5 and 6
Calculation of Three Keys (Responder)
SKEYID_dUsed to Calculate Subsequent IPSec Keying Material
SKEYID_aUsed to Provide Data integrity and Authenticationto IKE Messages
SKEYID_eUsed to Encrypt IKE Messages
SKEYID = PRF (Pre-Shared Key, Ni | Nr)
SKEYID_d = PRF (SKEYID, g
ab
| CKY-I | CKY-R | 0)
SKEYID_a =PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1)
SKEYID_e =PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
222222 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode):
(Pre-Shared Keys) Sending Message 5
Identification of Initiator(ID_I)Such as Host Name orIP Address
Hash_I=PRF (SKEYID, CKY-I,CKY-R, Pre-shared Key(PK-I), SA Payload,Proposals+Transforms,ID_I)
DOI Specific ID DataID Type
Hash Payload Length00
Hash Payload
Identity Payload0Next Payload
Identity Payload
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionNext Payload
Responder Cookie (Same as Before)
Initiator Responder
The Initiator Sends Its Authentication Material and ID
Length
SKEYID_
e
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
12/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
232323 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode):(Pre-Shared Keys) Sending Message 6
Identification of Responder(ID_R)Such as Host Name orIP Address
Hash_R=
PRF (SKEYID, CKY-I,CKY-R, Pre-Shared Key(PK-R), SA Payload,Proposals+Transforms,ID_R)
Initiator Responder
The Responder Sends Its Authentication Material and ID
DOI Specific ID DataID Type
Hash Payload Length00
Hash Payload
Identity Payload0Next Payload
Identity Payload
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionNext Payload
Responder Cookie (Same as Before)
Length
SKEYID_
e
242424 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode):
Completion of Phase 1
ISAKMP SA
Established!
Initiator Authenticates the Responder
1. Decrypt message using SKEYID_E
2. Find configured PK-R using ID_R
3. Calculate Hash_R on its own
4. If received Hash_R = self-generated Hash_R thenauthentication = successful!!
Responder Authenticates the Initiator
1. Decrypt message using SKEYID_E
2. Find configured PK-I using ID_I
3. Calculate Hash_I on its own
4. If received Hash_I = self-generated Hash_I thenauthentication = successful!!
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
13/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
252525 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Presentation Flow
Digital Signature Authentication
(Last 2 Messages of Main Mode)
Main Mode
(First 4 Messages)
Quick Mode (3 Messages)
262626 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode): (Digital Signatures)
Preparation for Sending Message 5 and 6Calculation of Three Keys (Initiator)
SKEYID_dUsed to Calculate Subsequent IPSec Keying MaterialSKEYID_aUsed to Provide Data Integrity and Authentication
to IKE MessagesSKEYID_eUsed to Encrypt IKE Messages
SKEYID_d = PRF (SKEYID, gab | CKY-I | CKY-R | 0)
SKEYID = PRF (Ni | Nr gab)
SKEYID_a =PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1)
SKEYID_e =PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
14/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
272727 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Calculation of Three Keys (Responder)
SKEYID_dUsed to Calculate Subsequent IPSec Keying MaterialSKEYID_aUsed to Provide Data Integrity and Authentication
to IKE MessagesSKEYID_eUsed to Encrypt IKE Messages
IKE Phase 1 (Main Mode): (Digital Signatures)Preparation for Sending Message 5 and 6
SKEYID = PRF (Ni | Nr gab)
SKEYID_d = PRF (SKEYID, g
ab
| CKY-I | CKY-R | 0)
SKEYID_a =PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1)
SKEYID_e =PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
282828 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Certificate DataCertificate Encoding
0 Certificate Payload Length
Signature Data
0
DOI Specific ID DataID Type
0Next Payload
Certificate Data
Identity Payload0Next Payload
Identity Payload
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionKE
Responder Cookie (Same as Before)
Signature Payload
IKE Phase 1 (Main Mode):
(Digital Signatures) Sending Message 5
Identification of Responder
(ID_I)
Such as Host Name or
IP Address
Signature
=Hash_I Encrypted with Priv_I
=
Priv_I {PRF (SKEYID, CKY-I,
CKY-R, SA Payload,
Proposals+Transforms,
ID_I)}
The Initiator Sends Its Authentication Material and ID
Initiator Responder
Length
Length
SKEYID_
e
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
15/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
292929 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Certificate DataCertificate Encoding
0 Certificate Payload Length
Signature Data
0
DOI Specific ID DataID Type
0Next Payload
Certificate Data
Identity Payload0Next Payload
Identity Payload
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionKE
Responder Cookie (Same as Before)
Signature Payload
Length
Length
IKE Phase 1 (Main Mode):(Digital Signatures) Sending Message 6
Identification of Responder
(ID_I)
Such as Host Name or
IP Address
Signature
=
Hash_I Encrypted with Priv_I=
Priv_I {PRF (SKEYID, CKY-I,
CKY-R, SA Payload,
Proposals+Transforms,
ID_I)}
The Responder Sends Its Authentication Material and ID
Initiator Responder
SKEYID_e
303030 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 1 (Main Mode): (Digital Signatures)
Completion of Phase 1
ISAKMP SAEstablished!
Initiator Authenticates the Responder
1. Decrypt message using SKEYID_E
2. Decrypt Hash_R using Pub_R
3. Calculate Hash_R on its own
4. If received Hash_R = self-generated Hash_R thenauthentication = successful!!
Responder Authenticates the Initiator
1. Decrypt message using SKEYID_E
2. Decrypt Hash_I using Pub_I
3. Calculate Hash_I on its own
4. If received Hash_I = self-generated Hash_I thenauthentication = successful!!
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
16/50
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
17/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
333333 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 2 (Quick Mode):Sending Message 1
Transform Payload
Transform Payload Length0
Proposal Payload0Next Payload
Proposal Payload
Next Payload
Transform Payload
Hash Payload
Hash Payload0SA
Transform Payload Length0Next Payload
Proposal Payload0Next Payload
Proposal Payload
SA Payload Length0Next Payload
SA Payload (Includes DOI and Situation)
Nonce Payload (Ni)
Nonce Payload Length0Next Payload
KE Payload
Keyload Payload0Next Payload
Identity Payload = ID-s
DOI Specific ID DataID Type
Identity Payload0Next Payload
Identity Payload = ID-d
DOI Specific ID DataID Type
Identity Payload00
Hash =PRF (SKEYID_a,Message ID, Ni, Proposals+Transforms, Xa)
Proposal:ESP or AH, SHA or MD5,DH 1 or 2, SPI(Two ProposalsShown Here)
Transform:Tunnel or Transport,IPSec Timeout
KE Payload = Xa
ID-s = Source ProxyID-d = Destination Proxy
Length
Length
Length
Length
Length
SKEYID_
e
343434 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 2 (Quick Mode):
Sending Message 2
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionKE
Responder Cookie (Same as Before)
Initiator Responder
The Responder Sends Authentication/Keying Materialand Proposes a Set of Attributes to Base the SA on
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
18/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
353535 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 2 (Quick Mode):Sending Message 2
Transform Payload (Accepted Transform)
Hash Payload
Hash Payload0Next Payload
Proposal Payload Length0Next Payload
Transform Payload Length0Next Payload
Proposal Payload (Accepted Proposal)
SA Payload0Next Payload
SA Payload (Includes DOI and Situation)
Nonce Payload (Nr)
Nonce Payload0Next Payload
KE Payload
KE Payload0Next Payload
Identity Payload = ID-s (Generally Similar to ID-d for Initiator)DOI Specific ID DataID Type
Identity Payload0Next Payload
Identity Payload = ID-d (Generally Similar to ID-s for Initiator)
DOI Specific ID DataID Type
Identity Payload00
Hash =
PRF (SKEYID_a, Message ID
Ni, Nr, Accepted Proposal+
Transform, Xb)
Proposal:
with Responders SPI
KE Payload = Xb
Length
Length
Length
Length
Length
Length
SKEYID_
e
363636 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 2 (Quick Mode):
Completion of Phase 2
Initiator Generates IPSec Keying Material
1. Generate new DH shared sSecret = (Xb)a mod p
2. IPSec session key =PRF (SKEYID_d, protocol (ISAKMP),new DH shared secret, SPIr, Ni, Nr)
Responder Generates IPSec Keying Material
1. Generate new DH shared secret = (Xa
)b mod p
2. IPSec session key =PRF (SKEYID_d, protocol (ISAKMP),new DH shared secret, SPIi, Ni, Nr)
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
19/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
373737 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE Phase 2 (Quick Mode):Sending Message 3
Hash Payload Length00
Hash Payload
Total Message Length
Message ID
FlagsExchange
Initiator Cookie (Same as Before)
VersionKE
Responder Cookie (Same as Before)
IPSec SAEstablished!
Hash
=
PRF (SKEYID_a, Message ID,
Ni, N
r)
Initiator Responder
The Initiator Sends across a Proof of Liveness
SKEY
ID_
e
383838 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Generate
DH Public Value
and Nonce
One Page Summary:
Pre-Shared Main Mode
HDR, SAchoice
Phase I SA Parameter Negotiation Complete
IDs Are Exchanged, HASH Is Verified for Authentication
ID and HASH Are Encrypted by Derived Shared Secret
HDR, KEI, Nonce I
HDR, KER, NonceR
DH Key Exchange Complete, Share Secret SKEYIDe
Derived
Nonce Exchange Defeat Replay
HDR, SAProposal
HDR*, IDR, HASHR
HDR*, IDI, HASHI
Generate
DH Public Value
and Nonce
DES
MD5
DH 1
Pre-Share
DES
MD5
DH 1
Pre-Share
DES
SH A
DH 2
Pre-Share
HASH I=HMAC(SKEYID,KEI|KER|cookieI|
cookieR|SA|IDI)
HASHR=HMAC(SKEYID,
KER|KEI|cookieR|cookieI|SA|IDR)
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
20/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
393939 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE
One Page Summary:Signatures Main Mode
Initiator Responder
DES
MD5DH 1
Rsa-sig
DES
MD5DH 1
Rsa-sig
Phase I SA Parameter Negotiation Complete
HDR*, IDI [,certI], Signature I
IDs Are Exchanged, Signature Is Verified for Authentication
ID and Signature Are Encrypted by Derived Shared Secret
HDR, KEI, Nonce I [,cert_req]
HDR*, IDR [,certR],signature
HDR, KER, NonceR [,cert_req]
DH Key Exchange Complete, Share Secret Derived
Nonce Exchange Defeat Replay, Optional cert_req
Generate
DH Public Value
and Nonce
Generate
DH Public Value
and Nonce
HASHI=HMAC(SKEYID,
KE I|K ER|cookieI|cookie
R|SA|ID
I)
HASHR=HMAC(SKEYID,
KER|K E
I|cookie
R|
cookieI|SA|ID
R)
DES
SHADH 2
Pre-ShareHDR, SAchoice
HDR, SAProposal
404040 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
One Page Summary: Quick Mode
HDR*, HASH2, SA
choice, Nonce
R, [,KE
R] [,ID
CI,ID
CR]
HDR*, HASH3
ESP
DES
SHAPFS 1
ESP
DES
SHAPFS 1
HDR*, HASH1, Sa
proposal, Nonce
I[,KE
I] [,ID
CI,ID
CR]
Initiator IPSec Responder
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
21/50
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
22/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
444444 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
PKI: IKE Authentication Architecture
Certificate
Authority
Key
Recovery
Certificate
Revocation
Registration and
Certification Issuance
Certificate
Distribution
Support for Non-Repudiation
Key StorageTrusted
Time Service
Key
Generation
474747 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Message
Hash of
MessageIf Hashes Are
Equal, Signature
Is Authentic
Hash
Function
Hash Message
Re-Hash the
Received
Message
Message
Message with
Appended
Signature
Signature
Decrypt the
Received
Signature
Decrypt Using
Alices Public Key
Signature Verification
Alice
Signature
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
23/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
484848 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Sign
4
Alice
Hash
Message Digest
CAsPrivate Key
Digital Certification
Alice
Certificate Authority
1
Requestfo
rCAs
Publi
cKey
Bob Trusts Alices
Public Key after Verifies
Her Signature Using CAs
Public Key
CASendsItsPubli
cKey
2
Alice
..
5
Bob(Already Has CAs Public Key)
7
3
Cert Req .
Alice
Convey Trust in Her Public Key
6Alice
..
505050 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
X.509 v3 Certificate
CA Digital Signature
Subject Unique ID
Issuer Unique ID
Subject PublicKey Info
Subject X.500 Name
Validity Period
Issuer (CA) X.500 Name
Signature Algorithm ID
Serial Number
Version
Algorithm ID
Public Key Value
Extension
Signing Algorithme.g. SHA1withRSA
CAs Identity
Users Identitye.g. cn, ou, o
Users Public Key (Boundto Users Subject Name)
Other User Infoe.g. subAltName, CDP
Signed by CAs Private Key
Lifetime of this Cert
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
24/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
565656 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Simple Certificate EnrollmentProtocol (SCEP)
A PKI communication protocol that supportssecure issuance certificates to network devicein a scalable manner
Use existing PKCS standards:
PKCS #1, RSA algorithms
PKCS #7, digital signature, digital envelop
PKCS #10, certificate request syntax
Uses HTTP as transport for certificateenrollment, access
Uses LDAP or HTTP for CRL support
575757 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
SCEP Overview
Getting CAs Certificate
Get CA/RA Cert: HTTP Request Message
Send CA/RA Cert: HTTP Response Message
Compute Fingerprint and
Call CA Operator Operator Check Fingerprint
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
25/50
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
26/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
616161 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Message Authenticationand Integrity Check Using Hash
MAC (Message Authentication Code): cryptographic checksum
generated by passing data thru a message authentication algorithm MAC is often used for message authentication and integrity check
HMACkeyed hashed-based MAC
?Insecure Channel
Sender Receiver
Message
MAC
Hash
Message
Hash Output
Hash
Message
MAC
MAC
Secret Key Only Known by Sender and Receiver
626262 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Commonly Used Hash Functions
(MD5 and SHA)
Both MD5 and SHA are derived based on MD4
MD5 provides 128-bit output, SHA provide 160-bit output;(only first 96 bits used in IPSec)
Both of MD5 and SHA are considered one-way stronglycollision-free hash functions
SHA is computationally slower than MD5, but more secure
Message Padding
Block1
(512 Bits)
Block2
(512 Bits)
Block n
(512 Bits)
IV
Last
Block
Hash128 Bits
128 Bits
H H H H
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
27/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
636363 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda
Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)
IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
656565 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Data Encryption Standard (DES)
Symmetric key encryption algorithm
Block cipher: works on 64-bit data block, use56-bit key (last bit of each byte used for parity)
Mode of operation: how to apply DES to encryptblocks of data
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)K-bit Cipher FeedBack (CFB)
K-bit Output FeedBack (OFB)
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
28/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
666666 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
DES CBC Mode
DES Encrypt( ) DES Encrypt( )DES Encrypt( )K K K
m 1 m 2 mn
C1 C2 Cn
IV
XOR XOR XORCn-1
mn
DES Decrypt( )Encrypt( )
DES Decrypt( )K K K
m 1 m 2
C1 C2 Cn
IV
XOR XOR XOR
DES Decrypt( )
Cn-1
676767 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Triple-DES
168-bit total key length
Mode of operation decides how to process DESthree times
Normally: encrypt, decrypt, encrypt More secure than DES but slower
So is 3DES optimally the fastest, the easiest toimplement and the securest algorithm out there?
DES DES DES
64-bitPlaintext Block
56-bit 56-bit 56-bit
64-bitCipher Text
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
29/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
686868 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Rijndaelthe chief drawback to thiscipher is the difficulty Americanshave pronouncing itThe designers,Vincent Rijmen and Joan Daemen,know what they are doing.
Bruce Schneier
696969 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
AES: the New Encryption Standard
Advanced Encryption Standard formerly knownas Rijndael
Successor to DES and 3DES
Will ultimately become the default ESP cipher
Symmetric key block cipher
Strong encryption with long expected life
AES can support 128, 192 and 256 keys
strengths but 128 is considered safe
HMAC-SHA-1 and HMAC-MD5 can serve as theIKE generators of the 128 bit AES keys
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
30/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
707070 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
AES: Pseudo Code
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr 1
SubBytes(state)
ShiftRows(state)
MixColumns (state)
AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end
717171 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
AES: The Complete Cipher
Input
Output
KeySchedule
Key 1
Key 2
Key Nr
Round 0
Round 1
Round Nr
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
31/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
727272 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
AES: Individual Rounds
Input
Output
Note: Last Round Is Slightly Different
from the Rest of the Rounds
Add RoundKey
MixColumns
SubBytes
Shift
Rows
737373 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
AES Functions:
SubBytes and ShiftRows
s15
s11
s7
s3
s14
s10
s6
s2
s13
s9s5s1
s12
s8
s4
s0,
s5
s'15
s'11
s'7
s'3
s'14
s'10
s'6
s'2
s'13
s'9
s'5
s'1
s'12
s'8
s'4
s'0
s'5
s15
s11
s7
s3
s14
s10
s6
s2
s13
s9
s5
s1
s12s8s4s0
s11
s7
s3
s15
s6
s2
s14
s10
s1
s13
s9
s5
s12s8s4s0
SubBytes
ShiftRows
S-Box
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
32/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
747474 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
AES Functions:MixColumns and AddRoundKey
Word fromKey
Schedules'15s'11s'7s'3
s'14s'10s'6s'2
s'13s'9s'5s'1
s'12s'8s'4s'0
s'5
s4
s6
s7
XOR
MixColumns
s15
s11
s7
s3
s14
s10
s6
s2
s13
s9s5s1
s12
s8
s4
s0, s4
s6
s5
s6s'
15s'
11s'
7s'
3
s'14
s'10
s'6
s'2
s'13
s'9
s'5
s'1
s'12
s'8
s'4
s'0 s4
s6
s7
s'5
MixColumns
s15
s11
s7
s3
s14
s10
s6
s2
s13s9s5s1
s12
s8
s4
s0 s4
s6
s5
s6
AddRoundKey
757575 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
33/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
767676 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Remote Access Features
Mode config
Extended authentication
777777 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Placement of Mode Config
and X-auth in IKE
Quick Mode Quick Mode
Phase I SA (ISAKMP SA)
Phase II SA(IPSec SA)
Phase II SA(IPSec SA)
New IPSec Tunnel or Rekey
Protected DataA B Protected DataC D
Main Mode
(6 Messages)
Aggressive Mode
(3 Messages)
Phase 1.5: X-auth and/or Mode Config
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
34/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
787878 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Mode Config
IPSec Gateway
Mechanism Used to Push Attributes to Remote Access IPSec Clients
Public
Network
Remote AccessIPSec Client
Internal IP Address
DNS Server
DHCP Server
Net Bios Name Server
Optional Attributes
PrivateNetwork
797979 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
InitiatorRemote Client
Attribute Request
0 Hash PayloadLength
Attributes (0 Length Attributes in Request)
0
IdentifierReserved = 0Type = 1
Attributes Payload
ISAKMP HEADER
Reserved =0
NextPayload
Hash
Type =
ISAKMP_CFG_REQUEST = 1or
ISAKMP_CFG_REPLY = 2or
ISAKMP_CFG_SET = 3or
ISAKMP_CFG_ACK = 4
Hash=
Prf (SKEYID_a,ISAKMP Header M-ID |
Attribute Payload)
Length
Mode Config Protocol Specifications
ResponderIPSec Gateway
Attribute Reply
Attributes =
INTERNAL_IP4_ADDRESS 1INTERNAL_IP4_NETMASK 2INTERNAL_IP4_DNS 3INTERNAL_IP4_NBNS 4INTERNAL_ADDRESS_EXPIRY 5INTERNAL_IP4_DHCP 6
Other Allowed but Not Mandatory
ISAKMP HEADER
0 Hash PayloadLength
Attributes (Set to the Values for One orMore of the Attributes to Be Pushed)
0
IdentifierReserved = 0Type = 2
Hash
Attributes PayloadLength
Reserved = 0NextPayload
ISAKMP HEADER
0 Hash Payload Length
Attributes (Set to the Values for One or
More of the Attributes to Be Pushed)
0
IdentifierReserved = 0Type = 2
Hash
Attributes PayloadReserved = 0NextPayload Length
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
35/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
808080 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
X-auth
AAA Server
IPSec GatewayPrivateNetwork
Public
Network
Remote AccessIPSec Client
Mechanism Used to Perform Per User Authentication for RA Clients
Chap
OTP
Generic Username/Password
S/Key
818181 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
X-auth Protocol Specifications
InitiatorIPSec Gateway
Attribute Request
0 Hash PayloadLength
Attributes (0 Length Attributes in Request)
0
IdentifierReserved = 0Type = 1
Attributes Payload
ISAKMP HEADER
Reserved =0
NextPayload
Hash
Type =
ISAKMP_CFG_REQUEST = 1or
ISAKMP_CFG_REPLY = 2or
ISAKMP_CFG_SET = 3or
ISAKMP_CFG_ACK = 4
Hash=
Prf (SKEYID_a,ISAKMP Header M-ID |
Attribute Payload)
Length
Attributes =
XAUTH_TYPE 16520XAUTH_USER_NAME 16521XAUTH_USER_PASSWORD 16522XAUTH_PASSCODE 16523XAUTH_MESSAGE 16524XAUTH_CHALLENGE 16525XAUTH_DOMAIN 16526XAUTH_STATUS 16527
ResponderIPSec Client
Attribute Reply
ISAKMP HEADER
0 Hash PayloadLength
Attributes (Set to the Values for One orMore of the Attributes to Be Pushed)
0
IdentifierReserved = 0Type = 2
Hash
Attributes PayloadLength
Reserved = 0NextPayload
ISAKMP HEADER
0 Hash Payload Length
Attributes (Set to the Values for One or
More of the Attributes to Be Pushed)
0
IdentifierReserved = 0Type = 2
Hash
Attributes PayloadReserved = 0NextPayload Length
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
36/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
828282 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
X-auth Protocol Specifications
0 Hash PayloadLength
Attributes (X-auth_Status = OK or FAIL)
0
IdentifierReserved = 0Type = 3
Attributes Payload
ISAKMP HEADER
Reserved =0
Hash
Hash
Type =
ISAKMP_CFG_REQUEST = 1or
ISAKMP_CFG_REPLY = 2or
ISAKMP_CFG_SET = 3or
ISAKMP_CFG_ACK = 4
Length
InitiatorIPSec Gateway
Attribute SetResponderIPSec Client
Attribute Ack
ISAKMP HEADER
0 Hash PayloadLength
Attributes (Set to the Values for One orMore of the Attributes to Be Pushed)
0
IdentifierReserved = 0Type = 2
Hash
Attributes Payload
Length
Reserved = 0Next
Payload
ISAKMP HEADER
0 Hash Payload Length
Attributes (None Included)
0
IdentifierReserved = 0Type = 4
Hash
Attributes PayloadReserved = 0HashLength
838383 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
37/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
848484 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
TED (Tunnel Endpoint Discovery)
IPSec Peer B
End Host 1 End Host 2
2
4
Host 1 to Host 2
IPSec ACL: 1 to 2 IPSec ACL: 2 to 1
Probe: 1 to 2
3Response: B to A
ISAKMP Negotiation Started
from A to B
Peer A Dynamically
Discovers Peer B
1
Mechanism Used to Dynamically Discover Peer and Negotiate Proxies
IPSec Peer APrivateNetwork
Public
Network
PrivateNetwork
858585 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
TED Protocol Specifications
TED Response Payload=
Protocol Version+Matched ProxiesReserved = 0 Private Payload
TED Response Payload
NP
ID = Responders ID Encoded as IP Address
Reserved = 0 ID Payload
Ciscos Vendor ID Along with Capability Flags
NP
Vendor Payload
ISAKMP HEADER
Reserved = 0NP
ResponderIPSec Client
TED Response
Length
Length
Length
Reserved = 0 Vendor Payload0
Reserved =
0
ID Payload
ID = Initiators Proxy
NP
ID = Initiators ID Encoded as IP Address
Reserved = 0 ID Payload
Ciscos Vendor ID Along with Capability Flags
NP
Special Vendor ID Payload
Vendor Payload
ISAKMP HEADER
Reserved = 0NP Special Vendor Payload=
Hash of Special String+TED Version Number (3)+IPVersion+Src IP and
Port+ IP and Port
InitiatorIPSec Gateway
TED Probe
Length
Length
Length
LengthInitiator Proxy =Configured
Source AddressFor IPSecInteresting
Traffic
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
38/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
868686 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda
Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)
IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
878787 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IPSec and NAT: The Problem
PAT Device
Port Address Translation Fails since inESP Packets L4 Port Info Is Encrypted
IPSecGateway
IPSec
RemoteClientPrivate
NetworkPublic
Network
PrivateNetwork
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
39/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
888888 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IPSec and NAT: Three Solutions
Always on IPSec over UDP (most deployed)
Always on IPSec over TCP (an alternate solution)
Need based IPSec NAT traversal (in the works)
Original
IP Header Payload
ESP
Header
ESP
Trailer
TCP/UDP
Header
External
IP Header
ESPHeader
PayloadOriginalIP Header
TCP/UDPHeader
UDPHeader
8 bytes0
ExternalIP Header
ESPTrailer
PAT Device
IPSecGateway
IPSecRemoteClient
PrivateNetwork
PublicNetwork
PrivateNetwork
898989 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Always on IPSec over UDP:
Part of Mode Config
0 Hash PayloadLength
Attributes (MODECFG_UDP_NAT_PORT = 0)
0
IdentifierReserved = 0Type = 1
Attributes Payload
ISAKMP HEADER
Reserved =0
NextPayload
Hash
Length
Type =
ISAKMP_CFG_REQUEST = 1or
ISAKMP_CFG_REPLY = 2or
ISAKMP_CFG_SET = 3or
ISAKMP_CFG_ACK = 4
Hash=
Prf (SKEYID_a,ISAKMP Header M-ID |
Attribute Payload)
InitiatorRemote Client
Attribute Request
(Optional) Attribute=
MODECFG_UDP_NAT_PORT
Value=
UDP Port Number: 10000 49151
ResponderIPSec Client
Attribute Reply
ISAKMP HEADER
0 Hash PayloadLength
Attributes (Set to the Values for One orMore of the Attributes to Be Pushed)
0
IdentifierReserved = 0Type = 2
Hash
Attributes PayloadLength
Reserved = 0NextPayload
ISAKMP HEADER
0 Hash Payload Length
Attributes (MODECFG_UDP_NAT_PORT = x
0
IdentifierReserved = 0Type = 2
Hash
Attributes PayloadReserved = 0NextPayload Length
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
40/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
919191 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda
Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)
IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
929292 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Peer A Peer B
DPD Rules
Passage of IPSec Traffic Is Proof of Liveliness
DPD Is Asynchronous
Each Peer Sets Its Own WORRY METRIC
Check on Peer Only if there Is a Need to Do So
I Wonder if B IsDead, I Have to
Send SomeData to It
I Dont Care if AIs Dead, I DontHave Anything
to Send
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
41/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
949494 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
DPD Protocol Specifications
Vendor IDPayload Is
Exchangedin IKE
NegotiationBeforehand
InitiatorR-U-THERE
Notification Data = Sequence Number
Notify Message Type = R-U-THERE
SPI SIZEProtocol ID =ISAKMP
SPI = CKY-I | CKY-R
DOI = IPSec DOI
Notify Payload
ISAKMP HEADER
ReservedNext Payload Length
ResponderR-U-THERE-ACK
Notification Data = Sequence Number
Notify Message Type = R-U-THERE
SPI SIZEProtocol ID =ISAKMP
SPI = CKY-I | CKY-R
DOI = IPSec DOI
Notify Payload
ISAKMP HEADER
ReservedNext Payload Length
959595 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
42/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
969696 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE v2: Replacement forCurrent IKE Specification
Feature preservation
Most of the features and characteristics of the baselineparent IKE v1 protocol are being preserved in v2
Compilation of features and extensions
Quite a few features that were added on top of thebaseline IKE protocol functionality in v1 are beingreconciled into the mainline v2 framework
New features
A few new mechanisms and features are beingintroduced in the IKE v2 protocol as well
(Please Note that This Information Is Current as of February 2003;
Finalization of the Specifications of the IKE V2 Protocol Is Still a Work in Progress)
979797 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE v2: What Is Not Changing
Features in v1 that have been debated but areultimately being preserved in v2
Two phases of negotiation
Use of nonces to ensure uniqueness of keys
v1 extensions and enhancements being mergedinto mainline v2 specification
Use of a configuration payload similar to MODECFG
for address assignment
X-auth type functionality retained through EAP
Use of NAT Discovery and NAT Traversal techniques
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
43/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
989898 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
IKE v2: What Is Changing
Significant changes being made to thebaseline functionality of IKE
Use of suites for algorithm negotiation
EAP adopted as the method to provide legacyauthentication integration with IKE
Public Signature keys and pre-shared keys, theonly methods of IKE authentication
Use of stateless cookie to avoid certain typesof DOS attacks on IK
999999 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
44/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
100100100 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
What Is a Multicast Group?
Two or more parties who send and receivethe same data transmitted over a network
Packet delivery can be multicast, orunicast (where identical data is directed toeach group member)
Group members can be routers, PCs,telephones, any IP device
There are many different examples ofgroup topologies
101101101 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Types of Multicast GroupsSingle-Source Multicast
Multiple-Source Multicast Multipoint Control Unit
Publish-Subscribe
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
45/50
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
46/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
104104104 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
GDOI Overview
Distributes keys and policy for groups
Security associations and keys
Can efficiently re-key the groupwhen needed
When a member joins/leaves the group
When an existing SA is about to expire
Quickly and efficiently eject agroup member
105105105 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
GDOI Protocol Flow
Two phases
IKE phase 1 protocol
GDOI registration protocol
Security protections
IKE phase 1 provides authentication,confidentiality, and integrity
GDOI registration provides authorizationand replay protection
IKE Phase 1
GDOI RegistrationGroup
MemberKey
Server
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
47/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
106106106 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
GDOI Registration Protocol
Member Requests to Join Group Using an ID Payload
Key Server Returns Keys Using a KD Payload
Key Server Returns Policy in SA Payload
Member Agrees to Policy
Group
Member
KeyServer
107107107 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
GDOI Registration Results
When registration is complete a groupmember has:
Data security SAs and keys
GDOI Rekey SA and keys
(if defined to be part of the group policy)
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
48/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
108108108 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Group
Member
KeyServer
GDOI Rekey Message
One message exchange
Sent from key server to all group members
IP multicast message is the most efficient distribution
Security protections
Authentication/integrity provided by a digital signatureon the message
Confidentiality provided using keys distributed duringGDOI registration
Replay protection through use of a message
sequence number
GDOI Rekey
109109109 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
GDOI Rekey Results
When rekey is complete a group memberhas one or more of the following:
New data security SAs and keys
New GDOI Rekey SA and keys
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
49/50
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr
110110110 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Agenda
Analysis of Baseline IPSec Functionality
IKE: IPSec Negotiation Protocol Flow
PKI: IPSec Authentication Architecture
SHA and MD5: IPSec Hashing Mechanisms
DES and AES: IPSec Encryption Techniques
Analysis of the Enhancements in IPSec
Remote Access Features
Tunnel End Point Discovery (TED)
IPSec NAT Traversal
Dead Peer Discovery (DPD)
IPSec Work in Progress: IKE v2, Multicast IPSec
111111111 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
So, Where Can I Read
in Detail about All This?
Network Security
Principles and Practices
by Saadat Malik
Also Available at the Networkers
CiscoPress Booth
8/6/2019 Article - Advanced Ipsec Algorithms and Protocols (Cisco - 2003)
50/50
112112112 2003, Cisco Systems, Inc. All rights reserved.SEC-40108101_05_2003_c2
Please Complete YourEvaluation Form
Session SEC-4010