Cryptography and Network Security
Chapter 19
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 19 – IP Security
If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.
—The Art of War, Sun Tzu

IP Security
• Many applications have implemented specific security mechanisms: S/MIME, PGP, Kerberos, SSL/HTTPS
• however there are security concerns that cut across protocol layers
• We would like security implemented by the network for all applications

IP Security
• general IP Security mechanisms
• provides
  • authentication
  • confidentiality
  • key management
• applicable to use over LANs, across public & private WANs, & for the Internet
• need identified in 1994 report
  • need authentication, encryption in IPv4 & IPv6

IP Security Uses

Benefits of IPSec
• in a firewall/router:
  • provides strong security to all traffic crossing the perimeter
  • resistant to bypass
• It is below transport layer, hence transparent to applications
• It can be transparent to end users
• It can provide security for individual users
• It secures routing architecture

IP Security Architecture
• specification is quite complex, with groups:
  • Architecture
    • RFC4301 Security Architecture for Internet Protocol
  • Authentication Header (AH)
    • RFC4302 IP Authentication Header
  • Encapsulating Security Payload (ESP)
    • RFC4303 IP Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)
    • RFC4306 Internet Key Exchange (IKEv2) Protocol
  • Cryptographic algorithms
  • Other

IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
  • a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality

Transport Mode
• to encrypt & optionally authenticate IP data
• can do traffic analysis but is efficient
• good for ESP host to host traffic

Tunnel Mode
• encrypts entire IP packet
• add new header for next hop
• no routers on way can examine inner IP header
• good for VPNs, gateway to gateway security

Security Associations
• IPsec policy is determined primarily by the interaction of two databases: the security association database (SAD) and the security policy database (SPD).
• a one-way relationship between sender & receiver that affords security for traffic flow
• defined by 3 parameters:
  • Security Parameters Index (SPI)
  • IP Destination Address
  • Security Protocol Identifier
• has a number of other parameters
  • seq no, AH & EH info, lifetime etc
• have a database of Security Associations

Security Policy Database
• relates IP traffic to specific SAs
  • match subset of IP traffic to relevant SA
  • use selectors to filter outgoing traffic to map
  • based on: local & remote IP addresses, next layer protocol, name, local & remote ports
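
An added example, not part of the slides: an outbound lookup that matches a packet against ordered SPD selectors and resolves the result to an SA through the (SPI, destination address, security protocol) triple. The PROTECT/BYPASS/DISCARD actions come from RFC 4301 rather than the slides; the names `Policy`, `outbound_lookup`, `SAMPLE_SPD`, `SAMPLE_SAD` and all addresses are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

ANY = None  # wildcard selector value (assumption of this example)

# One SPD entry: selectors, an action, and the SAD key of the SA to use.
Policy = namedtuple("Policy", "local remote proto remote_port action sa_key",
                    defaults=(None,))


def matches(policy, pkt):
    """True when every selector of the policy covers the packet."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(policy.local)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(policy.remote)
            and policy.proto in (ANY, pkt["proto"])
            and policy.remote_port in (ANY, pkt["dport"]))


def outbound_lookup(spd, sad, pkt):
    """First matching SPD entry wins; PROTECT resolves to an SA in the SAD."""
    for policy in spd:
        if matches(policy, pkt):
            if policy.action != "PROTECT":
                return policy.action, None
            # A missing SA means key management has to create one first.
            return policy.action, sad.get(policy.sa_key)
    return "DISCARD", None  # nothing matched: drop


# Constructed sample databases.
SAMPLE_SAD = {(0x1001, "192.0.2.2", "ESP"): {"mode": "tunnel", "seq": 0}}
SAMPLE_SPD = [
    Policy("10.1.0.0/16", "0.0.0.0/0", 17, 500, "BYPASS"),      # IKE itself
    Policy("10.1.0.0/16", "10.2.0.0/16", ANY, ANY, "PROTECT",
           (0x1001, "192.0.2.2", "ESP")),                       # site-to-site
]
```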

Encapsulating Security Payload (ESP)
• provides message content confidentiality, data origin authentication, connectionless integrity, an anti-replay service, limited traffic flow confidentiality
• services depend on options selected when establish Security Association (SA), net location
• can use a variety of encryption & authentication algorithms

Encapsulating Security Payload

Encryption & Authentication Algorithms & Padding
• ESP can encrypt payload data, padding, pad length, and next header fields
  • if needed have IV at start of payload data
• ESP can have optional ICV for integrity
  • is computed after encryption is performed
• ESP uses padding
  • to expand plaintext to required length
  • to align pad length and next header fields
  • to provide partial traffic flow confidentiality
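
An added example, not part of the slides: building and checking the ESP trailer (padding, pad length, next header) and an ICV that the receiver verifies before parsing anything else. It assumes an integrity-only SA (NULL encryption) with HMAC-SHA-256 truncated to 128 bits; the function names, key and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits (assumed algorithm choice)


def esp_pad(payload, next_header, block=4):
    """Append Padding | Pad Length | Next Header, ending on a block boundary."""
    pad_len = -(len(payload) + 2) % block
    padding = bytes(range(1, pad_len + 1))       # default pad bytes 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_header])


def esp_seal(spi, seq, payload, next_header, auth_key):
    """Build SPI | Sequence Number | body | ICV."""
    body = esp_pad(payload, next_header)         # an encrypting SA encrypts body here
    header = struct.pack("!II", spi, seq)
    # The ICV is computed last, over the header and the (encrypted) body.
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_open(packet, auth_key):
    """Verify the ICV first, then strip the trailer.

    Returns (spi, seq, next_header, payload); raises ValueError on any failure.
    """
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    signed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, signed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")         # drop before touching the body
    spi, seq = struct.unpack("!II", signed[:8])
    body = signed[8:]
    pad_len, next_header = body[-2], body[-1]
    end = len(body) - 2
    if pad_len > end:
        raise ValueError("bad pad length")
    if body[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding bytes")
    return spi, seq, next_header, body[:end - pad_len]
```

Passing `block=16` to `esp_pad` gives the padding a 16-byte block cipher would need.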

Anti-Replay Service
• replay is when attacker resends a copy of an authenticated packet
• use sequence number to thwart this attack
• sender initializes sequence number to 0 when a new SA is established
  • increment for each packet
  • must not exceed limit of 2^32 – 1
• receiver then accepts packets with seq no within window of (N – W + 1)
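
An added example, not part of the slides: the receiver's sliding window, where N is the highest sequence number accepted so far and the window covers N – W + 1 through N. W = 64 is an assumed size, `icv_ok` stands in for the real ICV verification, and the arrival order in `demo` is constructed.

```python
W = 64  # window size; an assumed value, the slides only call it W


class ReplayWindow:
    """Tracks which sequence numbers in N - W + 1 .. N were already received."""

    def __init__(self, size=W):
        self.size = size
        self.top = 0      # N: highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (N - i) was received

    def check(self, seq):
        """Test made before ICV verification: can seq still be accepted?"""
        if seq == 0:
            return False                  # counter starts at 0, first packet is 1
        if seq > self.top:
            return True                   # right of the window: new packet
        offset = self.top - seq
        if offset >= self.size:
            return False                  # left of the window: too old
        return not (self.bitmap >> offset) & 1   # inside: reject duplicates

    def update(self, seq):
        """Call only after the ICV verified; marks seq as received."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, seq, icv_ok):
    """Return True if the packet is accepted."""
    if not window.check(seq):
        return False
    if not icv_ok:
        return False                      # a forged packet must not move the window
    window.update(seq)
    return True


def demo():
    """Constructed arrivals as (sequence number, ICV valid?)."""
    w = ReplayWindow()
    arrivals = [(1, True), (1, True), (3, True), (2, True),
                (100, False), (100, True), (36, True), (37, True)]
    return [receive(w, seq, ok) for seq, ok in arrivals]
```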

Combining Security Associations
• SA's can implement either AH or ESP
• to implement both need to combine SA's
  • form a security association bundle
  • may terminate at different or same endpoints
  • combined by
    • transport adjacency
    • iterated tunneling
• combining authentication & encryption
  • ESP with authentication, bundled inner ESP & outer AH, bundled inner transport & outer ESP

Combining Security Associations

IPSec Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
  • 2 per direction for AH & ESP
• manual key management
  • sysadmin manually configures every system
• automated key management
  • automated system for on demand creation of keys for SA's in large systems
  • has Oakley & ISAKMP elements

Oakley
• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
  • no info on parties, man-in-middle attack, cost
  1. cookies,
  2. groups (global params),
  3. nonces,
  4. DH key exchange
  5. authentication
• can use arithmetic in prime fields or elliptic curve fields

ISAKMP
• Internet Security Association and Key Management Protocol
• provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify, & delete SAs
• independent of key exchange protocol, encryption alg, & authentication method
• IKEv2 no longer uses Oakley & ISAKMP terms, but basic functionality is same

IKEV2 Exchanges

ISAKMP

IKE Payloads & Exchanges
• have a number of ISAKMP payload types:
  • Security Association, Key Exchange, Identification, Certificate, Certificate Request, Authentication, Nonce, Notify, Delete, Vendor ID, Traffic Selector, Encrypted, Configuration, Extensible Authentication Protocol
• payload has complex hierarchical structure
• may contain multiple proposals, with multiple protocols & multiple transforms

Cryptographic Suites
• variety of cryptographic algorithm types
• to promote interoperability have
  • RFC4308 defines VPN cryptographic suites
    • VPN-A matches common corporate VPN security using 3DES & HMAC
    • VPN-B has stronger security for new VPNs implementing IPsecv3 and IKEv2 using AES
  • RFC4869 defines four cryptographic suites compatible with US NSA specs
    • provide choices for ESP & IKE
    • AES-GCM, AES-CBC, HMAC-SHA, ECP, ECDSA

Summary
• have considered:
  • IPSec security framework
  • IPSec security policy
  • ESP
  • combining security associations
  • internet key exchange
  • cryptographic suites used