IP Security

IPSec: An Overview
Somesh Jha, University of Wisconsin

Outline
- Why IPSec?
- IPSec Architecture
- Internet Key Exchange (IKE)
- IPSec Policy
- Discussion

IP is not Secure!
- IP protocol was designed in the late 70s to early 80s
- Part of DARPA Internet Project
- Very small network
  - All hosts are known!
  - So are the users!
  - Therefore, security was not an issue

Security Issues in IP
- Source spoofing
- Replay packets
- No data integrity or confidentiality
  - DOS attacks
  - Replay attacks
  - Spying
  - and more
- Fundamental issue: networks are not (and will never be) fully secure

Goals of IPSec
- To verify sources of IP packets
  - Authentication
- To prevent replaying of old packets
- To protect integrity and/or confidentiality of packets
  - Data integrity / data encryption

The IPSec Security Model
[Diagram with regions labelled Secure and Insecure]

IPSec Architecture
[Diagram: ESP, AH and IKE, together with the IPSec Security Policy]
- ESP: Encapsulating Security Payload
- AH: Authentication Header
- IKE: The Internet Key Exchange

IPSec Architecture
- IPSec provides security in three situations:
  - Host-to-host, host-to-gateway and gateway-to-gateway
- IPSec operates in two modes:
  - Transport mode (for end-to-end)
  - Tunnel mode (for VPN)

IPsec Architecture
[Diagram labels: Tunnel Mode (Router to Router), Transport Mode]

Various Packets
Original:        IP header | TCP header | data
Transport mode:  IP header | IPSec header | TCP header | data
Tunnel mode:     IP header | IPSec header | IP header | TCP header | data

IPSec
- A collection of protocols (RFC 2401)
  - Authentication Header (AH): RFC 2402
  - Encapsulating Security Payload (ESP): RFC 2406
  - Internet Key Exchange (IKE): RFC 2409
  - IP Payload Compression (IPcomp): RFC 3137

Authentication Header (AH)
- Provides source authentication
  - Protects against source spoofing
- Provides data integrity
- Protects against replay attacks
  - Use monotonically increasing sequence numbers
  - Protects against denial of service attacks
- NO protection for confidentiality!

AH Details
- Use 32-bit monotonically increasing sequence number to avoid replay attacks
- Use cryptographically strong hash algorithms to protect data integrity (96-bit)
  - Use symmetric key cryptography
  - HMAC-SHA-96, HMAC-MD5-96

AH Packet Details
[Packet layout]
- New IP header
- Authentication Header:
  - Next header | Payload length | Reserved
  - Security Parameters Index (SPI)
  - Sequence Number
  - Authentication Data (hash of everything else)
- Old IP header (only in Tunnel mode)
- TCP header
- Data
[Diagram annotations: Authenticated; Encapsulated TCP or IP packet]
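
The following sketch is an added example, not part of the original slides. It shows how the AH fields above work together on the receiving side: a 96-bit truncated HMAC-SHA1 over SPI, sequence number and payload, plus a sliding anti-replay window. The window goes beyond the slides, which only mention monotonically increasing sequence numbers; the names `ah_protect`, `AhReceiver` and the window size are assumptions, and the IP header fields that real AH also authenticates are left out.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # 96-bit truncated HMAC, as in HMAC-SHA-96 / HMAC-MD5-96
WINDOW = 32    # anti-replay window size (assumed value for this sketch)

def ah_protect(key, spi, seq, payload):
    """Sender side: SPI + sequence number + payload, followed by the truncated HMAC."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

class AhReceiver:
    """State kept for one inbound SA: key, highest sequence seen, window bitmap."""
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.top = 0     # highest authenticated sequence number so far
        self.seen = 0    # bit i set => sequence (top - i) was already accepted

    def accept(self, packet):
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return "unknown-spi"
        # Cheap replay check first: too old, or already marked in the window.
        if seq == 0 or seq + WINDOW <= self.top:
            return "replay"
        if seq <= self.top and (self.seen >> (self.top - seq)) & 1:
            return "replay"
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"
        # Only an authenticated packet may advance or mark the window.
        if seq > self.top:
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)
        return "ok"
```

Checking the integrity value before touching the window matters: a forged packet with a large sequence number must not be able to push legitimate traffic out of the window.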

Encapsulating Security Payload (ESP)
- Provides all that AH offers, and
- in addition provides data confidentiality
  - Uses symmetric key encryption

ESP Details
- Same as AH:
  - Use 32-bit sequence number to counter replaying attacks
  - Use integrity check algorithms
- Only in ESP:
  - Data confidentiality:
    - Uses symmetric key encryption algorithms to encrypt packets

ESP Packet Details
[Packet diagram labels: IP header; Security Parameters Index (SPI); Sequence Number; Next header; Payload length; Reserved; Initialization vector; TCP header; Data; Pad; Pad length; Next; Authentication Data]
[Diagram annotations: Authenticated; Encrypted TCP packet]

Question?
- Why have both AH and ESP?
- Both AH and ESP use symmetric key based algorithms
  - Why not public-key cryptography?
  - How are the keys being exchanged?
  - What algorithms should we use?
- Similar to deciding on the ciphersuite in SSL

Internet Key Exchange (IKE)
- Exchange and negotiate security policies
- Establish security sessions
  - Identified as Security Associations
- Key exchange
- Key management
- Can be used outside IPsec as well

IPsec/IKE Acronyms
- Security Association (SA)
  - Collection of attributes associated with a connection
  - Is asymmetric!
    - One SA for inbound traffic, another SA for outbound traffic
  - Similar to ciphersuites in SSL
- Security Association Database (SADB)
  - A database of SAs

IPsec/IKE Acronyms
- Security Parameter Index (SPI)
  - A unique index for each entry in the SADB
  - Identifies the SA associated with a packet
- Security Policy Database (SPD)
  - Stores policies used to establish SAs

How They Fit Together
[Diagram labels: SPD, SADB, SA-1, SA-2, SPI, SPI]

SPD and SADB Example
[Diagram labels: A, B, C, D; Transport Mode; Tunnel Mode; A's SPD; A's SADB; C's SPD; C's SADB]

A's SADB:
From  To    Protocol  SPI  SA Record
A     B     AH        12   HMAC-MD5 key

C's SPD:
From  To    Protocol  Port  Policy     Tunnel Dest
Asub  Bsub  Any       Any   ESP[3DES]  D

C's SADB:
From  To    Protocol  SPI  SA Record
Asub  Bsub  ESP       14   3DES key

How It Works
- IKE operates in two phases
  - Phase 1: negotiate and establish an auxiliary end-to-end secure channel
    - Used by subsequent phase 2 negotiations
    - Only established once between two end points!
  - Phase 2: negotiate and establish custom secure channels
    - Occurs multiple times
  - Both phases use Diffie-Hellman key exchange to establish a shared key

IKE Phase 1
- Goal: to establish a secure channel between two end points
- This channel provides basic security features:
  - Source authentication
  - Data integrity and data confidentiality
  - Protection against replay attacks

IKE Phase 1
- Rationale: each application has different security requirements
- But they all need to negotiate policies and exchange keys!
- So, provide the basic security features and allow applications to establish custom sessions

Examples
- All packets sent to address mybank.com must be encrypted using 3DES with HMAC-MD5 integrity check
- All packets sent to address www.forum.com must use integrity check with HMAC-SHA1 (no encryption is required)

Phase 1 Exchange
- Can operate in two modes:
  - Main mode
    - Six messages in three round trips
    - More options
  - Quick mode
    - Four messages in two round trips
    - Fewer options

Phase 1 (Main Mode)
1. Initiator -> Responder: [Header, SA1]
2. Responder -> Initiator: [Header, SA2]
   - Establish vocabulary for further communication
3. Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
4. Responder -> Initiator: [Header, KE, Nr {, Cert_Req}]
   - Establish secret key using Diffie-Hellman key exchange
   - Use nonces to prevent replay attacks
5. Initiator -> Responder: [Header, IDi, {CERT} sig]
6. Responder -> Initiator: [Header, IDr, {CERT} sig]
   - Signed hash of IDi (without Cert_Req, just send the hash)

Phase 1 (Aggressive Mode)
1. Initiator -> Responder: [Header, SA1, KE, Ni, IDi]
2. Responder -> Initiator: [Header, SA2, KE, Nr, IDr, [Cert]sig]
3. Initiator -> Responder: [Header, [Cert]sig]
- First two messages combined into one (combine Hello and DH key exchange)

IPSec (Phase 1)
- Four different ways to authenticate (either mode)
  - Digital signature
  - Two forms of authentication with public key encryption
  - Pre-shared key
- NOTE: IKE does use public-key based cryptography for encryption
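
The sketch below is an added example, not part of the original slides. It walks through messages 3 to 5 of the Main Mode exchange above using the pre-shared key method, with the SKEYID, SKEYID_d and HASH_I formulas from RFC 2409, to show why fresh nonces defeat a replayed authentication message. The 127-bit prime is a toy stand-in for a real MODP group, the names `Peer`, `session_key`, `hash_i` and `main_mode` are assumptions, and the encryption of messages 5 and 6 is omitted.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (assumption); a real policy names e.g. a 1024-bit MODP group
G = 5

def prf(key, data):
    """Keyed hash agreed in the SA1/SA2 negotiation; HMAC-SHA1 in this sketch."""
    return hmac.new(key, data, hashlib.sha1).digest()

def num(n):
    return n.to_bytes(16, "big")

class Peer:
    """Per-session state: each run draws a fresh cookie, nonce and DH private value."""
    def __init__(self, ident, psk):
        self.ident, self.psk = ident, psk
        self.cookie = secrets.token_bytes(8)    # carried in Header
        self.nonce = secrets.token_bytes(16)    # Ni or Nr
        self.x = secrets.randbelow(P - 3) + 2   # DH private value, never sent
        self.ke = pow(G, self.x, P)             # KE payload

def session_key(me, peer_ke, ni, nr, cky_i, cky_r):
    """SKEYID = prf(psk, Ni | Nr); SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    skeyid = prf(me.psk, ni + nr)
    g_xy = num(pow(peer_ke, me.x, P))
    return skeyid, prf(skeyid, g_xy + cky_i + cky_r + b"\x00")

def hash_i(skeyid, init, resp, sa):
    """Initiator's proof in message 5; reads only values that travel on the wire."""
    return prf(skeyid, num(init.ke) + num(resp.ke)
               + init.cookie + resp.cookie + sa + init.ident)

def main_mode(init, resp, sa=b"SA1", replayed_hash=None):
    """Returns (responder accepts message 5, both sides hold the same key, HASH_I sent)."""
    ni, nr = init.nonce, resp.nonce              # exchanged in messages 3 and 4
    sk_i, key_i = session_key(init, resp.ke, ni, nr, init.cookie, resp.cookie)
    sk_r, key_r = session_key(resp, init.ke, ni, nr, init.cookie, resp.cookie)
    sent = replayed_hash or hash_i(sk_i, init, resp, sa)
    accepted = hmac.compare_digest(sent, hash_i(sk_r, init, resp, sa))
    return accepted, key_i == key_r, sent
```

A HASH_I recorded from one session fails against a responder that has drawn a new Nr, KE and cookie, because every one of those values feeds the hash the responder recomputes.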

IPSec (Phase 2)
- Goal: to establish custom secure channels between two end points
  - End points are identified by : e.g.
  - Or by packet: e.g. All packets going to 128.124.100.0/24
- Use the secure channel established in Phase 1 for communication

IPSec (Phase 2)
- Only one mode: Quick Mode
- Multiple quick mode exchanges can be multiplexed
- Generate SAs for two end points
- Can use secure channel established in phase 1

IP Payload Compression
- Used for compression
- Can be specified as part of the IPSec policy
- Will not cover!

IPsec Policy
- Phase 1 policies are defined in terms of protection suites
- Each protection suite
  - Must contain the following:
    - Encryption algorithm
    - Hash algorithm
    - Authentication method
    - Diffie-Hellman Group
  - May optionally contain the following:
    - Lifetime

IPSec Policy
- Phase 2 policies are defined in terms of proposals
- Each proposal:
  - May contain one or more of the following
    - AH sub-proposals
    - ESP sub-proposals
    - IPComp sub-proposals
  - Along with necessary attributes such as
    - Key length, life time, etc

IPSec Policy Example
- In English: all traffic to 128.104.120.0/24 must:
  - Use pre-hashed key authentication
  - DH group is MODP with 1024-bit modulus
  - Hash algorithm is HMAC-SHA (128 bit key)
  - Encryption using 3DES
- In IPSec:
  [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]

IPsec Policy Example
- In English: all traffic to 128.104.120.0/24 must use one of the following:
  - AH with HMAC-SHA or,
  - ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm)
- In IPsec:
  [AH: HMAC-SHA] or,
  [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]

Virtual Private Networks (VPNs)
- Virtual
  - It is not a physically distinct network
- Private
  - Tunnels are encrypted to provide confidentiality
- CS dept might have a VPN
  - I can be on this VPN while traveling

Alice is Traveling
- Alice works for the mergers and acquisitions (M&A) department of takeover.com
- She is at Hicktown taking over a meat-packing plant
- She wants to access the M&A server at her company (confidentially of course)

Discussion
- IPSec is not the only solution!
  - Security features can be added on top of IP!
    - e.g. Kerberos, SSL
- Confused?
  - IP, IPSec protocols are very complex!
    - Two modes, three sub protocols
  - Complexity is the biggest enemy of security

Discussion
- Has it been used?
  - Yes
    - Primarily used by some VPN vendors
    - But not all routers support it
  - No
    - It is not really an end-to-end solution
    - Authentication is too coarse (host based)
    - Default encryption algorithm too weak (DES)
    - Too complex for applications to use

Resources
- IP, IPsec and related RFCs: http://www.ietf.org/html.charters/ipsec-charter.html
- IPsec: RFC 2401, IKE: RFC 2409
- www.freeswan.org
- Google search