Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Transcription

1 Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München ilab Lab 8 SSL/TLS and IPSec

2 Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) / TLS (Transport Layer Security) ~ SSL Version 1, 2, 3 developed by Netscape 1999: TLS 1.0, 2006: TLS 1.1, 2008: TLS 1.2 developed / standardized by IETF Uses TCP as transport protocol On Layer 3: Goal: Provide security for IP traffic IPSec (IP Security) ~ 1998 Alternative: OpenVPN Often used for Virtual Private Networks (VPN) / Tunnel Internetpraktikum 2

3 SSL/TLS Internetpraktikum 3

4 TLS Properties Used for: Encryption and integrity protection for data sent over a socket Transparent for the application layer protocol E.g.: Protection of HTTP, IMAP HTTPS, IMAPS TCP/IP Modell Applikation Application flow: 1. Key exchange, e.g. with RSA, Diffie Hellman 2. optional server and/or client authentication (server/client certificates and digital signatures used) 3. finally: encryption + authentication for all packets TLS TCP IP Host to Network SSL/TLS uses the reliable transport protocol TCP DTLS is an adaptation that uses the more lightweight protocol UDP Internetpraktikum 4

5 TLS Architecture TLS can be split into two protocol layers: Applikation SSL Handshake Protocol SSL Change Cipherspec Protocol SSL Alert Protocol SSL Application Data Protocol SSL Record Protocol TCP Handshake: Authentication of peers and negotiation of security parameters Change Cipherspec: Signalization of encryption method to be used Alert: Signalization of errors (e.g. certificate could not be validated) Application Data: Transparent transport of application payload All protocols described above communicate via the Record Protocol Internetpraktikum 5

6 SSL Record Protocol Type Ver. (maj.) Ver. (min.) Length Length Data Type: Change Cipherspec: 0x14 (20) Alert: 0x15 (21) Handshake: 0x16 (22) Application Data: 0x17 (23) Version: SSL Version (major = 3, minor = 3 TLS 1.2) Length: Length of payload Data: Payload to transmit (e.g. for Application Data Protocol: encrypted data, MAC, padding) Internetpraktikum 6

7 SSL Record Protocol Is directly built on top of TCP Processing chain (sending): Fragmentation Parts/records are max 2 14 Bit long Compression optional Calculation of authentication data MAC = H(MAC_write_secret + pad_2 + H(MAC_write_secret + pad_1 + seq_num + length + data)) Remark: the sequence number will not be sent inside the SSL header, as the TCP header contains the sequence number Encryption of data and MAC Using the algorithms which were selected and signalized with the current Change Cipherspec Internetpraktikum 7

8 SSL Handshake Protocol (RSA, Server auth.) Overview: 1. random number, set of cryptographic suites 1. random number, chosen cryptographic suite, certificate 1. Key exchange (Pre master secret) Generation of the master secret 1. MAC on all previous messages 2. MAC on all previous messages Client Key Generation Server Key Generation 4 5 Note: 3 and 4 are actually sent together to reduce latency the TLS handshake requires two round trips Internetpraktikum 8

9 SSL Handshake Protocol (Bsp.: RSA, Server auth) Client Server 1 ClientHello(Ver,Random, CipherSuite,Compr) ServerHello(Ver,Random, SessionID,CipherSuite,Compr) ServerCertificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished 5 Internetpraktikum 9

10 SSL Handshake Protocol Client Server 1 ClientHello(Ver,Random, CipherSuite,Compr) 3 [ClientCertificate] ClientKeyExchange [CertificateVerify] ServerHello(Ver,Random, SessionID,CipherSuite,Compr) [ServerCertificate] [CertificateRequest] [ServerKeyExchange] ServerHelloDone 2 4 ChangeCipherSpec Finished ChangeCipherSpec Finished 5 [...] denotes optional message Internetpraktikum 10

11 IPSec Internetpraktikum 11

12 Application of IPSec: Virtual Private Networks 3 typical configurations: End to End (both devices have VPN Software) Site to Site (security gateways apply IPSec to traffic, often used to connect branches of a company) End to Site (road warriors connect to the company) End to End Site to Site Branch A End to Site Branch B Internetpraktikum 12

13 IP Security (IPSec) Shortcomings of IP: IP neither protects authenticity of communication entities or data, or protects data integrity, nor provides confidentiality Services of IPSec: Authentication of client/server Data integrity protection Confidentiality IPSec defines two packet formats AH (RFC 2402) Authentication ESP (RFC 2406) Confidentiality (+ Authentication) A combination of ESP and AH is possible and a key exchange protocol IKE (Internet Key Exchange) provides a safe key exchange mechanism via an insecure channel Internetpraktikum 13

14 Terms Security Policy (SP) / Security Policy Database (SPD) SP is a rule that specify how to protect a specific communication session E.g.: protect confidentiality and authenticity of all packets sent between Host a and Host b using encryption mechanism x and authentication mechanism y Security Policies are quite static and stateless E.g.: A SP does not contain a session key used for encryption Security Association (SA) / Security Association Database (SAD) SAs are the concrete settings that enforce the more abstract policies specified in the SPD SAs are bindings of IPs, encryption / authentication methods, the currently used key, duration, SAs are negotiated by IKE SAs are quite dynamic and stateful Each SA is identified by a SPI (Security Parameter Index) Internetpraktikum 14

15 Authentication Header vs. Encapsulating Security Payload The authentication header (AH): Provides data origin authentication and replay protection Is realized as a header which is inserted between the IP header and the data to be protected IP header AH header protected data authenticated The encapsulating security payload (ESP): Provides data origin authentication, confidentiality, replay protection Is realized with a header and a trailer encapsulating the data to be protected encrypted IP header ESP header protected data ESP trailer authenticated Internetpraktikum 15

16 ESP + AH Combined encrypted IP header AH header ESP header protected data ESP trailer authenticated ESP and AH can be combined for maximum security: Payload is encrypted by ESP Payload and nearly all header fields of the IP header are authenticated by AH Uses two SAs For ESP For AH Internetpraktikum 16

17 Transport Mode vs. Tunnel Mode IPSec works in two modes: Transport mode can be used between end points of a communication: host host Tunnel mode can be used between arbitrary peers security gateway security gateway host security gateway The difference between the two modes is, that: Transport mode just adds a security specific header (+ possibly a trailer): IP header Tunnel mode encapsulates IP packets: New IP header IPSec header IPSec header Old IP header protected data protected data Encapsulation of IP packets allows for a gateway protecting traffic on behalf of other entities (e.g. hosts of a subnetwork, etc.) Internetpraktikum 17

18 Example: IPSec Tunnel between two networks Site to Site Branch A Branch B Internetpraktikum 18

19 AH Header AH authenticates all invariant fields of the IP Header Protocol (IPv4) / Next Header Feld (IPv6): 51 = AH IP Header Next Header Payload Length Reserved Used to identify the currently used SA AH Security Parameter Index (SPI) Sequence Number Authentication Data authenticated Payload Internetpraktikum 19

20 ESP Header Used to identify the currently used SA encrypted Security Parameter Index (SPI) Sequence Number Initialization Vector Protected Data authenticated Pad Pad Length Next Header Authentication Data The ESP Header directly follows the IP header or the AH header Protocol (IPv4) or Next Header (IPv6) field: 50 = ESP The next header field refers to protected data Internetpraktikum 20

21 Example: IPSec Tunnel between two networks Outbound Processing Site to Site Branch A Branch B Internetpraktikum 21

22 Basic Scheme: Processing of Outgoing Packets IPSec outbound processing new incoming packet Lookup appropriate policy deliver packet discard packet IKE yes yes yes No policy? no Policy is discard? no Lookup SAs No SA? no perform outbound processing according to the order given in the SPD Internetpraktikum 22

23 Example: IPSec Tunnel between two networks Inbound Processing Site to Site Branch A Branch B Internetpraktikum 23

24 Basic Scheme: Processing of Incoming Packets IP Inbound processing (1) Wait for Fragments All Fragments Available? yes IPSec header found yes get SPI from the IPSec header no no Does SA for SPI Exist? yes perform ESP/AH inbound processing no Discard Packet Internetpraktikum 24

25 Security of IPSec Currently no working attacks are known Design got criticized by various persons, e.g. Schneier/Ferguson Some concepts are redundant most operational modes are not used/not needed AH+ESP fits all Highly complexity, mainly due to IKE Complex things are prone to errors, i.e. implementation is very difficult Currently the best working security mechanism for securing IP communication (on layer 3) Internetpraktikum 25