CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

Similar documents
Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

CSC Network Security

CSC Network Security

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

IP Security II. Overview

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Cisco Live /11/2016

IP Security IK2218/EP2120

Internet Engineering Task Force Mark Baugher(Cisco) Expires: April, 2003 October, 2002

CS 494/594 Computer and Network Security

IPSec Guide. ISAKMP & IKE Formats

AIT 682: Network and Systems Security

Real-time protocol. Chapter 16: Real-Time Communication Security

IPsec and Secure VPNs

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Chapter 11 The IPSec Security Architecture for the Internet Protocol

draft-ietf-ipsec-isakmp-oakley-03.txt February 1997 Expire in six months The resolution of ISAKMP with Oakley <draft-ietf-ipsec-isakmp-oakley-03.

Advanced IKEv2 Protocol Jay Young, CCIE - Technical Leader, Services. Session: BRKSEC-3001

The IPSec Security Architecture for the Internet Protocol

Chapter 6/8. IP Security

Advanced IPSec Algorithms and Protocols

Network Security: IPsec. Tuomas Aura

draft-ietf-ipsec-nat-t-ike-00.txt W. Dixon, B. Swander Microsoft V. Volpe Cisco Systems L. DiBurro Nortel Networks 10 June 2001

Table of Contents 1 IKE 1-1

CSCE 715: Network Systems Security

Cryptography and Network Security. Sixth Edition by William Stallings

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Virtual Private Networks

draft-ietf-ipsec-nat-t-ike-01.txt W. Dixon, B. Swander Microsoft V. Volpe Cisco Systems L. DiBurro Nortel Networks 23 October 2001

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

IP Security Protocol Working Group (IPSEC) draft-ietf-ipsec-nat-t-ike-03.txt. B. Swander Microsoft V. Volpe Cisco Systems 24 June 2002

8. Network Layer Contents

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Virtual Private Network

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CIS 6930/4930 Computer and Network Security. Final exam review

Configuration of an IPSec VPN Server on RV130 and RV130W

Securify, Inc. M. Schneider. National Security Agency. J. Turner RABA Technologies, Inc. November 1998

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

ECC Based IKE Protocol Design for Internet Applications

Some optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.

draft-ietf-ipsec-isakmp-oakley-00.txt June 1996 Expire in six months The resolution of ISAKMP with Oakley <draft-ietf-ipsec-isakmp-oakley-00.

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Internet security and privacy

VPN Ports and LAN-to-LAN Tunnels

Introduction to IPsec. Charlie Kaufman

Advanced IKEv2 Protocol

The EN-4000 in Virtual Private Networks

Chapter 5: Network Layer Security

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Lecture 9: Network Level Security IPSec

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Configuring Internet Key Exchange Security Protocol

VPNs and VPN Technologies

COSC4377. Chapter 8 roadmap

Network Working Group. November 1998

Securing Networks with Cisco Routers and Switches

Sample excerpt. Virtual Private Networks. Contents

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

IKE and Load Balancing

Network Security IN2101

Configuring Security for VPNs with IPsec

Firepower Threat Defense Site-to-site VPNs

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Virtual Tunnel Interface

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Lecture 12 Page 1. Lecture 12 Page 3

Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall

Key Encryption as per T10/06-103

Best Practices: Provisioning of Mobile VPN certificate based policy from Nokia DM server for accessing Nokia IP VPN gateway

Network Security (NetSec) IN2101 WS 16/17

Internet Engineering Task Force (IETF) Request for Comments: ISSN: Check Point P. Eronen Independent September 2010

Lecture 13 Page 1. Lecture 13 Page 3

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

CIS 4360 Secure Computer Systems Applied Cryptography

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

3. Use the RF material for authentication. 4. Carry an acknowledgment material derived from the reconstructed RF material by Acknowledgment Message ((

David Wetherall, with some slides from Radia Perlman s security lectures.

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Configuring IPSec tunnels on Vocality units

Key Establishment and Authentication Protocols EECE 412

IP Security. Cunsheng Ding HKUST, Kong Kong, China

BCRAN. Section 9. Cable and DSL Technologies

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

IPSec Network Applications

An Executable Model for JFKr

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Transcription:

CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management

Outline Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2

Key Management Why do we need Internet key management AH and ESP require encryption and authentication keys Process to negotiate and establish IPsec SAs between two entities 3

Security Principles Basic security principle for session keys Compromise of a session key Doesn t permit reuse of the compromised session key. Doesn t compromise future session keys and long-term keys. 4

Security Principles (Cont d) Perfect forward secrecy (PFS) Compromise of current keys (session key or long-term key) doesn t compromise past session keys. Concern for encryption keys but not for authentication keys. Not really perfect in the same sense as perfect secrecy for one-time pad. 5

Escrow Foilage Protection Key escrow: communicating parties have to store their long-term keys with a third-party (authorities, etc.) Escrow-foilage: key stored at the third party is used maliciously Escrow Foilage Protection: the conversation between Alice and Bob can still be made secret against a passive eavesdropper with prior knowledge of Alice and Bob s long-term keys. Anything with PFS will also have escrow-foilage against a passive attacker. 6

Internet Key Management Manual key management Mandatory Useful when IPsec developers are debugging Keys exchanged offline (phone, email, etc.) Set up SPI and negotiate parameters 7

Internet Key Management (Cont d) Automatic key management Two major competing proposals Simple Key Management for Internet Protocols (SKIP) ISAKMP/OAKLEY Photuris Ephemeral D-H + authentication + Cookie The first to use cookie to thwart DOS attacks SKEME (extension to Photuris) Oakley (RFC 2412) ISAKMP (RFC 2408) ISAKMP/OAKLEY IKE (RFC 2409) 8

A Note about IKE IKE v2 was introduced in RFC 4306 (December 2005) IKE v2 does not interoperate with IKE v1 Both version can unambiguously run over the same UDP port IKE v2 combines the contents of previously separate documents ISAKMP IKE v1 DOI NAT 9

Automatic Key Management Key establishment and management combined SKIP Key establishment protocol Oakley focus on key exchange Key management Internet Security Association & Key Management Protocol (ISAKMP) Focus on SA and key management Clearly separated from key exchange. 10

SKIP Simple Key-Management for Internet Prococols Idea IP is connectionless in nature Using security association forces a pseudo session layer underneath IP Proposal: use sessionless key establishment and management Pre-distributed and authenticated D-H public key Packet-specific encryption keys are included in the IP packets 11

SKIP (Cont d) Two types of keys: 1. KEK 2. Packet key Certificate repository Bob s certificate Alice s certificate Alice Bob K p encrypted with KEK. Payload encrypted with K p. 12

SKIP (Cont d) KEK should be changed periodically Minimize the exposure of KEK Prevent the reuse of compromised packet keys SKIP s approach KEK = h (K AB, n), where h is a one-way hash function, K AB is the the long term key between A and B, and n is a counter. 13

SKIP (Cont d) Limitations No Perfect Forward Secrecy Can be modified to provide PFS, but it will lose the sessionless property. No concept of SA; difficult to work with the current IPsec architecture Not the standard, but remains as an alternative. 14

Oakley Oakley is a refinement of the basic Diffie- Hellman key exchange protocol. Why need refinement? Resource clogging attack Replay attack Man-in-the-middle attack Choice of D-H groups 15

Resource Clogging Attack Many bogus requests With false source IPs Busy computing Stopping requests is difficult We need to provide services. Ignoring requests is dangerous Denial of service attacks 16

Resource Clogging Attack (Cont d) Counter measure If we cannot stop bogus requests, at least we should know from where the requests are sent. Cookies are used to thwart resource clogging attack Thwart, not prevent 17

Resource Clogging Attack (Cont d) Cookie Each side sends a pseudo-random number, the cookie, in the initial message, which the other side acknowledges. The acknowledgement must be repeated in the following messages. Do not begin D-H calculation until getting acknowledgement for the other side. 18

Requirements for cookie generation The cookie must depend on the specific parties. Prevent an attacker from reusing cookies. Impossible to forge Use secret values Efficient Cookies are also used for key naming Each key is uniquely identified by the initiator s cookie and the responder s cookie. 19

Replay Attack Counter measure Use nonce 4. Busy computing 1. Cookie exchange 2. Later exchange Observe 20

Man-In-The-Middle Attack Counter measure Authentication Depend on other mechanisms. Pre-shared key. Public key certificates. 21

Oakley Groups How to choose the DH groups? 0 no group (placeholder or non-dh) 1 MODP, 768-bit modulus 2 MODP, 1024-bit modulus 3 MODP, 1536-bit modulus 4 EC2N over GF(2 155 ) 5 EC2N over GF(2 185 ) 22

Ephemeral Diffie-Hellman Short-term public key Short-term public key Session key is computed on the basis of shortterm DH public-private keys. Exchange of these short-term public keys requires authentication and integrity. Digital signatures. Keyed message digests. The only protocol known to support Perfect Forward Secrecy. 23

Ephemeral Diffie-Hellman Question: What happens if the long term key is compromised? 24

ISAKMP Oakley Key exchange protocol Developed to use with ISAKMP ISAKMP Security association and key management protocol Defines procedures and packet formats to establish, negotiate, modify, and delete security associations. Defines payloads for security association, key exchange, etc. 25

ISAKMP Message Fixed format header 64 bit initiator and responder cookies Exchange type (8 bits) Next payload type (8 bits) Flags: encryption, commit, authentication, etc. 32 bit message ID Resolve multiple phase 2 SAs being negotiated simultaneously Variable number of payloads Each has a generic header with Payload boundaries Next payload type (possible none) 26

ISAKMP Formats 27

ISAKMP Phases Phase 1 Establish ISAKMP SA to protect further ISAKMP exchanges Or use pre-established ISAKMP SA ISAKMP SA identified by initiator cookie and responder cookie Phase 2 Negotiate security services in SA for target security protocol or application. 28

ISAKMP Disadvantage Additional overhead due to 2 phases Advantages Same ISAKMP SA can be used to negotiate phase 2 for multiple protocols ISAKMP SA can be used to facilitate maintenance of SAs. ISAKMP SA can simplify phase 2. 29

ISAKMP Domain Of Interpretation (DOI) DOI defines Payload format Exchange types Naming conventions for security policies, cryptographic algorithms DOI for IPsec has been defined. 30

0 none 1 base ISAKMP Exchange Types 2 identity protection 3 authentication only 4 aggressive 5 informational 6-31 reserved 32-239 DOI specific use 240-255private use 31

ISAKMP Exchange Types Base exchange reveals identities Identity protection exchange Protects identities at cost of extra messages. Authentication only exchange No key exchange Aggressive exchange Reduce number of message, but reveals identity Informational exchange One-way transmission of information. 32

0 none ISAKMP Payload Types 1 SA security association 2 P proposal 3 T transform 4 KE key exchange 5 ID identification 6 CERT certificate 7 CR certificate request 33

ISAKMP Payload Types 8 H hash 9 SIG signature 10 NONCE nonce 11 N notification 12 D delete 13 VID vender ID 14-127 reserved 128-255 private use 34

ISAKMP Payload Types 35

ISAKMP Exchanges Basic Exchange 1. I R: SA; NONCE 2. R I: SA; NONCE Begin ISAKMP-SA negotiation Basic SA agreed upon 3. I R: KE; ID I ; AUTH 4. R I: KE; ID R ; AUTH Key generated; Initiator id verified by responder Responder id verified by initiator; key generated; SA established 36

ISAKMP Exchanges (Cont d) Identity Protection Exchange 1. I R: SA 2. R I: SA 3. I R: KE; NONCE 4. R I: KE; NONCE 5. I R: ID I ; AUTH 6. R I: ID R ; AUTH Begin ISAKMP-SA negotiation Basic SA agreed upon Key generated; key generated; Initiator id verified by responder Responder id verified by initiator; SA established Blue messages: Payload encrypted after ISAKMP header 37

ISAKMP Exchanges (Cont d) Authentication Only Exchange 1. I R: SA; NONCE 2. R I: SA; NONCE; ID R ; AUTH 3. I R: ID I ; AUTH Begin ISAKMP-SA negotiation Basic SA agreed upon; Responder id verified by initiator Initiator id verified by responder; SA established 38

ISAKMP Exchanges (Cont d) Aggressive Exchange 1. I R: SA; KE; NONCE; ID I Begin ISAKMP-SA negotiation and key exchange 2. R I: SA; KE; NONCE; ID R ; AUTH 3. I R: AUTH Responder identity verified by responder; Key generated; Basic SA agreed upon; Initiator id verified by responder; SA established Red messages: Payload encrypted after ISAKMP header 39

ISAKMP Exchanges (Cont d) Informational Exchange 1. I R: N/D Error or status notification, or deletion. Red message: Payload encrypted after ISAKMP header 40

IKE Overview IKE = ISAKMP + part of OAKLEY + part of SKEME ISAKMP determines How two peers communicate How these messages are constructed How to secure the communication between the two peers No actual key exchange Oakley Key exchange protocol Combining these two requires a Domain of Interpretation (DOI) RFC 2407 41

IKE Overview (Cont d) A separate RFC has been published for IKE RFC 2409 Request-response protocol Initiator Responder Two phases Phase 1: Establish an IKE (ISAKMP) SA Essentially the ISAKMP phase 1 Bi-directional Phase 2: Use the IKE SA to establish IPsec SAs Key exchange phase Directional 42

IKE Overview (Cont d) Several Modes Phase 1: Main mode: identity protection Aggressive mode Phase 2: Quick mode Other modes New group mode Establish a new group to use in future negotiations Not in phase 1 or 2; Must only be used after phase 1 Informational exchanges ISAKMP notify payload ISAKMP delete payload 43

IPsec Architecture Revisited IPSec module 1 What to establish IPSec module 2 SPD SPD IKE IKE SAD IPSec SA IPSec SAD IKE policies (How to establish the IPsec SAs): 1. Encryption algorithm; 2. Hash algorithm; 3. D-H group; 4. Authentication method. 44

IKE Phase 1 Four authentication methods Digital signature Authentication with public key encryption The above method revised Authentication with a pre-shared key 45

IKE Phase 1 (Cont d) IKE Phase 1 goal: Establish a shared secret SKEYID With signature authentication SKEYID = prf(ni_b Nr_b, g xy ) With public key encryption SKEYID = prf(hash(ni_b Nr_b), CKY-I CKY-R) With pre-shared key SKEYID = prf(pre-shared-key, Ni_b Nr_b) Notations: prf: keyed pseudo random function prf(key, message) CKY-I/CKY-R: I s (or R s) cookie Ni_b/Nr_b: the body of I s (or R s) nonce 46

IKE Phase 1 (Cont d) Three groups of keys Derived key for non-isakmp negotiations SKEYID_d = prf(skeyid, g xy CKY-I CKY-R 0) Authentication key SKEYID_a = prf(skeyid, SKEYID_d g xy CKY-I CKY-R 1) Encryption key SKEYID_e = prf(skeyid, SKEYID_a g xy CKY-I CKY-R 2) 47

IKE Phase 1 (Cont d) To authenticate the established key Initiator generates HASH_I = prf(skeyid, g xi g xr CKY-I CKY-R SAi_b IDii_b) Responder generates HASH_R = prf(skeyid, g xr g xi CKY-R CKY-I SAi_b IDir_b) Authentication with digital signatures HASH_I and HASH_R are signed and verified Public key encryption or pre-shared key HASH_I and HASH_R directly authenticate the exchange. 48

IKE Phase 1 Authenticated with Signatures Main Mode Initiator Responder HDR, SA HDR, SA HDR, KE, Ni HDR, KE, Nr HDR*, IDii, [CERT,] SIG_I HDR*, IDir, [CERT,] SIG_R 49

IKE Phase 1 Authenticated with Signatures Aggressive Mode Initiator Responder HDR, SA, KE, Ni, IDii HDR, SA, KE, Nr, IDir, [CERT,] SIG_R HDR, [CERT,] SIG_I 50

IKE Phase 1 Authenticated with Public Key Encryption Main Mode Initiator Responder HDR, SA HDR, KE, [HASH(1),] <IDii_b>PubKey_r, <Ni_b>PubKey_r HDR*, HASH_I HDR, SA HDR, KE, <IDir_b>PubKey_i, <Nr_b>PubKey_i HDR*, HASH_R 51

IKE Phase 1 Authenticated with Public Key Encryption Aggressive Mode Initiator Responder HDR, SA, [HASH(1),] KE, <IDii_b>PubKey_r, <Ni_b>PubKey_r HDR, HASH_I HDR, SA, KE, <IDir_b>PubKey_i, <Nr_b>PubKey_i, HASH_R 52

Observations Authenticated using public key encryption No non-repudiation No evidence that shows the negotiation has taken place. More difficult to break An attacker has to break both DH and public key encryption Identity protection is provided in aggressive mode. Four public key operations Two public key encryptions Two public key decryptions 53

IKE Phase 1 Authenticated with A Revised Mode of Public Key Encryption Main Mode Initiator HDR, SA HDR, [HASH(1),] <Ni_b>PubKey_r <KE_b>Ke_i <IDii_b>Ke_i, [<Cert-I_b>Ke_i] HDR*, HASH_I HDR, SA Responder HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r HDR*, HASH_R 54

IKE Phase 1 Authenticated with A Revised Mode of Public Key Encryption Aggressive Mode Initiator HDR, SA, [HASH(1),] <Ni_b>PubKey_r, <KE_b>Ke_i, <IDii_b>Ke_i [, <Cert-I_b>Ke_i] HDR, HASH_I Responder HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R 55

Further Details Ne_i=prf(Ni_b, CKY-I) Ne_r=prf(Nr_b, CKY-R) Ke_i and Ke_r are taken from Ne_i and Ne_r, respectively. 56

IKE Phase 1 Authenticated with Pre-Shared Key Main Mode Initiator Responder HDR, SA HDR, SA HDR, KE, Ni HDR, KE, Nr HDR*, IDii, HASH_I HDR*, IDir, HASH_R 57

IKE Phase 1 Authenticated with Pre-Shared Key (Cont d) What provide the authentication? Why does it work? 58

IKE Phase 1 Authenticated with Pre-Shared Key Aggressive Mode Initiator Responder HDR, SA, KE, Ni, IDii HDR, SA, KE, Nr, IDir, HASH_R HDR, HASH_I 59

IKE Phase 2 -- Quick Mode Not a complete exchange itself Must be bound to a phase 1 exchange Used to derive keying materials for IPsec SAs Information exchanged with quick mode must be protected by the ISAKMP SA Essentially a SA negotiation and an exchange of nonce Generate fresh key material Prevent replay attack 60

IKE Phase 2 -- Quick Mode (Cont d) Basic Quick Mode Refresh the keying material derived from phase 1 Quick Mode with optional KE payload Transport additional exponentiation Provide PFS 61

IKE Phase 2 -- Quick Mode (Cont d) Initiator HDR*, HASH(1), SA, Ni, [,KE] [, IDci, IDcr] Responder HDR*, HASH(2), SA, Nr, [, KE] [, IDci, IDcr] HDR*, HASH(3) HASH(1) = prf(skeyid_a, M-ID SA Ni [ KE ] [ IDci IDcr ) HASH(2) = prf(skeyid_a, M-ID Ni_b SA Nr [ KE ] [ IDci IDcr ) HASH(3) = prf(skeyid_a, 0 M-ID Ni_b Nr_b) 62

IKE Phase 2 -- Quick Mode (Cont d) If PFS is not needed, and KE payloads are not exchanged, the new keying material is defined as KEYMAT = prf(skeyid_d, protocol SPI Ni_b Nr_b) If PFS is desired and KE payloads were exchanged, the new keying material is defined as KEYMAT = prf(skeyid_d, g(qm) xy protocol SPI Ni_b Nr_b) where g(qm) xy is the shared secret from the ephemeral Diffie-Hellman exchange of this Quick Mode. In either case, "protocol" and "SPI" are from the ISAKMP Proposal Payload that contained the negotiated Transform. 63

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback