CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Similar documents
CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

CSC Network Security

CSC Network Security

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

IP Security II. Overview

AIT 682: Network and Systems Security

CIS 6930/4930 Computer and Network Security. Final exam review

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

IP Security IK2218/EP2120

CSCE 715: Network Systems Security

Cisco Live /11/2016

Internet Engineering Task Force Mark Baugher(Cisco) Expires: April, 2003 October, 2002

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Advanced IKEv2 Protocol Jay Young, CCIE - Technical Leader, Services. Session: BRKSEC-3001

Configuration of an IPSec VPN Server on RV130 and RV130W

Chapter 6/8. IP Security

Virtual Private Networks

Table of Contents 1 IKE 1-1

IPSec Guide. ISAKMP & IKE Formats

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 494/594 Computer and Network Security

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Chapter 11 The IPSec Security Architecture for the Internet Protocol

The IPSec Security Architecture for the Internet Protocol

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Virtual Private Network

ECC Based IKE Protocol Design for Internet Applications

L13. Reviews. Rocky K. C. Chang, April 10, 2015

VPN Ports and LAN-to-LAN Tunnels

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Internet security and privacy

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

The EN-4000 in Virtual Private Networks

Advanced IPSec Algorithms and Protocols

Advanced IKEv2 Protocol

Securify, Inc. M. Schneider. National Security Agency. J. Turner RABA Technologies, Inc. November 1998

VPN Overview. VPN Types

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

8. Network Layer Contents

Cryptography and Network Security. Sixth Edition by William Stallings

VPNs and VPN Technologies

Configuring Security for VPNs with IPsec

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

IKE and Load Balancing

Configuring Internet Key Exchange Security Protocol

Network Security: IPsec. Tuomas Aura

Lecture 9: Network Level Security IPSec

Chapter 5: Network Layer Security

Sample excerpt. Virtual Private Networks. Contents

IPsec and Secure VPNs

IPSec Transform Set Configuration Mode Commands

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Auth. Key Exchange. Dan Boneh

IPSec Site-to-Site VPN (SVTI)

Virtual Tunnel Interface

Introduction to IPsec. Charlie Kaufman

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

YANG Data Model for Internet Protocol Security (IPSec) dra:- tran- ipecme- yang- ipsec- 00 K. Tran, Ericsson

Best Practices: Provisioning of Mobile VPN certificate based policy from Nokia DM server for accessing Nokia IP VPN gateway

BCRAN. Section 9. Cable and DSL Technologies

IPSec Transform Set Configuration Mode Commands

Key Encryption as per T10/06-103

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Securing Networks with Cisco Routers and Switches

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

Configuring IPsec and ISAKMP

CSC/ECE 774 Advanced Network Security

IPSec Network Applications

Firepower Threat Defense Site-to-site VPNs

Configuring LAN-to-LAN IPsec VPNs

Security Association Creation

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

CSC 774 Network Security

UNIT - IV Cryptographic Hash Function 31.1

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Network Security IN2101

draft-ietf-ipsec-isakmp-oakley-03.txt February 1997 Expire in six months The resolution of ISAKMP with Oakley <draft-ietf-ipsec-isakmp-oakley-03.

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

CSC 6575: Internet Security Fall 2017

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

CS 161 Computer Security

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Virtual Tunnel Interface

IPSec. Overview. Overview. Levente Buttyán

CLEARPASS CONFIGURING IPsec TUNNELS

Transcription:

CIS 6930/4930 Computer and Network Security Topic 8.2 Internet Key Management 1

Key Management Why do we need Internet key management AH and ESP require encryption and authentication keys Process to negotiate and establish IPsec SAs between two entities 2

Security Principles Basic security principle for session keys Compromise of a session key Doesn t permit reuse of the compromised session key. Doesn t compromise future session keys and longterm keys. 3

Security Principles (Cont d) Perfect forward secrecy (PFS) Compromise of current keys (session key or long-term key) doesn t compromise past session keys. Concern for encryption keys but not for authentication keys. 4

Perfect Forward Secrecy Example Alice Bob [Alice, g S A mod p] Alice [Bob, g S B mod p] Bob hash( g S A S B mod p ) hash(1, g S A S B mod p ) 5

Examples of Non Perfect Forward Secrecy Alice sends all messages with Bob s public key, Bob sends all messages with Alice s public key Kerberos Alice chooses session keys, and sends them to Bob, all encrypted with Bob s public key 6

Internet Key Management Manual key management Mandatory Useful when IPsec developers are debugging Keys exchanged offline (phone, email, etc.) 7

Internet Key Management Automatic key management Two major competing proposals Simple Key Management for Internet Protocols (SKIP) Internet Security Association and Key Management Protocol (ISAKMP) + OAKLEY 8

Automatic Key Management Key establishment and management combined SKIP Key establishment protocol Oakley focus on key exchange Key management Internet Security Association & Key Management Protocol (ISAKMP) Focus on SA and key management Clearly separated from key exchange. 9

SKIP Idea Use sessionless key establishment and management Pre-distributed and authenticated D-H public key Packet-specific encryption keys are included in the IP packets 10

SKIP (Cont d) Two types of keys: 1. KEK 2. Packet key Certificate repository Bob s certificate Alice s certificate Alice Bob K p encrypted with KEK. Payload encrypted with K p. 11

SKIP (Cont d) KEK should be changed periodically Minimize the exposure of KEK Prevent the reuse of compromised packet keys SKIP s approach KEK = h (K AB, n), where h is a one-way hash function, K AB is the the long term key between A and B, and n is a counter. 12

SKIP (Cont d) Limitations No Perfect Forward Secrecy No concept of SA; difficult to work with the current IPsec architecture Not the standard, but remains as an alternative. 13

Oakley Oakley is a refinement of the basic Diffie- Hellman key exchange protocol. Why need refinement? Resource clogging attack Replay attack Man-in-the-middle attack Choice of D-H groups 14

Resource Clogging Attack Many bogus requests With false source IPs Busy computing Stopping requests is difficult We need to provide services. Ignoring requests is dangerous Denial of service attacks 15

Resource Clogging Attack Counter measure (Cont d) If we cannot stop bogus requests, at least we should know from where the requests are sent. Cookies are used to thwart resource clogging attack Thwart, not prevent 16

Resource Clogging Attack Cookie (Cont d) Each side sends a pseudo-random number, the cookie, in the initial message, which the other side acknowledges. The acknowledgement must be repeated in the following messages. Do not begin D-H calculation until getting acknowledgement for the other side. 17

Requirements for cookie generation An attacker cannot reuse cookies. Impossible to predict Use secret values Efficient Cookies are also used for key naming Each key is uniquely identified by the initiator s cookie and the responder s cookie. 18

Replay Attack Counter measure Use nonce 1. Cookie exchange 2. Later exchange Observe 19

Man-In-The-Middle Attack Counter measure Authentication Depend on other mechanisms. Pre-shared key. Public key certificates. 20

Oakley Groups How to choose the DH groups? 0 no group (placeholder or non-dh) 1 MODP, 768-bit modulus 2 MODP, 1024-bit modulus 3 MODP, 1536-bit modulus 21

Ephemeral Diffie-Hellman Short-term public key Short-term public key Session key is computed on the basis of shortterm DH public keys. Exchange of these short-term public keys requires authentication and integrity. Digital signatures. Keyed message digests. Perfect forward secrecy? 22

Ephemeral Diffie-Hellman Question: What happens if the long term key is compromised? 23

Oakley ISAKMP Key exchange protocol Developed to use with ISAKMP ISAKMP Internet security association and key management protocol Defines procedures and packet formats to establish, negotiate, modify, and delete security associations. Defines payloads for security association, key exchange, etc. 24

ISAKMP Message Fixed format header 64 bit initiator and responder cookies Exchange type (8 bits) Next payload type (8 bits) Flags: encryption, authentication, etc. 32 bit message ID Variable number of payloads Each has a generic header with Payload boundaries Next payload type (possible none) 25

ISAKMP Phases Phase 1 Establish ISAKMP SA to protect further ISAKMP exchanges Or use pre-established ISAKMP SA ISAKMP SA identified by initiator cookie and responder cookie Phase 2 Negotiate security services in SA for target security protocol or application. 26

ISAKMP Exchange Types 0 none 1 base 2 identity protection 3 authentication only 4 aggressive 5 informational 27

ISAKMP Exchange Types Base exchange reveals identities Identity protection exchange Protects identities at cost of extra messages. Authentication only exchange No key exchange Aggressive exchange Reduce number of messages, but reveals identity Informational exchange One-way transmission of information. 28

ISAKMP Payload Types 0 none 1 SA security association 2 P proposal 3 T transform 4 KE key exchange 5 ID identification 6 CERT certificate 7 CR certificate request 29

ISAKMP Payload Types 8 H hash 9 SIG signature 10 NONCE nonce 11 N notification 12 D delete 30

IKE Overview IKE = ISAKMP + part of OAKLEY ISAKMP determines How two peers communicate How these messages are constructed How to secure the communication between the two peers No actual key exchange Oakley Key exchange protocol 31

IKE Overview (Cont d) Request-response protocol Initiator Responder Two phases Phase 1: Establish an IKE (ISAKMP) SA Phase 2: Use the IKE SA to establish IPsec SAs 32

IKE Overview (Cont d) Several Modes Phase 1: Main mode: identity protection Aggressive mode Phase 2: Quick mode Other modes New group mode Establish a new group to use in future negotiations Not in phase 1 or 2; Must only be used after phase 1 Informational exchanges 33

IPSEC Architecture IPSec module 1 What to establish IPSec module 2 SPD SPD IKE IKE SAD IPSec SA IPSec SAD IKE policies (How to establish the IPsec SAs): 1. Encryption algorithm; 2. Hash algorithm; 3. D-H group; 4. Authentication method. 34

A Clarification About PFS In RFC 2409: Perfect Forward Secrecy (PFS) refers to the notion that compromise of a single key will only permit access to data protected by a single key. The key used to protect transmission of data MUST NOT be used to derive any additional keys. If the key used to protect transmission of data was derived from some other keying material, that material MUST NOT be used to derive any more keys. 35

IKE Phase 1 Negotiating cryptographic parameters Specifies suites of acceptable algorithms: {(3DES, MD5, RSA public key encryption, DH), (AES, SHA-1, pre-shared key, elliptic curve), } Specifies a MUST be implemented set of algorithms: Encryption=DES, hash=md5/sha-1, authentication=preshared key/dh The lifetime of the SA can also be negotiated 36

IKE Phase 1 Four authentication methods Authentication with public signature key Authentication with public key encryption Authentication with public key encryption, revised Authentication with a pre-shared key 37

IKE Phase 1: Public Signature Keys, Main Mode Alice CP Bob CPA g a mod p, nonce A g b mod p, nonce B Compute K = f(g ab mod p, nonce A, nonce B ) K{ Alice, proof I am Alice, [certificate]} K{ Bob, proof I am Bob, [certificate]} 39

IKE Phase 1: Public Signature Keys, aggressive Alice Mode Bob CP, g a mod p, nonce A, Alice CPA, g b mod p, nonce B, Bob, proof I am Bob, [certificate] proof I am Alice, [certificate] 40

IKE Phase 1: Public Encryption Keys, Main Mode Alice CP Bob CPA g a mod p, {nonce A } Bob,{ Alice } Bob g b mod p, {nonce B } Alice,{ Bob } Alice Compute K = f(g ab mod p, nonce A, nonce B ) K{proof I am Alice} K{proof I am Bob} 41

IKE Phase 1: Public Encryption Keys, aggressive Alice Mode Bob CP, g a mod p, {nonce A } Bob,{ Alice } Bob CPA, g b mod p, {nonce B } Alice,{ Bob } Alice, proof I am Bob proof I am Alice 42

IKE Phase 1: Public Encryption Keys(revised), Main Alice Mode CP Bob CPA K A = hash(nonce A, cookie A ) {nonce A } Bob, K A {g a mod p}, K A { Alice }, K A {Alice cert } K B = hash(nonce B, cookie B ) {nonce B } Alice, K B {g b mod p}, K B { Bob } Compute K = f(g ab mod p, nonce A, nonce B, cookie A, cookie B ) K{proof I am Alice} K{proof I am Bob} 43

IKE Phase 1: Public Encryption Keys(revised), Aggessive Mode Alice Bob K A = hash(nonce A, cookie A ) CP, {nonce A } Bob, K A {g a mod p}, K A { Alice }, K A {Alice cert } K B = hash(nonce B, cookie B ) CPA, {nonce B } Alice, K B {g b mod p}, K B { Bob }, proof I am Bob Compute K = f(g ab mod p, nonce A, nonce B, cookie A, cookie B ) K{proof I am Alice} 44

IKE Phase 1: Pre-shared Secret, Main Mode Alice (share a secret J) Bob CP CPA g a mod p, nonce A g b mod p, nonce B Compute K = f(j, g ab mod p, nonce A, nonce B, cookie A, cookie B ) K{ Alice, proof I am Alice} K{ Bob, proof I am Bob} 45

IKE Phase 1: Pre-Shared secret, aggressive Mode Alice (share a secret J) Bob CP, g a mod p, nonce A, Alice CPA, g b mod p, nonce B, proof I am Bob, Bob proof I am Alice 46

IKE Phase 1: Establish a Shared Key Establish a shared secret SKEYID With signature authentication SKEYID = prf(ni_b Nr_b, g xy ) With public key encryption SKEYID = prf(hash(ni_b Nr_b), CKY-I CKY-R) With pre-shared key SKEYID = prf(pre-shared-key, Ni_b Nr_b) Notations: prf: keyed pseudo random function prf(key, message) CKY-I/CKY-R: I s (or R s) cookie Ni_b/Nr_b: I s (or R s) nonce 47

IKE Phase 1: Establish a Shared Key (Cont d) Three groups of keys Derived key for non-isakmp negotiations SKEYID_d = prf(skeyid, g xy CKY-I CKY-R 0) Authentication key SKEYID_a = prf(skeyid, SKEYID_d g xy CKY-I CKY-R 1) Encryption key SKEYID_e = prf(skeyid, SKEYID_a g xy CKY-I CKY-R 2) 48

IKE Phase 2 -- Quick Mode Negotiates parameters for the phase-2 SA Information exchanged with quick mode must be protected by the phase-1 SA Essentially a SA negotiation and an exchange of nonces Used to derive keying materials for IPsec SAs 49

IKE Phase 2 -- Quick Mode (Cont d) 3-messages protocol X, Y, CP, traffic, SPI A, nonce A, g a mod p X, Y, CPA, traffic, SPI B, nonce B, g b mod p X, Y, ack 50

IKE Phase 2 -- Quick Mode (Cont d) All messages are encrypted using SKEYID_e, and integrity protected using SKEYID_a (except X, Y) Parameters: X: pair of cookies generated during phase 1 Y: 32-bit number unique to this phase 2 session chosen by the initiator DH is optional and could be used to provide PFS 51

Conclusion Perfect forward secrecy (PFS) SKIP long term shared keys, no PFS Oakley a refinement of the basic Diffi-Hellman key exchange protocol. ISAKMP Internet security association and key management protocol IKE Two phases, main and aggressive modes 52

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback