IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Similar documents
CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

IP Security IK2218/EP2120

Internet security and privacy

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Virtual Private Network

Chapter 11 The IPSec Security Architecture for the Internet Protocol

IPSec. Overview. Overview. Levente Buttyán

The IPSec Security Architecture for the Internet Protocol

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

CSCE 715: Network Systems Security

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

IP Security II. Overview

Introduction to IPsec. Charlie Kaufman

CSC Network Security

The IPsec protocols. Overview

IP Security. Have a range of application specific security mechanisms

Chapter 6/8. IP Security

Cisco Live /11/2016

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Configuration of an IPSec VPN Server on RV130 and RV130W

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

CSC Network Security

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Virtual Private Networks

8. Network Layer Contents

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

CSC 6575: Internet Security Fall 2017

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

Chapter 5: Network Layer Security

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Lecture 13 Page 1. Lecture 13 Page 3

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Lecture 9: Network Level Security IPSec

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

Lecture 12 Page 1. Lecture 12 Page 3

Table of Contents 1 IKE 1-1

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

IPSec Site-to-Site VPN (SVTI)

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

The EN-4000 in Virtual Private Networks

Network Security (NetSec) IN2101 WS 16/17

Network Security IN2101

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

COSC4377. Chapter 8 roadmap

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

IP Security. Cunsheng Ding HKUST, Kong Kong, China

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Configuring Security for VPNs with IPsec

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Cryptography and Network Security. Sixth Edition by William Stallings

Advanced IKEv2 Protocol Jay Young, CCIE - Technical Leader, Services. Session: BRKSEC-3001

Real-time protocol. Chapter 16: Real-Time Communication Security

VPN Overview. VPN Types

Firewalls, Tunnels, and Network Intrusion Detection

Network Security: IPsec. Tuomas Aura

IPsec NAT Transparency

IPsec NAT Transparency

CIS 6930/4930 Computer and Network Security. Final exam review

IPSec Guide. ISAKMP & IKE Formats

BCRAN. Section 9. Cable and DSL Technologies

IPsec and Secure VPNs

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

Configuring Internet Key Exchange Security Protocol

VPNs and VPN Technologies

Transport Level Security

IKE and Load Balancing

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

CS 494/594 Computer and Network Security

AIT 682: Network and Systems Security

CLEARPASS CONFIGURING IPsec TUNNELS

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

VPN Ports and LAN-to-LAN Tunnels

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Network Encryption 3 4/20/17

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Virtual Tunnel Interface

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Configuring LAN-to-LAN IPsec VPNs

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

Advanced IPSec Algorithms and Protocols

IBM i Version 7.2. Security Virtual Private Networking IBM

Transcription:

IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu

Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec, IKE) Network Layer (IP) Link Layer (IEEE802.1x/IEEE802.10) Physical Layer (spread-spectrum, quantum crypto, etc.) Network Security Tools: Monitoring/Logging/Intrusion Detection

SSL vs. IPsec SSL: Avoids modifying TCP stack and requires minimum changes to the application Mostly used to authenticate servers IPsec Transparent to the application and requires modification of the network stack Authenticates network nodes and establishes a secure channel between nodes Application still needs to authenticate the users

IPsec Protocol Suite (IETF Standard) Provides inter-operable crypto-based security services: Services: confidentiality, authentication, integrity, and key management Protocols: Authentication Header (AH): RFC2402 Encapsulated Security Payload (ESP): 2406 Internet Key Exchange (IKE) Environments: IPv4 and IPv6 Modes: Transport (between two hosts) Tunnel (between hosts/firewalls)

IPsec Assumption: End nodes already established a shared session key: Manually or IKE Security Association: Each secure connection is called a security association (SA) For each SA: key, end-node, sequence number, services, algorithms SA is unidirectional and identified by: Protocols: (destination-address, SPI = Security Parameter Index) Authentication Header: integrity protection Encapsulated Security Payload: encryption and/or integrity

IP Packets 0 4 8 16 19 31 Version HLen TOS Length Ident Flags Offset TTL Protocol Checksum SourceAddr DestinationAddr Options (variable) Data Pad (variable)

AH Formatting IP hdr TCP Data AH Protocol Number = 51 IP hdr AH TCP Data Transport mode IP hdr TCP Data new IP hdr AH IP hdr TCP Data Tunnel mode Next Header Length (8) Reserved (16) Security Parameters Index (32) Sequence Number Field (32) Authentication Data (N*32) SN: for replay detection

ESP Formatting IP hdr TCP Data ESP Protocol Number = 50 IP hdr ESP TCP Data Encrypted Authenticated ESP Trailer ESP Auth Transport mode IP hdr TCP Data new IP hdr ESP IP hdr TCP Data Encrypted Authenticated ESP Trailer ESP Auth Tunnel mode

ESP Header Security Parameters Index (32) Sequence Number Field (32) Initialization Vector (variable) Payload Data (variable) Padding (0-255 bytes) Pad Length (8) Authentication Data Next Header Auth/Integrity coverage confidentiality coverage

Issues NAT boxes: IPsec tunnel mode doesn t easily work Firewalls IPsec encrypts information used by firewalls to filter traffic (e.g., port number) AH mutable/immutable/predictable fields: Some fields get modified by the intermediate routers and can t be protected by the AH Mutable: type of service, flags, fragment offset, TTL, header checksum Why is PAYLOAD-LENGTH considered immutable (even if packets can be fragmented)? Why not fragment offset. Inconsistency! Mutable but predictable fields are included in the AH computation using their expected value at the destination (e.g., destination address even when using source routing)

IPsec: Internet Key Exchange Goal: Mutual authentication and establishment of a shared secret session key using: Pre-shared secret key or public signature-only key, or public encryption key Negotiation of features and cryptographic algorithms Specification documents: ISAKMP (Internet Security Association and Key Management Protocol): RFC 2408 IKE: RFC 2409 DOI (Domain Of Interpretation): RFC 2407

Photuris Photuris goal: signed Diffie-Hellman exchange 1. A -> B: C A 2. B -> A: C A, C B, crypto offered 3. A -> B: C A, C B, g a mod p, crypto selected 4. B -> A: C A, C B,, g b mod p 5. A -> B: C A, C B, g ab mod p{a, signature on previous messages} 6. B -> A: C A, C B,, g ab mod p{b, signature on previous messages} Role of C A, C B, and messages Additional features: SPI selection Why not sign messages 3 & 4?

Simple Key-Management for Internet Protocol (SKIP) Uses long term Diffie-Hellman keys Parties assumed to know each other public keys (i.e., g a mod p) or exchange certificates Session key X = g ab mod p is established in 0 messages Each packet is encrypted using data key S and each packet contains: X{S} Same S can be used for several packets Later on PFS was added by periodically forgetting the keys and doing a new DH

ISAKMP (RFC2408) Proposed by NSA as a framework and accepted by IETF Runs over UDP and allows to exchange fields to create a protocol IKE (RFC2409) based on OAKLEY & SKEME using ISAKMP syntax IKE phases: 1. Mutual authentication and session key establishment (also called ISAKMP SA or IKE SA) 2. AH/ESP SAs establishment Each source/destination/port has its own SA/keys otherwise ESP traffic not using integrity could be decrypted

Phase 1 IKE Two modes: Aggressive mode: mutual authentication and session key establishment in three messages A -> B: g a mod p, A, crypto proposal B -> A: g b mod p, crypto choice, proof I m B A -> B: proof I m A Main: additional features such as hiding end-points identities and negotiating crypto DH algorithm A -> B: crypto suite I support B -> A: crypto suite I choose A -> B: g a mod p B -> A: g b mod p A -> B: g ab mod p {A, proof I m A} B -> A: g ab mod p {B, proof I m B}

Phase 1 IKE Key types: Pre-shared secret key Public encryption key: fields are separately encrypted using the public key Optimized public encryption key: used to encrypt a random symmetric key, and then data is encrypted using the symmetric key Public signature key: used only for signature purpose 8 variants of IKE phase 1: 2 modes x 4 key types Proof of Identity: Required in messages 2-3 aggressive mode and 5-6 main mode Proves the sender knows the key associated with the identity Depends on the key type Hash of identity key, DH values, nonces, crypto choices, cookies Alternative: MAC of previous messages

Phase 1 IKE Negotiating cryptographic parameters A specifies suites of acceptable algorithms: {(3DES, MD5, RSA public key encryption, DH), (AES, SHA-1, pre-shared key, elliptic curve), } The standard specifies a MUST be implemented set of algorithms: Encryption=DES, hash=md5/sha-1, authentication=pre-shared key/dh The lifetime of the SA can also be negotiated Session keys: Key seed: SKEYID Signature public keys: SKEYID = prf(nonces, g xy mod p) Encryption public keys: prf(hash(nonces), cookies) Pre-shared secret key: prf(pre-shared secret key, nonces) Secret to generate other keys: SKEYID_d = prf(skeyid, (g xy, cookies, 0)) Integrity key: SKEYID_a = prf(skeyid, (SKEYID_d, (g xy, cookies, 1))) Encryption key: SKEYID_e = prf(skeyid, (SKEYID_a, (g xy, cookies, 2)) Message IDs: Random 32-bits serves the purpose of a SN but in an inefficient manner because they have to be remembered

IKE Phase 1: Public Signature Keys, Main Mode Description: Both parties have public keys for signatures Hidden endpoint identity (except for?) Protocol: A -> B: CP B -> A: CPA A -> B: g a mod p, nonce A B -> A: g b mod p, nonce B K = f(g ab mod p, nonce A, nonce B ) A -> B: K{A, proof I m A, [certificate]} B -> A: K{B, proof I m B, [certificate]} Questions: What is the purpose of the nonces? Can we make to protocol shorter (5 messages)? At what expense?

IKE Phase 1: Public Signature Keys, Aggressive Mode Protocol: A -> B: CP, g a mod p, nonce A, A B -> A: CPA, g b mod p, nonce B, B, proof I m B, [certificate] A -> B: proof I m A, [certificate]

IKE Phase 1: Public Encryption Keys, Main Mode, Original Protocol: A -> B: CP B -> A: CPA A -> B: g a mod p, {nonce A } B, {A} B B -> A: g b mod p, {nonce B } A, {B} A K = f(g ab mod p, nonce A, nonce B ) A -> B: K{proof I m A} B -> A: K{proof I m B}

IKE Phase 1: Public Encryption Keys, Aggressive Mode, Original Protocol: A -> B: CP, g a mod p, {nonce A } B, {A} B B -> A: CPA, g b mod p, {nonce B } A, {B} A, proof I m B A -> B: proof I m A

IKE Phase 1: Public Encryption Keys, Main Mode, Revised Protocol: A -> B: CP B -> A: CPA K A = hash(nonce A, cookie A ) A -> B: {nonce A } B, K A {g a mod p}, K A {A}, [K A {A s cert}] K B = hash(nonce B, cookie B ) B -> A: {nonce B } A, K B {g b mod p}, K B {B} K = f(g ab mod p, nonce A, nonce B, cookie A, cookie B ) A -> B: K{proof I m A} B -> A: K{proof I m B}

IKE Phase 1: Public Encryption Keys, Aggressive Mode, Revised Protocol: K A = hash(nonce A, cookie A ) A -> B: CP, {nonce A } B, K A {g a mod p}, K A {A}, [K A {A s cert}] K B = hash(nonce B, cookie B ) B -> A: CPA, {nonce B } A, K B {g b mod p}, K B {B}, proof I m B K = f(g ab mod p, nonce A, nonce B, cookie A, cookie B ) A -> B: K{proof I m A}

IKE Phase 1: Shared Secret Keys, Main Mode Assumption A and B share a secret J Protocol: A -> B: CP B -> A: CPA A -> B: g a mod p, nonce A B -> A: g b mod p, nonce B K = f(j, g ab mod p, nonce A, nonce B, cookie A, cookie B ) A -> B: K{proof I m A} B -> A: K{proof I m B}

IKE Phase 1: Shared Secret Keys, Aggressive Mode Protocol: A -> B: CP, g a mod p, nonce A, A B -> A: CPA, g b mod p, nonce B, B,proof I m B A -> B: proof I m A

IKE: Phase 2 Also known as Quick Mode : 3- messages protocol A -> B: X, Y, CP, traffic, SPI A, nonce A, [g a mod p] optional B -> A: X, Y, CPA, traffic, SPI B, nonce B, [g b mod p] optional A -> B: X, Y, ack All messages are encrypted using SKEYID_e, and integrity protected using SKEYID_a (except X, Y) Parameters: X: pair of cookies generated during phase 1 Y: 32-bit number unique to this phase 2 session chosen by the initiator CP: Crypto Proposal, CPA: Crypto Proposal Accepted DH is optional and could be used to provide PFS Nonces and cookies get shuffled into SKEYID to produce the SA encryption and integrity keys

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback