Lehrstuhl für Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München
ilab Lab 8: SSL/TLS and IPSec
Outlook

On Layer 4: goal is to provide security for one specific port.
SSL (Secure Socket Layer) / TLS (Transport Layer Security)
~1990-1996: SSL versions 1, 2 and 3, developed by Netscape
1999: TLS 1.0; 2006: TLS 1.1; 2008: TLS 1.2, developed and standardized by the IETF
Uses TCP as transport protocol.

On Layer 3: goal is to provide security for IP traffic.
IPSec (IP Security), ~1998. Alternative: OpenVPN.
Often used for Virtual Private Networks (VPN) / tunnels.

Internetpraktikum 2
SSL/TLS
TLS Properties

Used for encryption and integrity protection of data sent over a socket.
Transparent for the application layer protocol, e.g. protection of HTTP and IMAP gives HTTPS and IMAPS.
[Figure: TCP/IP model with the layers Application, TLS, TCP, IP, Host to Network]
Application flow:
1. Key exchange, e.g. with RSA or Diffie-Hellman
2. Optional server and/or client authentication (server/client certificates and digital signatures are used)
3. Finally: encryption and authentication for all packets
SSL/TLS uses the reliable transport protocol TCP. DTLS is an adaptation that uses the more lightweight protocol UDP.
TLS Architecture

TLS can be split into two protocol layers:
[Figure: Application on top; SSL Handshake Protocol, SSL Change Cipherspec Protocol, SSL Alert Protocol and SSL Application Data Protocol side by side; SSL Record Protocol below them; TCP at the bottom]
Handshake: authentication of peers and negotiation of security parameters
Change Cipherspec: signals the encryption method to be used
Alert: signals errors (e.g. a certificate could not be validated)
Application Data: transparent transport of application payload
All protocols described above communicate via the Record Protocol.
SSL Record Protocol

Record header (bit positions 0, 7, 15, 23, 31):
Type (8 bit) | Version major (8 bit) | Version minor (8 bit) | Length (16 bit)
Data (variable length)
Type: Change Cipherspec 0x14 (20), Alert 0x15 (21), Handshake 0x16 (22), Application Data 0x17 (23)
Version: SSL version (major = 3, minor = 3 for TLS 1.2)
Length: length of the payload
Data: payload to transmit (e.g. for the Application Data Protocol: encrypted data, MAC, padding)
SSL Record Protocol

Is built directly on top of TCP.
Processing chain (sending):
1. Fragmentation: parts/records are at most 2^14 bytes long
2. Compression (optional)
3. Calculation of authentication data: MAC = H(MAC_write_secret + pad_2 + H(MAC_write_secret + pad_1 + seq_num + length + data))
Remark: the sequence number is not sent inside the SSL header, as the TCP header already carries a sequence number.
4. Encryption of data and MAC, using the algorithms that were selected and signaled with the current Change Cipherspec
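The record layer described on the last two slides, as an added example (not code from the lecture): a parser for the 5-byte record header, the sender-side chain of fragmentation and MAC computation using exactly the slide's formula (the SSLv3-style construction; TLS 1.0 and later use HMAC instead), and the receiver side checking each record against its own sequence counter. The encryption step is left out so the layout stays visible; the MAC secret and the application data are constructed values.

```python
import hashlib
import hmac
import struct

# Content types of the record header, as listed on the slide.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS12 = (3, 3)                     # version bytes: major 3, minor 3 for TLS 1.2
MAX_PLAINTEXT = 2 ** 14            # fragment size limit on the sending side
MAX_RECORD = MAX_PLAINTEXT + 2048  # TLS 1.2 allows this much expansion for MAC and padding


def fragment(data, size=MAX_PLAINTEXT):
    """Step 1 of the processing chain: split the plaintext into pieces of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def ssl3_mac(secret, seq_num, data, hash_fn=hashlib.sha1):
    """Step 3, the formula on the slide (SSLv3 style, not the HMAC that TLS 1.0+ uses):
    H(secret + pad_2 + H(secret + pad_1 + seq_num + length + data)).
    pad_1 is 0x36 repeated, pad_2 is 0x5c repeated (40 bytes for SHA-1, 48 for MD5).
    seq_num is a 64-bit counter each side keeps itself; it never appears on the wire."""
    pad_len = 40 if hash_fn is hashlib.sha1 else 48
    pad_1, pad_2 = b"\x36" * pad_len, b"\x5c" * pad_len
    inner = hash_fn(secret + pad_1 + struct.pack("!QH", seq_num, len(data)) + data).digest()
    return hash_fn(secret + pad_2 + inner).digest()


def build_records(content_type, data, mac_secret, seq_start=0, version=TLS12):
    """Sender: fragment, append the MAC to each fragment, prepend the 5-byte record header.
    Encryption (step 4) is omitted in this example."""
    out = []
    for seq, frag in enumerate(fragment(data), start=seq_start):
        payload = frag + ssl3_mac(mac_secret, seq, frag)
        out.append(struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload)
    return b"".join(out)


def parse_record(buf):
    """Read one record from the front of buf.
    Returns (type name, (major, minor), payload, remaining bytes); raises ValueError on malformed input."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    if length > MAX_RECORD:
        raise ValueError("record length %d exceeds limit" % length)
    if len(buf) < 5 + length:
        raise ValueError("truncated record payload")
    return CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length], buf[5 + length:]


def receive(buf, mac_secret, seq_start=0, hash_fn=hashlib.sha1):
    """Receiver: parse every record, verify the MAC with the receiver's own counter, return the data."""
    plaintext, seq = b"", seq_start
    mac_len = hash_fn().digest_size
    while buf:
        _, _, payload, buf = parse_record(buf)
        data, mac = payload[:-mac_len], payload[-mac_len:]
        if not hmac.compare_digest(ssl3_mac(mac_secret, seq, data, hash_fn), mac):
            raise ValueError("MAC check failed on record %d" % seq)
        plaintext += data
        seq += 1
    return plaintext
```

Because both sides count records independently, a record that is dropped, duplicated or reordered in transit makes the receiver's MAC check fail even though nothing in the header changed, which is the property the slide's remark relies on.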
SSL Handshake Protocol (RSA, server authentication)

Overview:
1. Client -> Server: random number, set of cryptographic suites
2. Server -> Client: random number, chosen cryptographic suite, certificate
3. Client -> Server: key exchange (pre-master secret); afterwards both sides generate the master secret (key generation)
4. Client -> Server: MAC on all previous messages
5. Server -> Client: MAC on all previous messages
Note: 3 and 4 are actually sent together to reduce latency; the TLS handshake requires two round trips.
SSL Handshake Protocol (example: RSA, server authentication)

1. Client -> Server: ClientHello(Ver, Random, CipherSuite, Compr)
2. Server -> Client: ServerHello(Ver, Random, SessionID, CipherSuite, Compr), ServerCertificate, ServerHelloDone
3. Client -> Server: ClientKeyExchange
4. Client -> Server: ChangeCipherSpec, Finished
5. Server -> Client: ChangeCipherSpec, Finished
SSL Handshake Protocol (general case)

1. Client -> Server: ClientHello(Ver, Random, CipherSuite, Compr)
2. Server -> Client: ServerHello(Ver, Random, SessionID, CipherSuite, Compr), [ServerCertificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone
3. Client -> Server: [ClientCertificate], ClientKeyExchange, [CertificateVerify]
4. Client -> Server: ChangeCipherSpec, Finished
5. Server -> Client: ChangeCipherSpec, Finished
[...] denotes an optional message.
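The key generation and "MAC on all previous messages" steps of the RSA handshake on the three preceding slides, as an added example (not code from the lecture). The master secret and Finished computations follow the TLS 1.2 PRF (P_SHA256, RFC 5246); the handshake message encodings, the certificate bytes and the pre-master secret are constructed for the example rather than the real wire format, and the RSA encryption of the pre-master secret in message 3 is assumed to happen outside the function.

```python
import hashlib
import hmac
import os


def p_sha256(secret, seed, length):
    """TLS 1.2 expansion function P_SHA256 (RFC 5246, section 5): A(i) = HMAC(secret, A(i-1)), A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """Key generation (after message 3): 48-byte master secret from the pre-master secret and both randoms."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def finished_verify_data(master, transcript, side):
    """Messages 4 and 5: 12-byte MAC over all previous handshake messages, keyed with the master secret."""
    label = b"client finished" if side == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(b"".join(transcript)).digest(), 12)


def run_handshake(pre_master_secret, client_random=None, server_random=None):
    """Simulate messages 1-5 of the RSA handshake with both parties' checks.
    Message encodings are constructed for this example (not the TLS wire format)."""
    client_random = client_random or os.urandom(32)
    server_random = server_random or os.urandom(32)
    transcript = []  # every handshake message in order, as both sides see them

    # 1. ClientHello: random number, offered cipher suites
    transcript.append(b"ClientHello|" + client_random + b"|TLS_RSA_WITH_AES_128_CBC_SHA256")
    # 2. ServerHello, ServerCertificate, ServerHelloDone (certificate bytes are a placeholder)
    transcript.append(b"ServerHello|" + server_random + b"|TLS_RSA_WITH_AES_128_CBC_SHA256")
    transcript.append(b"ServerCertificate|<constructed certificate>")
    transcript.append(b"ServerHelloDone")
    # 3. ClientKeyExchange carries the pre-master secret, RSA-encrypted to the server (assumed done)
    transcript.append(b"ClientKeyExchange|<encrypted pre-master secret>")
    # Both sides derive the master secret independently from the same inputs
    ms_client = master_secret(pre_master_secret, client_random, server_random)
    ms_server = master_secret(pre_master_secret, client_random, server_random)
    # 4. Client Finished: MAC over messages 1-3 (ChangeCipherSpec is not a handshake message)
    client_fin = finished_verify_data(ms_client, transcript, "client")
    ok_at_server = hmac.compare_digest(client_fin, finished_verify_data(ms_server, transcript, "client"))
    transcript.append(b"Finished|" + client_fin)
    # 5. Server Finished: MAC over messages 1-4, so it also covers the client's Finished
    server_fin = finished_verify_data(ms_server, transcript, "server")
    ok_at_client = hmac.compare_digest(server_fin, finished_verify_data(ms_client, transcript, "server"))
    return {"master_secret": ms_client, "client_finished": client_fin,
            "server_finished": server_fin, "verified": ok_at_server and ok_at_client,
            "transcript": transcript}
```

The Finished values are what makes the negotiation tamper-evident: since they are a keyed MAC over every earlier message, any change to the offered cipher suites or randoms by a third party yields a mismatch at the other end, even though the earlier messages themselves were sent in the clear.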
IPSec
Application of IPSec: Virtual Private Networks

Three typical configurations:
End to End (both devices have VPN software)
Site to Site (security gateways apply IPSec to the traffic; often used to connect the branches of a company)
End to Site (road warriors connect to the company)
[Figure: End to End, Site to Site and End to Site topologies between Branch A (host 10.3.2.11) and Branch B (host 10.3.2.34)]
IP Security (IPSec)

Shortcomings of IP: IP neither protects the authenticity of the communicating entities or of the data, nor protects data integrity, nor provides confidentiality.
Services of IPSec: authentication of client/server, data integrity protection, confidentiality.
IPSec defines two packet formats:
AH (RFC 2402): authentication
ESP (RFC 2406): confidentiality (+ authentication)
A combination of ESP and AH is possible.
In addition, a key exchange protocol: IKE (Internet Key Exchange) provides a safe key exchange mechanism over an insecure channel.
Terms

Security Policy (SP) / Security Policy Database (SPD)
An SP is a rule that specifies how to protect a specific communication session, e.g.: protect confidentiality and authenticity of all packets sent between host a and host b using encryption mechanism x and authentication mechanism y.
Security Policies are quite static and stateless, e.g. an SP does not contain the session key used for encryption.

Security Association (SA) / Security Association Database (SAD)
SAs are the concrete settings that enforce the more abstract policies specified in the SPD.
SAs are bindings of IPs, encryption / authentication methods, the currently used key, duration, ...
SAs are negotiated by IKE.
SAs are quite dynamic and stateful.
Each SA is identified by an SPI (Security Parameter Index).
Authentication Header vs. Encapsulating Security Payload

The authentication header (AH):
Provides data origin authentication and replay protection.
Is realized as a header inserted between the IP header and the data to be protected.
[Figure: IP header | AH header | protected data; IP header, AH header and protected data are authenticated]

The encapsulating security payload (ESP):
Provides data origin authentication, confidentiality and replay protection.
Is realized with a header and a trailer encapsulating the data to be protected.
[Figure: IP header | ESP header | protected data | ESP trailer; protected data and ESP trailer are encrypted; ESP header, protected data and ESP trailer are authenticated]
ESP + AH Combined

[Figure: IP header | AH header | ESP header | protected data | ESP trailer; the ESP part is encrypted; the whole packet is authenticated by AH]
ESP and AH can be combined for maximum security:
The payload is encrypted by ESP.
The payload and nearly all header fields of the IP header are authenticated by AH.
Uses two SAs: one for ESP, one for AH.
Transport Mode vs. Tunnel Mode

IPSec works in two modes:
Transport mode can be used between the end points of a communication (host to host).
Tunnel mode can be used between arbitrary peers (security gateway to security gateway, host to security gateway).
The difference between the two modes is:
Transport mode just adds a security-specific header (+ possibly a trailer): IP header | IPSec header | protected data
Tunnel mode encapsulates IP packets: New IP header | IPSec header | Old IP header | protected data
Encapsulation of IP packets allows a gateway to protect traffic on behalf of other entities (e.g. the hosts of a subnetwork).
Example: IPSec Tunnel between two networks
[Figure: Site to Site tunnel between the security gateways of Branch A (host 10.3.2.11) and Branch B (host 10.3.2.34)]
AH Header

AH authenticates all invariant fields of the IP header.
Protocol (IPv4) / Next Header field (IPv6): 51 = AH
AH header layout (bit positions 0, 7, 15, 23, 31), following the IP header:
Next Header (8 bit) | Payload Length (8 bit) | Reserved (16 bit)
Security Parameter Index (SPI) (32 bit): used to identify the currently used SA
Sequence Number (32 bit)
Authentication Data (variable length)
The IP header, the AH header and the payload are authenticated.
ESP Header

ESP layout (bit positions 0, 7, 15, 23, 31):
Security Parameter Index (SPI) (32 bit): used to identify the currently used SA
Sequence Number (32 bit)
Initialization Vector
Protected Data (encrypted)
Padding | Pad Length (8 bit) | Next Header (8 bit) (encrypted)
Authentication Data
Everything from the SPI up to and including the Next Header field is authenticated.
The ESP header directly follows the IP header or the AH header.
Protocol (IPv4) or Next Header (IPv6) field: 50 = ESP
The Next Header field refers to the protected data.
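The AH and ESP formats from the slides above, together with transport and tunnel mode from the Transport Mode vs. Tunnel Mode slide, as one added example (not code from the lecture). It builds IPv4 packets carrying AH or ESP, shows which bytes each integrity check covers (AH zeroes the mutable IPv4 fields before hashing, so a router decrementing the TTL does not break it, while ESP leaves the outer IP header out entirely), and parses them back. Assumptions: the integrity check value is HMAC-SHA256 truncated to 16 bytes, the cipher block size is 16 bytes, ESP encryption is omitted so the padding and trailer stay visible, and the gateway addresses 192.0.2.1 and 198.51.100.1 plus the TCP payload bytes are constructed.

```python
import hashlib
import hmac
import struct

# Protocol numbers from the slides; 4 is "IP in IP", the Next Header value of a tunnel-mode payload.
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
ICV_LEN = 16                      # assumption: HMAC-SHA256 truncated to 128 bits as integrity check value
MUTABLE = (1, 6, 7, 8, 10, 11)    # IPv4 bytes AH zeroes before hashing: TOS, flags/fragment offset, TTL, checksum


def ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options; header checksum computed."""
    def pack(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, csum, ip(src), ip(dst))
    s = sum(struct.unpack("!10H", pack(0)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return pack(~s & 0xFFFF)


def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


# --- AH: header between IP header and payload; the invariant IP fields are authenticated too ---

def ah_scope(ip_hdr, ah_fixed, payload):
    """Bytes covered by the AH ICV: IP header with mutable fields zeroed, AH header with zeroed ICV, payload."""
    masked = bytearray(ip_hdr)
    for i in MUTABLE:
        masked[i] = 0
    return bytes(masked) + ah_fixed + bytes(ICV_LEN) + payload


def build_ah_packet(src, dst, payload, next_header, spi, seq, key):
    ah_len = 12 + ICV_LEN
    # Payload Length field: AH length in 32-bit words minus 2 (RFC 2402)
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    return ip_hdr + ah_fixed + icv(key, ah_scope(ip_hdr, ah_fixed, payload)) + payload


def verify_ah_packet(pkt, key):
    """Returns (icv_ok, spi, seq, next_header, payload)."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    got, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    ok = hmac.compare_digest(got, icv(key, ah_scope(ip_hdr, ah_fixed, payload)))
    return ok, spi, seq, next_header, payload


# --- ESP: header and trailer around the payload; the outer IP header is not authenticated ---

def build_esp(payload, next_header, spi, seq, key, iv, block=16):
    """SPI | seq | IV | payload | padding | pad length | next header | ICV.
    Encryption of payload and trailer is omitted in this example; the ICV is computed for real."""
    pad_len = (-(len(payload) + 2)) % block           # pad so that payload + trailer fills whole blocks
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])  # default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + iv + payload + trailer
    return body + icv(key, body)


def parse_esp(esp, key, iv_len=16):
    """Returns (icv_ok, spi, seq, next_header, payload) with the padding stripped."""
    body, got = esp[:-ICV_LEN], esp[-ICV_LEN:]
    ok = hmac.compare_digest(got, icv(key, body))
    spi, seq = struct.unpack("!II", body[:8])
    data = body[8 + iv_len:]
    pad_len, next_header = data[-2], data[-1]
    return ok, spi, seq, next_header, data[:len(data) - 2 - pad_len]


def esp_transport(src, dst, tcp_segment, spi, seq, key, iv):
    """Transport mode: IP header | ESP header | TCP segment | ESP trailer."""
    esp = build_esp(tcp_segment, IPPROTO_TCP, spi, seq, key, iv)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def esp_tunnel(gw_src, gw_dst, inner_packet, spi, seq, key, iv):
    """Tunnel mode: new IP header (gateway to gateway) | ESP header | old IP packet | ESP trailer."""
    esp = build_esp(inner_packet, IPPROTO_IPIP, spi, seq, key, iv)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp
```

In tunnel mode the inner packet between 10.3.2.11 and 10.3.2.34 comes back out of parse_esp unchanged, with Next Header = 4 telling the receiving gateway that an IP packet follows; in transport mode Next Header = 6 points directly at the TCP segment.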
Example: IPSec Tunnel between two networks, Outbound Processing
[Figure: Site to Site tunnel between the security gateways of Branch A (host 10.3.2.11) and Branch B (host 10.3.2.34)]
Basic Scheme: Processing of Outgoing Packets

IPSec outbound processing for a new packet to be sent:
1. Look up the appropriate policy in the SPD. No policy? Discard the packet.
2. Is the policy "discard"? Discard the packet.
3. Look up the SAs. No SA? Trigger IKE.
4. Otherwise perform outbound processing according to the order given in the SPD and deliver the packet.
Example: IPSec Tunnel between two networks, Inbound Processing
[Figure: Site to Site tunnel between the security gateways of Branch A (host 10.3.2.11) and Branch B (host 10.3.2.34)]
Basic Scheme: Processing of Incoming Packets

IP inbound processing (1):
1. Wait for fragments. All fragments available? If not, keep waiting.
2. IPSec header found? If yes, get the SPI from the IPSec header.
3. Does an SA for this SPI exist? If yes, perform ESP/AH inbound processing; if no, discard the packet.
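The outbound and inbound schemes of the last two slides, together with the SPD/SAD terms, as one added example (not code from the lecture): an SPD of ordered policies, an SAD keyed by SPI, the outbound decision chain (no policy / discard policy / missing SA hands off to IKE / protect in SPD order) and the inbound chain (SPI lookup, then the anti-replay sliding window that ESP and AH sequence numbers exist for). The IKE hand-off is only recorded, not run, and the "protection" applied here is just the SPI and sequence number header; the policies, addresses and keys are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class Policy:
    """One SPD entry: static rule saying how traffic between two address ranges is treated."""
    src_net: str
    dst_net: str
    action: str                   # "discard", "bypass" (deliver unprotected) or "protect"
    protocols: tuple = ("esp",)   # IPsec protocols to apply, in SPD order, e.g. ("esp", "ah")

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net))


@dataclass
class SA:
    """One SAD entry: concrete, stateful parameters negotiated by IKE, identified by its SPI."""
    spi: int
    protocol: str
    policy: Policy
    key: bytes
    seq_out: int = 0      # outbound sequence counter
    window: int = 64      # anti-replay window size (inbound)
    seq_high: int = 0     # highest sequence number accepted so far
    bitmap: int = 0       # bit i set means seq_high - i has already been accepted


def replay_check(sa, seq):
    """Sliding-window replay protection (RFC 4303 style). Returns True and records seq if it is new."""
    if seq == 0:
        return False                                   # the first packet on an SA carries seq 1
    if seq > sa.seq_high:                              # new highest: slide the window forward
        shift = seq - sa.seq_high
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1)
        sa.seq_high = seq
        return True
    offset = sa.seq_high - seq
    if offset >= sa.window:                            # older than the window: cannot be tracked
        return False
    if sa.bitmap & (1 << offset):                      # already seen: replay
        return False
    sa.bitmap |= 1 << offset
    return True


class IPsecStack:
    def __init__(self, spd):
        self.spd = list(spd)        # ordered; first matching policy wins
        self.sad = {}               # spi -> SA
        self.ike_requests = []      # policies for which an SA still has to be negotiated

    def install_sa(self, sa):
        self.sad[sa.spi] = sa

    def outbound(self, src, dst, payload):
        """Outgoing packets: policy lookup, then SA lookup, then protection in SPD order."""
        policy = next((p for p in self.spd if p.matches(src, dst)), None)
        if policy is None or policy.action == "discard":
            return "discard", None
        if policy.action == "bypass":
            return "deliver", payload
        sas = [next((s for s in self.sad.values() if s.policy is policy and s.protocol == proto), None)
               for proto in policy.protocols]
        if any(sa is None for sa in sas):
            self.ike_requests.append(policy)           # IKE negotiates the missing SA; this packet is dropped
            return "ike", None
        for sa in sas:                                 # apply each protocol in the order given by the SPD
            sa.seq_out += 1
            payload = struct.pack("!II", sa.spi, sa.seq_out) + payload   # header only; crypto omitted here
        return "deliver", payload

    def inbound(self, pkt):
        """Incoming packets: the SPI from the IPsec header selects the SA, then replay check and SA processing."""
        if len(pkt) < 8:
            return "discard", "no IPsec header"
        spi, seq = struct.unpack("!II", pkt[:8])
        sa = self.sad.get(spi)
        if sa is None:
            return "discard", "no SA for SPI 0x%x" % spi
        if not replay_check(sa, seq):
            return "discard", "replayed or stale sequence number %d" % seq
        return "accept", pkt[8:]
```

The window is what makes replay protection usable over a network that reorders packets: a packet arriving a few positions late is still accepted once, a second copy of any accepted packet is dropped, and anything older than the window is dropped without keeping per-packet state.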
Security of IPSec

Currently no working attacks are known.
The design was criticized by various people, e.g. Schneier/Ferguson:
Some concepts are redundant; most operational modes are not used / not needed; AH+ESP fits all.
High complexity, mainly due to IKE; complex things are prone to errors, i.e. implementation is very difficult.
Currently the best working security mechanism for securing IP communication (on layer 3).