IP Security IK2218/EP2120

Similar documents
IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Internet security and privacy

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

CSCE 715: Network Systems Security

IP Security. Have a range of application specific security mechanisms

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSC 6575: Internet Security Fall 2017

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Virtual Private Network

Chapter 5: Network Layer Security

IPSec. Overview. Overview. Levente Buttyán

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Introduction to IPsec. Charlie Kaufman

Network Security: IPsec. Tuomas Aura

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

The IPSec Security Architecture for the Internet Protocol

The IPsec protocols. Overview

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Chapter 6/8. IP Security

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Cryptography and Network Security. Sixth Edition by William Stallings

CSE509: (Intro to) Systems Security

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

IP Security II. Overview

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Lecture 9: Network Level Security IPSec

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

8. Network Layer Contents

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

Lecture 13 Page 1. Lecture 13 Page 3

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

IP Security. Cunsheng Ding HKUST, Kong Kong, China

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Virtual Private Networks

VPN Overview. VPN Types

COSC4377. Chapter 8 roadmap

Network Security IN2101

Network Security (NetSec) IN2101 WS 16/17

Real-time protocol. Chapter 16: Real-Time Communication Security

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

VPNs and VPN Technologies

Lecture 12 Page 1. Lecture 12 Page 3

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Firewalls, Tunnels, and Network Intrusion Detection

Configuring Security for VPNs with IPsec

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

CSE543 Computer and Network Security Module: Network Security

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

CSC 4900 Computer Networks: Security Protocols (2)

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

CS 494/594 Computer and Network Security

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Network Interconnection

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

Table of Contents 1 IKE 1-1

IPsec and Secure VPNs

The EN-4000 in Virtual Private Networks

Cisco Live /11/2016

CIS 6930/4930 Computer and Network Security. Final exam review

Sample excerpt. Virtual Private Networks. Contents

IPSec Transform Set Configuration Mode Commands

IBM i Version 7.2. Security Virtual Private Networking IBM

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

IPSec Site-to-Site VPN (SVTI)

IKE and Load Balancing

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Configuration of an IPSec VPN Server on RV130 and RV130W

IPSec Transform Set Configuration Mode Commands

Advanced IKEv2 Protocol Jay Young, CCIE - Technical Leader, Services. Session: BRKSEC-3001

14. Internet Security (J. Kurose)

Computer Networks. Wenzhong Li. Nanjing University

Cryptography and Network Security

AIT 682: Network and Systems Security

Chapter 8 Network Security

Internet Protocol and Transmission Control Protocol

Network Encryption 3 4/20/17

Virtual Private Networks (VPN)

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Chapter 8 Security. Computer Networking: A Top Down Approach. Andrei Gurtov. 7 th edition Jim Kurose, Keith Ross Pearson/Addison Wesley April 2016

CS Computer Networks 1: Authentication

Configuring Internet Key Exchange Security Protocol

Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall

CSC Network Security

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Virtual Private Networks

Transcription:

IP Security IK2218/EP2120 Markus Hidell, mahidell@kth.se KTH School of ICT Based partly on material by Vitaly Shmatikov, Univ. of Texas

Acknowledgements The presentation builds upon material from - Previous slides by Markus Hidell and Peter Sjödin - Computer Networking: A Top Down Approach, 5 th ed. Jim Kurose, Keith Ross. Addison-Wesley. - TCP/IP Protocol Suite, 4 th ed, Behrouz Foruzan. McGraw-Hill. 2

Part 1 IPsec: AH and ESP Basics, traffic protection 2

TCP/IP 3

IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service Many solutions are application-specific TLS for Web, S/MIME for email, SSH for remote login IPsec aims to provide a framework of open standards for secure communications over IP Protect every protocol running on top of IPv4 and IPv6 4

Operating System Layers App. TCP IP L2 L1 User process OS kernel Interface specific Socket API Device driver SSL (Secure Socket Layer) changes the API to TCP/IP Applications change, but OS doesn t TCP does not participate in the cryptography...(dos attacks) IPsec implemented in OS Applications and API remain unchanged (at least in theory) To make full use of IPSec, API and apps have to change! and accordingly also the applications (pass on other IDs than IP addr)

Overview of IPsec Authenticated Keying Internet Key Exchange (IKE) Next part of the lecture Data Encapsulation ESP: IP Encapsulating Security Payload (RFC 4303) AH: IP Authentication Header (RFC 4302) Security Architecture (RFC 4301) Tunnel/transport Mode Databases (Security Association, Policy, Peer Authorization) 6

IPsec: Network Layer Security IPsec = AH + ESP + IKE Protection for IP traffic AH provides integrity and origin authentication ESP also confidentiality Sets up keys and algorithms for AH and ESP AH and ESP rely on an existing security association Idea: parties must share a set of secret keys and agree on each other s IP addresses and crypto algorithms Internet Key Exchange (IKE) Goal: establish security association for AH and ESP If IKE is broken, AH and ESP provide no protection! 8

IPsec Security Services Authentication and integrity for packet sources Ensures connectionless integrity (for a single packet) and protection against packet replay (partial sequence integrity) Confidentiality (encapsulation) for packet contents Authentication and encapsulation can be used separately or together Either provided in one of two modes Transport mode Tunnel mode 8

IPsec Modes Transport mode Used to deliver services from host to host or from host to gateway Usually within the same network, but can also be end-to-end across networks Tunnel mode Used to deliver services from gateway to gateway or from host to gateway Usually gateways owned by the same organization With an insecure network in the middle 9

IPsec in Transport Mode End-to-end security between two hosts Requires IPsec support at each host 10

IPsec in Tunnel Mode Gateway-to-gateway security Internal traffic behind gateways not protected Typical application: virtual private network (VPN) Only requires IPsec support at gateways API /application changes not an issue 11

Tunnel Mode Illustration Implements IPsec Implements IPsec IPsec protects communication on the insecure part of the network 12

Transport Mode vs Tunnel Mode Transport mode secures packet payload and leaves IP header unchanged IP header (real dest) IPsec header TCP/UDP hdr + data Tunnel mode encapsulates both IP header and payload into IPsec packets IP header (gateway) IPsec header IP header (real dest) TCP/UDP hdr + data 13

Security Association (SA) One-way sender-recipient relationship Manually configured or negotiated through IKE SA determines how packets are processed Cryptographic algorithms, keys, AH/ESP, lifetimes, sequence numbers, mode (transport or tunnel) SA is uniquely identified by {SPI, dst IP addr, flag} SPI: Security Parameter Index Chosen by destination (unless traffic is multicast...) Flag: ESP or AH Each IPsec implementation keeps a database of SAs SPI is sent with packet, tells recipient which SA to use 14

Sending IPsec Packets When Alice is sending to Bob: Consult security policy database (SPD) to check if packet should be protected with IPsec or not (defined by selectors) SPD can be compared with a firewall table SPD provides pointer to the associated SA entry in the security association database (SAD) SA provides SPI, algorithm, key, sequence number, etc. Include the SPI in the message 15

Outbound IPsec Processing The McGraw-Hill Companies, Inc., 2000 17

Receiving IPsec Packets When Bob receives a message: Lookup the SA based on the destination address and SPI (in a multicast message the address is not Bob's own) If the packet is unsecured (no IPsec) search through SPD for match if no matching entry or if policy is PROTECT or DISCARD, the packet is discarded Find algorithm, key, sequence number, etc. After decrypting message, deliver packet to the next higher layer (such as TCP) 16

Encapsulation Formats AH ESP Authentication Header Provides integrity Encapsulating Security Payload Provides integrity and/or privacy AH in transport mode Original IP header AH TCP header Data 17

AH: Authentication Header AHv2, RFC 4302 RFC 4302 Sender authentication Integrity for packet contents and IP header Sender and receiver must share a secret key This key is used in HMAC computation (message authentication code computed with a hash) The key is set up by IKE key establishment protocol and recorded in the Security Association (SA) Let authentication header implement IP integrity by holding a hash of a shared secret and the content of an IP packet 21

AH and IP Header Mutable fields may change: Service type, Fragm. Offset, TTL, Header checksum Predictable fields may change in a predictable way: Dst address (source routing) Immutable fields will not change: The rest... The McGraw-Hill Companies, Inc., 2000 Mutable fields can t be included in the AH s end-to-end integrity check 19

Authentication Header Format Provides integrity and origin authentication Authenticates portions of the IP header Anti-replay service (to counter denial of service) No confidentiality Next header (TCP) Payload length Security parameters index (SPI) Sequence number ICV: Integrity Check Value Reserved (HMAC of IP header, AH, payload) Identifies security association (shared keys and algorithms) Anti-replay Authenticates source, verifies integrity of payload 20

ESP: Encapsulating Security Payload RFC 4303 Adds new header and trailer fields to packet Transport mode Confidentiality of packet between two hosts Complete hole through firewalls (for IPsec from a particular IP address) Used sparingly Tunnel mode Confidentiality of packet between two gateways or a host and a gateway Implements VPN tunnels FW filtering can be done on packets before they enter tunnel 21

ESP Security Guarantees Confidentiality and integrity for packet payload Symmetric cipher negotiated as part of security assoc Optionally provides authentication (similar to AH) Can work in transport Encrypted (inner) Original IP header ESP header TCP/UDP segment ESP trailer ESP auth or tunnel mode (problem with NAT) Authenticated (outer) New IP header Original IP ESP header TCP/UDP segment ESP trailer ESP auth header 22

Tunnel Mode and NAT Tunnel mode can be problematic together with NAT If we set up a tunnel between our host and a public gateway, it won t work: Our private addresses will be in the original IP header It is OK to set up a tunnel between our host and a private intranet: Private intranet addresses will be in the original IP header New IP header will contain our home private address, which will be translated by the NAT 23

ESP Packet Identifies security association (shared keys and algorithms) Anti-replay TCP segment (transport mode) or entire IP packet (tunnel mode) Pad to block size for cipher, also hide actual payload length Type of payload HMAC-based Integrity Check Value (similar to AH) 24

IPsec and IPv6 IPsec is a mandatory component for IPv6 IPv6 header: Version Class Flow Label Payload Length Next Header Hop Limit Source Address Extension headers are used for IPsec Destination Address 25

IPsec Tunnel Mode in IPv6 IPv6 IPsec is implemented using Authentication extension header ESP extension header Encryption (inner) New IP hdr+ext Orig IP ESP header TCP/UDP segment ESP trailer ESP ICV hdr+ext Authenication/Integrity (outer) 26

Virtual Private Networks (VPN) ESP is often used to implement a VPN Packets go from internal network to a gateway with TCP/IP headers for address in another network Entire packet hidden by encryption Including original headers so destination addresses are hidden Receiving gateway decrypts packet and forwards original IP packet to receiving address in the network that it protects This is known as a VPN tunnel Secure communication between parts of the same organization over public Internet The term IPsec VPN is sometimes used for secure VPNs in general Even though they don t use the IPsec protocols 27

Use Cases Summary Host-Host Transport mode (Or tunnel mode) Gateway-Gateway Tunnel mode Host-Gateway Tunnel mode H H H Secure connection (host-host) H GW Secure tunnel (gw-gw) GW Secure tunnel (host-gw) GW H H

Part 2 IPsec: IKE Internet key exchange 29

Secure Key Establishment Goal: generate and agree on a session key using some public initial information What properties are needed? Authentication (know identity of other party) Secrecy (generated key not known to any others) Forward secrecy (compromise of one session key does not compromise of keys in other sessions) Prevent replay of old key material Prevent denial of service Protect identities from eavesdroppers 30

IKE Internet Key Exchange setting up the SAs for IPsec (ESP and AH SA's) We assume that the two nodes have some long term key Pre-shared secret key Public encryption key Public signature key Use IKE protocol to do mutual authentication and to create a session key Use Diffie-Hellman to derive shared symmetric key IKE does not define exactly which ciphers to use, but a mechanism in which the nodes will negotiate this 31

Diffie-Hellman Secret keys are created only when needed No need to store secret keys for a long period of time, exposing them to increased vulnerablility Exchange requires no preexisting infrastructure other than an agreement on the global parameters A large prime number, p A primitive root of p, g Each partie has its own secret: a and b respectively Secret shared key is g ab mod p For IKE to use Diffie-Hellman we need to add Cookies for protection against denial-of-service attacks Nonces to ensure against replay attacks A number any given user of a protocol uses only once (large random number or sequence number, for instance) 32

Cookies for Key Management in IPsec Protect against denial-of-service/clogging Impostor launches the attack packets with forged IP src addr Solution: When Bob receives connection initiation from IP addr S Send unpredictable number (cookie) to S should be stateless! Do nothing until same cookie is received from S Initiator Assures that initiator can receive packets sent to S I want to talk Bob cookie Cookie = hash(ip addr, secret) Cookie, start rest of the protocol Cookie = hash(ip addr, secret)? If so, continue 33

IKE Phases Phase 1 do mutual authentication and establish IKE session keys Sets up the main SA (or IKE SA) Phase 2 Set up one or more IPsec SAs (child SAs) between the nodes using the keys derived in phase 1 Why two phases? Mutual authentication is expensive If multiple SAs are needed or if SA parameters need to be changed, this can be done without repeating mutual authentication 34

Parameter negotiation IKE Phase 1 Main Mode Alice crypto proposal crypto choice Bob Diffie-Hellman exchange Send IDs and authenticate, encrypted g a mod p g b mod p g ab mod p { Alice, proof I'm Alice} g ab mod p { Bob, proof I'm Bob} Proof of identity different for different key types Pre-shared secret, private encryption or signature key,... Proof is a hash of key, Diffie-Hellman values, nonces, crypto choices, cookies 38

IKE Phase 1 Main Mode cont,d Alice More details: cookies and nonces crypto proposal + initiator cookie crypto choice + initiator cookie, responder cookie Bob g a mod p + cookie pair + nonce A g b mod p + cookie pair + nonce B g ab mod p { Alice, proof I'm Alice} g ab mod p { Bob, proof I'm Bob} Recommended method for creating the cookie: Fast hash (e.g., MD5) over IP src/dst addr, UDP src/dst port, locally generated secret value 39

IKE Phase 1 Session keys g ab mod p { Alice, proof I'm Alice} Means encrypted Previous pictures show the general idea What are the actual session keys? Integrity key and encryption key To calculate various keys: IKE first calculates a quantity known as SKEYID Prf(nonces, cookeis, Diffie-Hellman values) IKE then calculates secret bits called SKEYID_d Prf(SKEYID, and some other values) Use Prf again to create SKEYID_a and SKEYID_e a = authentication and e = encryption 37

Alice IKE Phase 2, Setting up IPsec SAs Phase-1 SA X, Y, K{CP, SPI A, nonce A } X, Y, K{CPA, SPI B, nonce B } X, Y, ack Bob X is a pair of cookies from phase 1 Y is a 32-bit number ID to distinguish between multiple phase 2 sessions The rest is encrypted using SKEYID_e and authenticated using SKEYID_a This part is simplified more info can be exchanged 38

IKEv2 IKE has a history ISAKMP (RFC 2408): framework rather than protocol OAKLEY (RFC 2412) and SKEME: protocols working within ISAKMP IKE (RFC 2409) IKEv2 (RFC 5996) One single document for the standard Simpler message exchange Increased robustness (avoiding deadlocks) Supporting NAT traversal Supporting mobility Supporting SCTP 39

Thanks for listening

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback