Lecture 10: Communications Security

Similar documents
Introduction. INF3510 Information Security. Lecture 10: Communications Security. Outline. Network Security Concepts. University of Oslo Spring 2018

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Transport Level Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

IP Security IK2218/EP2120

E-commerce security: SSL/TLS, SET and others. 4.1

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Transport Layer Security

CSCE 715: Network Systems Security

Internet security and privacy

CSCE 715: Network Systems Security

IPSec. Overview. Overview. Levente Buttyán

8. Network Layer Contents

COSC4377. Chapter 8 roadmap

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Lecture 9: Network Level Security IPSec

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

CS 356 Internet Security Protocols. Fall 2013

Virtual Private Network

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

VPN Overview. VPN Types

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Cryptography and Network Security

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Cryptography and Network Security. Sixth Edition by William Stallings

Chapter 5: Network Layer Security

AIT 682: Network and Systems Security

Security Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

PROGRAMMING Kyriacou E. Frederick University Cyprus. Network communication examples

The IPsec protocols. Overview

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Information Security CS 526

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Chapter 4: Securing TCP connections

(2½ hours) Total Marks: 75

IKE and Load Balancing

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

CSE543 Computer and Network Security Module: Network Security

14. Internet Security (J. Kurose)

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

IBM i Version 7.2. Security Virtual Private Networking IBM

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Overview. SSL Cryptography Overview CHAPTER 1

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

CSE509: (Intro to) Systems Security

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

VPNs and VPN Technologies

IP Security. Have a range of application specific security mechanisms

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Sample excerpt. Virtual Private Networks. Contents

Chapter 6/8. IP Security

Transport Layer Security

Defeating All Man-in-the-Middle Attacks

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

IP Security. Cunsheng Ding HKUST, Kong Kong, China

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Network Security. Thierry Sans

HP Instant Support Enterprise Edition (ISEE) Security overview

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

TLS1.2 IS DEAD BE READY FOR TLS1.3

Configuring Security for VPNs with IPsec

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Network Encryption 3 4/20/17

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

On the Internet, nobody knows you re a dog.

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

Virtual Private Networks

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

TLS 1.1 Security fixes and TLS extensions RFC4346

Chapter 11 The IPSec Security Architecture for the Internet Protocol

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Network Security and Cryptography. December Sample Exam Marking Scheme

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Lecture 13 Page 1. Lecture 13 Page 3

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

The IPSec Security Architecture for the Internet Protocol

CSC 6575: Internet Security Fall 2017

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Introduction to IPsec. Charlie Kaufman

Transcription:

INF3510 Information Security Lecture 10: Communications Security Nils Gruschka University of Oslo Spring 2018

Introduction Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg University Kiel (PhD in Computer Science) NEC Laboratories Europe, Heidelberg University of Applied Science, Kiel University of Oslo, Associate Professor Contact: Nils.Gruschka@ifi.uio.no OJD hus, 9 th floor Areas of interest: Security: Network, Web, Cloud Computing, Industrial Networks Applied Cryptography L10: CommSec INF3510 - Spring 2018 2

Outline Network security concepts Communication security Perimeter security Protocol architecture and security services Example security protocols Transport Layer Security (TLS) IP Layer Security (IPSec) VPN Virtual Private Network L10: CommSec INF3510 - Spring 2018 3

Network Security Concepts Assumes that each organisation owns a network Wants to protect own local network Wants to protect communication with other networks Network Security: two main areas Communication Security: Protection of data transmitted across networks between organisations and end users Topic for this lecture Perimeter Security: Protection of an organization s network from unauthorized access Topic for next lecture L10: CommSec INF3510 - Spring 2018 4

Communication Architecture Protocol Service French Oceanographer Research Results Italian Oceanographer translate Translator English Text Translator encode Morse Coder Morse Code Morse Coder Layer transmit Radio Operator Radio Signal Radio Operator L10: CommSec INF3510 - Spring 2018 5

Communication Protocol Architecture Layered structure of hardware and software that supports the exchange of data between systems Each protocol consists of a set of rules for exchanging messages, i.e. the protocol. Two standards: OSI Reference model Never lived up to early promises TCP/IP protocol suite Most widely used L10: CommSec INF3510 - Spring 2018 6

OSI Open Systems Interconnection Developed by the International Organization for Standardization (ISO) A layer model of 7 layers Each layer performs a subset of the required communication functions Each layer relies on the next lower layer to perform more primitive functions Each layer provides services to the next higher layer Changes in one layer should not require changes in other layers L10: CommSec INF3510 - Spring 2018 7

The OSI Protocol Stack L10: CommSec INF3510 - Spring 2018 8

Communication across OSI 7 data AH AH data 7 6 data PH PH data 6 5 data SH SH data 5 4 data TH TH data 4 3 data NH NH data 3 2 DT data DH DH data DT 2 1 1 bit stream medium L10: CommSec INF3510 - Spring 2018 9

Communication across OSI L10: CommSec INF3510 - Spring 2018 10

TCP/IP Protocol Architecture Developed by the US Defense Advanced Research Project Agency (DARPA) for its packet switched network (ARPANET) Used by the global Internet No official model, but it s a working one. Application layer Host to host or transport layer Internet layer Network access layer Physical layer L10: CommSec INF3510 - Spring 2018 11

OSI model vs. TCP/IP model (The Internet) 7 6 Application protocols, e.g. http, ftp, smtp, snmp 5 4 3 TCP (Transmission Control Protocol) UDP (User Datagram Protocol ) IP (Internet Protocol) 2 TCP or UDP 1 host IP IP IP router router host L10: CommSec INF3510 - Spring 2018 12

TCP/IP Model Example: Access over WiFi router HTTP HTTP TCP TCP IP WiFi WiFi WiFi WiFi IP Ethernet Ethernet IP Ethernet Ethernet End system Notebook Transit system Router End system Web Server L10: CommSec INF3510 - Spring 2018 13

Communication Security Analogy Physical transport security Internet Protected Pipe Digital communication security L10: CommSec INF3510 - Spring 2018 14

Security Protocols Many different security protocols have been specified and implemented for different purposes Authentication, integrity, confidentiality Key establishment/exchange E-Voting Secret sharing etc. Protocols are surprisingly difficult to get right! Many vulnerabilities are discovered years later (e.g. for TLS: DROWN, POODLE, ROBOT, Logjam, FREAK, BEAST, ) some are never discovered (or maybe only by the attackers) L10: CommSec INF3510 - Spring 2018 15

Security Protocols Overview This lecture discusses the operation of two networkrelated protocols that are in common use. Transport Layer Security (TLS): Used extensively on the web and is often referred to in privacy policies as a means of providing confidential web connections. IP Security (IPSec): Provides security services at the IP level and is used to provide Virtual Private Network (VPN) services. L10: CommSec INF3510 - Spring 2018 16

Transport Layer Security TLS/SSL

SSL/TLS: History 1994: Netscape Communications developed the network authentication protocol Secure Sockets Layer, SSLv2. Badly broken 1995: Netscape release their own improvements SSLv3. Widely used for many years. 1996: SSLv3 was submitted to the IETF as an Internet draft, and an IETF working group was formed to develop a recommendation. In January 1999, RFC 2246 was issued by the IETF, Transport Layer Security Protocol: TLS 1.0 Similar to, but incompatible with SSLv3 Currently TLS 1.2 (2008) (allows backwards compatibility with SSL) Draft TLS 1.3 (2016) (totally bans SSL) Firefox browser enabled TLS 1.3 by default in February 2017 [ L10: CommSec INF3510 - Spring 2018 18

SSL/TLS Protocol versions 2013 2017 2014 2015 2016 2018 L10: CommSec INF3510 - Spring 2018 19

TLS: Overview TLS is a cryptographic services protocol based on the Browser PKI, and is commonly used on the Internet. Each server has a server certificate and private key installed Allows browsers to establish secure sessions with web servers. Port 443 is reserved for HTTP over TLS/SSL and the protocol https is used with this port. http://www.xxx.com implies using standard HTTP using port 80. https://www.xxx.com implies HTTP over TLS/SSL with port 443. Other applications: IMAP over TLS: port 993 POP3 over TLS: port 995 L10: CommSec INF3510 - Spring 2018 20

TLS: Layer 4 Security L10: CommSec INF3510 - Spring 2018 21

TLS: Protocol Stack TLS Handshake Protocol TLS Change Cipher Suite Protocol TLS Alert Protocol Application Protocol (e.g. HTTP) TLS Record Protocol TCP IP L10: CommSec INF3510 - Spring 2018 22

TLS: Architecture Overview Designed to provide secure reliable end-to-end services over TCP. Consists of 3 higher level protocols: TLS Handshake Protocol TLS Alert Protocol TLS Change Cipher Spec Protocol The TLS Record Protocol provides the practical encryption and integrity services to various application protocols. L10: CommSec INF3510 - Spring 2018 23

TLS: Handshake Protocol The handshake protocol Negotiates the encryption to be used Establishes a shared session key Authenticates the server Authenticates the client (optional) Completes the session establishment After the handshake, application data is transmitted securely Several variations of the handshake exist RSA variants Diffie-Hellman variants L10: CommSec INF3510 - Spring 2018 24

TLS: Handshake Four phases Phase 1: Initiates the logical connection and establishes its security capabilities Phases 2 and 3: Performs key exchange. The messages and message content used in this phase depends on the handshake variant negotiated in phase 1. Phase 4: Completes the setting up of a secure connection. L10: CommSec INF3510 - Spring 2018 25

TLS: Simplified RSA-based Handshake Client Server Supported crypto algorithms and protocol versions Secret material encrypted with server pub. key Client Hello Server Hello Client Key Exchange Common protocol, Common algorithm, Server certificate Client and Server generate session key from secret material Go to crypto with common algorithm and session key Change Cipher Suite Change Cipher Suite Go to crypto with common algorithm and session key Continues with TLS Record protocol encrypted with session key L10: CommSec INF3510 - Spring 2018 26

TLS: Elements of Handshake Client hello Advertises available algorithms (e.g. RSA, AES, SHA256) Different types of algorithms bundled into Cipher Suites Format: TLS_key-exchange-algorithm_WITH_data-protection-algorithm Example: TLS_RSA_WITH_AES_256_CBC_SHA256 RSA for key exchange AES with CBC mode for encryption SHA256 as hash function for authentication and integrity protection Server hello Returns the selected cipher suite Server adapts to client capabilities L10: CommSec INF3510 - Spring 2018 27

TLS: Elements of Handshake Server Certificate X.509 digital certificate sent to client Client verifies the certificate including that the certificate signer is in its acceptable Certificate Authority (CA) list. Now the client has the server s certified public key. Client Certificate Optionally, the client can send its X.509 certificate to server, in order to provide mutual authentication Server/Client Key Exchange The client and server can a establish session key using asymmetric encryption or DH key exchange (details below) L10: CommSec INF3510 - Spring 2018 28

TLS: Record Protocol Overview Provides two services for SSL connections. Message Confidentiality: Ensure that the message contents cannot be read in transit. The Handshake Protocol establishes a symmetric key used to encrypt SSL payloads. Message Integrity: Ensure that the receiver can detect if a message is modified in transmission. The Handshake Protocol establishes a shared secret key used to construct a MAC. L10: CommSec INF3510 - Spring 2018 29

TLS: Record Protocol Operation Fragmentation: Each application layer message is fragmented into blocks of 214 bytes or less. Compression: Optionally applied. SSL v3 & TLS default compression algorithm is null Add MAC: Calculates a MAC over the compressed data using a MAC secret from the connection state. Encrypt: Compressed data plus MAC are encrypted with symmetric cipher. Permitted ciphers include AES, IDEA,DES, 3DES, RC4 For block ciphers, padding is applied after the MAC to make a multiple of the cipher s block size. L10: CommSec INF3510 - Spring 2018 30

TLS: Key Exchange Two possibilities for exchange of secret key material (premaster secret, PS): RSA encryption DH exchange RSA encryption: Client generates PS + encrypts PS with server public key (RSA) Server decrypts PS with server private key (RSA) L10: CommSec INF3510 - Spring 2018 31

Illustration of DH Key Exchange Image source: Wikipedia

Diffie Hellman Key exchange Process: Alice and Bob agree on (public parameters): Large prime number p (all calculation are performed mod p ) Generator g (i.e. g is primitive root mod p) Alice chooses random number a (1 < a < p - 1) and sends g a to Bob Bod chooses random number b (1 < b < p - 1) and send g b to Alice Common secret: K = (g a ) b mod p = (g b ) a mod p = g ab mod p Security: K can not be calculated from g a or g b

Weakness of DH Key Exchange A E B g a g b g e g e Secure Communication K 1 = g ae mod p Secure Communication K 2 = g be mod p

TLS: Key Exchange Two possibilities for exchange of secret key material (premaster secret, PS): RSA encryption DH exchange RSA encryption: Client generates PS + encrypts PS with server public key (RSA) Server decrypts PS with server private key (RSA) DH exchange: Client and server perform Diffie-Hellman-Exchange (DH) Server signs his DH value with his private key (RSA) Client validates signature with server public key (RSA) L10: CommSec INF3510 - Spring 2018 35

TLS Key Exchange Problem with RSA key exchange? Lets assume adversary records complete TLS session If later private key of server is known Premaster secret can be decrypted Session key can be calculated Complete payload can be decrypted With DH exchange: later knowledge of private key is useless Payload remains protected perfect forward secrecy L10: CommSec INF3510 - Spring 2018 36

TLS: Symmetric key derivation Using two random numbers (from client and server) + premaster secret Key material calculation (general) Uses Key Expansion Internally using a pseudo random function (based on hash function) Can produce arbitrary length key material Master secret calculation Input: Premaster Secret, random number client, random number server Output: Master Secret (48 byte) Encryption/MAC key calculation Input: Master Secret, random number client, random number server Output: Key block, is partitioned into required keys Random (Client) Premaster secret PRF Master secret PRF Random (Server) 37 Key Block Client MAC Server MAC...

Demo L10: CommSec INF3510 - Spring 2018 38

SSL/TLS Challenges Higher layers should not be overly reliant on SSL/TLS. Many vulnerabilities exist for SSL/TLS. People are easily tricked Changing between http and https causes vulnerability to SSL stripping attacks SSL/TLS only as secure as the cryptographic algorithms used in handshake protocol: hashing, symmetric and asymmetric crypto. Relies on Browser PKI which has many security issues Fake server certificates difficult to detect Fake root server certificates can be embedded in platform, see e.g. Lenovo Komodia advare scam L10: CommSec INF3510 - Spring 2018 39

SSL Stripping Attack User Man in the Middle Bank Client 1 http access http login page 6 7 http login credentials 8 Stolen credentials http access 2 redirect SSL 3 https access 4 https login page 5 Server Variations include MitM server can connect to client over https in msg (6) with server certificate that has similar domain name as real server. Attacker can leave the connection after stealing credentials, then the client connects directly to real server with https Attacker just downgrades the https connnection to a vulnerable SSL/TLS version or a broken cipher suite L10: CommSec INF3510 - Spring 2018 40

HSTS HTTP Strict Transport Security Preventing SSL Stripping A secure server can instruct browsers to only use https When requesting website that uses HSTS, the browser automatically forces connect with https. Users are not able to override policy Two ways of specifying HSTS websites List of HSTS websites can be preloaded into browsers HSTS policy initially specified over a https connection HSTS policy can be changed over a https connection Disadvantages HSTS websites can not use both http and https Difficult for a website to stop using https Can cause denial of service, e.g. no fallback to http in case of expired server certificate L10: CommSec INF3510 - Spring 2018 41

Preventing SSL Stripping with HSTS User Man in the Middle Bank 1 http HSTS 2 https access http login page 5 3 https access https login page 4 Client 6 Session blocked Server Limitation of HSTS: Requires first visit to secure website to set HSTS policy in browser Can be solved by browser having preloaded list of HSTS websites Browsers would be vulnerable if attacker could delete HSTS cache L10: CommSec INF3510 - Spring 2018 42

Demo L10: CommSec INF3510 - Spring 2018 44

Phishing and failed authentication User Phishing email 1 masquerading as bank Click on link to access fake bank 2 The Mafia Fake Bank looks real 5 Server certificate Mafia 3 4 TLS setup Client Fake login page 6 HTML Bank Server 7 Hijacked Login L10: CommSec INF3510 - Spring 2018 45

IP Layer Security IPSec & Virtual Private Networks

IPSec: Introduction Internet Protocol security (IPSec) is standard for secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. Uses encryption, authentication and key management algorithms Based on an end-to-end security model at the IP level Provides a security architecture for both IPv4 and IPv6 Mandatory for IPv6 Optional for IPv4 Requires operating system support, not application support. L10: CommSec INF3510 - Spring 2018 47

Layer 3 Security IP Sec Operation L10: CommSec INF3510 - Spring 2018 48

IPSec: Security Services Message Confidentiality. Protects against unauthorized data disclosure. Accomplished by the use of encryption mechanisms. Message Integrity. IPsec can determine if data has been changed (intentionally or unintentionally) during transit. Integrity of data can be assured by using a MAC. Traffic Analysis Protection. A person monitoring network traffic cannot know which parties are communicating, how often, or how much data is being sent. Provided by concealing IP datagram details such as source and destination address. L10: CommSec INF3510 - Spring 2018 49

IPSec: Security Services Message Replay Protection. The same data is not delivered multiple times, and data is not delivered grossly out of order. However, IPsec does not ensure that data is delivered in the exact order in which it is sent. Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint with which it wishes to communicate. Ensures that network traffic is being sent from the expected host. Network Access Control. Filtering can ensure users only have access to certain network resources and can only use certain types of network traffic. L10: CommSec INF3510 - Spring 2018 50

IPSec: Common Architectures Gateway-to-Gateway Architecture Host-to-Gateway Architecture Host-to-Host Architecture L10: CommSec INF3510 - Spring 2018 51

IPSec: Gateway-to-Gateway Architecture Source: NIST Special Publication 800-77 L10: CommSec INF3510 - Spring 2018 52

IPSec: Host-to-Gateway Architecture Source: NIST Special Publication 800-77 L10: CommSec INF3510 - Spring 2018 53

IPSec: Host-to-Host Architecture Source: NIST Special Publication 800-77 L10: CommSec INF3510 - Spring 2018 54

IPSec: Protocols Types Encapsulating Security Payload (ESP) Confidentiality, authentication, integrity and replay protection Authentication Header (AH) Authentication, integrity and replay protection. However there is no confidentiality Internet Key Exchange (IKE) negotiate, create, and manage security associations A connection consists of two SA (Security Associations) One SA for each directions Each SA is described by a set of parameters L10: CommSec INF3510 - Spring 2018 55

IPSec: Modes of operation Each protocol (ESP or AH) can operate in transport or tunnel mode. Transport mode: Operates primarily on the payload (data) of the original packet. Generally only used in host-to-host architectures. Tunnel mode: Original packet encapsulated into a new one, payload is original packet. Typical use is gateway-to-gateway and host-to-gateway architectures. L10: CommSec INF3510 - Spring 2018 56

Transport Mode ESP Original IP Packet IP Header DATA IP Header ESP Header DATA ESP Trailer ESP Auth Encrypted Authenticated Original IP Packet protected by Transport-ESP L10: CommSec INF3510 - Spring 2018 57

IPSec - ESP in Transport Mode: Outbound Packet Processing The data after the original IP header is padded by adding an ESP trailer and the result is then encrypted using the symmetric cipher and key in the SA. An ESP header is prepended. If an SA uses the authentication service, an ESP MAC is calculated over the data prepared so far and appended. The original IP header is prepended. However, some fields in the original IP header must be changed. For example, Protocol field changes from TCP to ESP. Total Length field must be changed to reflect the addition of the AH header. Checksums must be recalculated. L10: CommSec INF3510 - Spring 2018 58

Tunnel Mode ESP Original IP Packet IP Header DATA New IP Head ESP Head IP Header DATA ESP Trailer ESP Auth Authenticated Original IP Packet protected by Tunnel-ESP Encrypted L10: CommSec INF3510 - Spring 2018 59

IPSec - ESP in Tunnel Mode: Outbound Packet Processing The entire original packet is padded by adding an ESP trailer and the result is then encrypted using the symmetric cipher and key agreed in the SA. An ESP header is prepended. If an SA uses the authentication service, an ESP MAC is calculated over the data prepared so far and appended. A new outer IP header is prepended. The inner IP header of the original IP packet carries the ultimate source and destination addresses. The outer IP header may contain distinct IP addresses such as addresses of security gateways. The outer IP header Protocol field is set to ESP. L10: CommSec INF3510 - Spring 2018 60

Security Associations A security association (SA) contains info needed by an IPSec endpoint to support one end of an IPSec connection. Can include cryptographic keys and algorithms, key lifetimes, security parameter index (SPI), and security protocol identifier (ESP or AH). The SPI is included in the IPSec header to associate a packet with the appropriate SA. Security Associations are simplex need one for each direction of connection stored in a security association database (SAD). Key exchange is largely automated after initial manual configuration by administrator prior to connection setup. (See ISAKMP, IKE, Oakley, Skeme and SAs) L10: CommSec INF3510 - Spring 2018 61

Key Exchange Alice and Bob have common (long term) secret s DH exchange is authenticated (MITM not possible) After each session, session key is destroyed Perfect forward secrecy A B g a g b hash (g a g b s) hash (g a g b s Bob ) 62

Typical usage of IPSec: VPN External Location Home Network Internet Protected Pipe L10: CommSec INF3510 - Spring 2018 63

Risks of using IPSec for VPN IPSec typically used for VPN (Virtual Private Networks) A VPN client at external location may be connected to the Internet (e.g. from hotel room or café) while at the same time being connected to home network via VPN. VPN gives direct access to resources in home network. Internet access from external location may give high exposure to cyber threats No network firewall, no network IDS Attacks against the VPN client at external location can directly access the home network through VPN tunnel L10: CommSec INF3510 - Spring 2018 64

Risk of using VPN Attacker External Location Home Network Internet Protected Pipe Secure pipe can be attack channel to home network! L10: CommSec INF3510 - Spring 2018 65

Cloud VPN A cloud-based infrastructure for VPN. VPNaaS A.k.a.: - Hosted VPN - VPNaaS (Virtual Private Network as a Service) Cloud VPNs provide security and globally accessible VPN service access without the need for any VPN infrastructure on the user's end. The user connects to the cloud VPN through the provider s website or a desktop/mobile app. The pricing of cloud VPN is based on pay-per-usage or a flat-fee subscription. Disadvantages /risks Cleartext-gap at the VPN provider VPN provider knows Internet usage profile Malicious VPN service? L10: CommSec INF3510 - Spring 2018 66

Cloud VPN Hosted VPN VPNaaS Company Branch A Internet VPNaaS (cleartext-gap) Company Branch B L10: CommSec INF3510 - Spring 2018 67

Internet services VPN Browsing via VPN Proxy Internet VPNaaS (exposed URLs) User L10: CommSec INF3510 - Spring 2018 68

Tor The Onion Router Image courtesy indymedia.de An anonymizing routing protocol Originally sponsored by the US Naval Research Laboratory From 2004 to 2006 was supported by EFF Since 2006 independent nonprofit organisation Creates a multi-hop proxy circuit through the Internet from client to destination. Each hop wraps another encryption layer thereby hiding the next destination. No cleartext-gap, except at the exit-node. No node knows end-to-end client-server association Full technical details: https://www.torproject.org/ L10: CommSec INF3510 - Spring 2018 69

Image courtesy torproject.org L10: CommSec INF3510 - Spring 2018 70

Image courtesy torproject.org L10: CommSec INF3510 - Spring 2018 71

Image courtesy torproject.org L10: CommSec INF3510 - Spring 2018 72

Onion Message Destination: Router A Encrypt for A Destination: Router B Encrypt for B Destination: Router C Encrypt for C Destination: Jane Payload L10: CommSec INF3510 - Spring 2018 73

Diagram courtesy Wikimedia Commons L10: CommSec INF3510 - Spring 2018 74

End of lecture L10: CommSec INF3510 - Spring 2018 75

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback