An Introduction To IPsec
Bezawada Bruhadeshwar,
International Institute of
Information Technology,
Hyderabad
Overview of Presentation
Introduction




The Internet Model and Threats
Solutions Possible
Security Measures at Various Layers
IPsec: security at network layer
How IPsec works




IPsec model
Authentication Header
Encapsulating Security Payload
Internet Key Exchange
Limitations of IPsec
Conclusions
Introduction
Original Design Model for Internet




The model of Internet was made for a more
benign environment like academia
All data on Internet was free to all and anyone
could share or modify the data
Since some etiquette was being observed
by the limited Internet community, security
was hardly an issue
Internet has grown beyond academia
Introduction (contd.)
Several useful applications have prompted businesses
to make use of the Internet


E.g., Amazon.com, rediff.com, icicibank.com…
Almost all conventional businesses now have a presence on
the Internet
Some businesses only have an Internet presence

E.g., Ebay.com, Amazon.com, fabmall.com
Several social communities are built over the Internet

E.g., Orkut.com, yahoo.groups, google groups
Introduction (contd.)
In the present scenario, the Internet enables instant
on-demand business by



Establishing communication links with suppliers
and business partners
Eliminating the need for costly wide area
network dedicated lines
Enabling remote access to corporate networks
using many available Internet service providers
One of the main stumbling blocks to achieving
these benefits is the lack of security (besides
reliability and quality of service, among others)
Internet Threats
The varied nature of Internet users and
networks has brought the security concern
Confirming these fears, several threats have
surfaced, such as





Identity spoofing
Denial of service
Loss of privacy
Loss of data integrity
Replay attacks
Internet Threats (contd.)
Identity spoofing

Executing transactions by masquerading
Denial of service

Preventing a service provider from serving by flooding it with
fake requests for service
Loss of privacy

Eavesdropping on conversations, database replies etc
Loss of data integrity

Modifying data in transit to disrupt a valid communication
Replay attacks

Using older legitimate replies to execute new and malicious
transactions
Solutions to the Problems
Confidentiality

If data is encrypted intruders cannot observe
Integrity

Modification can be detected
Authentication


If devices can identify source of data then it is difficult to
impersonate a friendly device
Spoofing, replay attacks and denial of service can be
averted
The question is where should such a solution be
implemented in the protocol stack?
Public-Key Cryptography
A user generates two keys: a public-key and private-key pair
Public-key and private-key pairs can be viewed as
mutually cancelling

What public-key can encrypt only private-key can decrypt
Public-key is known to everyone

Anyone can send a message to the user using public key
Private-key is secret

Only the user can decrypt with private key
Encryption with the private key is called a digital signature

Can be verified but cannot be forged
Message Authentication Codes
A Message Authentication Code algorithm is a family
of hash functions h_k, parametrized by a secret key k, with
properties:

Ease of computation: given a key k and input x, it is easy to
compute h_k(x)
Compression: h_k maps an input of arbitrary length to an
output h_k(x) of bitlength n
Computation-resistance: given zero or more text-MAC pairs
(x_i, h_k(x_i)) it is computationally infeasible to compute any
text-MAC pair (x, h_k(x)) for any new input x
If two users share a cryptographic key they can use it
to generate the same MAC and hence validate each other
Recalling Protocol Stack
[Figure: protocol stack, top to bottom: Application (NFS, SNMP, FTP, DNS, SMTP, HTTP); TCP, UDP; IP; Link Layer; Physical Layer]
Security Measures at Different
Layers
Application Layer
PGP, Kerberos, SSH, S/MIME
Transport Layer
SSL/Transport Layer Security (TLS)
Network Layer
IPsec
Data Link Layer
Hardware encryption
Security Measures at Different Layers (contd.)
Application Layer Security



Implemented as a User Software
No need to modify operating system or underlying network
structure
Each application and system requires its own security
mechanisms
SSL/TLS (transport layer security) is implemented as
user-end software, and is protocol specific
Link layer security



Implemented in hardware
Requires encryption and decryption on every link
Difficult to implement in an Internet-like scenario
IPsec: Security at IP Layer
IPsec is a framework of open standards
developed by IETF (www.ietf.org, RFCs 4301-4308)
IPsec is below the transport layer and is transparent
to applications

IPsec provides security to all traffic passing through
the IP layer
End users need not be trained on security
mechanisms, issued keys or revoked
IPsec has the granularity to provide per-user
security if needed
IPsec: Security at IP Layer (contd.)
IPsec has additional advantages of
protecting routing architecture



IPsec can assure that a router
advertisement is from an authorized router
A routing update is not forged
A neighbor advertisement comes from an
authorized router
IPsec Services
Access control
Connectionless Integrity
Data origin authentication
Rejection of replayed packets
Confidentiality
Limited traffic flow confidentiality
IPsec Manifestation
Protects data flow between/among



Pair of hosts: end-to-end protection between two users,
independent of applications they are using
Pair of security gateways: A security gateway can be a
router, firewall, proxy etc. Secures entire traffic from/to the
network
Security gateway and a host: secure remote access to
network resources
Granularity in IPsec


Mode, choice of cryptographic algorithms, protocols
Which subsets of traffic are afforded protection
IPsec at a Glance
IPsec uses a combination of the
following techniques to provide its
services



Diffie-Hellman key exchange to establish
keys between peers
Encryption algorithms like DES to provide
confidentiality
Keyed hash algorithms like MD5 and SHA-1
to provide message authentication
IPsec: Roadmap
Security Association, Security Policy Database
IPsec protocol components
IPsec modes
Authentication Header
Encapsulating Security Payload
Internet Key Exchange
Commercial Instantiations
Security Association
A simplex (one-way) relationship that affords
security services to the traffic carried by it
Only one service per SA: AH or ESP
To secure bi-directional traffic 2 SAs are
required
Specified by Security parameters index (SPI),
destination IP address


Multiple SAs used by same source/receiver
Multiple sources can use same SA
Security Association
Security Parameters Index
IP Destination Address
Security Protocol Identifier
All three identify the particular SA being
used
SA Parameters
Sequence Number Counter
Sequence Counter Overflow
Anti-Replay Window
AH Information
ESP Information
Lifetime of SA
IPSec Protocol mode – Tunnel, Transport
Path MTU
Security Policy Database
Defines policies for all IP traffic passing through the
interface


Each SPD points to one or more corresponding SAs
Processing is done after matching against the corresponding
SPD entry by using the relevant SA
Protection offered by IPsec is based on requirements
defined by a security policy database, SPD
Packets are selected for one of three processing
actions based on IP header information, matched
against entries in SPD

Actions: PROTECT, DISCARD, BYPASS
SPD Entries
Destination IP Address
Source IP Address
UserID
Data sensitivity level
Transport layer protocol
IPSec protocol
Source and Destination Ports
IPv6 Class
IPv6 Flow label
IPv4 Type of Service
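
The lookup described above, as an added example that is not part of the original slides: an ordered SPD matched on a subset of the selectors listed (source and destination address, transport protocol, destination port). The entries, the SA label and the default-discard behaviour for unmatched traffic are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SPDEntry:
    src: str                   # source network selector (CIDR)
    dst: str                   # destination network selector (CIDR)
    proto: Optional[str]       # transport layer protocol, None = any
    dport: Optional[int]       # destination port, None = any
    action: str                # PROTECT, DISCARD or BYPASS
    sa: Optional[str] = None   # hypothetical SA label, used only with PROTECT

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))

# Constructed policy for a site-to-site gateway; order matters, first match wins.
SPD = [
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", "udp", 500, "BYPASS"),   # IKE itself
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", "tcp", 23, "DISCARD"),   # no telnet
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT",
             sa="esp-tunnel-to-site2"),
]

def spd_lookup(src, dst, proto, dport, spd=SPD):
    """Return (action, sa) for a packet's IP header selectors."""
    for entry in spd:
        if entry.matches(src, dst, proto, dport):
            return entry.action, entry.sa
    # Assumption: traffic that matches no entry is dropped (default deny).
    return "DISCARD", None

if __name__ == "__main__":
    for pkt in [("10.1.4.7", "10.2.0.9", "tcp", 443),
                ("10.1.4.7", "10.2.0.9", "udp", 500),
                ("10.1.4.7", "10.2.0.9", "tcp", 23),
                ("10.1.4.7", "192.0.2.53", "udp", 53)]:
        print(pkt, "->", spd_lookup(*pkt))
```

Placing the catch-all PROTECT entry first would shadow the BYPASS and DISCARD entries, which is a common source of SPD misconfiguration.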
Security Policy Database (contd.)
Logical divisions of SPD: SPD-S, SPD-I, SPD-O

SPD-I (bypassed or discarded), entries that
apply to the inbound traffic
SPD-O (bypassed or discarded), entries
identifying outbound traffic
SPD-S (secure traffic), entries to look up
SAs and create SAs
IPsec components
IPsec consists of two important protocol
components


The first defines the information that needs to be
added to the IP packet to achieve the required
services. These are classified further as
Authentication Header and Encapsulating Security
Payload
The second, Internet Key Exchange,
negotiates security associations between two peers
and exchanges keying material
Recalling Packet Headers
[Figure: Encapsulation of Data for Network Delivery. The original message from the Application Layer is wrapped in successive headers (Header 1/Data 1, Header 2/Data 2, Header 3/Data 3) as it passes through the Transport Layer (TCP, UDP), Network Layer (IP) and Data Link Layer.]
IPsec Modes
IPsec can operate in two modes

Transport Mode
  Only IP payload is encrypted
  IP headers are left intact
  Adds limited overhead to the IP packet

Tunnel
  Entire IP packet is encrypted
  New IP headers are generated for this packet
  Transparent to end-users
IPsec modes (contd.)
Transport Mode: protect the upper layer
protocols
[Figure: Original IP datagram: IP Header | TCP Header | Data. Transport mode protected packet: IP Header | IPSec Header | TCP Header | Data, with TCP Header and Data protected.]
Tunnel Mode: protect the entire IP payload
[Figure: Tunnel mode protected packet: New IP Header | IPSec Header | Original IP Header | TCP Header | Data, with Original IP Header, TCP Header and Data protected.]
Authentication Header
This information is added to the header
to provide the following services:


Access control, connectionless integrity,
data origin authentication, rejection of
replayed packets
Information added are:
  Sequence number (32-bit)
  Integrity check value (variable, multiple of 32 bits)
Authentication Header (contd.)
Anti-replay attacks


Range of sequence numbers for session is 2^32-1
Sequence numbers are not reused
Integrity Check Value (ICV)


Keyed MAC algorithms used: AES, MD5, SHA-1
MAC is calculated over immutable fields in transit
(source/dest. addr, IP version, header length,
packet length)
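
An added example, not from the original slides, of the anti-replay service described above: a sender counter that refuses to reuse sequence numbers and a receiver-side sliding window that rejects replayed or stale packets. The window size of 64 and the class names are assumptions made for illustration.

```python
MAX_SEQ = 0xFFFFFFFF  # 2^32-1, the last usable 32-bit sequence number

class SenderCounter:
    """Per-SA sequence number counter on the sending side."""
    def __init__(self):
        self.seq = 0

    def next(self):
        if self.seq == MAX_SEQ:
            # Sequence numbers are not reused: the SA must be replaced.
            raise OverflowError("sequence number overflow; negotiate a new SA")
        self.seq += 1
        return self.seq

class AntiReplayWindow:
    """Receiver-side sliding window (assumed size: 64 packets)."""
    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) was already accepted

    def check_and_update(self, seq):
        """Call only after the packet's ICV has verified."""
        if seq == 0 or seq > MAX_SEQ:
            return "reject: invalid"
        if seq > self.highest:
            # Window slides forward; the new packet becomes bit 0.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "reject: too old"
        if self.bitmap & (1 << offset):
            return "reject: replay"
        self.bitmap |= 1 << offset   # late but new: mark as seen
        return "accept"

if __name__ == "__main__":
    window = AntiReplayWindow()
    for seq in (1, 1, 5, 3, 3, 100, 36, 37):   # constructed arrival order
        print(seq, window.check_and_update(seq))
```

Updating the window before the integrity check has passed would let forged packets advance it and push legitimate traffic out of range.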
Encapsulating Security Payload
Three types of services



Confidentiality only
Integrity only
Confidentiality and integrity
Others


Anti-replay service
Limited traffic flow confidentiality
ESP (contd.)
Header fields





Security parameters index (32-bit)
Sequence number (32-bit)
Encrypted payload (variable) + padding (0-255 bytes),
computed over upper layer segment
(transport mode) or entire packet (tunnel mode)
TFC padding (optional, variable)
Integrity check value-ICV (variable, optional),
computed over ESP header (all above data)
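
An added example, not from the original slides, that lays out the ESP fields listed above and checks the ICV with HMAC-SHA1-96, the keyed MAC this deck names for ESP integrity. It also illustrates the shared-key MAC validation from the Message Authentication Codes slide. The key, SPI and ciphertext bytes are constructed, the encrypted payload is treated as opaque, and the key is passed in directly rather than looked up from an SA.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: 160-bit HMAC-SHA1 output truncated to 96 bits

def esp_icv(auth_key, spi, seq, ciphertext):
    """ICV over SPI, sequence number and the encrypted payload + padding."""
    header = struct.pack("!II", spi, seq)   # two 32-bit big-endian fields
    return hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]

def build_esp(auth_key, spi, seq, ciphertext):
    """SPI | sequence number | encrypted payload | ICV."""
    return (struct.pack("!II", spi, seq) + ciphertext
            + esp_icv(auth_key, spi, seq, ciphertext))

def parse_esp(auth_key, packet):
    """Return (spi, seq, ciphertext); raise ValueError if the packet is bad."""
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", packet[:8])
    ciphertext, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison, done before any decryption is attempted.
    if not hmac.compare_digest(icv, esp_icv(auth_key, spi, seq, ciphertext)):
        raise ValueError("integrity check fails")
    return spi, seq, ciphertext

def check(auth_key, packet):
    """Verdict string suitable for an audit log entry."""
    try:
        parse_esp(auth_key, packet)
        return "ok"
    except ValueError as err:
        return str(err)

# Constructed sample values, not taken from any real SA.
AUTH_KEY = bytes(range(20))
CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    pkt = build_esp(AUTH_KEY, 0x1000, 7, CIPHERTEXT)
    print(check(AUTH_KEY, pkt))
    # Flipping one bit of the sequence number invalidates the ICV.
    forged = pkt[:7] + bytes([pkt[7] ^ 1]) + pkt[8:]
    print(check(AUTH_KEY, forged))
```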
ESP (contd.)
For most purposes, ESP is sufficient to achieve
both confidentiality and integrity.
Some auditable events by IPsec are:





Invalid SA
Processing fragmented packet
Transmitting packet which can cause sequence
number overflow
Received packet fails anti-replay
Integrity check fails
Internet Key Exchange (IKE)
IKE creates authenticated secure
channel between two peers and then,
negotiates SA
Phases of IKE



Authentication
Key Exchange
Establishing SA
Authentication
Two peers in IPsec need to identify each
other. Forms of authentication :

Pre-shared keys: same keys are pre-installed and
authentication is done by exchanging known data
  Decryption requires same key and hence, only valid
  receivers can recover data

Public key cryptography: Nonces are exchanged
using other user’s public-key and replies are
checked for verification
  Public-key to encrypt, Private-key to decrypt
IKE and IPsec
Limitations
Security implemented by AH and ESP
ultimately depends on their implementation
Operating environment affects the way IPsec
security works
Defects in OS security, poor random number
generators, misconfiguration of protocols, can
all degrade security provided by IPsec.
Cryptographic Standards for ESP & IKE
Encapsulating Security Payload


ESP encryption: TripleDES in CBC mode [RFC2451]
ESP integrity : HMAC-SHA1-96 [RFC2404]
IKE and IKEv2




Encryption : TripleDES in CBC mode [RFC2451]
Pseudo-random function: HMAC-SHA1 [RFC2104]
Integrity : HMAC-SHA1-96 [RFC2404]
Diffie-Hellman group: 1024-bit Modular Exponential (MODP)
[RFC2409]
Conclusions
IPsec provides a method for creating secure
private networks over public networks
Applications, operating systems need not be
changed

Implementation can be limited to secure gateways
Several products based on IPsec are
commercially deployed
Users can even enable and use IPsec on their
machines