Transcript IPsec
IPSec
406
NW’98
© 1998, Cisco Systems, Inc.
1
Security Threats
[Figure: four threat panels]
• Loss of Privacy: telnet foo.bar.org; username: dan; password: (m-y-p-a-s-s-w-o-r-d, d-a-n)
• Impersonation: "I’m Bob, Send Me all Corporate Correspondence with Cisco" (Bob)
• Loss of Integrity: Customer, Bank; Deposit $ 1000, Deposit $ 100
• Denial of Service: CPU
Challenges of Data Confidentiality
• Protect confidentiality of data
over an untrusted network
• Ensure identity of users and systems
• Scale from small to very large networks
• Implement a manageable public
key infrastructure
What Is IPSec?
• Network layer encryption
and authentication
• Open standards for ensuring secure
private communications
• Provides a necessary component of
a standards-based, flexible solution for
deploying a network-wide
security policy
Benefits of IPSec
• Standard for privacy, integrity and
authenticity for networked commerce
• Implemented transparently in the network
infrastructure
• End-to-end security solution including
routers, firewalls, PCs and servers
IPsec Everywhere!
Router to Firewall
Router to Router
PC to Firewall
PC to Server
PC to Router
Keyed Hashing for Authentication
• Secret key and message are
hashed together
• Recomputation of digest
verifies that message
originated with peer and that
message was not altered in
transit
[Figure: “Secret Key” → Hash Function → Hash]
Diffie-Hellman Key Exchange (1976)
By Openly Exchanging
Non-Secret Numbers, Two People Can
Compute a Unique Shared Secret Number
Known Only to Them
Grounds of Diffie-Hellman
• one large prime number (generator) g is made public
• computing $g^R$ is fast
• computing R from $g^R$ is much more difficult
• modulus (prime), p
• modular arithmetic (mod p) actually used => nearly impossible to get back R
Diffie-Hellman Public Key Exchange
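Alice: Private Value $X_A$, Public Value $Y_A$, with $Y_A = g^{X_A} \bmod p$
Bob: Private Value $X_B$, Public Value $Y_B$, with $Y_B = g^{X_B} \bmod p$
Alice sends $Y_A$ to Bob; Bob sends $Y_B$ to Alice.
$$Y_B^{X_A} = (g^{X_B})^{X_A} = g^{X_B X_A} = g^{X_A X_B} = (g^{X_A})^{X_B} = Y_A^{X_B} \bmod p$$
(shared secret)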
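The exchange above as runnable code, an added example that is not part of the original slides. It assumes Oakley Group 1 (the 768-bit "DH1" group named in the IKE proposals later in this deck, kept only for fidelity to 1998), and it goes one step beyond the slide by rejecting degenerate public values before computing the secret; the function names are illustrative.

```python
import secrets

# Oakley Group 1 (768-bit MODP prime, generator 2), the "DH1" group.
# Kept for fidelity to the 1998 slides; far too small for current use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair():
    """Return (private value X, public value Y = g^X mod p)."""
    x = secrets.randbelow(P - 3) + 2      # X drawn from [2, p-2]
    return x, pow(G, x, P)


def shared_secret(own_private, peer_public):
    """Compute Y_peer^X_own mod p after rejecting degenerate public values."""
    if not 1 < peer_public < P - 1:       # 0, 1 and p-1 force a guessable secret
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, P)


def exchange():
    """One run of the exchange; only ya and yb would cross the network."""
    xa, ya = keypair()                    # Alice
    xb, yb = keypair()                    # Bob
    return shared_secret(xa, yb), shared_secret(xb, ya), (ya, yb)
```

Each call to `exchange()` draws fresh private values, so two runs yield unrelated secrets, which is the property the Perfect Forward Secrecy slide relies on when Diffie-Hellman is repeated for each rekey.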
Using Certificates
BANK
Internet
• Certificate Authority (CA) verifies identity
• CA signs digital certificate containing
device’s public key
• Certificate equivalent to an ID card
Digital Certificate
• A digital certificate contains:
Serial number of the certificate
Issuer algorithm information
Valid to/from date
User public key information
Signature of issuing authority
[Figure: sample certificate: 0000123; RSA, 3837829…; 1/1/93 to 12/31/98; Alice Smith, Acme Corp; RSA, 3813710…; Acme Corporation, Security Dept.; RSA, 2393702347…]
How do peers work with the CA?
0. peer generates public/private key pair
CA’s own certificate signed by CA
3. peer’s certificate signed by CA
Strong or human authentication needed for steps 1. and 2.
Certification Authority
• CA is software
• main purpose of CA = sign certificates
after valid authentication
• private key of CA is the ‘most secret’ key
• CA can be offline or online
• CA is used only:
–on installation
–public key changes
–renewal of certificates
How to scale CA ?
a root CA can delegate authentication to a lower CA
[Figure: root → lower CA]
certificate chain of router:
root CA own certificate signed by root CA
lower CA certificate signed by root CA
router certificate signed by lower CA
How to scale CA ?
• beside this hierarchical scheme there is a
meshed one
• CA role can be split:
publication authority: CRL storage
local registration authority:
very similar to lower CA
What is a certificate worth?
• certificates are signed by the CA private key ==> secure the private key
• own key pairs can be compromised ==> the corresponding certificate must be revoked (black list = CRL, Certificate Revocation List)
Certificate Revocation List
• List of revoked certificates
signed by CA
• Stored on CA or directory
service
• No requirement on devices to
ensure CRL is current
[Figure: Revoked: Cert 12345, Cert 12241, Cert 22333]
Defining the Terms
• PKCS—Public Key
Cryptography Standards
• PKIX—Public Key Infrastructure
Working group
• CEP—Certificate enrollment protocol.
Used by Cisco to enroll certificates
PKCS Standards
• Created by RSA to ensure interoperability
• Important PKCS for IPSec:
PKCS #1: RSA signature definition
PKCS #7: Digitally signed or enveloped messages
PKCS #10: Certification requests
IETF Public Key Infrastructure
Working Group (PKIX)
• Facilitate the use of X.509 certificates in
multiple applications, including IPSec,
S/Mime, Web
• Promote interoperability
Certificate Enrollment Protocol
• Lightweight protocol to support
certificate life cycle operations
• Uses PKCS #7 and #10
• Transaction-oriented request /
response protocol
• Transport-mechanism independent
• Requires manual authentication during
enrollment
IPSec Description
IPSec Security Services
• Data integrity
• Data origin authentication
• Replay prevention
• Confidentiality
• Limited traffic flow confidentiality
Tunnel and Transport Modes
• Transport mode for end-to-end session
• Tunnel mode for everything else
[Figure labels: Tunnel Mode, Tunnel Mode, Transport Mode]
IPsec Modes
Tunnel Mode
IP HDR | Data
New IP HDR | IPsec HDR | IP HDR | Data (may be encrypted)
Transport Mode
IP HDR | Data
IP HDR | IPsec HDR | Data (may be encrypted)
IPsec: Authentication Header
• RFC 1826 Aug ‘95 without anti-replay
• RFC 2085 Feb ‘97 with anti-replay
• Authentication Header, AH
• additional header inside the IP datagram
• MD5 can be used (RFC 1828),
• or … (currently IETF drafts)
IPsec AH (Cont.)
Original IP datagram: IP header | other headers and payloads
secret key → Digital signature (RFC 1828 = MD5)
Authenticated IP datagram: IP header | Auth. header | other headers and payloads
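The keyed hashing described on the "Keyed Hashing for Authentication" slide, applied to the AH datagram layout above, as an added example that is not part of the original slides. It uses HMAC-MD5 truncated to 96 bits rather than the RFC 1828 keyed MD5 named on the slide, a simple "sequence number must increase" check in place of the real anti-replay window, and a constructed key and packet.

```python
import hmac
import socket
import struct

ICV_LEN = 12            # HMAC-MD5-96: digest truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # fixed AH fields plus the integrity check value


def ipv4_header(src, dst, ttl, total_len):
    """20-byte IPv4 header without options; protocol 51 = AH, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 51, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr):
    """Zero the fields routers may rewrite in transit so they do not affect the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0              # type of service
    h[6:8] = b"\0\0"      # flags and fragment offset
    h[8] = 0              # TTL
    h[10:12] = b"\0\0"    # header checksum
    return bytes(h)


def icv(key, ip_hdr, ah_fixed, payload):
    """Keyed hash over immutable IP fields, AH header with zeroed ICV, and payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload
    return hmac.new(key, data, "md5").digest()[:ICV_LEN]


def protect(key, src, dst, ttl, spi, seq, payload, next_hdr=6):
    ip_hdr = ipv4_header(src, dst, ttl, 20 + AH_LEN + len(payload))
    # next header, length in 32-bit words minus 2, reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + icv(key, ip_hdr, ah_fixed, payload) + payload


def verify(key, packet, last_seq):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    received, payload = packet[32:20 + AH_LEN], packet[20 + AH_LEN:]
    if not hmac.compare_digest(icv(key, ip_hdr, ah_fixed, payload), received):
        return "bad-icv"      # altered in transit, or sender lacks the key
    seq = struct.unpack("!I", ah_fixed[8:12])[0]
    return "ok" if seq > last_seq else "replay"


KEY = b"constructed-shared-secret"   # constructed sample key
PACKET = protect(KEY, "10.1.2.3", "26.9.0.26", 64, spi=0x1000, seq=7,
                 payload=b"Deposit $ 100")   # constructed sample packet
```

A router decrementing the TTL leaves the packet valid because that field is zeroed before hashing, while a change to the payload or the source address yields `bad-icv`.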
IPsec Encapsulating Security Payload
• RFC 1827 Aug ‘95
• Encapsulating Security Payload, ESP
• confidentiality of
whole IP datagram (tunnel)
TCP or UDP payload only (transport)
• DES can be used (RFC 1829)
• or … (currently IETF drafts) also with
authentication in ESP
IPsec ESP Transport (Cont.)
Can be used end to end, between hosts
ESP Transport ‘tunnel’
Sniffers are defeated
IPsec ESP Transport
Original IP datagram: IP header | other headers and payloads
secret key → Encryption algorithm
IP datagram with transport ESP: IP header | ESP header | other headers and payloads | ESP trailer
IPsec ESP Tunnel (Cont.)
Usually between firewalls for VPN
ESP Transport ‘tunnel’
Sniffing possible
Sniffing possible
Sniffers are defeated
IPsec ESP Tunnel (Cont.)
Or between client and firewall
mainly for VPDN
ESP Transport ‘tunnel’
Sniffing possible
Sniffers are defeated
IPsec ESP Tunnel
Original IP datagram: IP header | other headers and payloads
New IP header built by tunnel end: new IP header
secret key → Encryption algorithm
IP datagram with tunnel ESP: new IP header | ESP header | IP header | other headers and payloads | ESP trailer
Security Association (SA)
Firewall
Router
• Agreement between two entities
on a security policy, including:
Encryption algorithm
Authentication algorithm
Shared session keys
SA lifetime
• Unidirectional. Two-way communication
consists of two SAs
Internet Key
Exchange (IKE)
AKA: ISAKMP + Oakley
IPsec needs IKE
[Figure: two IKE peers joined by the IKE protocol; each supplies "Transform, key material" to the IPsec protocols ESP, AH]
IPsec SA needs for all peers:
- which transform
- which key
IKE
• Negotiates policy to protect communication
• Authenticated Diffie-Hellman key exchange
• Negotiates (possibly multiple) security
associations for IPSec
Perfect Forward Secrecy (PFS)
• Compromise of a single key will permit
access to only data protected by that
particular key
• IKE provides PFS if required by using
Diffie-Hellman for each rekey
• If PFS is not required, can refresh key
material without using Diffie-Hellman
IKE Authentication
• Signatures
• Encrypted nonces
• Pre-shared key
Initiating New Connections
IKE
IPSec
Data
• Establish IKE SA—“Main mode”
• Establish IPSec SA—“Quick mode”
Multiple quick modes for each main mode
• Send protected data
How IPSec Uses IKE
1. Outbound packet from Alice to Bob. No IPSec SA
2. Alice’s IKE begins negotiation with Bob’s
3. Negotiation complete. Alice and Bob now have complete set of SAs in place
4. Packet is sent from Alice to Bob protected by IPSec SA
[Figure: Alice’s router (IPSec, IKE) and Bob’s router (IPSec, IKE), joined by an IKE Tunnel]
Creating an IKE SA
[Figure: Home-gw 10.1.2.3 and Pent-gw 26.9.0.26; parameter sets "DES, MD5, RSA Sig, DH1", "DES, SHA, Pre-shared, DH1", "DES, MD5, RSA Sig, DH1"; exchange of YA and YB; CRL]
• Negotiate IKE parameters
• Exchange DH Numbers
• Exchange Certificates and check CRL
• Exchange signed data for authentication
Creating IPSec SA—Quick Mode
[Figure: IKE SA between the peers; parameter sets "DES, MD5, DH1", "DES, SHA, DH1", "DES, MD5, DH1"; exchange of YA and YB; Data; Local Policy]
• Requires IKE SA to be in place
• Negotiate IPSec parameters
• Create shared session key
Exchange DH numbers for PFS or
Exchange nonces for quick rekey
Overlapping Security Associations
SA-1 protects Net A to B
Bob
Net B
Net A
SA-2 protects Alice to IBM
Alice
• Multiple, overlapping security associations
• Selectable with extended access lists
Dynamic Crypto Maps
• Enables easy configuration for remote clients
• Crypto map template created without
defining a peer
• If incoming IPSec SA request is accepted,
then a temporary crypto map entry is created
Different Keys Everywhere
Ensure Confidential Communications
in an unsecured Network
Define Sensitive Traffic for Each
Enable Mobile Users
with L2TP and IPSec
IPSec
L2TP or L2F
• IPSec protects traffic from remote sites
to the enterprise using any application
• IPSec may be combined with L2TP or L2F
• Travelers can access the network
as securely as they would in the office