EE579S Computer Security
Download
Report
Transcript EE579S Computer Security
EE579T / CS525T
Network Security
2: Networking and IPSec
Prof. Richard A. Stanley
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #1
Overview of Tonight’s Class
•
•
•
•
Review of last week’s class
Class projects
Networking overview
IP Security
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #2
Projects
• Who, what?
• Finalized topics and lists
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #3
Networks
• A network is an interconnected group of
communicating devices.
• Two primary network types
– Circuit-switched (connection oriented)
– Packet-switched (connectionless)
• Span
– WAN, MAN, LAN
– So what?
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #4
Data Networks
• Almost exclusively packet switched
– Higher efficiency than circuit-switched
– Computationally intensive to provide
– Packet loss rate is very high
• Largely due to collisions rather than circuit faults
– Require extensive protocols to operate
• X.25
• TCP
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #5
Network Topology
• The topology of a network is a view of its
interconnections, as they would be seen by an
observer looking down from great height
• Topology is important because it has implications
for security
• Four major topologies:
–
–
–
–
star
buss
ring
mesh
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #6
Star Topology
The orange lines depict one
star -- this slide actually shows
a star-star architecture.
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #7
Buss Topology
Buss
In a buss topology, all signals pass by all terminals
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #8
Ring Topology
A ring is simply a buss with
the ends connected to one another.
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #9
Mesh Topology
The telephone network is an example of a mesh topology
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #10
How To Get There?
• Every destination on the network must have
an address, just as every postal destination
must have an address
– Addresses must be unique
– Network must know how to recognize address
– Various addressing schema, e.g.
• Ethernet
• IP
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #11
Two Network Technologies
• Token ring
– Users remain silent until they receive token
– Pioneered by IBM, not widely used
• Ethernet
–
–
–
–
Carrier-sense, multiple access/collision detect
Binary exponential backoff on collision sense
This is a radio network! Another vulnerability
Most widely used architecture today, largely because it
is less expensive than token ring
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #12
Other Network Technologies
• Fiber-Distributed Data Interconnect (FDDI)
– Self-healing, 100 Mbps dual ring
• Frame relay
– Packet data service, built on X.25
• Synchronous Optical Network (SONET)
• Asynchronous Transfer Mode (ATM)
– Can operate at gigabit speeds
• 53 byte packets; 5 of the bytes are overhead
These are of interest in networking, but not security per se;
will not be discussed further in this course
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #13
Topology Misconceptions
• The physical interconnection of network
elements does not necessarily reflect the
logical network topology
– Ethernet is logically a buss architecture
– Ethernet, connected using hubs, uses a physical
star interconnection
– Ethernet, connected using coaxial cable, uses a
physical buss interconnection
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #14
Ethernet Misconceptions
• IEEE 802.3 = Ethernet
– Nope! Pure Ethernet is 802.2
• All Ethernets are created equal
– Vendor implementation issues
• The faster the network speed, the faster I
can work
– Signaling speed data throughput
• Ethernet maps to the internet
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #15
CSMA/CD Throughput
Signaling speed
~40%
Throughput
Users
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #16
Some Network Security Issues
• Users not necessarily registered at the node they
are accessing
– How to authenticate users?
– What is basis for access control decisions?
• Some options:
–
–
–
–
User ID
User address
Service being invoked
Cryptographic-based solutions
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #17
Network Size
• Networks cannot grow to be arbitrarily large
–
–
–
–
Address space
Physical interconnection limitations
Increasing collisions as users increase
Protocol/OS/machine incompatibilities
• So, how to extend the ability to interconnect
computers?
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #18
The ARPANET
• Father of the Internet
• Began as an attempt to conduct and share research
to ensure continuity of communications after
nuclear war, so
– Connectionless
– Assured delivery
– Self-reconfiguring (sort of)
• Demonstrated feasibility of internetworking
disparate computer networks and machines
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #19
Internetworking
• Internetworking is the interconnection of
networks
• The Internet is an internetwork; all
internetworks are not the Internet
• Very few modern networks exist in
isolation; most are internetworked
• This has important security and legal
implications
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #20
Internetworking Concepts
• Networks are interconnected by routers or
gateways
– More about this later in the course
• Routers route a packet using the destination
network address, not the destination host
address
– Analogous to the world postal system and how
letters are routed
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #21
Internetwork Architecture
Net 1
Summer 2003
© 2000-2003, Richard A. Stanley
R
Net 2
EE579T/2GD #22
Extended Internetworking
Net 1
Clearly, this can be
extended ad infinitum,
to form very large
internetworks.
Summer 2003
© 2000-2003, Richard A. Stanley
R
Net 2
R
Net 3
EE579T/2GD #23
Network Facts
• Most computers today are connected to a
network (consider the Internet), at least for
part of the time they are in operation
• Most local networks are internetworked
• How to provide authenticity, integrity,
confidentiality, availability?
• Cryptography can help provide all the
security services except availability
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #24
IP Security
• Using the original IP standards, this is an
oxymoron
• Needs
– Protection from eavesdropping
– Protection from spoofing
– Provision for secure user-to-user traffic
• Problems
– IP not designed for this
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #25
Enter IPSec
• IPSec intended to meet the security needs of
IP networks, especially the Internet
– Originally intended to come in as part of IP v6
– IP v6 may never come, so most of the IPSec
functionality has become available in IP v4
– Becoming widely available in products such as
virtual private networks, etc.
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #26
What Does IPSec Do?
• Enables secure VPNs over the Internet
• Allows secure remote access over the
Internet
• Facilitates secure connectivity with business
partners, especially temporarily
• Improves eCommerce security
• It does all this using the cryptographic tools
we have just studied. Now we’ll see how.
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #27
IPSec Features
• Can be applied at the perimeter
– In-house traffic avoids security overhead that
may not actually be needed
• Lies below the transport layer, so is
transparent to applications
• Can be made transparent to end users,
which keeps training and support costs low
• Can support individual user security
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #28
Services
•
•
•
•
•
•
Access control
Datagram integrity
Sender authenticity
Replay protection
Message body confidentiality
Traffic flow security (very limited, though)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #29
Security Association
• IPSec concept that defines the relationship
between one party and another for security
– ONE-WAY!
– If A & B have bilateral security needs, two
security associations are required
• Defined by
– Security parameters index (SPI)
– Destination IP address
– Security protocol identifier
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #30
So...
• Security association (SA) is uniquely
defined by
– Destination address in the IP header, and
– SPI in the enclosed extension header (AH or
ESP)
• What’s an extension header?
• What are AH and ESP?
• Stick around!
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #31
Security Parameters
• Encapsulating Security Payload (ESP)
– Deals with packet encryption
• Authentication Header (AH)
– Deals with packet authentication
• Encryption algorithm (several available)
• Authentication algorithm (ditto)
• Key management scheme
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #32
SA Parameters
•
•
•
•
•
•
•
•
Sequence number counter
Sequence counter overflow flag
Anti-replay window
AH information
ESP information
SA lifetime
IPSec protocol mode (tunnel, transport, wildcard)
Path MTU
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #33
Policy
• Association of traffic with SAs is done by
the Security Policy Database (SPD)
• Each SPD entry is defined by a selector
– Selectors filter outbound traffic
• Compare packet selector fields with SPD to find
matching SPD entry; points to zero or more SAs
• Determine SA for this packet and its SPI (Security
Parameters Index)
• Perform the required processing (AH or ESP)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #34
Authentication Header (AH)
• Supports data integrity and authentication
– Assures data modification will be detected
– Also guards against replay
• Based on Message Authentication Code
(MAC)
– Requires shared secret key
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #35
AH Fields
• Next header
– Identifies type of header that follows
•
•
•
•
•
Payload length
Reserved for future use
SPI (defines an SA)
Sequence number
Authentication data
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #36
AH Overview
0
8
Next header
16
Payload
Length
31
(reserved)
SPI
Sequence number
Authentication data (variable length)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #37
Overview of Headers
(IP v4)
Standard
Transport mode
Tunneling
mode
New
IP header
Summer 2003
© 2000-2003, Richard A. Stanley
Original
IP header
AH
Original
IP header
AH
Original
IP header
TCP
Payload (data)
TCP
Payload (data)
TCP
Payload (data)
EE579T/2GD #38
Integrity Check Value (ICV)
• Included in the Authentication Data field
– Based on HMAC (keyed hash)
• HMAC MD5
• HMAC SHA-1
– 96 MSB of HMAC result used for ICV
– HMAC calculated over
• Immutable or predictable IP header fields
• The AH header except the Authentication Data field
• The entire upper-level protocol data
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #39
Anti-Replay Service
• Replay: retransmission of an alreadyauthenticated packet at a later time
– A favorite way to break into or disrupt services
• IPSec implements anti-replay using the
Sequence Number field (32 bits), so the
maximum Sequence Number is 232
• If the Sequence Number would wrap
around, a new SA, with new key, is needed
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #40
Anti-Replay in Action
• Sender initializes sequence counter to 0,
increments counter by 1 for every packet
sent
• Counter value is placed in SN field
• Receiver has a problem:
– IP is connectionless, so packets can arrive in
any order
– IP doesn’t guarantee delivery (that is done by
TCP), so packets can -- and do -- go missing
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #41
Anti-Replay at the Receiver
• Receiver maintains a sliding window over
received packets, default width = 64 = W
• Right edge of window holds highest SN
packet so far received that is valid
• All slots from (N-W+1) to N that have been
authenticated are marked
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #42
Window Management
• If new packet is within the window and is
new, the corresponding slot is marked
• If new packet is outside window to the
right, and is authenticated, window is
moved to the right and slot is marked
• If new packet is outside the window to the
left, or if not authenticated, packet
discarded and audit event raised
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #43
The Window in Action
Window
N
N-W
Space for valid packet
not yet received
Received, valid, marked
The window makes replay attacks much more difficult, as they would have to occur
within the width of the window: possible, but unlikely (most of the time)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #44
IPSec Authentication:
Transport Mode
• Transport Mode uses the Authentication Header
(AH)
– IP v4: AH inserted after original IP header, but
before the IP payload
– IP v6: AH is an end-to-end payload, not
examined by intermediate routers. So, AH
comes after the other IP v6 header routing
fields (base, hop-to-hop, etc.)
• Clearly, does not provide data confidentiality
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #45
IPSec Authentication:
Tunnel Mode
• Entire original IP packet authenticated
– AH inserted before original IP header and after
new “outer” IP header
– Allows placing original routing info within the
authentication envelope, but more importantly
– Allows a new set of IP addresses to be used as a
wrapper for the original packet
• As we shall see, this forms the basis for
IPSec-based virtual private networks.
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #46
Encapsulating Security Payload
(ESP)
• Provides confidentiality services
– Optionally, can also provide authenticity
• Fields
–
–
–
–
–
–
SPI
Sequence number
Payload data
Padding
Pad length
Next header
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #47
ESP
SPI
Sequence number
Payload data (variable length)
Authentication
Coverage
Confidentiality
Coverage
Padding (0-255 bytes)
Pad length Next header
Authentication data (variable)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #48
Encryption Algorithms
• Confidentiality services provided by
symmetric cryptography
• Algorithms supported:
–
–
–
–
DES (CBC)
IDEA
CAST
RC5
–
–
–
–
TDEA (three key)
Three key triple IDEA
Blowfish
AES
• MAC same as AH (96-bit HMAC)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #49
Padding?
• Extends the plaintext to a multiple of some
number of bytes to accommodate those
encryption algorithms that require this
(e.g. DES)
• Ensures that the end of the Next Header
field is right-aligned with the 32-bit word
• Can be used to provide partial traffic flow
security, by concealing payload length
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #50
Transport mode ESP Service
• Encrypts data carried by IP
– Optionally, also authenticates the data
Standard
Original
IP header
TCP
Payload (data)
Authenticated
Encrypted
Transport mode
Summer 2003
© 2000-2003, Richard A. Stanley
Original
ESP
IP header header
TCP
Payload (data)
ESP ESP
trlr auth
EE579T/2GD #51
Transport Mode
•
•
•
•
Provides end-to-end confidentiality
Is transparent to applications
Is efficient, adds little extra to IP overhead
Does not provide traffic flow security
– Possible to analyze source - destination traffic
flows and volumes
– Useful for drawing conclusions about
associations, workload, etc.
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #52
Tunneling Mode ESP
• Encrypts the entire IP packet
– Including the original source, destination
Standard
Original
IP header
Payload (data)
TCP
Authenticated
Encrypted
Tunneling
mode
New
ESP
IP header header
Summer 2003
© 2000-2003, Richard A. Stanley
Original
IP header
TCP
Payload (data)
ESP ESP
trlr auth
EE579T/2GD #53
Tunneling Mode
• Encrypts entire original IP packet, including
source and destination addresses
– Can help to counter traffic analysis
• Allows construction of secure virtual
private networks (VPNs) over unsecured
networks
• Useful when firewalls in the path -- security
can be done only at the network edge
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #54
VPN Example
Edge routers need info about
the other end of the network
IPSec starts/ends here
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #55
SA Limits
• An individual SA can implement either AH
or ESP, but not both
• But, sometimes both services are needed
– This requires multiple SA’s in the same traffic
flow
– Just as with Feistel encryption/decryption key
scheduling, we must “unwrap” the SA’s in
inverse order to their application
– Referred to as SA bundle
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #56
SA Bundling
• Transport adjacency
– Applies >1 SA to the same IP packet, without
tunneling
– Only one level of combination
• Iterated tunneling
– Applies multiple security protocols through IP
tunneling
– Multiple nesting, since each tunnel can
originate or terminate at any IPSec site
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #57
What to do First?
• Transport adjacency
– Wrap an ESP SA inside an AH SA
• IP payload is encrypted (because ESP is inner level)
• AH covers ESP, original IP header
• Result: more fields are authenciated
• Transport-tunnel bundle
– Wrap an AH SA inside an ESP SA
• Authentication data protected by encryption
• Authentication data can be accessed in clear
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #58
Key Management
• IPSec has many good features. Performing key
distribution manually is not one of them
• Protocol has been developed to provide for session
key distribution
– Internet Key Exchange (IKE) [RFC 2409]
– IKE incorporates
• ISAKMP [RFC 2408]
• Oakley
• A few other things
– Current version (Nov 2001) is v2
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #59
Diffie-Hellman Revisited
• Advantages
– Generates keys only when required
– Requires no preexisting infrastructure
• Disadvantages
– No authentication of communicating parties
– Vulnerable to man-in-the-middle attack
– Computationally intensive
• Slow
• Vulnerable to denial of service attack
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #60
Oakley Key Determination
• Based on D-H, but improved
• Advantages over Diffie-Hellman
–
–
–
–
–
Uses cookies to avoid denial of service attacks
Enables prior negotiation of global parameters
Uses nonces to guard against replay
Allows exchange of D-H public key values
Authenticates D-H exchange (defeats man-inthe-middle attacks)
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #61
Nonce
• nonce (nns) noun
– The present or particular occasion: “Her tendency
to discover a touch of sadness had for the nonce
disappeared” (Theodore Dreiser).
– [From Middle English for the nones, for the
occasion]
•
The American Heritage® Dictionary of the English Language, Third Edition, 1992, Houghton Mifflin Company
• Say what?
• In cryptography, nonce is a pseudorandom
number
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #62
Oakley Authentication
• Three types available
– Digital Signature
– Asymmetric-key cryptography
– Symmetric-key cryptography
• This ensures against man-in-the-middle
attacks
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #63
We Like IKE
• IKE is an IPSec protocol that defines the
procedures and formats needed to establish,
negotiate, modify, or delete Security
Associations within IPSec
• Built on the ISAKMP protocol, which is
sometimes viewed as IKE v0.1
• ISAKMP notation still in wide use, but
officially, it is now IKE
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #64
Summary
• IPSec is a complex security protocol,
originally developed for roll-out with IP v6
• Provides authentication, integrity, and
confidentiality services to IP transmission
• Improves on basic protocols like D-H
• Many implementations available for IP v4,
so it is usable today
• Authentication and encapsulation services
provide a basis for VPNs
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #65
Homework
• Read Stallings, Chapter 6
• Do Stallings, Problems 6.1a, 6.2 (for IPv4
only), 6.3a, 6.5a
Summer 2003
© 2000-2003, Richard A. Stanley
EE579T/2GD #66