Transcript Document

IP security
Ge Zhang
[email protected]
Karlstad University
Packet-switched network is not Secure!
• The protocols were designed in the late 70s to early
80s
– Very small network (closed environment)
• All hosts are assumed to be trusted
• So are the users
• Therefore, security was not an issue
Karlstad University
Message transfer over the Internet
d
e
t
s
u
r
t
n
U
Alice
Karlstad University
Bob
OSI security architecture
• Security attacks: any action that compromises the
security of information.
• Security mechanism: A method that is designed to
detect, prevent or recover from a security attack
• Security service: A service that enhances the
security of a system
Karlstad University
Scenario
Alice
Karlstad University
Attacker
Bob
Passive attacks
Read contents
of message
from Alice to
Bob
Attacker
Alice
Bob
Attacker
Alice
Karlstad University
Observe who
communicated
whom
Bob
Active attacks
Message from
attacker that
appears to be
from Alice
Attacker
Attacker
disrupts service
provided by
server
Attacker
Alice
Alice
Bob
Attacker
modifies
message from
Attacker Alice to Bob
Capture message
from Bob to Alice;
later replay
message
to Alice
Attacker
Alice
Karlstad University
Bob
Alice
Bob
Security services
•
•
•
•
•
Karlstad University
Data origin authentication
Data confidentiality
Anonymity
Data integrity
Non-repudiation
Security mechanism
•
•
•
•
•
Karlstad University
Encipher
Digital signature
Trusted functionality
Detection and prevention
…
Layered TCP/IP model
• IPSec is working in IP layer
• Protect IP packets
Karlstad University
Goals of IPSec
• to verify sources of IP packets
– Data source authentication
• to prevent replaying of old packets
• to protect integrity and/or confidentiality of packets
– Data Integrity/Data Encryption
Karlstad University
IPSec subprotocols
ESP
Encapsulating Security
Payload
AH
Authentication Header
IPSec Security Policy
IKE
The Internet Key Exchange
Karlstad University
IPSec—IP Security
• Provide encryption and integrity protection to IP
packets (and authentication of two peers).
– AH (Authentication Header)
• An additional header, provides integrity protection
– ESP (Encapsulating Security Payload)
• Also an addition header, provides encryption and integrity
protection
– IKE (Internet Key Exchange)
• Establishing session keys (used for AH & ESP) as well as
authentication.
Karlstad University
IPSec related RFCs
• A collection of protocols (RFC 2401)
– Authentication Header (AH)
• RFC 2402
– Encapsulating Security Payload (ESP)
• RFC 2406
– Internet Key Exchange (IKE)
• RFC 2409
– IP Payload Compression (IPcomp)
• RFC 3137
Karlstad University
Transport mode and tunnel mode
A->B
Payload
Transport mode
R2
R1
A
A->B
Karlstad University
Payload
B
Tunnel mode
R1->R2 A->B
Payload
A->B
Payload
Authentication Header (AH)
• Provides source authentication
– Protects against source spoofing
• Provides data integrity
• Protects against replay attacks
– Use monotonically increasing sequence numbers
• NO support for confidentiality!
Karlstad University
AH Details
• Use 32-bit increasing sequence number to avoid
replay attacks
• Use cryptographically strong hash algorithms to
protect data integrity (96-bit)
– Use symmetric key cryptography
– HMAC-SHA-96, HMAC-MD5-96
Karlstad University
AH Protocol (transport & tunnel mode in
IPv4)
Authenticated except
for mutable fields
IP header
AH header
data (e.g., TCP, UDP segment)
Authenticated except
for mutable fields
New IP header AH header
Karlstad University
IP header data (e.g., TCP, UDP segment)
IPSec Authentication Header
Karlstad University
Encapsulating Security Payload (ESP)
• Provides most that AH offers, and
• in addition provides data confidentiality
– Uses symmetric key encryption
Karlstad University
ESP Details
• Same as AH:
– Use 32-bit sequence number to counter replaying
attacks
– Use integrity check algorithms ( protect on different
fields)
• Only in ESP:
– Data confidentiality:
• Uses symmetric key encryption algorithms to encrypt packets
Karlstad University
ESP Protocol (transport & tunnel mode in
IPv4)
authenticated
encrypted
IP header
ESP
ESP
ESP
TCP, UDP segment
header
trailer authent.
authenticated
encrypted
ESP
New IP header
header
ESP
ESP
TCP,
UDP
segment
IP header
trailer authent.
ESP in fact puts information both before and after the protected data.
For encryption, DATA, padding, padding length and next header are encrypted.
For authentication, all fields are included.
Karlstad University
IPSec ESP Format
Karlstad University
Anti-replay service
• Sequence number (from 0 to 232-1)
• The sender increments the sequence number for each
generated packet.
• How to detect replayed packet?
– The receiver maintains an array with 232 units to mark which
packets have been received.
– The receiver only accepts the packets with larger sequence
number than the previous one.
Both are not good methods, why?
Karlstad University
Slide window scheme
• A windows of size W (default W = 64)
• N: highest sequence number of successfully received packets
• Three cases
– Packets in the window
– Packets to the right of the window
– Packets to the left of the window
A
59
54
64
B
53
55 56
√ 54 √
√ 57
√ 58
√ 59
√ 60
√ 61 62
√ 63 64
√ 65 66
Karlstad University
Security Associations (SA)
• A SA is a one-way relationship between a sender and a receiver
that affords security services to the traffic carried on it.
– Two ends (from one end  the other end)
– A SA is identified by:
• Security Parameters Index (SPI): a local identifier points to a SA
• IP destination address
• Security protocol identifier: AH? Or ESP?
– SA parameters:
•
•
•
•
•
•
Karlstad University
Sequence number counter
Anti-replay window
AH information (key, algorithms)
ESP information (key, algorithms)
IPSec protocol mode (Tunnel, transport)
…
Internet Key Exchange Protocol
• SA could be created manually, but…
• Internet Key Exchange Protocol (IKE)
– Exchange and negotiate security policies
– Establish security sessions
• Identified as Security Associations (SA)
– Key exchange
– Key management
– Can be used outside IPSec as well
Karlstad University
Virtual Private Networks (VPNs)
• Virtual
– It is not a physically distinct network
• Private
– Tunnels are encrypted to provide confidentiality
• Using VPN while traveling
Tunnel
Intranet server
Karlstad University
Mail server
Discussion
• IPSec is not the only solution!
– Security features can be added on top of IP!
• e.g. Kerberos, SSL
• Confused?
– IP, IPSec protocols are very complex!
• Two modes, three sub protocols
– Complexity is the biggest enemy of security
Karlstad University
Discussion
• Has it been used?
– Yes—primarily used by some VPN vendors
• But not all routers support it
– No—it is not really an end-to-end solution
• Authentication is too coarse (host based)
• Default encryption algorithm too weak (DES)
• Too complex for applications to use
Karlstad University
Key points
• Security attack, mechanism and service
• Classical attacks in the internet
• IPSec encompasses : authentication, confidentiality and
key management
• AH and ESP
• Transport mode and tunnel mode
• Slide window to defend against replay attack
• VPN
Karlstad University