Transcript ipsec
Syrian Virtual University
MWS/MWT
AWS-WIS Course
2013-2014
Security Protocols
in Networks
Lecture 6
Dr. Moutasem Shafa’amry
[email protected]
Course outlines
• Computers Ethics
• Introduction to cryptography
– The need for crypto systems
– Symmetric& Asymmetric
– PKI & Digital Signature
•
•
•
•
•
•
•
•
•
Computer network protocols
Computer Networks attacks
Security Protocols
Types of Web Applications Attacks
Detection and prevention
Security Standards
Security and Risk management
Practical Issues
Project
•
– أخالقيات استخدام االنترنت والقوانين المتعلقة
بها
– مقدمة في أمن المعلومات
مفاهيم ومصطلحات
Cryptography التعمية المتناظرة وغير المتناظرة
Digital Signature التوقيع الرقمي
Digital Certificate الشهادات الرقمية
•
•
•
•
بروتوكوالت الشبكات الحاسوبيةا
:– لمشاكل األمنية في بروتوكوالت االنترنت
HTTP, SMTP FTP
SSL, TLS, HTTPS, – برتوكوالت الحماية
واستخداماتها في تطبيقات الوبPGP
:– أنواع الهجوم على الوب
Cross-Site Request Forgery (CSRF)
SQL injection
etc
•
•
•
2
Security in Layers
Security in Layers
Security Layers
Application
E-Commerce
protocol/ https
Application
E-Mail
S/MIME, PGP
E-mail
TCP/Higherlevel net
protocols
IP
SSL, TLS,SSH
IPSEC
TCP/Higherlevel net
protocols
IP
Data Link
Hardware Link
Data Link
Physical
Kerberos
Encryption
Physical
4
IPSec: IP Security
Application
E-Commerce protocol
Application
E-Mail
S/MIME, PGP
E-mail
Higher-level net
protocols
SSL, TLS,SSH
Higher-level net
protocols
TCP/IP
IPSEC
TCP/IP
Data Link
Hardware Link
Data Link
IPSec Protocol
Kerberos
IPSEC
Encryption
Physical
Physical
IPSec: IP Security
• An IETF standard
– IPSec architecture and related standards published as refer
RFC 1825 thru RFC 1829
• Addresses security issues arising from
– authentication and confidentiality
– connecting a remote host to a server
– Interconnecting two LANs using a public network
• Applications:
– wide-area networking of branch offices using Internet
– Interconnecting supplier/distributor extranets to enterprise
network
– Telecommuting
– E-commerce
• Implemented in clients, servers or in routers
6
IPSec: IP Security
• An IETF standard
– IPSec architecture and related standards published as
refer RFC 1825 thru RFC 1829
• Addresses security issues arising from
– authentication and confidentiality
– connecting a remote host to a server
– Interconnecting two LANs using a public network
• Applications:
– wide-area networking of branch offices using Internet
– Interconnecting supplier/distributor extranets to enterprise
network
– Telecommuting
– E-commerce
• Implemented in clients, servers or in routers
7
IPSec Scenario
PC
Public
Network
Enterprise
LAN#1
PC
Router
PC
Router
Enterprise
LAN#2
Server
8
Modes in IPSec
• Transport Mode
– The payload in an IP packet is secured
• E.g. TCP, UDP, ICMP headers, data
• Tunnel Mode
– The complete IP packet
• including its header is secured
9
Transport Mode IPSec
PC
Public
Network
End-to-end
authentication
and/or encryption
Enterprise
LAN#1
PC
Router
Server
PC
Router
Enterprise
LAN#2
End-to-end
authentication
and/or encryption
10
Tunnel Mode IPSec
PC
Public
Network
End-system to
ROUTER
authentication
and/or encryption
Enterpris
e LAN#1
PC
Router
Server
PC
Router
Enterpris
e LAN#2
Router-to-router
authentication
and/or encryption
11
Transport vs. Tunnel modes
Tunnel Mode
Transport mode
authenticates IP header
and data
authenticates
TCP/UDP/ICMP header
and data
encrypts IP header and
data
encrypts TCP/UDP/ICMP
header and data
encrypts IP header and
data authenticates
encrypts and
authenticates
TCP/UDP/ICMP header
and data
AH: Authentication
function
ESP: Encryption
function
ESP with AH
12
Security functions covered by
IPSec
Authentication
header (AH)
Encapsulating
security payload
(ESP), without AH
Yes
Encapsulating
security payload,
with AH
Access control
Yes
Yes
Connection-less integrity
Yes
Yes
Data origin authentication
Yes
Yes
Rejection of replayed packets
Yes
Yes
Yes
Confidentiality
Yes
Yes
(Limited) Flow Confidentiality
Yes
Yes
13
IPSec Tunnel mode
• Advantages:
– Only routers need to implement IPSec functions
– Implement VPN (Virtual private network)
Enterprise
LAN
Enterprise
LAN
Router
Router
Public
Network
Enterprise
LAN
Router
Enterprise
LAN
Router
14
IPSec: Authentication Header
• Original IP packet
Original
IP hdr
TCP
header
TCP data
Authen.
hdr
TCP
header
TCP data
Original
IP hdr
TCP
header
TCP data
• Encoded packet in “transport mode”?
Original
IP hdr
• Encoded packet in “tunnel mode”?
NEW IP
hdr
Authen.
hdr
15
IPSec: packet format for AH
Original/new IP header
Next
Payload
header
length
Identifier (32 bits)
Reserved (16 bits)
Sequence number (32 bits)
AH (variable length, default 96 bits)
Based on: MD5, or SHA-1
Covers TCP/UDP/ICMP header, data
and portions of “non-mutable” IP
headers
Payload (IP or TCP packet)
16
IPSec: ESP (Encryption)
•
Original IP packet
•
Encoded packet in “transport mode”?
Original
IP hdr
•
Original
IP hdr
ESP hdr
TCP
header
TCP
header
TCP
data
TCP
data
ESP
trailer
AH
(optional)
Encoded packet in “tunnel mode”?
NEW IP
hdr
ESP hdr
Original
IP hdr
TCP
header
TCP
data
ESP
trailer
AH
(optional)
17
IPSec: packet format for ESP
Original/new IP header
Identifier (32 bits)
Sequence number (32 bits)
authenticated
encrypted
Payload (TCP, or IP packet with
padding, pad length, next header),
suitably encrypted using 3DES, RC5
or …
Pad length,
…
Authentication Header based on
MD5, etc.
18
Combining security functions
• Authentication with confidentiality
– ESP, with AH
• An AH inside a ESP (both in transport mode)
PC
Server
Router
Enterprise
LAN
Public
Network
Enterprise
LAN
Router
19
Combining security functions
• An AH inside a ESP (both in transport mode), and all
this within a ESP tunnel across the routers
PC
Server
Router
Enterprise
LAN
Public
Network
Enterprise
LAN
Router
20
Key exchange
• Key generation and exchange using some
“physical means”
• Automated generation of keys
– Oakley key determination and exchange
• Based on Diffie-Hellman key generation algorithm
• Oakley key exchanged protocol
21
Diffie-Hellman key generation
• A distributed key generation scheme
• Given
q - a large prime number
a – a primitive root of q
(1 <= ak mod q < q, and distinct for all 1 <= k < q)
• A:
– picks XA (keeps it secret),
– computes and sends YA aXA mod q to B
• B:
– picks XB (keeps it secret),
– computes and sends YB aXB mod q to A
• A and B compute the secret shared key aXA XB
YBXA or YAXB
22
Diffie-Hellman key generation
• Man-in-the-middle attack
– Assumes ability to intercept, and spoof
A
XA, A2B
XE, A2B
B
E
XE, B2A
aXA*XE
XB, B2A
aXB*XE
23
Diffie-Hellman key generation
• Issues with the algorithm:
– What is the value of q, a?
• Make available several sets, and let the parties negotiate
– Man-in-the-middle attack
• Use some form of authentication
– Denial of service attack, arises from addressspoofing
• Use cookies:
– Replay attacks
• Use nonces
24
Cookies
• Cookies:
A requests B’s attention
B responds with a “cookie” (a random number), K
A must return K in its subsequent messages
• Characteristics of cookies:
–
–
–
–
Should depend upon data specific to B
Should use some secret information
Cookie generation and verification must be fast
B should not have to save the cookie
• Example method used:
– Hash sender/receiver IP address TCP port nos. and a secret
value
25
Oakley Key exchange
26
Oakley Key exchange: part 1
• A to B
– ID of A, ID of B
– Initiator cookie, CK-A
– Encryption, hash, authentication algorithms
– Specific Diffie Hellman group (q, a)
– public key yA = aXA mod q
– Nonce NA
Signed KR(A)[ID of A, ID of B, NA, q, a, yA]
27
Oakley Key exchange: part 2
• B to A
– ID of B, ID of A
– Responder cookie, CK-B, Returned initiator cookie,
CK-A
– Encryption, hash, authentication algorithms
– Specific Diffie Hellman group (q, a)
– public key yB = aXB mod q
– Nonce NA, NB
SignedKR(B)[ID of B, ID of A, NA, NB, q, a, yB yA]
28
Oakley Key exchange: part 3
• A to B
– ID of A, ID of B
– Returned cookie, CK-B, initiator cookie, CK-A
– Encryption, hash, authentication algorithms
– Specific Diffie Hellman group (q, a)
– public key yA = aXA mod q
– Nonce NA, NB
Signed KR(A)[ID of A, ID of B, NA, NB, q, a, yB yA]
29
IPSEC Architecture
• Key management establishes a security association (SA) for a
session
– SA used to provide Authentication/confidentiality for that session
– SA is referenced via a security parameter index (SPI) in each IP
datagram header
IPSEC
IP
SPI
DATA
30
AH
Authentication header — integrity protection
only
• Inserted into IP datagram:
IPv4
IP
IPv4+IPSec
DATA
IP
AH
DATA
IPSEC
• Integrity check value (ICV) is 96-bit HMAC
31
AH (ctd)
• Authenticates entire datagram:
• Mutable fields (time-to-live, IP checksums)
are zeroed before AH is added
• Sequence numbers provide replay
protection
IPSEC
– Receiver tracks packets within a 64-entry
sliding window
32
ESP: Encapsulating security
protocol
IPSEC
Encapsulating security protocol — authentication
(optional) and confidentiality Inserted into IP datagram:
• Contains sequence numbers and optional ICV as for AH
• Secures data payload in datagram:
– Encryption protects payload
– Authentication protects header and encryption
• SA bundling is possible
– ESP without authentication inside AH
– Authentication covers more fields this way than just
ESP with authentication
33
IPSEC Algorithms
IPSEC
• DES in CBC mode for encryption
• HMAC/MD5 and HMAC/SHA (truncated to 96 bits) for
authentication
• Later versions added optional, DOI-dependent
algorithms
–
–
–
–
–
–
–
3DES
Blowfish
CAST-128
IDEA
RC5
Triple IDEA (!!!)
AES
34
Processing
• Use SPI to look up security association (SA)
• Perform authentication check using SA
• Perform decryption of authenticated data
using SA
• Operates in two modes
IPSEC
– Transport mode (secure IP), protects payload
– Tunneling mode (secure IP inside standard IP),
protects entire packet
• Popular in routers
• Communicating hosts don’t have to implement IPSEC
themselves
• Nested tunneling possible
35
IPSEC Key Management
• ISAKMP
– Internet Security Association and Key Management
Protocol
• Oakley
– DH-based key management protocol
• Photuris
– DH-based key management protocol
• SKIP
– Sun’s DH-based key management protocol
IPSEC
• Protocols changed considerably over time, most
borrowed ideas from each other
36
Photuris
Latin for “firefly”, Firefly is the NSA’s key exchange
• protocol for STU-III secure phones
• Three-stage protocol
Photuris
– 1. Exchange cookies
– 2. Use DH to establish a shared secret Agree on security
parameters
– 3. Identify other party
• Authenticate data exchanged in steps 1 and 2
• no Change session keys or update security
parameters
37
…. Photuris
• Cookie based on IP address and port, stops flooding
attacks
• • Attacker requests many key exchanges and bogs
down host
• (clogging attack)
• Cookie depends on
– IP address and port
– Secret known only to host
– Cookie = hash( source and dest IP and port + local secret )
Photuris
• Host can recognize a returned cookie
– Attacker can’t generate fake cookies
• Later adopted by other IPSEC key management
protocols
38
SKIP
SKIP
Each machine has a public DH value authenticated via
– X.509 certificates
– • PGP certificates
– • Secure DNS
• Public DH value is used as an implicit shared key
• calculation parameter
– • Shared key is used once to exchange encrypted
session key
– • Session key is used for further
encryption/authentication
• Clean-room non-US version developed by Sun
partner in Moscow
• • US government forced Sun to halt further work with
non-US version
39
ISAKMP
ISAKMP
• NSA-designed protocol to exchange security
parameters (but not establish keys)
– Protocol to establish, modify, and delete IPSEC
security associations
– Provides a general framework for exchanging
cookies, security parameters, and key
management and identification information
• Exact details left to other protocols Two phases
– 1. Establish secure, authenticated channel (“SA”)
– 2. Negotiate security parameters (“KMP”)
40
ISAKMP Formats
Bits 0
31
16
Initiator Cooki
Responder cooki
Next payload
MjVer MnVer Exchange Type
Flags
Message ID
ISAKMP
Length
ISAKMP Header
Next payload
RESERVED
Playload Length
Generic Payload header
41
ISAKMP/Oakley
• ISAKMP merged with Oakley
– • ISAKMP provides the protocol framework
– • Oakley provides the security mechanisms
ISAKMP/Oakley
• Combined version clarifies both protocols,
resolves ambiguities
42
ISAKMP/Oakley (ctd)
Phase 1 example
Client
Server
ISAKMP/Oakley
Client cookie
Client ID
Key exchange information
Server cookie
Server ID
Key exchange information
Server signature
Client signature
43
ISAKMP/Oakley (ctd)
Phase 2 example
Client
Server
ISAKMP/Oakley
Encrypted, MAC’d
Client nonce
Security parameters
offered
Encrypted, MAC’d
Server nonce
Security parameters
accepted
Encrypted, MAC’d
Client nonce
Server nonce
44
Security in Transport Layer
Application
E-Commerce protocol
Application
E-Mail
S/MIME, PGP
E-mail
Secure Socket Layer
SSL protocol
Higher-level net
protocols
SSL, TLS,SSH
TCP/IP
IPSEC
TCP/IP
Data Link
Hardware Link
Data Link
Kerberos
Higher-level net
protocols
Encryption
SSL
Physical
Physical
SSL Protocol
Secure sockets layer — TCP/IP socket encryption
Usually authenticates server using digital signature
Can authenticate client, but this is never used
Confidentiality protection via encryption
Integrity protection via MAC’s
Provides end-to-end protection of communications
sessions
SSL
•
•
•
•
•
•
46
SSL
SSL
47
History
SSL
• SSLv1 designed by Netscape, broken by members of
the audience while it was being presented
• SSLv2 shipped with Navigator 1.0
• Microsoft proposed PCT: PCT != SSL
• SSLv3 was peer-reviewed, proposed for IETF
Standardization
48
SSL
SSL Protocol Stack
49
SSL Handshake
SSL
1. Negotiate the cipher suite
2. Establish a shared session key
3. Authenticate the server (optional)
4. Authenticate the client (optional)
5. Authenticate previously exchanged data
50
SSL Handshake (ctd)
• Client hello:
– Client nonce
– Available cipher suites (e.g RSA + RC4/40 + MD5)
• Server hello:
– Server nonce
– Selected cipher suite
• Server adapts to client capabilities
• Optional certificate exchange to authenticate
server/client
SSL
– In practice only server authentication is used
51
SSL Handshake (ctd)
• Client key exchange:
– RSA-encrypt( premaster secret )
• Both sides:
– 48-byte master secret = hash( premaster + clientnonce +server-nonce )
SSL
• Client/server change cipher spec:
• Switch to selected cipher suite and key
52
SSL Handshake (ctd)
• Client/server finished MAC of previously exchanged
parameters (authenticates data from Hello and other
exchanges)
– – Uses an early version of HMAC
• Can reuse previous session data via session ID’s in Hello
• Can bootstrap weak crypto from strong crypto:
• Server has > 512 bit certificate
• • Generates 512-bit temporary key
• • Signs temporary key with > 512 bit certificate
• • Uses temporary key for security
SSL
• Maintains separate send and receive states
53
SSL Data Transfer
Data
Fragment Fragment Fragment
Compress
MAC
Optional
SSL
Encrypt
Transmit
SSL Record Protocol Operation
54
SSL Characteristics
• Protects the session only
• Designed for multiple protocols (HTTP, SMTP, NNTP,
POP3, FTP) but only really used with HTTP
• Compute-intensive:
– • 3 CPU seconds on Sparc 10 with 1Kbit RSA key
– • 200 MHz NT box allows about a dozen concurrent SSL
handshakes
• – Use multiple servers
• – Use hardware SSL accelerators
• Crippled crypto predominates
SSL
• • Strong servers freely available (Apache), but most browsers USsourced and crippled
55
Strong SSL Encryption
• Most implementations based on SSLeay,
– http://www.ssleay.org/Server
• Some variation of Apache + SSLeay Browser
• Hacked US browser
• Non-US browser
SSL Proxy
• Strong encryption tunnel using SSL
SSL
•
•
•
•
•
56
SSL
Client-Server
SSL
Handshake
57
Server Gated Cryptography
SGC
SGC
Server Gated Cryptography
SGC
• Allows strong encryption on a per-server
basis
• Originally available only to “qualified
financial institutions”, later extended
slightly (hospitals, some government
departments)
• Requires special SGC server certificate
from VeriSign
• Enables strong encryption for one server
(www.bank.com)
59
SGC (ctd)
Exportable SSL
Client
Hello
Server
Hello + certificate
Weak encryption key
Weak encryption
Weak encryption
SSL with SGC
Client
Hello
Server
Hello + SGC certificate
Strong encryption key
Strong encryption
SGC
Strong encryption
60
Application
E-Commerce protocol
Application
E-Mail
S/MIME, PGP
E-mail
Transport Layer Protocol
TLS
Higher-level net
protocols
SSL, TLS,SSH
TCP/IP
IPSEC
TCP/IP
Data Link
Hardware Link
Data Link
Kerberos
Higher-level net
protocols
Encryption
Physical
Physical
TLS
Transport Layer Security
•
•
•
•
TLS
IETF-standardised evolution of SSLv3
• Non-patented technology
• Non-crippled crypto
• Updated for newer algorithms Substantially similar to
SSL
• • TLS identifies itself as SSL 3.1
• TLS standards work,
• http://www.consensus.com/ietf-tls/
62
Questions?
Dr. Moutasem Shafa’amry
[email protected]