Post on 21-Mar-2016
description
transcript
W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T
IKE Tutorial
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Agenda
Cryptography BasicsCryptography Basics IPSECIPSEC IKEIKE IKE Hybrid ModeIKE Hybrid Mode
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Cryptography - BasicsCryptography is used forCryptography is used for
ConfidentialityConfidentiality IntegrityIntegrity Authentication (signature)Authentication (signature)
2 categories2 categories Symetric cryptographySymetric cryptography Asymetric cryptographyAsymetric cryptography
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Symetric CryptographySame Key is performing encryption and Same Key is performing encryption and
decryptiondecryption
Hi Bob !Hi Bob !* * ^1 ^1’’’’hh’’Hi Bob !Hi Bob !
ALICEALICE BOBBOB
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Symetric CryptographySymetric Encryption Algorythms : Symetric Encryption Algorythms :
DES, 3DESDES, 3DES RC2, RC4, RC5RC2, RC4, RC5 IDEAIDEA BlowFishBlowFish CASTCAST FWZ-1FWZ-1
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Symetric CryptographyAdvantages : Advantages :
FastFast Reliable (depends on the Key lenght)Reliable (depends on the Key lenght)
DisadvantagesDisadvantages The Key must remain secretThe Key must remain secret Key ManagementKey Management
Large number of people / sitesLarge number of people / sites Key changesKey changes
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Asymetric Cryptography
2 Keys2 Keys 1 Public1 Public 1 Private1 Private Both are linked Both are linked
togethertogetherAlgorytms : Algorytms :
RSA (Rivest Shamir RSA (Rivest Shamir Adleman)Adleman)
Diffie HelmannDiffie Helmann
Public keyPublished
Private keyConfidential
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Asymetric Cryptography (RSA)
ConfidentialityConfidentiality
AuthenticationAuthentication
Receiver’s Private key
Decryption
Receiver’s Public key
Encryption
Sender’s Private key Sender’s Public key
Encryption Decryption
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Asymetric CryptographyEx. : confidentiality with RSAEx. : confidentiality with RSA
ALICEALICE BOBBOB
Hi Bob !Hi Bob ! *&^1)-h@’
Hi Bob !Hi Bob !
Bob’sprivate key
Bob’spublic key
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Asymetric Cryptography : DH
ALICEALICEBOBBOB
DH privatekey
DH privatekey
Alice’s DHpublic key
Bob’s DHpublic key
Bob’s DHpublic key
Alice’s DHpublic key
DH Secret key
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Symetric Cryptography
Advantages : Advantages : No need to distribute Secret KeysNo need to distribute Secret Keys
DisadvantagesDisadvantages Slow (100 to 1000 times slower than Slow (100 to 1000 times slower than
Symetric cryptography)Symetric cryptography)
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Agenda
Cryptography BasicsCryptography Basics IPSECIPSEC IKEIKE IKE Hybrid ModeIKE Hybrid Mode
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IPSEC Tunnel mode : Tunnel mode :
AH (ip protocol 33)AH (ip protocol 33) ESP (ip protocol 32)ESP (ip protocol 32)
Authentication / Integrity
Encrypted
New IPHeader
HeaderESP
OriginalIP Header
Authentication / Integrity
New IPHeader
HeaderAH
OriginalIP Header
ESPESPAHAH
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Agenda
Cryptography BasicsCryptography Basics IPSECIPSEC IKEIKE IKE Hybrid ModeIKE Hybrid Mode
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialBefore we begin, one necessary term. Before we begin, one necessary term.
HMAC is an “authenticated” hash HMAC is an “authenticated” hash computation. It is a method to digitally computation. It is a method to digitally sign data without using public key sign data without using public key cryptography.cryptography.
HMAC(key, data) = HASH(mix(key,data))HMAC(key, data) = HASH(mix(key,data))
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE Tutorial Basic concept in IKE: Security Association (SA).Basic concept in IKE: Security Association (SA). An SA contains all information necessary for two An SA contains all information necessary for two
entities to exchange secured messages.entities to exchange secured messages. Each SA has an identifier, sometimes called an SPI.Each SA has an identifier, sometimes called an SPI. Example SA:Example SA:
SPI: 12345Encryption algorithm: DES
HMAC algorithm: MD5Encryption key: 0x65f3dde…HMAC key: 0xa3b443d9…Expiry: 15:06:09 13Oct98
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE Tutorial In IP security, there are two types of SAs:In IP security, there are two types of SAs:
IKE SA: used for securing key negotiations.IKE SA: used for securing key negotiations. IPSEC SA: used for securing IP data.IPSEC SA: used for securing IP data.
When two IP entities wish to secure IP data When two IP entities wish to secure IP data between them, the following will occur:between them, the following will occur: Negotiate IKE SA.Negotiate IKE SA. Use IKE SA to negotiate IPSEC SA.Use IKE SA to negotiate IPSEC SA. Use IPSEC SA to encrypt IP data.Use IPSEC SA to encrypt IP data.
The IKE SA is long term. It will typically be The IKE SA is long term. It will typically be used to secure many IPSEC SA negotiations.used to secure many IPSEC SA negotiations.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE Tutorial The negotiation of IKE SAs is called “Phase 1”. The negotiation of IKE SAs is called “Phase 1”.
Phase 1 is authenticated using either PKI, or pre-Phase 1 is authenticated using either PKI, or pre-shared secrets.shared secrets.
There are two types of Phase 1 negotiations: “Main There are two types of Phase 1 negotiations: “Main Mode” and “Aggressive Mode”. Mode” and “Aggressive Mode”.
Aggressive Mode is more efficient (shorter Aggressive Mode is more efficient (shorter negotiation), but does not provide identity protection.negotiation), but does not provide identity protection.
Negotiating IPSEC SAs is called “Phase 2”.Negotiating IPSEC SAs is called “Phase 2”. There is only one type of Phase 2 negotiation, called There is only one type of Phase 2 negotiation, called
“Quick Mode”.“Quick Mode”.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 1: First Message Pair Phase 1, Main Mode consists of three pairs of Phase 1, Main Mode consists of three pairs of
messages. Remember: goal is to establish an messages. Remember: goal is to establish an IKE SA.IKE SA.
First pair: negotiation of parameters for the First pair: negotiation of parameters for the IKE SA: algorithms, authentication type, IKE SA: algorithms, authentication type, expiry. Simplified example:expiry. Simplified example:
Alice Bob
“We can do 3DES and SHA1, or DES and MD5”
“Let’s do 3DES and SHA1”
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 1: Second Message Pair Second pair: exchange of cryptographic data. Goal Second pair: exchange of cryptographic data. Goal
is to establish a shared secret between two entities:is to establish a shared secret between two entities:
Note: the DH key is used only for this exchange, Note: the DH key is used only for this exchange, and then thrown away.and then thrown away.
Alice Bob
“Here’s a DH public key, and some random data”
“Here’s a DH public key, and some random data”
Alice and Bob both compute a shared secret which is a function of the DH keys and the random data.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 1 Some notes before the third pair of Some notes before the third pair of
messages:messages: Alice and Bob now have a shared secret, and they Alice and Bob now have a shared secret, and they
can use it to encrypt the third pair of messages.can use it to encrypt the third pair of messages. First and second pairs do not provide any First and second pairs do not provide any
authentication. Alice and Bob could be authentication. Alice and Bob could be masquerading, or Eve could be attacking using the masquerading, or Eve could be attacking using the “man-in-the-middle” technique.“man-in-the-middle” technique.
Furthermore, Alice and Bob do not know who they Furthermore, Alice and Bob do not know who they are negotiating with. All they know is an IP are negotiating with. All they know is an IP address from which the messages are arriving.address from which the messages are arriving.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 1: Third Message Pair Third pair of messages is encrypted. The goal is to Third pair of messages is encrypted. The goal is to
exchange identities, prove the identities, and exchange identities, prove the identities, and retroactively authenticate all the previous messages. retroactively authenticate all the previous messages. The authentication can be based on either pre-The authentication can be based on either pre-shared secrets, or on PKI. Example:shared secrets, or on PKI. Example:
Alice Bob
I’m alice@wonderland.com. Here’s an HMAC overall the data we exchanged, using our pre-shared secret.
I’m 204.53.10.4. Here’s an HMAC over all the data we exchanged, using our pre-shared secret.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 1 Some remarks:Some remarks:
How does this work with PKI? Addressed in PKI How does this work with PKI? Addressed in PKI presentation.presentation.
Identity types include X.500 Distinguished Names, Identity types include X.500 Distinguished Names, E-mail addresses, IP addresses and more.E-mail addresses, IP addresses and more.
Result of negotiation is a single, bi-directional IKE Result of negotiation is a single, bi-directional IKE SA.SA.
Authentication with pre-shared secrets allows Authentication with pre-shared secrets allows dictionary attacks on the pre-shared secret.dictionary attacks on the pre-shared secret.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 2
Phase 2 is always secured by an IKE SA. The IKE Phase 2 is always secured by an IKE SA. The IKE SA provides secrecy, authentication, and data SA provides secrecy, authentication, and data integrity.integrity.
Remember: the goal is to establish an IPSEC SA.Remember: the goal is to establish an IPSEC SA. Three messages in Phase 2:Three messages in Phase 2:
Message 1: Suggestion of parameters, and identities for Message 1: Suggestion of parameters, and identities for whom we’re negotiating.whom we’re negotiating.
Message 2: Choice of parameters, and HMAC signature on Message 2: Choice of parameters, and HMAC signature on first message.first message.
Message 3: HMAC signature on previous messages.Message 3: HMAC signature on previous messages. HMAC signatures use a key from the IKE SA.HMAC signatures use a key from the IKE SA.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 2Example Phase 2 (simplified) exchange:Example Phase 2 (simplified) exchange:
Alice Bob
Let’s do either ESP DES/MD5, or AH SHA1. I’m negotiating on behalf of subnets 189.63.71.0 and 204.53.10.0. Here’s some random data.
Let’s use AH SHA1. Here’s an HMAC of the previous message using our IKE SA HMAC key. Here’s some random data
Here’s an HMAC of the previous messages using our IKE SA HMAC key.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 2 Remarks:Remarks:
The keys in the resulting IPSEC SA are a function The keys in the resulting IPSEC SA are a function of the IKE SA key and the random data.of the IKE SA key and the random data.
The result of the negotiation are two uni-directional The result of the negotiation are two uni-directional IPSEC SAs, each with a distinct SPI (SPI are also IPSEC SAs, each with a distinct SPI (SPI are also part of the negotiation).part of the negotiation).
The SAs can only be used to encrypt IPSEC traffic The SAs can only be used to encrypt IPSEC traffic between the negotiated identities. between the negotiated identities.
Identity types are IP addresses, IP ranges, IP Identity types are IP addresses, IP ranges, IP subnets.subnets.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
IKE TutorialPhase 2 More Remarks:More Remarks:
Perfect Forward Secrecy (PFS) can be turned on Perfect Forward Secrecy (PFS) can be turned on to provide additional security. It includes an to provide additional security. It includes an additional exchange of DH keys.additional exchange of DH keys.
When an SA is about to expire, the entities can When an SA is about to expire, the entities can start a new negotiation. If the IKE SA is valid, only start a new negotiation. If the IKE SA is valid, only Phase 2 is required. Otherwise, both Phase 1 and Phase 2 is required. Otherwise, both Phase 1 and Phase 2 are required.Phase 2 are required.
One other types of IKE message: One other types of IKE message: “informational”. Examples: error messages, “informational”. Examples: error messages, requests to delete Sas.requests to delete Sas.
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Agenda
Cryptography BasicsCryptography Basics IPSECIPSEC IKEIKE IKE Hybrid ModeIKE Hybrid Mode
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Hybrid Mode IKE - What is it? A method of using Authentication Schemes A method of using Authentication Schemes
other than a Pre-shared Secret, or a Digital other than a Pre-shared Secret, or a Digital Certificate with IKECertificate with IKE
IKE Standard did not originally allow for IKE Standard did not originally allow for authentication schemes like:authentication schemes like: Token Cards - SecurID, etc. Token Cards - SecurID, etc. LDAPLDAP RADIUSRADIUS NT DomainNT Domain Firewall-1 PasswordFirewall-1 Password etcetc
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Hybrid Mode Challenge: integrate all FW-1 authentication Challenge: integrate all FW-1 authentication
schemes with IKEschemes with IKE Standards based solution does not existStandards based solution does not exist
Requirements:Requirements: Open: integrates well with all authentication schemesOpen: integrates well with all authentication schemes Secure: mutual (user vs. gateway) authenticationSecure: mutual (user vs. gateway) authentication Standards based: suggest solution to IETF (draft-ietf-Standards based: suggest solution to IETF (draft-ietf-
ipsec-isakmp-hybrid-auth-03)ipsec-isakmp-hybrid-auth-03) Existing solutions are:Existing solutions are:
Proprietary (hard to determine their security)Proprietary (hard to determine their security) Or, insecure suggested standards (XAUTH)Or, insecure suggested standards (XAUTH)
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Hybrid ModeSolution:Solution:
Gateway cannot use an “interactive” Gateway cannot use an “interactive” authentication scheme, unlike a user:authentication scheme, unlike a user:
Gateway uses PKIGateway uses PKI User uses of the FW-1 authentication schemesUser uses of the FW-1 authentication schemes
FW-1 Password, LDAP, TACACS+, RADIUS, etc.FW-1 Password, LDAP, TACACS+, RADIUS, etc.
CP management station includes simple CP management station includes simple PKI abilitiesPKI abilities Sufficient to deploy certificates to the Sufficient to deploy certificates to the
gatewaysgateways NOT a full blown PKI for usersNOT a full blown PKI for users
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Hybrid Mode Example (Radius)
GW User
A’s certificate + A’s signature over previous data
User identity, hash of previous
data
Check identity in certificate and validate
Check identity
SA Negotiation
Radius challenge (“enter password”)
Password 1232456
Validate password
Establish encrypted channel
Establish encrypted channel