Date posted: 21-Dec-2015
Spring 2005© 2000-2005, Richard A. Stanley
EE579T/4 #1
EE579T / CS525T Network Security
4: IPSec
Prof. Richard A. Stanley
Overview of Tonight’s Class
• Review of last week’s class
• Class projects
– Likely presentation date: 12 April
– Presentation time: ~25 minutes, incl. Q&A
• IP Security
Last class (1)...
• Combining hashing algorithms and asymmetric cryptography, it is possible to digitally sign a message
• A digitally signed message can, under certain conditions, assure both integrity of the contents and authenticity of the sender
• Trust relationships are necessary to extend this concept. The most common such system is X.509 v3
Last class (2) ...
• PGP illustrates systems integration of functions to produce a very good cryptosystem, providing confidentiality, authentication, and features to make it compatible with email
• Despised by governments worldwide, and subject to legal restrictions in many places
• Complex key management scheme does not scale well to large systems, or where previously unknown entities need services
ISO Protocol Model (again)
[Figure: layered protocol model; labels: Protocols; IP; Ethernet, token ring; Electrical standards]
Protocol Layering & Internetworking
Consider DECNET
DECNET
• Supports many Layer 2 protocols
• Address is of form 10.1, where
– 10 = area number
– 1 = node number
• Addresses NOT associated with physical networks to which nodes are connected
Compare Appletalk
Source: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/applet.htm
Appletalk
• Like DECNET, supports several Layer 2 protocols
• Network addressing schema:
How Could We Connect These Two?
• Addressing completely different
• Routing structure different
• Electrical standards different
• …etc.
• In fact, not much similar except that they are both digital networks
• This is why IP came in, and why it remains!
IP Overview
• Layer 3 protocol
• Provides packet routing
• Does not ensure reliable delivery—that is left to higher-level protocols, like TCP & UDP
• Facilitates interconnection of dissimilar computers, which is why it is important
IP Versions
• Most commonly used version is IP v4, which is widely used worldwide
• Next version is IP v6 (there is no v5)
– Adds address space
– Adds security, QoS
– Provides for additional routing capabilities
– Improves housekeeping
– Ability to add features in the future.
– Being implemented by US DoD
IP Version 4 Structure
Source: http://www.freesoft.org/CIE/Course/Section3/7.htm
IP Version 6 Structure
Source: http://courseptr.com/downloads/chapterpreview/MUDGameProgch1.pdf
IP in Short
• “Democracy is the worst form of government except for all those others that have been tried.” -Winston Churchill
• This kind of describes IP
– Not the best protocol ever established
– But one of the most ubiquitous
– It isn’t going away—huge investment in it
The Future: One Version
• Every outlet, light, and appliance in a home or office will have its own IP address
• IP-enabled appliances are already available
• Security issues here?
LG GR-D267DTU Internet Refrigerator
IP Security
• Using the original IP standards, this is an oxymoron
• Needs
– Protection from eavesdropping
– Protection from spoofing
– Provision for secure user-to-user traffic
• Problems
– IP not designed for this
Enter IPSec
• IPSec intended to meet the security needs of IP networks, especially the Internet
– Originally intended to come in as part of IP v6
– IP v6 may never come for many folks, and most of the IPSec functionality has become available in IP v4
– Becoming widely available in products such as virtual private networks, etc.
What Does IPSec Do?
• Enables secure VPNs over public networks
• Allows secure remote access over public networks
• Facilitates secure connectivity with business partners, especially temporarily
• Improves eCommerce security
• It does all this using the cryptographic tools we have just studied. Now we’ll see how.
IPSec Features
• Can be applied at the perimeter
– In-house traffic avoids security overhead that may not actually be needed
• Lies below the transport layer, so is transparent to applications
• Can be made transparent to end users, which keeps training and support costs low
• Can support individual user security
Services
• Access control
• Datagram integrity
• Sender authenticity
• Replay protection
• Message body confidentiality
• Traffic flow security (very limited, though)
Security Association
• IPSec concept that defines the relationship between one party and another for security
– ONE-WAY! (i.e., not reflexive)
– If A & B have bilateral security needs, two security associations are required
• Defined by
– Security parameters index (SPI)
– Destination IP address
– Security protocol identifier
So...
• Security association (SA) is uniquely defined by
– Destination address in the IP header, and
– SPI in the enclosed extension header (AH or ESP)
• What’s an extension header?
• What are AH and ESP?
• Stick around!
Security Parameters
• Encapsulating Security Payload (ESP)
– Deals with packet encryption
• Authentication Header (AH)
– Deals with packet authentication
• Encryption algorithm (several available)
• Authentication algorithm (ditto)
• Key management scheme
SA Parameters
• Sequence number counter
• Sequence counter overflow flag
• Anti-replay window
• AH information
• ESP information
• SA lifetime
• IPSec protocol mode (tunnel, transport, wildcard)
• Path MTU
Policy
• Association of traffic with SAs is done by the Security Policy Database (SPD)
• Each SPD entry is defined by a selector
– Selectors filter outbound traffic
• Compare packet selector fields with SPD to find matching SPD entry; points to zero or more SAs
• Determine SA for this packet and its SPI (Security Parameters Index)
• Perform the required processing (AH or ESP)
Authentication Header (AH)
• Supports data integrity and authentication
– Assures data modification will be detected
– Also guards against replay
• Based on Message Authentication Code (MAC)
– Requires shared secret key
AH Fields
• Next header
– Identifies type of header that follows
• Payload length
• Reserved for future use
• SPI (defines an SA)
• Sequence number
• Authentication data
AH Overview
Bit positions: 0, 8, 16, 31
Word 1: Next header (bits 0-7), Payload length (bits 8-15), (reserved) (bits 16-31)
Word 2: SPI
Word 3: Sequence number
Following words: Authentication data (variable length)
Overview of Headers (IP v4)
Standard: Original IP header | TCP | Payload (data)
Transport mode: Original IP header | AH | TCP | Payload (data)
Tunneling mode: New IP header | AH | Original IP header | TCP | Payload (data)
Integrity Check Value (ICV)
• Included in the Authentication Data field
– Based on HMAC (keyed hash)
  • HMAC MD5
  • HMAC SHA-1
– 96 MSB of HMAC result used for ICV
– HMAC calculated over
  • Immutable or predictable IP header fields
  • The AH header except the Authentication Data field
  • The entire upper-level protocol data
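The ICV computation above, worked through in Python as an added example (not part of the original slides): it builds the AH from the fields listed on the AH Fields slide for a transport-mode IPv4 packet and keeps the 96 most significant bits of HMAC-SHA-1. The key, addresses, SPI and function names are constructed for illustration; the example assumes an IPv4 header without options and treats TOS, flags/fragment offset, TTL and header checksum as the mutable fields zeroed before hashing.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # 96 most significant bits of the HMAC result


def zero_mutable_ipv4(header: bytes) -> bytes:
    """Zero the IPv4 fields routers may change in transit, so that only
    immutable fields feed the HMAC (TOS, flags/offset, TTL, checksum)."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah(next_header: int, spi: int, seq: int, icv: bytes = bytes(ICV_LEN)) -> bytes:
    """Next header, payload length, reserved, SPI, sequence number, auth data."""
    payload_len = (12 + len(icv)) // 4 - 2  # AH size in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_header, ah, upper, digest=hashlib.sha1) -> bytes:
    """HMAC over the IP header (mutable fields zeroed), the AH with its
    Authentication Data zeroed, and the upper-level protocol data."""
    ah_zeroed = ah[:12] + bytes(len(ah) - 12)
    covered = zero_mutable_ipv4(ip_header) + ah_zeroed + upper
    return hmac.new(key, covered, digest).digest()[:ICV_LEN]


def protect(key, src, dst, spi, seq, upper, ttl=64) -> bytes:
    """Build a transport-mode IPv4 + AH packet (protocol 51, TCP inside).
    The IP checksum is left at 0 here; it is zeroed for the ICV anyway."""
    total = 20 + 24 + len(upper)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 51, 0, src, dst)
    ah = build_ah(6, spi, seq)
    return ip + ah[:12] + compute_icv(key, ip, ah, upper) + upper


def verify(key, packet: bytes) -> bool:
    """Recompute the ICV at the receiver and compare in constant time."""
    ip, ah, upper = packet[:20], packet[20:44], packet[44:]
    return hmac.compare_digest(compute_icv(key, ip, ah, upper), ah[12:])


# Constructed sample values (not from the slides).
KEY = b"shared-secret-key-for-this-SA"
PKT = protect(KEY, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
              spi=0x1001, seq=1, upper=b"constructed TCP segment bytes")
```

A packet whose TTL was decremented in transit still verifies, because TTL is excluded from the HMAC; a changed source address, sequence number or payload byte does not.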
Anti-Replay Service
• Replay: retransmission of an already-authenticated packet at a later time
– A favorite way to break into or disrupt services
• IPSec implements anti-replay using the Sequence Number field (32 bits), so the maximum Sequence Number is 2^32
• If the Sequence Number would wrap around, a new SA, with new key, is needed
Anti-Replay in Action
• Sender initializes sequence counter to 0, increments counter by 1 for every packet sent
• Counter value is placed in SN field
• Receiver has a problem:
– IP is connectionless, so packets can arrive in any order
– IP doesn’t guarantee delivery (that is done by TCP), so packets can -- and do -- go missing
Anti-Replay at the Receiver
• Receiver maintains a sliding window over received packets, default width = 64 = W
• Right edge of window holds highest SN packet so far received that is valid
• All slots from (N-W+1) to N that have been authenticated are marked
Window Management
• If new packet is within the window and is new, the corresponding slot is marked
• If new packet is outside window to the right, and is authenticated, window is moved to the right and slot is marked
• If new packet is outside the window to the left, or if not authenticated, packet discarded and audit event raised
The Window in Action
[Figure: sliding window covering sequence numbers N-W to N; slots are labelled "Received, valid, marked" or "Space for valid packet not yet received"]
The window makes replay attacks much more difficult, as they would have to occur within the width of the window: possible, but unlikely (most of the time)
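The receiver's window rules from the preceding slides, as an added Python example (not from the original slides). Class, method and variable names are hypothetical; the `authenticated` flag stands in for the result of the ICV check, and sequence number 0 is rejected on the assumption that the sender increments its counter before sending the first packet.

```python
class ReplayWindow:
    """Receiver-side anti-replay window (default width W = 64)."""

    def __init__(self, width=64):
        self.width = width
        self.top = 0      # N: highest authenticated sequence number so far
        self.marked = 0   # bit i set => sequence number (N - i) already received
        self.audit = []   # (sequence number, reason) for every discarded packet

    def _discard(self, seq, reason):
        self.audit.append((seq, reason))
        return False

    def receive(self, seq, authenticated):
        """Return True if accepted. `authenticated` is the ICV check result."""
        if seq <= 0 or seq >= 2**32:   # must fit the 32-bit field; 0 is unused
            return self._discard(seq, "sequence number out of range")
        if seq + self.width <= self.top:
            return self._discard(seq, "left of window")
        if seq <= self.top and self.marked >> (self.top - seq) & 1:
            return self._discard(seq, "replay inside window")
        if not authenticated:
            # Checked before any state changes, so a forged packet with a
            # huge sequence number cannot slide the window forward.
            return self._discard(seq, "not authenticated")
        if seq > self.top:
            # Right of the window: slide so that the new packet is slot N.
            shift = seq - self.top
            self.marked = (self.marked << shift if shift < self.width else 0) | 1
            self.marked &= (1 << self.width) - 1
            self.top = seq
        else:
            # Inside the window and new: mark its slot.
            self.marked |= 1 << (self.top - seq)
        return True


def run(trace, width=64):
    """Feed (sequence number, authenticated) pairs through a fresh window."""
    window = ReplayWindow(width)
    return [window.receive(seq, ok) for seq, ok in trace], window


# Constructed arrival order: reordering, a replay, a forgery, a stale packet.
TRACE = [(1, True), (3, True), (2, True), (3, True),
         (500, False), (100, True), (36, True), (37, True)]
```

After sequence number 100 arrives the window covers 37 to 100, so 36 is discarded as stale while 37 is still accepted.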
IPSec Authentication: Transport Mode
• Transport Mode uses the Authentication Header (AH)
– IP v4: AH inserted after original IP header, but before the IP payload
– IP v6: AH is an end-to-end payload, not examined by intermediate routers. So, AH comes after the other IP v6 header routing fields (base, hop-by-hop, etc.)
• Clearly, AH does not provide data confidentiality
IPSec Authentication: Tunnel Mode
• Entire original IP packet authenticated
– AH inserted before original IP header and after new “outer” IP header
– Allows placing original routing info within the authentication envelope, but more importantly
– Allows a new set of IP addresses to be used as a wrapper for the original packet
• As we shall see, this forms the basis for IPSec-based virtual private networks.
Encapsulating Security Payload (ESP)
• Provides confidentiality services
– Optionally, can also provide authenticity
• Fields
– SPI
– Sequence number
– Payload data
– Padding
– Pad length
– Next header
ESP
Packet layout, top to bottom:
SPI
Sequence number
Payload data (variable length)
Padding (0-255 bytes)
Pad length, Next header
Authentication data (variable)
Figure labels: Authentication Coverage, Confidentiality Coverage
Encryption Algorithms
• Confidentiality services provided by symmetric cryptography
• Algorithms supported:
– DES (CBC)
– TDEA (three key)
– IDEA
– Three key triple IDEA
– CAST
– Blowfish
– AES
– RC5
• MAC same as AH (96-bit HMAC)
Padding?
• Extends the plaintext to a multiple of some number of bytes to accommodate those encryption algorithms that require fixed block sizes (e.g. DES, AES)
• Ensures that the end of the Next Header field is right-aligned with the 32-bit word
• Can be used to provide partial traffic flow security, by concealing payload length
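The three uses of padding listed above, as an added Python example (not from the original slides) that builds and checks the ESP trailer before encryption and after decryption. Function names and the `min_total` parameter are hypothetical, and the padding bytes follow the 1, 2, 3, ... pattern that the ESP specification uses by default.

```python
import math


def esp_pad(payload: bytes, next_header: int, block_size: int = 8,
            min_total: int = 0) -> bytes:
    """Return payload + padding + pad length + next header (pre-encryption).

    The result is a multiple of the cipher block size and of 4 bytes, so the
    Next Header byte ends on a 32-bit boundary. `min_total` (hypothetical
    parameter) adds extra padding to conceal the true payload length.
    """
    align = block_size * 4 // math.gcd(block_size, 4)   # lcm(block size, 4)
    target = max(len(payload) + 2, min_total)
    total = -(-target // align) * align                 # round up to alignment
    pad_len = total - len(payload) - 2
    if pad_len > 255:
        raise ValueError("padding field is limited to 255 bytes")
    padding = bytes(range(1, pad_len + 1))              # 1, 2, 3, ... pattern
    return payload + padding + bytes([pad_len, next_header])


def esp_unpad(plaintext: bytes):
    """Split decrypted ESP data into (payload, next header), checking padding."""
    if len(plaintext) < 2 or len(plaintext) % 4:
        raise ValueError("bad ESP plaintext length")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds data")
    end = len(plaintext) - 2
    padding = plaintext[end - pad_len:end]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return plaintext[:end - pad_len], next_header
```

With `min_total=256` and a 16-byte block, a 1-byte payload and a 200-byte payload both produce 256 bytes to encrypt, which is the partial traffic flow protection the last bullet refers to.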
Transport mode ESP Service
• Encrypts data carried by IP
– Optionally, also authenticates the data
Standard: Original IP header | TCP | Payload (data)
Transport mode: Original IP header | ESP header | TCP | Payload (data) | ESP trlr | ESP auth
Figure labels: Encrypted, Authenticated
Transport Mode
• Provides end-to-end confidentiality
• Is transparent to applications
• Is efficient, adds little extra to IP overhead
• Does not provide traffic flow security
– Possible to analyze source - destination traffic flows and volumes
– Useful for drawing conclusions about associations, workload, etc.
Tunneling Mode ESP
• Encrypts the entire IP packet
– Including the original source, destination
Standard: Original IP header | TCP | Payload (data)
Tunneling mode: New IP header | ESP header | Original IP header | TCP | Payload (data) | ESP trlr | ESP auth
Figure labels: Encrypted, Authenticated
Tunneling Mode
• Encrypts entire original IP packet, including source and destination addresses
– Can help to counter traffic analysis
• Allows construction of secure virtual private networks (VPNs) over unsecured networks
• Useful when firewalls in the path -- security can be done only at the network edge
VPN Example
Edge routers need info about the other end of the network
IPSec starts/ends here
SA Limits
• An individual SA can implement either AH or ESP, but not both
• But, sometimes both services are needed
– This requires multiple SA’s in the same traffic flow
– Just as with Feistel encryption/decryption key scheduling, we must “unwrap” the SA’s in inverse order to their application
– Referred to as SA bundle
SA Bundling
• Transport adjacency
– Applies >1 SA to the same IP packet, without tunneling
– Only one level of combination
• Iterated tunneling
– Applies multiple security protocols through IP tunneling
– Multiple nesting, since each tunnel can originate or terminate at any IPSec site
What to do First?
• Transport adjacency
– Wrap an ESP SA inside an AH SA
  • IP payload is encrypted (because ESP is inner level)
  • AH covers ESP, original IP header
  • Result: more fields are authenticated
• Transport-tunnel bundle
– Wrap an AH SA inside an ESP SA
  • Authentication data protected by encryption
  • Authentication data can be accessed in clear
Key Management
• IPSec has many good features. Performing key distribution manually is not one of them
• Protocol has been developed to provide for session key distribution
– Internet Key Exchange (IKE) [RFC 2409]
– IKE incorporates
  • ISAKMP [RFC 2408]
  • Oakley
  • A few other things
– Current version (Nov 2001) is v2
Diffie-Hellman Revisited
• Advantages
– Generates keys only when required
– Requires no preexisting infrastructure
• Disadvantages
– No authentication of communicating parties
– Vulnerable to man-in-the-middle attack
– Computationally intensive
  • Slow
  • Vulnerable to denial of service attack
Oakley Key Determination
• Based on D-H, but improved (RFC 2412)
• Advantages over Diffie-Hellman
– Uses cookies to avoid denial of service attacks
– Enables prior negotiation of global parameters
– Uses nonces to guard against replay
– Allows exchange of D-H public key values
– Authenticates D-H exchange (defeats man-in-the-middle attacks)
Nonce
• nonce (nŏns) noun
– The present or particular occasion: “Her tendency to discover a touch of sadness had for the nonce disappeared” (Theodore Dreiser).
– [From Middle English for the nones, for the occasion]
• The American Heritage® Dictionary of the English Language, Third Edition, 1992, Houghton Mifflin Company
• Say what?
• In cryptography, a nonce is a pseudorandom number bearing a timestamp
Oakley Authentication
• Three types available
– Digital Signature
– Asymmetric-key cryptography
– Symmetric-key cryptography
• This guards against man-in-the-middle attacks
We Like IKE
• IKE is an IPSec protocol that defines the procedures and formats needed to establish, negotiate, modify, or delete Security Associations within IPSec
• Built on the ISAKMP protocol, which is sometimes viewed as IKE v0.1
• ISAKMP notation still in wide use, but officially, it is now IKE
Summary
• IPSec is a complex security protocol, originally developed for roll-out with IP v6
• Provides authentication, integrity, and confidentiality services to IP transmission
• IKE improves on basic protocols like D-H
• Many implementations available for IP v4, so it is usable today
• Authentication and encapsulation services provide a basis for VPNs
Homework
• Read Stallings, Chapter 7
• Do Stallings, Problems 6.1a, 6.2 (for IPv4 only), 6.3a, 6.5a