Date post: | 02-Mar-2016 |
Upload: | kuljit-kaur |
IKE
Internet Key Exchange: Before IPSec sends authenticated or encrypted IP data, both the sender and receiver must agree on the protocols, encryption algorithms and keys to use for message integrity, authentication and encryption. IKE is used to negotiate these and provides primary authentication.
Key lifetimes can be set and rekeying can be done automatically.
Internet Key Exchange: Protocol for doing mutual authentication and establishing a shared secret key to create an IPSec SA.
Uses: long-term keys (public signature-only keys, pre-shared secret keys, public encryption keys)
Pieces:
- ISAKMP (Internet Security Association and Key Management Protocol) framework (OAKLEY implementation)
- IKE (Internet Key Exchange) defines fields, chooses options of ISAKMP
- DOI (Domain of Interpretation) specifies particular use of ISAKMP
IKE
ISAKMP: Framework developed by the NSA, mainly concerned with the details of Security Association management.
Consists of procedures and fields for:
- Authentication of peers
- Negotiation, modification, deletion of Security Associations
- key generation techniques
- threat mitigation (e.g. DoS, replay attacks)
Is distinct from key exchange protocols, so details of managing security associations are separated from details of managing key exchange.
An implementation requires a key exchange protocol like IKE.
Common implementation is OAKLEY, a key agreement protocol using DH. Basis of IKE.
IKE
IKE: Internet Key Exchange (IKE or IKEv2). The protocol used to set up a security association (SA) in IPsec.
Uses Diffie-Hellman to get a shared session secret. That secret is used to derive up to 6 cryptographic keys.
Public key algorithms or a pre-shared key are used to mutually authenticate communicating parties.
IKE builds upon the Oakley protocol.
Implementation: a daemon in user space (access to databases); packets parsed by kernel modules (for speed).
IKEv2 solved many IKE problems: DoS, poor SA negotiation, not completely specified.
IKE
DOI: Domain of Interpretation. Groups related protocols using ISAKMP to negotiate SAs. Protocols sharing a DOI choose security protocol and crypto transforms from a common namespace and share key exchange protocol identifiers. They also share a common interpretation of DOI-specific payload data content, including the SA and Identification payloads.
- naming scheme for DOI-specific protocol identifiers
- interpretation for the Situation field: SA from assoc ID packet, needs secrecy, needs integrity check
- set of applicable security policies
- syntax for DOI-specific SA Attributes
- syntax for DOI-specific payload contents
- additional Key Exchange types, if needed
- additional Notification Message types, if needed
IKE
[Diagram: Node A and Node B, each with IKE and IPSec; Phase 1 and Phase 2 run between the nodes, with an SA at each node]
Phase 1: Does mutual authentication and establishes session keys based on identities such as names, and secrets.
Phase 2: SAs are established between two entities.
Reason: different SAs may be established for different traffic flows; phase 1 need be done once, phase 2 uses the same phase 1 session key to generate multiple SAs.
IKE
Cookies: used to prevent DoS. Both sides have a cookie, which is a hash over the IP source and destination addresses, the source and destination ports, and a locally generated secret value. Cookies are sent in the opening transaction. If cookie is not received in the second round of messages, connection is cancelled.
But ISAKMP requires that the cookie is unique for every SA, so SA information needs to be maintained during handshake. So the cookies are not actually stateless.
Attacker can only force an acknowledgment, not a Diffie-Hellman calculation.
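The cookie check described above, as an added example that is not part of the original slides. The `Responder` class and `simulate` function are hypothetical, HMAC-SHA256 truncated to 64 bits is an assumed choice of hash, and the addresses are constructed; the sketch shows the stateless form of the check and does not model the per-SA uniqueness requirement.

```python
import hashlib
import hmac
import secrets


class Responder:
    """Hypothetical responder that defers Diffie-Hellman until its cookie comes back."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)    # locally generated secret value
        self.dh_computations = 0

    def cookie(self, src_ip, dst_ip, src_port, dst_port) -> bytes:
        fields = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
        # Assumed hash: HMAC-SHA256 keyed with the local secret, cut to 64 bits.
        return hmac.new(self.secret, fields, hashlib.sha256).digest()[:8]

    def first_round(self, src_ip, dst_ip, src_port, dst_port) -> bytes:
        # One hash and one reply: the only work an unauthenticated sender can force.
        return self.cookie(src_ip, dst_ip, src_port, dst_port)

    def second_round(self, src_ip, dst_ip, src_port, dst_port, echoed: bytes) -> bool:
        expected = self.cookie(src_ip, dst_ip, src_port, dst_port)
        if not hmac.compare_digest(expected, echoed):
            return False                          # dropped before any exponentiation
        self.dh_computations += 1                 # stand-in for computing g^ab mod p
        return True


def simulate():
    """Constructed traffic: one genuine peer, then 1000 spoofed second-round messages."""
    r = Responder()
    peer = ("192.0.2.10", "198.51.100.1", 500, 500)
    accepted = r.second_round(*peer, r.first_round(*peer))
    for i in range(1000):
        spoofed = f"203.0.113.{i % 250}"
        r.second_round(spoofed, "198.51.100.1", 500, 500, secrets.token_bytes(8))
    return accepted, r.dh_computations
```

A sender that never sees the reply to its claimed source address cannot echo the right cookie, so the spoofed messages cost the responder one hash each and no Diffie-Hellman work.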
Possible Security Problem: (encryption w/o integrity)
C can decrypt packet sent by A to B:
- Record packet from A to B and packet from C to D
- Splice the encrypted part containing src, dst from C to D onto A to B
- Forward packet to Firewall; Firewall decrypts, sends result to D
[Diagram: two firewalls and hosts A, C, B, D]
IKE
Internet Key Exchange Phase 1:
Aggressive Mode: Accomplishes mutual authentication in three messages.
Diffie-Hellman exchange:
1. Client -> Server: $g^a \bmod p$, ID, crypto prop., $\text{nonce}_C$
2. Server -> Client: $g^b \bmod p$, proof, crypto choice, $\text{nonce}_S$, [cert]
3. Client -> Server: proof, [cert]
proof (of ID) might be a signature
IKE
Internet Key Exchange Phase 1:
Aggressive Mode Problems:
1. Someone other than Server can send a refusal back to Client and Client cannot tell if it is fake (would want such a message to be sent encrypted).
IKE
Internet Key Exchange Phase 1:
Main Mode: Accomplishes mutual authentication in six msgs. Includes ability to hide endpoint identifiers from eavesdroppers and flexibility in negotiating crypto algorithms.
Parameter negotiation:
1. Client -> Server: crypto proposal
2. Server -> Client: crypto choose
Diffie-Hellman exchange:
3. Client -> Server: $g^a \bmod p$, non1
4. Server -> Client: $g^b \bmod p$, non2
Authenticate, encrypted, with $K = f(g^{ab} \bmod p,\ \text{non1},\ \text{non2})$:
5. Client -> Server: K{ID, proof of ID, [cert]}
6. Server -> Client: K{ID, proof of ID, [cert]}
nonces allow same Diffie-Hellman private value for many transactions
proof of ID: signature on a hash of ID, DH values, nonces, crypto choices
IKE
Internet Key Exchange Phase 1:
Proof of Identity: Some hash of the key associated with the identity, the Diffie-Hellman values, nonces, cryptographic choices, and cookies.
Problem: choice of cryptographic suite by server is not encrypted. A man in the middle might actually replace a good choice with a poor (crackable) choice, then decrypt and impersonate server from then on.
Stateless cookies? No, must remember crypto proposals.
Duplicate connection identifiers? Possible to have two connections with the same crypto parameters.
IKE
Internet Key Exchange Phase 1:
Crypto Parameters:
1. Encryption algorithm (DES, 3DES, IDEA)
2. Hash algorithm (MD5, SHA)
3. Authentication method (RSA signature, DSS ...)
4. Diffie-Hellman group ((g, p), elliptic curves)
IKE
Internet Key Exchange Phase 1:
Certificates: Neither Client nor Server can ask the other side for a certificate. If they do not know the other side's public key they cannot use the protocol. If certificates are sent in first two messages then identities are revealed.
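IKE
Internet Key Exchange Phase 1:
Three keys:
Encryption: $K_e = f(K,\ K_a \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 2)$
Authentication: $K_a = f(K,\ K_d \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 1)$
Non-IPSec: $K_d = f(K,\ g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 0)$
These keys will be used to protect the last phase 1 transaction and all the phase 2 transactions.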
IKE
Internet Key Exchange Phase 1:
Main Mode Revised: requires a single private key operation on either side.
Parameter negotiation (starts out as before, no change yet):
1. Client -> Server: crypto proposal
2. Server -> Client: crypto choose
Diffie-Hellman exchange:
3. Client -> Server: K1{$g^a \bmod p$}, K1{ID}, K1{[certificate]}, ServerPublicKey{non1}, where K1 = hash(non1, cookie1)
   Server uses private key to decrypt non1, then determines K1, then decrypts ID and everything else.
4. Server -> Client: K2{$g^b \bmod p$}, K2{ID}, ClientPublicKey{non2}, where K2 = hash(non2, cookie2)
Authenticate, encrypted:
K{proof of ID}, where $K = f(g^{ab} \bmod p,\ \text{nons},\ \text{cooks})$
IKE
Internet Key Exchange Phase 1:
Shared Secret Main Mode: Only required protocol. Requires Client and Server to already share a secret. Intended for laptops trying to get into a firewall at work while on the road?
Client and Server both hold Shared Secret J.
Parameter negotiation:
1. Client -> Server: crypto proposal
2. Server -> Client: crypto choose
Diffie-Hellman:
3. Client -> Server: $g^a \bmod p$, non1
4. Server -> Client: $g^b \bmod p$, non2
Authentication, with $K = f(J,\ g^{ab} \bmod p,\ \text{nons},\ \text{cooks})$:
5. Client -> Server: K{ID, proof(ID)}
6. Server -> Client: K{ID, proof(ID)}
IKE
Internet Key Exchange Phase 1:
Problems:
1. Client sends identity in message 5 encrypted with key K which is a function of shared secret J. Server cannot decrypt that message to find out who the Client is unless it knows J. But that means Server must know who the Client is in the first place! So the specification requires that identities are IP addresses.
2. If identities must be IP addresses, this protocol cannot seriously be used in road warrior application.
Fix: Do not make K a function of J. OK since J is included in the hash which is proof of identity.
IKE
Internet Key Exchange Phase 1:
Negotiating Cryptographic Parameters:
- encryption algorithm: DES, 3DES, IDEA
- hash: MD5, SHA
- authentication method: pre-shared keys, RSA signing, RSA encryption, DSS
- Diffie-Hellman type: p, g
Session Keys: Two established: integrity, encryption, for protecting the last phase 1 transaction and all the phase 2 transactions.
$K_d = f(K,\ g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 0)$
$K_a = f(K,\ K_d \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 1)$
$K_e = f(K,\ K_a \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 2)$
IKE
Internet Key Exchange Phase 2:
Setting up IPSec SAs: All messages are encrypted with Phase 1 SA's encryption key $K_e$ and integrity protected with phase 1 SA's integrity key $K_a$.
Messages (Client and Server share the Phase 1 SA):
1. Client -> Server: X, Y, CP, traffic, SPI1, nonce1, [$g^a \bmod p$]
2. Server -> Client: X, Y, CPA, traffic, SPI2, nonce2, [$g^b \bmod p$]
3. Client -> Server: X, Y, ack
X is a pair of cookies from phase 1. Y is a 32-bit number chosen to distinguish this setup from others that may be set up simultaneously in phase 1. X and Y are unencrypted.
Rest of message: crypto parameters, optional Diffie-Hellman values for Perfect Forward Secrecy, optional description of traffic. Integrity protected: with $K_a$. Encrypted: with $K_e$.
Encryption: For the first message, the initialization vector is the final ciphertext block of the last message of phase 1 hashed with Y. For the second and third messages, the initialization vector is the final ciphertext block of the previous phase 2 message hashed with Y.
IKE
Internet Key Exchange Phase 2:
Results: New keying material:
$\text{Keymat} = f(K_d,\ \text{protocol} \mid [\,g^{xy} \bmod p \mid\,]\ \text{SPI} \mid \text{nonce1} \mid \text{nonce2})$
Parties decide how to use the keying material to generate six keys for the session.
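The Phase 1 key chain (Kd, Ka, Ke) and the Phase 2 keying material above, carried through in code as an added example that is not part of the original slides. Assumptions: f is instantiated as HMAC-SHA256, K is keyed on the two nonces, the group is a constructed toy group, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (a 127-bit Mersenne prime); far too small for real use.
P, G = 2**127 - 1, 3


def f(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for the slides' f: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")


def phase1_keys(gab, non1, non2, cookie_a, cookie_b):
    """Return (Kd, Ka, Ke); each key is chained on the previous one."""
    k = f(non1 + non2, enc(gab))               # K = f(g^ab mod p, non1, non2)
    tail = enc(gab) + cookie_a + cookie_b
    kd = f(k, tail + b"\x00")
    ka = f(k, kd + tail + b"\x01")
    ke = f(k, ka + tail + b"\x02")
    return kd, ka, ke


def keymat(kd, protocol, spi, nonce1, nonce2, gxy=None):
    """Phase 2 keying material; gxy is the optional Diffie-Hellman value for PFS."""
    pfs = enc(gxy) if gxy is not None else b""
    return f(kd, bytes([protocol]) + pfs + spi + nonce1 + nonce2)


def handshake():
    """Run one constructed exchange and return each side's (Kd, Ka, Ke)."""
    a, b = 1 + secrets.randbelow(P - 2), 1 + secrets.randbelow(P - 2)
    ga, gb = pow(G, a, P), pow(G, b, P)
    non1, non2 = secrets.token_bytes(16), secrets.token_bytes(16)
    cookie_a, cookie_b = secrets.token_bytes(8), secrets.token_bytes(8)
    client = phase1_keys(pow(gb, a, P), non1, non2, cookie_a, cookie_b)
    server = phase1_keys(pow(ga, b, P), non1, non2, cookie_a, cookie_b)
    return client, server
```

Because the SPI is an input to the keying material, the SPI1 and SPI2 sent in the two Phase 2 messages yield different keys for the two directions.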
IKE
Internet Key Exchange Phase 2:
Problems:
1. Can be vulnerable to replay:
   a. If Y is "random" instead of based on a sequence #, to detect a replay attack one must remember all Y's generated.
   b. If headers and session keys are the same in both directions, attacker can replay easily.
2. Can be vulnerable to reflection attack.
What to do: Use different keys in different directions. Use sequence numbers instead of message IDs.
IKE
ISAKMP/IKE Encoding:
Messages have a fixed header followed by a sequence of payloads. Each payload starts with "type of next payload" and "length of this payload".
IKE
Fixed Header:
[Figure: fixed header layout. Fields: initiator's cookie (64 bits), responder's cookie (64 bits), next payload type (8 bits), version, exchange type, flags, message ID, message length; the figure also carries the size labels 32 bits, 80 bits and 64 bits]
payload type: End, SA, Proposal, Transform (crypto choices), Key Exchange, ID, Certificate, Certificate Request, Checksum (hash), signature, nonce, Notification, delete (closing the SPI), vendor ID (for telling the implementation being used)
exchange type:
- base: adds extra message to aggressive mode to allow DH negot.
- identity protection (main mode)
- authentication only
- aggressive
- informational
flags: encrypted, commit, authentication only (set only during phase 2)
message ID: differentiates messages with same phase 1 SA
IKE
Payload, starting fields:
- next type of payload (8 bits)
- unused (8 bits)
- length of this payload (16 bits)
IKE
Example, crypto choices:
[Figure: an SA payload (type of payload, bundle length, next payload) followed by chained payloads whose "next payload" fields read P, T or 0]