Blanket coverage Network-Layer...
CS242 Computer Networks Department of Computer Science Wellesley College
Network-Layer Security IPsec and Virtual Private Networks

Blanket coverage
o IPsec provides security at the network layer by encrypting the payloads of all datagrams between pairs of network entities.
o In addition to confidentiality, it can also provide:
  o authentication;
  o data integrity;
  o and security against replay attacks.

IPsec and Virtual Private Networks
[Figure: Wellesley College, the French House, and your instructor (working from home) connected across the Internet. Labels: Router w/ IPv4 and IPsec (two of them), Laptop w/ IPsec. Datagram formats shown: IP header | IPsec header | Secure payload, and IP header | payload.]

A rather complex animal
o IPsec is defined in more than a dozen RFCs, including RFC 4301, describing the overall IP security architecture, and RFC 6071, which gives an overview of the IPsec protocol suite.
o Two principal protocols: Authentication Header (AH) and Encapsulation Security Payload (ESP).

Security associations
o Before sending IPsec datagrams, the source and destination entities create a network-layer logical connection called a security association (SA).
o An SA is unidirectional from source to destination.
o If both entities want to send secure datagrams, then two SAs need to be established.

Security association from R1 to R2
Router R1 maintains the following state:
o 32-bit SA identifier: Security Parameter Index (SPI)
o Origin SA interface (200.168.1.100)
o Destination SA interface (193.68.2.23)
o Type of encryption used (e.g., 3DES with CBC)
o Encryption key
o Type of integrity check used (e.g., HMAC with MD5)
o Authentication key
[Figure: security association from R1 (200.168.1.100, Wellesley College, subnet 172.16.1/24) across the Internet to R2 (193.68.2.23, French House, subnet 172.16.2/24).]

IPsec tunnel mode packet format
1. Suppose router R1 receives an ordinary IPv4 datagram from host 172.16.1.17.
   [ original IP hdr | original IP datagram payload ]
2. R1 appends an ESP trailer field (padding, pad length, next header) to the back of the original IPv4 datagram.
   [ original IP hdr | original IP datagram payload | ESP trl ]
3. R1 encrypts the result using the agreed algorithm and key.
   encrypted: [ original IP hdr | original IP datagram payload | ESP trl ]
4. R1 appends the ESP header field (SPI, Seq #) to the front of the encrypted result to create the whole enchilada.
   [ ESP hdr | original IP hdr | original IP datagram payload | ESP trl ]
5. An authentication MAC is created over the whole enchilada using the algorithm and key specified in the SA, creating a new payload.
   [ ESP hdr | original IP hdr | original IP datagram payload | ESP trl | ESP auth ]
   "enchilada" authenticated: ESP hdr through ESP trl; encrypted: original IP hdr through ESP trl
6. Finally, a new IP header with standard IPv4 fields is prepended to the payload.
   [ new IP header | ESP hdr | original IP hdr | original IP datagram payload | ESP trl | ESP auth ]
The original IP datagram has 172.16.1.17 for the source IP address and 172.16.2.48 for the destination IP address. What do you suppose the source and destination IP addresses are in the new IP header?

Not surprisingly, ...
[Figure: the security association between R1 (200.168.1.100, Wellesley College, subnet 172.16.1/24) and R2 (193.68.2.23, French House, subnet 172.16.2/24) across the Internet.]
Source and destination IP addresses in the new IP header are set to the ends of the tunnel.
*Also, the protocol number in the new IPv4 header is not set to TCP, UDP, or SMTP, but instead to 50, designating an IPsec datagram using the ESP protocol.

At the receiving end ...
[Figure, repeated on each slide: new IP header | ESP hdr (SPI, Seq #) | original IP hdr | original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth. "enchilada" authenticated: ESP hdr through ESP trl; encrypted: original IP hdr through ESP trl.]
1. R2 realizes from the protocol field of the new header (50) that this is an IPsec ESP datagram, and examines the ESP header to determine to which SA the datagram belongs.
2. R2 then calculates the MAC of the enchilada and verifies that the MAC is consistent with the value in the ESP MAC fields.
3. Next, the sequence-number field is checked to verify that the datagram is fresh (and not a replayed datagram).
4. The payload is decrypted using the decryption algorithm and key associated with the SA.
5. The padding length is determined and the padding is removed.
6. The original IP datagram is passed to its ultimate destination.
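
The sender and receiver steps above can be traced in a short Python sketch. This is an added example, not code from the original slides. Assumptions: the function names and the dictionary layout of an SA are hypothetical, a SHA-256 counter keystream stands in for the SA's real cipher (e.g. 3DES with CBC), the MAC is HMAC-SHA-256 truncated to 16 bytes, and the replay check only requires a strictly increasing sequence number.

```python
import hashlib, hmac, struct

ESP_PROTO = 50   # protocol number carried in the new IPv4 header (from the slides)
BLOCK = 8        # block size assumed for padding (3DES-CBC uses 8-byte blocks)
ICV_LEN = 16     # length of the truncated MAC in the ESP auth field (assumption)

def _stand_in_cipher(key, seq, data):
    # NOT a real ESP cipher: SHA-256 counter keystream standing in for 3DES-CBC.
    ks = b"".join(hashlib.sha256(key + struct.pack("!II", seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac(sa, enchilada):
    return hmac.new(sa["auth_key"], enchilada, hashlib.sha256).digest()[:ICV_LEN]

def esp_seal(sa, inner):
    """R1: trailer -> encrypt -> ESP header -> MAC. Returns the new IP payload."""
    sa["seq"] += 1
    pad_len = -(len(inner) + 2) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4
    body = _stand_in_cipher(sa["enc_key"], sa["seq"], inner + trailer)
    enchilada = struct.pack("!II", sa["spi"], sa["seq"]) + body
    return enchilada + _mac(sa, enchilada)

def esp_open(sad, payload):
    """R2: SA lookup -> MAC check -> replay check -> decrypt -> strip padding."""
    spi, seq = struct.unpack("!II", payload[:8])
    sa = sad[spi]                                   # KeyError: no SA for this SPI
    enchilada, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    if not hmac.compare_digest(icv, _mac(sa, enchilada)):
        raise ValueError("MAC mismatch")
    if seq <= sa["last_seq"]:                       # simplified: strictly increasing
        raise ValueError("replayed sequence number")
    sa["last_seq"] = seq
    plain = _stand_in_cipher(sa["enc_key"], seq, enchilada[8:])
    pad_len = plain[-2]                             # second-to-last trailer byte
    return plain[:len(plain) - 2 - pad_len]

def demo():
    keys = {"spi": 0x1001, "enc_key": b"constructed-enc", "auth_key": b"constructed-auth"}
    r1_sa = dict(keys, seq=0)                       # sender state at R1
    r2_sad = {0x1001: dict(keys, last_seq=0)}       # receiver's SA database at R2
    inner = b"IPv4 172.16.1.17 -> 172.16.2.48 | constructed payload"
    pkt = esp_seal(r1_sa, inner)                    # rides behind the new IP header
    return inner, pkt, esp_open(r2_sad, pkt), r2_sad
```

Feeding the same packet to `esp_open` a second time raises the replay error, and flipping any bit of the enchilada raises the MAC error before decryption is attempted.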

Security Policy Database (SPD)
o When R1 receives an unsecured datagram from a host at Wellesley College, how does it know whether it should be converted to an IPsec datagram?
o And if it is to be processed by IPsec, how does R1 know which SA should be used?

Key management in IPsec
o When a VPN has a small number of end points, the network administrator can manually enter the SA information into the SADs.
o This scheme does not scale.
o Large, geographically distributed deployments require an automated mechanism for creating SAs.

Internet Key Exchange (IKE) protocol
o Each IPsec entity has a certificate, which includes its public key.
o As with SSL, IKE has the two entities exchange certificates, negotiate authentication and encryption algorithms, and secretly exchange key material for creating session keys.
o This is done in two phases.

Internet Key Exchange – Phase 1
o The two sides use Diffie-Hellman to create a bi-directional IKE SA* between the two entities.
o The IKE SA provides an authenticated and encrypted channel between the two routers ...
o ... and establishes a master secret that will be used to compute IPsec SA keys in phase 2.
*To keep us all confused, this SA is entirely different from the IPsec SAs just discussed.

Internet Key Exchange – Phase 2
o Both sides reveal their identities to each other by signing their messages and sending them over the secured IKE SA channel.
o The two sides then negotiate the IPsec encryption and authentication algorithms to be employed by the IPsec SAs.

Securing wireless LANs
o Radio waves carrying frames don’t necessarily stay within one room or even one building, raising serious concerns.
o Wired Equivalent Privacy (WEP) was the initial 802.11 standard.
o It was intended to provide a level of security similar to that found in wired networks.

Wired Equivalent Privacy
o Designed in 1999, WEP was intended to provide authentication and data encryption between a host and a wireless access point.
o It did not specify a key management algorithm, so somehow the host and wireless access point have to agree on the key via some out-of-band method.

WEP Authentication
1. Wireless host requests authentication by an access point.
2. Access point responds with a 128-byte nonce value.
3. Wireless host encrypts the nonce using the symmetric key that it shares with the access point.
4. Access point decrypts the host-encrypted nonce.

WEP Encryption
o A secret 40-bit symmetric key, KS, is assumed known by both parties.
o In addition, a 24-bit Initialization Vector (IV) is appended to the 40-bit key to create a 64-bit key that will be used to encrypt a single frame.
o The IV will change from one frame to another, hence each frame will be encrypted with a different 64-bit key.
[Figure: keystream generator taking Key+IV as input and producing the keystream for each packet.]

WEP Encryption
[Figure: the key sequence generator (for given KS, IV) takes KS, the 40-bit secret symmetric key, and the 24-bit per-frame IV and produces the key sequence k1^IV, k2^IV, k3^IV, …, kN^IV, kN+1^IV, … The plaintext frame data plus CRC (d1, d2, d3, …, dN, CRC1, …, CRC4) is combined with it to give c1, c2, c3, …, cN, cN+1, …, cN+4. Transmitted frame: 802.11 header | IV | WEP-encrypted data plus CRC.]
o A 4-byte CRC is computed for the data payload.
o The payload and CRC bytes are encrypted using the RC4 stream cipher.
o The IV changes from one frame to the next and is included in plaintext in the header of each WEP-encrypted 802.11 frame.

Problem with using duplicate keys*
1. Trudy IP spoofs a request to Alice to transmit a file with known content d1, d2, d3, ...
2. Trudy also observes the encrypted data c1, c2, c3, ...
3. Since di = ci XOR ki^IV, XORing ci with each side yields: di XOR ci = ki^IV.
*Soon after its 1999 release, work began on a new and improved version with strong security mechanisms.
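
Why per-frame IV uniqueness matters can be checked directly with the frame format from the WEP Encryption slides. The sketch below is an added example, not code from the original slides: it builds the per-frame RC4 key as the IV followed by KS, confirms the identity di XOR ci = ki^IV on a frame with known content, and includes a small audit helper that reports IVs seen more than once. The function names, the key, and the sample data are constructed for illustration.

```python
import zlib

def rc4_keystream(seed, n):
    """First n bytes of the RC4 keystream for the given seed."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(ks_key, iv, data):
    """Return (iv, ciphertext); the ciphertext covers data plus the 4-byte CRC."""
    plain = data + zlib.crc32(data).to_bytes(4, "little")
    return iv, xor(plain, rc4_keystream(iv + ks_key, len(plain)))

def keystream_from_known(data, ciphertext):
    """di XOR ci = ki^IV: known content plus its ciphertext exposes the keystream."""
    plain = data + zlib.crc32(data).to_bytes(4, "little")
    return xor(plain, ciphertext)

def reused_ivs(frames):
    """Audit helper: IVs that occur more than once in a list of (iv, ciphertext)."""
    seen, dup = set(), set()
    for iv, _ in frames:
        (dup if iv in seen else seen).add(iv)
    return dup

def demo():
    key = bytes.fromhex("0102030405")          # constructed 40-bit KS
    known = b"constructed file content with known bytes"
    iv, ct = wep_encrypt(key, b"\x00\x00\x01", known)
    other = wep_encrypt(key, b"\x00\x00\x02", known)   # same data, next IV
    same_stream = keystream_from_known(known, ct) == rc4_keystream(iv + key, len(ct))
    return same_stream, ct != other[1], reused_ivs([(iv, ct), other, (iv, ct)])
```

The recovered keystream depends only on KS and the IV, so it is the same for every frame sent under that IV; with a 24-bit IV the values must eventually repeat under a fixed KS.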

802.11i four phase operation
STA: client station; AP: access point; AS: authentication server (on the wired network)
1. Discovery of security capabilities.
2. STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through”.
3. STA derives Pairwise Master Key (PMK). AS derives same PMK, sends to AP.
4. STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity.

Extensible Authentication Protocol (EAP)
[Figure: protocol stacks. STA to AP: EAP TLS | EAP | EAP over LAN (EAPoL) | IEEE 802.11. AP to AS over the wired network: EAP TLS | EAP | RADIUS | UDP/IP.]
o EAP messages are encapsulated using EAPoL (EAP over LAN) and sent over 802.11 to the AP ...
o ... where they are decapsulated and then re-encapsulated using the RADIUS protocol for transmission over UDP/IP between the AP and the authentication server.
o While 802.11i does not mandate a particular authentication method, EAP-TLS is often used.