Ike
kuljit-kaur
-
IKE (Internet Key Exchange): Before IPSec sends authenticated or encrypted IP data, both the sender and receiver must agree on the protocols, encryption algorithms and keys to use for message integrity, authentication and encryption. IKE is used to negotiate these and provides primary authentication.
Key lifetimes can be set and rekeying can be done automatically.
-
Internet Key Exchange: Protocol for doing mutual authentication and establishing a shared secret key to create an IPSec SA.
Uses: long-term keys (public signature-only keys, pre-shared secret keys, public encryption keys)
Pieces:
  ISAKMP (Internet Security Association and Key Management Protocol) framework (OAKLEY implementation)
  IKE (Internet Key Exchange) defines fields, chooses options of ISAKMP
  DOI (Domain of Interpretation) specifies particular use of ISAKMP
IKE
-
ISAKMP: Framework developed by the NSA, mainly concerned with the details of Security Association management.
Consists of procedures and fields for:
  authentication of peers
  negotiation, modification, deletion of Security Associations
  key generation techniques
  threat mitigation (e.g. DoS, replay attacks)
Is distinct from key exchange protocols, so details of managing security associations are separated from details of managing key exchange.
An implementation requires a key exchange protocol like IKE.
Common implementation is OAKLEY, a key agreement protocol using DH. Basis of IKE.
-
IKE: Internet Key Exchange (IKE or IKEv2). The protocol used to set up a security association (SA) in IPsec.
Uses Diffie-Hellman to get a shared session secret. That secret is used to derive up to 6 cryptographic keys.
Public key algorithms or a pre-shared key are used to mutually authenticate communicating parties.
IKE builds upon the Oakley protocol.
Implementation: a daemon in user space (access to databases); packets parsed by kernel modules (for speed).
IKEv2 solved many IKE problems: DoS, poor SA negotiation, not completely specified.
-
DOI: Domain of Interpretation. Groups related protocols using ISAKMP to negotiate SAs. Protocols sharing a DOI choose security protocol and crypto transforms from a common namespace and share key exchange protocol identifiers. They also share a common interpretation of DOI-specific payload data content, including the SA and Identification payloads.
  naming scheme for DOI-specific protocol identifiers
  interpretation for the Situation field: SA from assoc ID packet, needs secrecy, needs integrity check
  set of applicable security policies
  syntax for DOI-specific SA Attributes
  syntax for DOI-specific payload contents
  additional Key Exchange types, if needed
  additional Notification Message types, if needed
-
[Diagram: Node A and Node B running IKE and IPSec, with Phase 1, Phase 2 and the resulting SAs.]
Phase 1: Does mutual authentication and establishes session keys based on identities such as names, and secrets.
Phase 2: SAs are established between two entities.
Reason: different SAs may be established for different traffic flows; phase 1 need be done once, phase 2 uses the same phase 1 session key to generate multiple SAs.
-
Cookies: used to prevent DoS. Both sides have a cookie, which is a hash over the IP source and destination addresses, the source and destination ports, and a locally generated secret value. Cookies are sent in the opening transaction. If the cookie is not received in the second round of messages, the connection is cancelled.
But ISAKMP requires that the cookie is unique for every SA, so SA information needs to be maintained during the handshake. So the cookies are not actually stateless.
Attacker can only force an acknowledgment, not a Diffie-Hellman calculation.
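The cookie check described above, as an added example that is not part of the original slides. HMAC-SHA-256 truncated to 64 bits stands in for "a hash" (an assumption), and the addresses, ports and the names `make_cookie` and `Responder` are constructed for illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

LOCAL_SECRET = os.urandom(32)        # locally generated secret value
RESPONDER = ("192.0.2.1", 500)       # constructed responder address and port


def make_cookie(src_ip, src_port, secret=LOCAL_SECRET):
    """64-bit cookie: keyed hash over both addresses, both ports and the secret."""
    dst_ip, dst_port = RESPONDER
    material = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                + struct.pack("!HH", src_port, dst_port))
    return hmac.new(secret, material, hashlib.sha256).digest()[:8]


class Responder:
    """Spends Diffie-Hellman work only after the peer echoes a valid cookie."""

    def __init__(self):
        self.dh_computations = 0

    def first_round(self, src_ip, src_port):
        # One hash and an acknowledgment sent to the claimed source; no DH yet.
        return make_cookie(src_ip, src_port)

    def second_round(self, src_ip, src_port, echoed_cookie):
        expected = make_cookie(src_ip, src_port)
        if not hmac.compare_digest(expected, echoed_cookie):
            return False             # cookie missing or wrong: connection cancelled
        self.dh_computations += 1    # stand-in for the expensive g^b mod p step
        return True


def simulate():
    """Constructed traffic: one real initiator, one spoofed source, one reused cookie."""
    r = Responder()
    cookie = r.first_round("198.51.100.7", 40000)
    honest = r.second_round("198.51.100.7", 40000, cookie)
    r.first_round("203.0.113.9", 40001)      # reply goes to the spoofed address
    spoofed = r.second_round("203.0.113.9", 40001, bytes(8))
    reused = r.second_round("203.0.113.9", 40001, cookie)
    return honest, spoofed, reused, r.dh_computations
```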
-
Possible Security Problem: (encryption w/o integrity)
C can decrypt packet sent by A to B:
  Record packet from A to B and packet from C to D.
  Splice the encrypted part containing src, dst from C to D onto A to B.
  Forward packet to Firewall; Firewall decrypts, sends result to D.
[Diagram: hosts A, C, B and D and two Firewalls.]
-
Internet Key Exchange Phase 1:
Aggressive Mode: Accomplishes mutual authentication in three messages.
  Diffie-Hellman exchange
    1. Client -> Server: $g^a \bmod p$, ID, crypto prop., nonce_C
    2. Server -> Client: $g^b \bmod p$, proof, crypto choice, nonce_S, [cert]
       proof (of ID) might be a signature
    3. Client -> Server: proof, [cert]
-
Internet Key Exchange Phase 1:
Aggressive Mode Problems:
1. Someone other than Server can send a refusal back to Client, and Client cannot tell if it is fake (would want such a message to be sent encrypted).
-
Internet Key Exchange Phase 1:
Main Mode: Accomplishes mutual authentication in six messages. Includes ability to hide endpoint identifiers from eavesdroppers and flexibility in negotiating crypto algorithms.
  Parameter negotiation
    1. Client -> Server: crypto proposal
    2. Server -> Client: crypto choose
  Diffie-Hellman exchange
    3. Client -> Server: $g^a \bmod p$, non1
    4. Server -> Client: $g^b \bmod p$, non2
  Authenticate, encrypted
    5. Client -> Server: K{ID, proof of ID, [cert]}
    6. Server -> Client: K{ID, proof of ID, [cert]}
  $K = f(g^{ab} \bmod p, \text{non1}, \text{non2})$
  Nonces allow same Diffie-Hellman private value for many transactions.
  Proof of ID: signature on a hash of ID, DH values, nonces, crypto choices.
-
Internet Key Exchange Phase 1:
Proof of Identity: Some hash of the key associated with the identity, the Diffie-Hellman values, nonces, cryptographic choices, and cookies.
Problem: choice of cryptographic suite by server is not encrypted. A man in the middle might actually replace a good choice with a poor (crackable) choice, then decrypt and impersonate server from then on.
Stateless cookies? No, must remember crypto proposals.
Duplicate connection identifiers? Possible to have two connections with the same crypto parameters.
-
Internet Key Exchange Phase 1:
Crypto Parameters:
1. Encryption algorithm (DES, 3DES, IDEA)
2. Hash algorithm (MD5, SHA)
3. Authentication method (RSA signature, DSS ...)
4. Diffie-Hellman group ((g, p), elliptic curves)
-
Internet Key Exchange Phase 1:
Certificates: Neither Client nor Server can ask the other side for a certificate. If they do not know the other side's public key, they cannot use the protocol. If certificates are sent in the first two messages, then identities are revealed.
-
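Internet Key Exchange Phase 1:
Three keys:
  Encryption: $K_e = f(K,\ K_a \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 2)$
  Authentication: $K_a = f(K,\ K_d \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 1)$
  Non-IPSec: $K_d = f(K,\ g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 0)$
These keys will be used to protect the last phase 1 transaction and all the phase 2 transactions.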
-
Internet Key Exchange Phase 1:
Main Mode Revised: requires a single private key operation on either side.
  Parameter negotiation
    1. Client -> Server: crypto proposal (starts out as before)
    2. Server -> Client: crypto choose (no change yet)
  Diffie-Hellman exchange
    3. Client -> Server: K1{$g^a \bmod p$}, K1{ID}, K1{[certificate]}, ServerPublicKey{non1}
       K1 = hash(non1, cookie1)
       Server uses private key to decrypt non1, then determines K1, then decrypts ID and everything else.
    4. Server -> Client: K2{$g^b \bmod p$}, K2{ID}, ClientPublicKey{non2}
       K2 = hash(non2, cookie2)
  Authenticate, encrypted
    K{proof of ID}
    $K = f(g^{ab} \bmod p, \text{nonces}, \text{cookies})$
-
Internet Key Exchange Phase 1:
Shared Secret Main Mode: Only required protocol. Requires Client and Server to already share a secret. Intended for laptops trying to get into a firewall at work while on the road?
Both sides hold Shared Secret J.
  Parameter negotiation
    1. Client -> Server: crypto proposal
    2. Server -> Client: crypto choose
  Diffie-Hellman
    3. Client -> Server: $g^a \bmod p$, non1
    4. Server -> Client: $g^b \bmod p$, non2
  Authentication
    5. Client -> Server: K{ID, proof(ID)}
    6. Server -> Client: K{ID, proof(ID)}
  $K = f(J, g^{ab} \bmod p, \text{nonces}, \text{cookies})$
-
Internet Key Exchange Phase 1:
Problems:
1. Client sends identity in message 5 encrypted with key K, which is a function of shared secret J. Server cannot decrypt that message to find out who the Client is unless it knows J. But that means Server must know who the Client is in the first place! So the specification requires that identities are IP addresses.
2. If identities must be IP addresses, this protocol cannot seriously be used in road warrior application.
Fix: Do not make K a function of J. OK since J is included in the hash which is proof of identity.
-
Internet Key Exchange Phase 1:
Negotiating Cryptographic Parameters:
  encryption algorithm: DES, 3DES, IDEA
  hash: MD5, SHA
  authentication method: pre-shared keys, RSA signing, RSA encryption, DSS
  Diffie-Hellman type: p, g
Session Keys: Two established: integrity, encryption, for protecting the last phase 1 transaction and all the phase 2 transactions.
  $K_d = f(K,\ g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 0)$
  $K_a = f(K,\ K_d \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 1)$
  $K_e = f(K,\ K_a \mid g^{ab} \bmod p \mid \text{cookie}_a \mid \text{cookie}_b \mid 2)$
-
Internet Key Exchange Phase 2:
Setting up IPSec SAs: All messages are encrypted with Phase 1 SA's encryption key $K_e$ and integrity protected with phase 1 SA's integrity key $K_a$.
  Exchange under the Phase 1 SA:
    1. Client -> Server: X, Y, CP, traffic, SPI1, nonce1, [$g^a \bmod p$]
    2. Server -> Client: X, Y, CPA, traffic, SPI2, nonce2, [$g^b \bmod p$]
    3. Client -> Server: X, Y, ack
X is a pair of cookies from phase 1. Y is a 32-bit number chosen to distinguish this setup from others that may be set up simultaneously in phase 1. X and Y are unencrypted.
Rest of message: crypto parameters, optional Diffie-Hellman values for Perfect Forward Secrecy, optional description of traffic. Integrity protected with $K_a$; encrypted with $K_e$.
Encryption, message 1: Initialization vector is the final ciphertext block of the last message of phase 1, hashed with Y.
Encryption, messages 2 and 3: Initialization vector is the final ciphertext block of the previous phase 2 message, hashed with Y.
-
Internet Key Exchange Phase 2:
Results: New keying material:
  $\text{Keymat} = f(K_d,\ \text{protocol} \mid [g^{xy} \bmod p \mid]\ \text{SPI} \mid \text{nonce1} \mid \text{nonce2})$
Parties decide how to use the keying material to generate six keys for the session.
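The Phase 1 key chain ($K_d$, $K_a$, $K_e$) and the Phase 2 Keymat formula carried through in code, as an added example that is not part of the original slides. HMAC-SHA-256 as `f`, the argument order used for K, the toy Diffie-Hellman group and every sample value are assumptions made for illustration.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group (constructed; far too small for real use).
P = 2**127 - 1
G = 3


def f(key, data):
    """Keyed pseudo-random function; HMAC-SHA-256 is an assumption."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_keys(priv, peer_pub, non1, non2, cookie_a, cookie_b):
    """Derive K, then the chained K_d -> K_a -> K_e from the slides."""
    g_ab = pow(peer_pub, priv, P).to_bytes(16, "big")
    k = f(non1 + non2, g_ab)               # K = f(g^ab mod p, non1, non2)
    tail = g_ab + cookie_a + cookie_b
    k_d = f(k, tail + b"\x00")
    k_a = f(k, k_d + tail + b"\x01")
    k_e = f(k, k_a + tail + b"\x02")
    return k_d, k_a, k_e


def keymat(k_d, protocol, spi, nonce1, nonce2, g_xy=b""):
    """Keymat = f(K_d, protocol | [g^xy mod p |] SPI | nonce1 | nonce2)."""
    return f(k_d, protocol + g_xy + spi + nonce1 + nonce2)


def demo():
    """Both peers derive the same Phase 1 keys; two Phase 2 SAs get distinct Keymat."""
    a, b = 0x1234567890ABCDEF, 0x0FEDCBA987654321      # constructed private values
    ga, gb = pow(G, a, P), pow(G, b, P)
    non1, non2 = b"N1" * 8, b"N2" * 8                  # constructed nonces
    ca, cb = b"cookie-A", b"cookie-B"                  # constructed 64-bit cookies
    client = phase1_keys(a, gb, non1, non2, ca, cb)
    server = phase1_keys(b, ga, non1, non2, ca, cb)
    # One Phase 1 SA, two Phase 2 negotiations with their own SPI and nonces.
    km1 = keymat(client[0], b"\x03", b"\x00\x00\x10\x01", b"p2n1-a", b"p2n2-a")
    km2 = keymat(client[0], b"\x03", b"\x00\x00\x10\x02", b"p2n1-b", b"p2n2-b")
    return client == server, len(set(client)) == 3, km1 != km2
```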
-
Internet Key Exchange Phase 2:
Problems:
1. Can be vulnerable to replay:
   a. If Y is "random" instead of based on a sequence #, to detect a replay attack one must remember all Y's generated.
   b. If headers and session keys are the same in both directions, attacker can replay easily.
2. Can be vulnerable to reflection attack.
What to do: Use different keys in different directions. Use sequence numbers instead of message IDs.
-
ISAKMP/IKE Encoding:
Messages have a fixed header followed by a sequence of payloads. Each payload starts with "type of next payload" and "length of this payload".
-
Fixed Header:
  initiator's cookie (64 bits)   responder's cookie (64 bits)   next payload type (8 bits)
  exchange type (32 bits)   message ID (80 bits)
  message length   flags   (64 bits)
  version
payload type: End, SA, Proposal, Transform (crypto choices), Key Exchange, ID, Certificate, Certificate Request, Checksum (hash), signature, nonce, Notification, delete (closing the SPI), vendor ID (for telling the implementation being used)
exchange type:
  base: adds extra message to aggressive mode to allow DH negot.
  identity protection (main mode)
  authentication only
  aggressive
  informational
flags: encrypted, commit, authentication only (set only during phase 2)
message ID: differentiates messages with same phase 1 SA
-
Payload, starting fields:
  next type of payload (8 bits)   unused (8 bits)   length of this payload (16 bits)
-
Example, crypto choices:
[Diagram: an SA payload (type of payload, bundle length) followed by nested payloads whose headers read next payload = P, next payload = T or next payload = 0.]