Ike

IKEInternetKeyExchange:BeforeIPSecsendsauthenticatedorencryptedIPdata,boththesenderandreceivermustagreeontheprotocols,encryptionalgorithmsandkeystouseformessageintegrity,authenticationandencryption.IKEisusedtonegotiatetheseandprovidesprimaryauthentication.

Keylifetimescanbesetandrekeyingcanbedoneautomatically

InternetKeyExchange:ProtocolfordoingmutualauthenticationandestablishingasharedsecretkeytocreateanIPSecSA.Uses:longtermkeys(publicsignatureonlykeys,presharedsecretkeys,publicencryptionkeys)Pieces:ISAKMP(InternetSecurityAssociationandKeyManagementProtocol)framework(OAKLEYimplementation)IKE(InternetKeyExchange)definesfields,choosesoptionsofISAKMPDOI(DomainofInterpretation)specifiesparticularuseofISAKMP

IKE

ISAKMP:FrameworkdevelopedbytheNSAmainlyconcernedwiththedetailsofSecurityAssociationmanagement

ConsistsofproceduresandfieldsforAuthenticationofpeersNegotiation,modification,deletionofSecurityAssociationskeygenerationtechniquesthreatmitigation(e.g.DoS,replayattacks)

Isdistinctfromkeyexchangeprotocolssodetailsofmanagingsecurityassociationsareseparatedfromdetailsofmanagingkeyexchange

IKE




AnimplementationrequiresakeyexchangeprotocollikeIKE

IKE




AnimplementationrequiresakeyexchangeprotocollikeIKE

CommonimplementationisOAKLEY,akeyagreementprotocolusingDH.BasisofIKE.

IKE

IKE:InternetKeyExchange(IKEorIKEv2)Theprotocolusedtosetupasecurityassociation(SA)inIPsec.

UsesDiffieHellmangetasharedsessionsecretThatsecretisusedtoderiveupto6cryptographickeys.

IKE



Publickeyalgorithmsorapresharedkeyareusedtomutuallyauthenticatecommunicatingparties.

IKE




IKEbuildsupontheOakleyprotocol.

IKE





Implementation:adaemoninuserspace(accesstodatabases)packetsparsedbykernelmodules(forspeed)

IKE





Implementation:adaemoninuserspace(accesstodatabases)packetsparsedbykernelmodules(forspeed)

IKEv2solvedmanyIKEproblems:DoS,poorSAnegotiation,notcompletelyspecified.

IKE

DOI:DomainofInterpretationGroupsrelatedprotocolsusingISAKMPtonegotiateSAs.ProtocolssharingaDOIchoosesecurityprotocolandcryptotransformsfromacommonnamespaceandsharekeyexchangeprotocolidentifiers.TheyalsoshareacommoninterpretationofDOIspecificpayloaddatacontent,includingtheSAandIdentificationpayloads.

namingschemeforDOIspecificprotocolidentifiersinterpretationfortheSituationfieldSAfromassocIDpacket,needssecrecy,needsintegritychecksetofapplicablesecuritypoliciessyntaxforDOIspecificSAAttributessyntaxforDOIspecificpayloadcontentsadditionalKeyExchangetypes,ifneededadditionalNotificationMessagetypes,ifneeded

IKE

IKE

IPSec IPSec

Phase1

Phase2SA SA

NodeA NodeB

Phase1:Doesmutualauthenticationandestablishessessionkeysbasedonidentitiessuchasnames,andsecretsPhase2:SAsareestablishedbetweentwoentities

IKE

IPSec IPSec

Phase1

Phase2SA SA

NodeA NodeB

Phase1:Doesmutualauthenticationandestablishessessionkeysbasedonidentitiessuchasnames,andsecretsPhase2:SAsareestablishedbetweentwoentities

Reason:differentSAsmaybeestablishedfordifferenttrafficflows;phase1needbedoneonce,phase2usesthesamephase1sessionkeytogeneratemultipleSAs.

IKE

Cookies:usedtopreventDoS.BothsideshaveacookiewhichisahashovertheIPsourceanddestinationaddresses,thesourceanddestinationports,andalocallygeneratedsecretvalue.Cookiesaresentintheopeningtransaction.Ifcookieisnotreceivedinthesecondroundofmessages,connectioniscancelled.

IKE


ButISAKMPrequiresthatthecookieisuniqueforeverySAsoSAinformationneedstobemaintainedduringhandshakeSothecookiesarenotactuallystateless

IKE


ButISAKMPrequiresthatthecookieisuniqueforeverySAsoSAinformationneedstobemaintainedduringhandshakeSothecookiesarenotactuallystateless

Attackercanonlyforceanacknowledgment,notaDiffieHellmancalculation.

PossibleSecurityProblem:(encryptionw/ointegrity)

CcandecryptpacketsentbyAtoBRecordpacketfromAtoBandpacketfromCtoDSplicetheencryptedpartcontainsrcdstfromCtoDontoAtoBForwardpackettoFirewall,Firewalldecrypts,sendsresulttoD

Firewall Firewall

A C B D

IKE

InternetKeyExchangePhase1:

AggressiveMode:Accomplishesmutualauthenticationinthreemessages

Client Server

IKE



Client Server

DiffieHellmanExchange

IKE

gamodp,ID,cyptoprop.,nonceC.



Client Server

DiffieHellmanExchangeproof(ofID)mightbeasignature

gbmodp,proof,cypchoice,nonceS,[cert]

IKE



Client Serverproof,[cert]

IKE


AggressiveModeProblems:

1.SomeoneotherthanServercansendarefusalbacktoClientandClientcannottellifitisfake(wouldwantsuchamessagetobesentencrypted).

IKE


MainMode:Accomplishesmutualauthenticationinsixmsgs.Includesabilitytohideendpointidentifiersfromeavesdroppersandflexibilityinnegotiatingcryptoalgorithms

Client Servercryptoproposal

Parameternegotiation

IKE



Client Servercryptochoose


IKE



Client Server

DiffieHellmanexchange

gmodp,non1a

IKE



Client Server


gmodp,non2b

IKE



Client Server

authenticate,encryptednoncesallowsameDiffieHellmanprivatevalueformanytransactionsproofofID:signatureonahashofID,DHvalues,nonces,cryptochoices

K{ID,proofofID,[cert]}

abK=f(gmodp,non1,non2)

IKE



Client Server

authenticate,encrypted

K{ID,proofofID,[cert]}

IKE


ProofofIdentity:Somehashofthekeyassociatedwiththeidentity,theDiffieHellmanvalues,nonces,cryptographicchoices,andcookies.

Problem:choiceofcryptographicsuitebyserverisnotencrypted.Amaninthemiddlemightactuallyreplaceagoodchoicewithapoor(crackable)choicethendecryptandimpersonateserverfromthenon.

Statelesscookies?No,mustremembercryptoproposalsDuplicateconnectionidentifiers?Possibletohavetwoconnectionswiththesamecryptoparameters

IKE


CryptoParameters:1.Encryptionalgorithm(DES,3DES,IDEA)2.Hashalgorithm(MD5,SHA)3.Authenticationmethod(RSAsignature,DSS...)4.DiffieHellmangroup((g,p),ellipticcurves)

IKE


Certificates:ClientnorServercanasktheothersideforacertificate.Iftheydonotknowtheotherside'spublickeytheycannotusetheprotocol.Ifcertificatesaresentinfirsttwomessagesthenidentitiesarerevealed.

IKE


MainModeRevised:requiresasingleprivatekeyoperationoneitherside.


ParameternegotiationStartsoutasbefore

IKE


MainModeRevised:


ParameternegotiationNochangeyet

IKE


MainModeRevised:

Client Server

DiffieHellmanexchangeServerusesprivatekeytodecryptnon1thendeterminesK1thendecryptsID,andeverythingelse

K1{gmodp},K1{ID},K1{[certificate]},ServerPublicKey{non1}

a

K1=hash(non1,cookie1)

IKE


MainModeRevised:

Client Server


K2=hash(non2,cookie2)

K2{gmodp},K2{ID},ClientPublicKey{non2}

b

IKE


MainModeRevised:

Client Server

authenticate,encrypted

K{proofofID}

abK=f(gmodp,nons,cooks)

IKE


SharedSecretMainMode:Onlyrequiredprotocol.RequiresClientandServertoalreadyshareasecretintendedforlaptopstryingtogetintoafirewallatworkwhileontheroad?



SharedSecretJ

IKE





SharedSecretJ

IKE



Client Server

DiffieHellman

SharedSecretJ

gmodp,non1a

IKE



Client Server

DiffieHellman

SharedSecretJ

gmodp,non2b

IKE



Client Server

authentication

SharedSecretJ

K=f(J,gmodp,nons,coks)ab

K{ID,proof(ID)}

IKE


Problems:1.Clientsendsidentityinmessage5encryptedwithkeyKwhichisafunctionofsharedsecretJ.ServercannotdecryptthatmessagetofindoutwhotheClientisunlessitknowsJ.ButthatmeansServermustknowwhotheClientisinthefirstplace!SothespecificationrequiresthatidentitiesareIPaddresses.

2.IfidentitiesmustbeIPaddresses,thisprotocolcannotseriouslybeusedinroadwarriorapplication

IKE


Problems:1.Clientsendsidentityinmessage5encryptedwithkeyKwhichisafunctionofsharedsecretJ.ServercannotdecryptthatmessagetofindoutwhotheClientisunlessitknowsJ.ButthatmeansServermustknowwhotheClientisinthefirstplace!SothespecificationrequiresthatidentitiesareIPaddresses.

2.IfidentitiesmustbeIPaddresses,thisprotocolcannotseriouslybeusedinroadwarriorapplication

Fix:DonotmakeKafunctionofJ.OKsinceJisincludedinthehashwhichisproofofidentity.

IKE


SettingupIPSecSAs:AllmessagesareencryptedwithPhase1SA'sencryptionkeyKeandintegrityprotectedwithphase1SA'sintegritykeyKa.

Client Server

Phase1SA

X,Y,CP,traffic,SPI1,nonce1,[gmodp]a

Xisapairofcookiesfromphase1Yisa32bitnumberchosentodistinguishthissetupfromothersthatmaybesetupsimultaneouslyinphase1.XandYareunencrypted.

IKE



Client Server

Phase1SA


Restofmessage:cryptoparameters,optionalDiffieHellmanvaluesforPerfectForwardSecrecy,optionaldescriptionoftraffic.IntegrityProtected:withKaEncrypted:withKe

IKE



Client Server

Phase1SA


Encryption:Initializationvectoristhefinalciphertextblockoflastmessageofphase1hashedwithY.

IKE


SettingupIPSecSAs:

Client Server

Phase1SA

X,Y,CPA,traffic,SPI2,nonce2,[gmodp]b

Encryption:Initializationvectoristhefinalciphertextblockoflastmessageofpreviousphase2messagehashedwithY.

IKE


SettingupIPSecSAs:

Client Server

Phase1SA

X,Y,ack

Encryption:Initializationvectoristhefinalciphertextblockoflastmessageofpreviousphase2messagehashedwithY.

IKE

InternetKeyExchangePhase2:Results:NewKeyingmaterial:Keymat=f(Kd,protocol|[g

xymodp|]SPI|nonce1|nonce2)

partiesdecidehowtousethekeyingmaterialtogeneratesixkeysforthesession.

IKE

InternetKeyExchangePhase2:Problems:1.Canbevulnerabletoreplay:a.IfYis"random"insteadofbasedonasequence#,todetectareplayattackonemustrememberallY'sgenerated.b.Ifheadersandsessionkeysarethesameinbothdirections,attackercanreplayeasily.2.Canbevulnerabletoreflectionattack.

Whattodo:Usedifferentkeysindifferentdirections.UsesequencenumbersinsteadofmessageIDs.

IKE

ISAKMP/IKEEncoding:

Messageshaveafixedheaderfollowedbyasequenceofpayloads.Eachpayloadstartswith"typeofnextpayload"and"lengthofthispayload".

IKE

FixedHeader:

initiator'scookie(64bits)responder'scookienextpayloadtype

(64bits)(8bits)

exchangetype(32bits)messageID(80bits)

messagelengthflags

(64bits)

version

IKE

payloadtype:End,SA,Proposal,Transform(cryptochoices),KeyExchange,ID,Certificate,CertificateRequest,Checksum(hash),signature,nonce,Notification,delete(closingtheSPI),vendorID(fortellingtheImplementationbeingused)

FixedHeader:

initiator'scookie(64bits)responder'scookienextpayloadtype

(64bits)(8bits)

exchangetype(32bits)messageID(80bits)

messagelengthflags

(64bits)

version

exchangetype:baseaddsextramessagetoaggresivemodetoallowDHnegot.identityprotection(mainmode)authenticationonlyaggressiveinformationalflags:encrypted,commit,authenticationonly(setonlyduringphase2),messageID:differentiatesmessageswithsamephase1SA

IKE

Payload,startingfields:

nexttypeofpayload(8bits)unused

lengthofthispayload(8bits)

(16bits)

IKEIKE

Example,cryptochoices:

SA:typeofpayload=bundlelength

nextpayload=T

IKEIKE

nextpayload=Tnextpayload=0

nextpayload=Tnextpayload=Tnextpayload=0

nextpayload=P

nextpayload=0

Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 41Slide 42Slide 43Slide 44Slide 45Slide 46Slide 47Slide 48Slide 49Slide 50Slide 51Slide 52Slide 53Slide 54Slide 55Slide 56Slide 57Slide 58

Ike

Documents

Transcript of Ike