Ipsec Pec July08


Transcript of Ipsec Pec July08

Page 1: Ipsec Pec July08

8/8/2019 Ipsec Pec July08

http://slidepdf.com/reader/full/ipsec-pec-july08 1/69

 

IP Security

Web Security

A. Qayyum, M. A. Jinnah University, Islamabad


IP Sec

● Internet standard for network layer security
● Components:
 – an authentication protocol (Authentication Header – AH)
 – a combined encryption and authentication protocol (Encapsulating Security Payload – ESP)
 – key management protocols (the default is ISAKMP/Oakley)
● Many RFCs
● IPSec mandatory for IPv6, optional for IPv4


An IP Security Scenario


IPSec Services

                                        AH   ESP                ESP
                                             (encryption only)  (encryption and
                                                                 authentication)
integrity                               x                       x
data origin authentication              x                       x
replay detection                        x    x                  x
confidentiality                              x                  x
limited traffic flow confidentiality         x                  x


Security Associations (SA)

● A one-way relationship between a sender and a receiver system
● Used either for AH or for ESP but never for both
● Uniquely identified by three parameters
 – Security Parameters Index (SPI)
 – IP destination address
 – Security protocol identifier


SA Parameters

● sequence number counter – counts the packets sent using this SA
● sequence counter overflow flag – indicates whether overflow of the sequence number counter should prevent further transmission using this SA
● anti-replay window – used to determine whether an inbound AH or ESP packet is a replay
● AH / ESP information – algorithm, key, and related parameters
● lifetime – a time interval or byte count after which this SA must be terminated
● protocol mode – tunnel or transport mode
● path MTU – any observed maximum transmission unit


SA Selectors

● Security Policy Database (SPD)
 – Each entry defines a subset of IP traffic and points to the SAs to be applied to that traffic
 – Subset of IP traffic is defined in terms of selectors
● Outbound processing
 – Compare the selector fields of the packet to the values in the SPD
 – Determine which SAs should be used for the packet and their SPIs
 – Do the required IPSec processing


Modes of operation

● Transport mode
 – Provides protection primarily for upper layer protocols
 – Protection is applied to the payload of the IP packet
 – Usually used between end-systems
● Tunnel mode
 – Provides protection to the entire IP packet
 – Entire IP packet is considered as payload and encapsulated in another IP packet (with potentially different source and destination addresses)
 – Usually used between security gateways (routers, firewalls)


IPSec Authentication Header 


Authentication Header – AH

● Next header – type of header immediately following this header (e.g., TCP, IP, etc.)
● Payload length – length of AH (in 32 bit words) minus 2
 – e.g., 4 if Authentication data is 3x32 bits long
● Security Parameters Index – identifies the SA used to generate this header
● Sequence number
 – sequence number of the packet
● Authentication data
 – a (truncated) MAC (default length is 3x32 bits)


Anti-Replay Service

● A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination
● The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence
● The Sequence Number field is designed to thwart such attacks


Replay Detection

● replay: the attacker obtains an authenticated packet and later transmits (replays) it to the intended destination
● receiver has an anti-replay window of default size W = 64
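Added example (not part of the deck): a receiver-side implementation of the W = 64 anti-replay window from this slide, following the inbound order of the later AH slide (sequence number verification, then ICV verification, then the window update). The class name and the sample traffic are this example's own.

```python
WINDOW_SIZE = 64   # W, the default anti-replay window width on the slide


class AntiReplayWindow:
    """Receiver-side sliding window kept per inbound SA.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    (0 <= i < W) records whether sequence number `top - i` has been received.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest accepted sequence number (0: nothing yet)
        self.bitmap = 0     # bit 0 <-> top, bit 1 <-> top - 1, ...

    def check(self, seq):
        """True if `seq` may be accepted: new, and not already seen."""
        if seq == 0:
            return False                              # 0 is never a valid sequence number
        if seq > self.top:
            return True                               # right of the window: new
        if seq <= self.top - self.size:
            return False                              # left of the window: too old
        return not (self.bitmap >> (self.top - seq)) & 1   # inside: replay if bit set

    def accept(self, seq):
        """Record `seq`, sliding the window right when it is a new maximum."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok):
        """Inbound order from the deck: sequence number verification first,
        ICV verification next, and the window advanced only after the ICV passed."""
        if not self.check(seq):
            return "drop: replay or outside window"
        if not icv_ok:
            return "drop: bad ICV"
        self.accept(seq)
        return "accept"


def simulate(events):
    """Feed (sequence number, ICV verified?) events through one fresh window."""
    window = AntiReplayWindow()
    return [window.receive(seq, ok) for seq, ok in events]


# Constructed sample traffic: in-order packets, one reordered packet, a replayed
# copy of an accepted packet, a jump that slides the window, a packet the window
# has already moved past, and a packet whose ICV fails and is then resent intact.
SAMPLE = [(1, True), (2, True), (5, True), (3, True), (2, True),
          (100, True), (36, True), (37, True), (90, False), (90, True)]

if __name__ == "__main__":
    for (seq, _), result in zip(SAMPLE, simulate(SAMPLE)):
        print(f"seq={seq:3d}: {result}")
```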


Outbound Processing

● Outbound Processing
 – Security Association Lookup
 – Sequence Number Generation
 – Integrity Check Value Calculation
 – Fragmentation


MAC

● Implementations must support
 – HMAC-MD5-96
 – HMAC-SHA1-96
● MAC is calculated over
 – IP header fields that do not change in transit
 – AH header fields except Authentication data field
 – entire upper layer protocol data
● Fields not covered by MAC are set to 0 for calculation

[Figure: IP header (TTL and header checksum set to 0000...) | AH (Authentication data set to 0000...) | payload → MAC → Authentication data]


AH – Inbound processing

● If there is more than one IPsec header / extension present, the processing for each one ignores (does not zero, does not use) any IPsec headers applied subsequent to the header being processed
● Processing involves
 – Reassembly
 – Security Association Lookup
 – Sequence Number Verification
 – Integrity Check Value Verification


End to End versus End to Intermediate Authentication


Scope of AH Authentication



Encapsulating Security Payload – ESP

● Security Parameters Index – identifies the SA used to generate this encrypted packet
● Sequence number
● Payload
 – transport level segment (transport mode) or encapsulated IP packet (tunnel mode)
● Padding
 – variable length padding
● Pad length
● Next header – identifies the type of data contained in the header
● Authentication data – a (truncated) MAC computed over the ESP packet (SPI ... Next Header)


IPSec ESP Format


Encryption and MAC algorithms

● Encryption
 – Applied to the payload, padding, pad length, and next header fields
 – Implementations must support DES-CBC
 – Other suggested algorithms: 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish
● MAC
 – Computed over SPI, sequence number, encrypted payload, padding, pad length, and next header fields
 – Unlike in AH, here the MAC does not cover the preceding IP header
 – Implementations must support HMAC-MD5-96 and HMAC-SHA1-96
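Added example (not part of the deck): the two MAC scopes side by side, the AH MAC slide (mutable IP header fields zeroed before HMAC-SHA1-96, AH length field = 4) and this ESP slide (MAC over SPI ... Next Header, IP header excluded). It builds constructed transport-mode packets with the standard library only; the ESP encryption step is omitted since the standard library has no DES, and the helper names, addresses and key are this example's own. The last two checks show why a TTL decrement leaves both valid while an address rewrite in the outer header breaks AH but not ESP.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
ICV_LEN = 12   # HMAC-SHA1-96: the deck's default 3x32-bit truncated MAC


def hmac_sha1_96(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr[:10] + b"\0\0" + hdr[12:]))
    s = (s >> 16) + (s & 0xFFFF)
    return (~((s >> 16) + s)) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    # Minimal 20-byte IPv4 header (constructed sample, no options).
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                                ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def zero_mutable_ip_fields(hdr):
    # The "set to 0" step of the MAC slide. RFC 2402 names ToS, flags/fragment
    # offset, TTL and header checksum as mutable; the figure shows TTL and checksum.
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\0\0"; b[8] = 0; b[10:12] = b"\0\0"
    return bytes(b)


def build_ah(key, src, dst, payload, spi, seq):
    # Transport-mode AH: IP | AH | payload. The ICV covers the zeroed IP header,
    # the AH with its own Authentication data zeroed, and the whole payload.
    payload_len = (12 + ICV_LEN) // 4 - 2        # AH length in 32-bit words minus 2 -> 4
    ah = struct.pack("!BBHII", IPPROTO_TCP, payload_len, 0, spi, seq)
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    icv = hmac_sha1_96(key, zero_mutable_ip_fields(ip) + ah + bytes(ICV_LEN) + payload)
    return ip + ah + icv + payload


def verify_ah(key, pkt):
    ip, ah = pkt[:20], pkt[20:32]
    ah_total = (ah[1] + 2) * 4                   # payload length field -> AH size in bytes
    icv, payload = pkt[32:20 + ah_total], pkt[20 + ah_total:]
    expect = hmac_sha1_96(key, zero_mutable_ip_fields(ip) + ah + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(icv, expect)


def build_esp(key, src, dst, payload, spi, seq, block=8):
    # Transport-mode ESP: IP | SPI | seq | payload | pad | pad len | next hdr | ICV.
    # Trailer padded to the cipher block (8 for DES-CBC); encryption step left out.
    pad_len = (-(len(payload) + 2)) % block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_TCP])
    esp = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac_sha1_96(key, esp)                 # SPI ... Next Header, IP header excluded
    return ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp) + ICV_LEN) + esp + icv


def verify_esp(key, pkt):
    return hmac.compare_digest(pkt[-ICV_LEN:], hmac_sha1_96(key, pkt[20:-ICV_LEN]))


def rewrite_outer(pkt, new_dst=None, ttl=None):
    # What a router (TTL decrement) or a NAT (address rewrite) does in transit.
    ip = bytearray(pkt[:20])
    if ttl is not None:
        ip[8] = ttl
    if new_dst is not None:
        ip[16:20] = IPv4Address(new_dst).packed
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip) + pkt[20:]


def demo(key=b"constructed-demo-key"):
    ah = build_ah(key, "10.0.0.1", "10.0.0.2", b"hello", 0x100, 1)
    esp = build_esp(key, "10.0.0.1", "10.0.0.2", b"hello", 0x200, 1)
    return {
        "ah_ok": verify_ah(key, ah),
        "ah_after_ttl_decrement": verify_ah(key, rewrite_outer(ah, ttl=63)),
        "ah_after_nat": verify_ah(key, rewrite_outer(ah, new_dst="192.0.2.9")),
        "ah_payload_tampered": verify_ah(key, ah[:-1] + bytes([ah[-1] ^ 1])),
        "esp_ok": verify_esp(key, esp),
        "esp_after_nat": verify_esp(key, rewrite_outer(esp, new_dst="192.0.2.9")),
    }
```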


Outbound Packet Processing

● In transport mode, sender encapsulates the upper layer protocol information in ESP header/trailer, and retains the specified IP header
● If there is more than one IPsec header/extension required by security policy, the order of application of security headers must be defined by security policy
● Processing involves
 – Security Association Lookup
 – Packet Encryption
 – Sequence Number Generation
 – Integrity Check Value Calculation
 – Fragmentation


Inbound Packet Processing

● Involves
 – Reassembly
 – Security Association Lookup
 – Sequence Number Verification
 – Integrity Check Value Verification
 – Packet Decryption


What is a Tunnel?

● A tunnel identifies packets in a data stream
 – Identify by encapsulation (new header, possibly new trailer)
 – Identify by labeling
● Entry into a tunnel gives the data stream different characteristics
 – E.g., privacy, authentication, different routing characteristics
 – Security is not always the goal of the tunnel


Tunnel Protocols for all Levels

● Layer 2
 – 802.1Q VLANs – labels ethernet frames for traffic separation
 – Proprietary link encryption
● Layer 3
 – IPSec
 – IPv6 in IPv4 – Carry IPv6 traffic over IPv4 networks
 – Generic Routing Encapsulation (GRE)
 – Multiprotocol Label Switching (MPLS) – uses labels to implement circuit switching at layer 3
● Layer 4
 – SSL/TLS
● Layer 7
 – SMIME
 – DNSSec


Transport Level Security vs Tunnel Mode Security



ESP in Transport and Tunnel Mode

[Figure: packet layouts]

original IPv4 packet:
  original IP header | TCP/UDP header | data

ESP in transport mode:
  original IP header | ESP header | TCP/UDP header | data | ESP trailer | ESP MAC
  encrypted: TCP/UDP header ... ESP trailer
  authenticated: ESP header ... ESP trailer

ESP in tunnel mode:
  new IP header | ESP header | original IP header | TCP/UDP header | data | ESP trailer | ESP MAC
  encrypted: original IP header ... ESP trailer
  authenticated: ESP header ... ESP trailer


Combining Security Associations

Basic ESP-AH combination
1. apply ESP in transport mode without authentication
2. apply AH in transport mode

[Figure: original IP header | AH | ESP header | TCP/UDP header | data | ESP trailer
 authenticated except for mutable fields in the IP header]

Basic AH-ESP combination
1. apply AH in transport mode
2. apply ESP in tunnel mode without authentication

[Figure: new IP header | ESP header | original IP header | AH | TCP/UDP header | data | ESP trailer
 authenticated except for mutable fields in the inner IP header]


Combining SAs – Host-host Security


Combining SAs – Gateway-gateway Security


Combining SAs – Host-gateway Security



IPSec Challenges

● Scaling
 – Numerous SAs eat up too much memory for small routers
 – Configurations in a hub and spoke network grow n^2 in the number of spokes
   ● Dynamic Multipoint VPN (DMVPN)
● Performance
 – Even symmetric encryption can be too much for high bandwidth environments
● Symmetry
 – Both sides must have a means to prove identity to each other
   ● Implies the need for a PKI or other broad identity proof mechanism


Key Management

● Two types must be supported by implementations
 – manual
   ● system admin configures system with necessary keys
 – automated
   ● on-demand creation of keys for SAs
● Default automated method is ISAKMP / Oakley
 – Oakley key determination protocol
   ● a key exchange protocol based on Diffie-Hellman
   ● provides added security (e.g., authentication)
 – ISAKMP – Internet Security Association and Key Management Protocol
   ● provides a framework for key exchange
   ● defines message formats that can carry the messages of various key exchange protocols


NAT Transparent IPSec

● Initially IPSec could not handle address translation in the middle
 – RFC 3715 describes the problems
 – AH includes the addresses in the outer IP header in its authentication calculation
 – Changes to the IP addresses affect the TCP/UDP checksums, which are encrypted in ESP
 – Addresses and ports encrypted or authenticated
 – For remote users this was a big use case
● Introduced NAT-traversal extensions RFC 3947
● Detect NAT during IKE
 – Move from standard IKE port on 500 to negotiate on port 4500
 – Encapsulate the IPSec traffic using UDP to preserve the original headers from NAT


Scope for ESP Encryption and Authentication



Web Security


Web Security

● Web now widely used by business, government, individuals
● But Internet & Web are vulnerable
● Have a variety of threats
 – integrity
 – confidentiality
 – denial of service
 – authentication
● Need added security mechanisms


Relative Location of Security Facilities in TCP/IP Stack


What are SSL and TLS?

● SSL – Secure Socket Layer
● TLS – Transport Layer Security
● Both provide a secure transport connection between applications
 – e.g., a web server and a browser
● SSL was developed by Netscape
● SSL v3.0 was specified in an Internet Draft
● Evolved into TLS specified in RFC 2246
● TLS can be viewed as SSL v3.1


SSL Architecture

[Figure: protocol stack]
  SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | applications (e.g., HTTP)
  SSL Record Protocol
  TCP
  IP


Encryption – Supported Algorithms

● Block ciphers (in CBC mode)
 – RC2_40
 – DES_40
 – DES_56
 – 3DES_168
 – IDEA_128
 – FORTEZZA_80
● Stream ciphers
 – RC4_40
 – RC4_128


SSL Components

● SSL Record Protocol
 – fragmentation
 – compression
 – message authentication and integrity protection
 – encryption
● The SSL Record Layer receives uninterrupted data from higher layers in non-empty blocks of arbitrary size


SSL Components

● SSL Handshake Protocol
 – negotiation of security algorithms and parameters
 – key exchange
 – server authentication and optionally client authentication
● SSL Alert Protocol
 – error messages (fatal alerts and warnings)
● SSL Change Cipher Spec Protocol
 – a single message that indicates the end of the SSL handshake


SSL Sessions

● An association between a client and a server
● Sessions are stateful; the session state includes security algorithms and parameters
● Session may include multiple secure connections between the same client and server


SSL Connections

● Connections of the same session share the session state
● Sessions are used to avoid expensive negotiation of new security parameters for each connection
● There may be multiple simultaneous sessions between the same two parties, but this feature is not used in practice


Session and Connection States – Session State

● Session identifier – arbitrary byte sequence chosen by the server
● Peer certificate – X.509 certificate of the peer (may be null)
● Compression method
● Cipher spec
 – Data encryption algo (null, 3DES, …), MAC algo (MD5, SHA-1), cryptographic attributes (hash size)
● Master secret – Shared between the client and the server
● Is resumable – a flag indicating whether the session can be used to initiate new connections


Connection States

● Server and client random – random byte sequences chosen by server and the client
● Server write MAC secret – secret key used in MAC operations on data sent by server
● Client write MAC secret – secret key used in MAC operations on data sent by client
● Server write key – secret encryption key for data encrypted by the server
● Client write key – secret encryption key for data encrypted by the client
● Initialization vectors – IV is maintained for each encryption key (for CBC mode)
● Sending and receiving sequence numbers – reset to zero after each Change Cipher Spec message


State Changes

● Operating state – currently used state
● Pending state
 – state to be used
 – built using the current state
● Operating state ← Pending state
 – at the transmission and reception of a Change Cipher Spec message

[Figure: party A (client or server) sends Change Cipher Spec to party B (server or client). At A, the sending part of the pending state is copied into the sending part of the operating state; at B, the receiving part of the pending state is copied into the receiving part of the operating state.]


SSL Record Protocol – Processing Overview

[Figure: application data → fragmentation → SSLPlaintext → compression → SSLCompressed → msg authentication and encryption (with padding if necessary) → SSLCiphertext; each record carries a header (type, version, length) followed by the fragment, MAC and padding]


Header

● Type – higher level protocol used to process the enclosed fragment
 – possible types:
   ● change_cipher_spec
   ● alert
   ● handshake
   ● application_data
● Version – SSL version, currently 3.0
● Length – length of the enclosed fragment or compressed fragment
 – max value is 2^14 + 2048


SSL Record Format


SSL Record Protocol Payload


SSL Alert Protocol

● Each alert message consists of 2 fields (bytes)
● First field (byte): “warning” or “fatal”
● Second field (byte):
 – fatal
   ● unexpected_message
   ● bad_record_MAC
   ● decompression_failure
   ● handshake_failure
   ● illegal_parameter


SSL Alert Protocol

● Warning
 – close_notify
 – no_certificate
 – bad_certificate
 – unsupported_certificate
 – certificate_revoked
 – certificate_expired
 – certificate_unknown
● In case of a fatal alert
 – connection is terminated
 – session ID is invalidated: no new connection can be established within this session


SSL Handshake Protocol – overview

[Figure: message flow between client and server]
client → server: client_hello
server → client: server_hello, certificate, server_key_exchange, certificate_request, server_hello_done
client → server: certificate, client_key_exchange, certificate_verify, change_cipher_spec, finished
server → client: change_cipher_spec, finished

Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers
Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
Phase 4: Change cipher spec and finish handshake


Hello Messages


Hello Messages – Client

● client_hello
 – client_version
   ● the highest version supported by the client
 – client_random
   ● current time (4 bytes) + pseudo random bytes (28 bytes)
 – session_id
   ● empty if the client wants to create a new session, or
   ● the session ID of an old session within which the client wants to create the new connection


Client Messages

● cipher_suites
 – list of cryptographic options supported by the client ordered by preference
 – a cipher suite contains the specification of the
   ● key exchange method, the encryption and the MAC algorithm
   ● the algorithms implicitly specify the hash_size, IV_size, and key_material parameters (part of the Cipher Spec of the session state)
 – example: SSL_RSA_with_3DES_EDE_CBC_SHA
● compression_methods
 – list of compression methods supported by the client


Hello Messages – Server

● server_hello
 – server_version
   ● min( highest version supported by client, highest version supported by server )
 – server_random
   ● current time + random bytes
   ● random bytes must be independent of the client random


Server Messages

● session_id
 – session ID chosen by the server
 – if the client wanted to resume an old session:
   ● server checks if the session is resumable
   ● if so, it responds with the session ID and the parties proceed to the finished messages
 – if the client wanted a new session
   ● server generates a new session ID
● cipher_suite – single cipher suite selected by the server from the list given by the client
● compression_method – single compression method selected by the server
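Added example (not part of the deck): the server side of the hello exchange as the Hello Messages slides describe it, with the session-state "Is resumable" flag and the fatal-alert rule from the Alert Protocol slide. The version is min(client, server), one cipher suite is picked from the client's preference-ordered list, resumption happens only for a cached session that is still resumable, and a fatal alert invalidates the session ID. The class names, the in-memory session cache and the suite list are this example's own.

```python
import os
from dataclasses import dataclass

SERVER_VERSION = (3, 1)      # TLS 1.0, "SSL v3.1" on the deck
SERVER_SUITES = ("SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                 "SSL_RSA_WITH_RC4_128_SHA",
                 "SSL_RSA_WITH_DES_CBC_SHA")


@dataclass
class Session:
    session_id: bytes
    cipher_suite: str
    compression: str
    is_resumable: bool = True      # the session-state flag from the deck


@dataclass
class ServerHello:
    version: tuple
    session_id: bytes
    cipher_suite: str
    compression: str
    resumed: bool                  # True: parties proceed straight to the finished messages


class HandshakeError(Exception):
    """Where a real server would send the fatal alert handshake_failure."""


class Server:
    def __init__(self):
        self.sessions = {}         # session_id -> Session (the server's session cache)

    def server_hello(self, client_version, session_id, cipher_suites, compression_methods):
        version = min(client_version, SERVER_VERSION)
        # Resumption: the client named an old session and it is still resumable.
        cached = self.sessions.get(session_id) if session_id else None
        if cached is not None and cached.is_resumable:
            return ServerHello(version, cached.session_id, cached.cipher_suite,
                               cached.compression, resumed=True)
        # New session: the first suite in the client's preference order that we support.
        suite = next((s for s in cipher_suites if s in SERVER_SUITES), None)
        if suite is None or "null" not in compression_methods:
            raise HandshakeError("handshake_failure: no common cipher suite or compression")
        session = Session(os.urandom(32), suite, "null")
        self.sessions[session.session_id] = session
        return ServerHello(version, session.session_id, suite, "null", resumed=False)

    def fatal_alert(self, session_id):
        """A fatal alert terminates the connection and invalidates the session ID,
        so no new connection can be established within that session."""
        if session_id in self.sessions:
            self.sessions[session_id].is_resumable = False


def demo():
    """Constructed exchange: new session, resumption, then a fatal alert and a retry."""
    srv = Server()
    client_suites = ["SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]
    first = srv.server_hello((3, 0), b"", client_suites, ["null"])
    resumed = srv.server_hello((3, 1), first.session_id, client_suites, ["null"])
    srv.fatal_alert(first.session_id)
    after_alert = srv.server_hello((3, 1), first.session_id, client_suites, ["null"])
    return first, resumed, after_alert
```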


Certificate request and server hello done msgs

● certificate_request
 – sent if the client needs to authenticate itself
 – specifies which type of certificate is requested (rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh, …)


server_hello_done

● Sent to indicate that the server is finished its part of the key exchange
● After sending this message the server waits for client response
● The client should verify that the server provided a valid certificate and the server parameters are acceptable


Finished messages

● finished
 – sent immediately after the change_cipher_spec message
 – first message that uses the newly negotiated algorithms, keys, IVs, etc.
 – used to verify that the key exchange and authentication was successful


TLS vs. SSL

● Version number – for TLS the current version number is 3.1
● MAC
 – TLS uses HMAC
 – the MAC covers the version field of the record header too
● More alert codes
● Cipher suites
 – TLS doesn’t support Fortezza key exchange and Fortezza encryption
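Added example (not part of the deck): the record layer of the Header slide (type, version, length) with the MAC computed both ways from this slide, the SSL 3.0 nested-hash MAC and the TLS HMAC that also covers the version field. A receiver recomputes the MAC from the header it actually received, so changing only the version byte in transit is detected under TLS but not under SSL 3.0. The secret, the fragment and the helper names are this example's own; compression is null and the encryption step is left out.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23
MAX_FRAGMENT = 2 ** 14                # record-layer plaintext fragment limit
PAD_LEN = {"md5": 48, "sha1": 40}     # SSL 3.0 pad_1 / pad_2 lengths per hash


def ssl3_mac(secret, seq, ctype, frag, hash_name="sha1"):
    """SSL 3.0: hash(secret + pad_2 + hash(secret + pad_1 + seq + type + length + fragment)).
    The record version is not an input."""
    h = getattr(hashlib, hash_name)
    pad1, pad2 = b"\x36" * PAD_LEN[hash_name], b"\x5c" * PAD_LEN[hash_name]
    inner = h(secret + pad1 + struct.pack("!QBH", seq, ctype, len(frag)) + frag).digest()
    return h(secret + pad2 + inner).digest()


def tls_mac(secret, seq, ctype, version, frag, hash_name="sha1"):
    """TLS 1.0: HMAC over seq + type + version + length + fragment; the version is covered."""
    header = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(frag))
    return hmac.new(secret, header + frag, getattr(hashlib, hash_name)).digest()


def fragment_data(data):
    """Record-layer fragmentation into blocks of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]


def build_records(data, secret, version, tls=True, start_seq=0):
    """One record (header || fragment || MAC) per fragment. Null compression;
    the encryption step is left out so the MAC placement stays visible."""
    records = []
    for i, frag in enumerate(fragment_data(data)):
        seq = start_seq + i
        mac = (tls_mac(secret, seq, APPLICATION_DATA, version, frag) if tls
               else ssl3_mac(secret, seq, APPLICATION_DATA, frag))
        body = frag + mac
        header = struct.pack("!BBBH", APPLICATION_DATA, version[0], version[1], len(body))
        records.append(header + body)
    return records


def verify_record(record, secret, seq, tls=True, hash_name="sha1"):
    """Receiver side: recompute the MAC from the header fields actually received."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    mac_len = hashlib.new(hash_name).digest_size
    frag, mac = body[:-mac_len], body[-mac_len:]
    expect = (tls_mac(secret, seq, ctype, (major, minor), frag, hash_name) if tls
              else ssl3_mac(secret, seq, ctype, frag, hash_name))
    return hmac.compare_digest(mac, expect)


def flip_minor_version(record):
    """Constructed in-transit change of only the record header's version field."""
    return record[:2] + bytes([record[2] ^ 1]) + record[3:]


def demo(secret=b"constructed-mac-secret"):
    data = b"GET / HTTP/1.0\r\n\r\n"
    tls_rec = build_records(data, secret, (3, 1), tls=True)[0]
    ssl_rec = build_records(data, secret, (3, 0), tls=False)[0]
    return {
        "tls_ok": verify_record(tls_rec, secret, 0, tls=True),
        "tls_version_tampered": verify_record(flip_minor_version(tls_rec), secret, 0, tls=True),
        "ssl3_ok": verify_record(ssl_rec, secret, 0, tls=False),
        "ssl3_version_tampered": verify_record(flip_minor_version(ssl_rec), secret, 0, tls=False),
        "records_for_20000_bytes": len(build_records(b"x" * 20000, secret, (3, 1))),
    }
```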


TLS vs. SSL

● certificate_verify message
 – the hash is computed only over the handshake messages
 – in SSL the hash contained the master_secret and pads
● Padding before block cipher encryption
 – variable length padding is allowed (max 255 padding bytes)


Thank You

Questions ...