Ipsec Pec July08
Transcript of Ipsec Pec July08
8/8/2019 Ipsec Pec July08
http://slidepdf.com/reader/full/ipsec-pec-july08 1/69
IP Security
Web Security
A. Qayyum
M. A. Jinnah University, Islamabad
IP Sec
● Internet standard for network layer security
● Components:
– an authentication protocol (Authentication Header – AH)
– a combined encryption and authentication protocol (Encapsulating Security Payload – ESP)
– key management protocols (the default is ISAKMP/Oakley)
● Many RFCs
● IPSec mandatory for IPv6, optional for IPv4
An IP Security Scenario
IPSec Services
                                       AH    ESP (encryption only)    ESP (encryption and authentication)
integrity                              x                              x
data origin authentication             x                              x
replay detection                       x     x                        x
confidentiality                              x                        x
limited traffic flow confidentiality         x                        x
Security Associations (SA)
● A one-way relationship between a sender and a receiver system
● Used either for AH or for ESP but never for both
● Uniquely identified by three parameters
– Security Parameters Index (SPI)
– IP destination address
– Security protocol identifier
SA Parameters
● sequence number counter – counts the packets sent using this SA
● sequence counter overflow flag – indicates whether overflow of the sequence number counter should prevent further transmission using this SA
● anti-replay window – used to determine whether an inbound AH or ESP packet is a replay
● AH / ESP information – algorithm, key, and related parameters
● lifetime – a time interval or byte count after which this SA must be terminated
● protocol mode – tunnel or transport mode
● path MTU – any observed maximum transmission unit
SA Selectors
● Security Policy Database (SPD)
– Each entry defines a subset of IP traffic and points to the SAs to be applied to that traffic
– Subset of IP traffic is defined in terms of selectors
● Outbound processing
– Compare the selector fields of the packet to the values in the SPD
– Determine which SAs should be used for the packet and their SPIs
– Do the required IPSec processing
Modes of operation
● Transport mode
– Provides protection primarily for upper layer protocols
– Protection is applied to the payload of the IP packet
– Usually used between end-systems
● Tunnel mode
– Provides protection to the entire IP packet
– Entire IP packet is considered as payload and encapsulated in another IP packet (with potentially different source and destination addresses)
– Usually used between security gateways (routers, firewalls)
IPSec Authentication Header
Authentication Header – AH
● Next header – type of header immediately following this header (e.g., TCP, IP, etc.)
● Payload length – length of AH (in 32 bit words) minus 2
– e.g., 4 if Authentication data is 3x32 bits long
● Security Parameters Index – identifies the SA used to generate this header
● Sequence number – sequence number of the packet
● Authentication data – a (truncated) MAC (default length is 3x32 bits)
Anti-Replay Service
● A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination
● The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence
● The Sequence Number field is designed to thwart such attacks
Replay Detection
● replay: the attacker obtains an authenticated packet and later transmits (replays) it to the intended destination
● receiver has an anti-replay window of default size W = 64
Outbound Processing
● Outbound Processing
– Security Association Lookup
– Sequence Number Generation
– Integrity Check Value Calculation
– Fragmentation
MAC
● Implementations must support
– HMAC-MD5-96
– HMAC-SHA1-96
● MAC is calculated over
– IP header fields that do not change in transit
– AH header fields except Authentication data field
– entire upper layer protocol data
● Fields not covered by MAC are set to 0 for calculation
[Figure: the MAC input is the IP header, AH and payload; the TTL and Header checksum fields of the IP header and the Authentication data field of AH are set to 0000...; the MAC output is placed in Authentication data]
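The MAC calculation described on this slide, as an added example that is not part of the original slides: HMAC-SHA1-96 over an IPv4 header with its mutable fields zeroed, the AH header with a zeroed Authentication data field, and the upper layer data. The helper names, key, addresses and payload are constructed for the illustration, and the IPv4 header checksum is left at 0 to keep the model short.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12  # HMAC-SHA1-96: 96 bits = 3 x 32-bit words


def ipv4_header(src, dst, ttl, payload_len):
    """20-byte IPv4 header, protocol 51 (AH); checksum left 0 in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip):
    """Zero the IPv4 fields that may change in transit before the MAC."""
    b = bytearray(ip)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_header(next_hdr, spi, seq, icv=bytes(ICV_LEN)):
    """Fixed AH fields plus ICV; the ICV is all zeros while the MAC is computed."""
    payload_len = (12 + len(icv)) // 4 - 2    # 6 words - 2 = 4, as on the AH slide
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip, next_hdr, spi, seq, upper):
    covered = zero_mutable(ip) + ah_header(next_hdr, spi, seq) + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]  # truncate to 96 bits


def build_packet(key, src, dst, ttl, spi, seq, upper):
    ip = ipv4_header(src, dst, ttl, 12 + ICV_LEN + len(upper))
    icv = compute_icv(key, ip, 6, spi, seq, upper)    # next header 6 = TCP
    return ip + ah_header(6, spi, seq, icv) + upper


def verify_packet(key, pkt):
    ip, ah, upper = pkt[:20], pkt[20:44], pkt[44:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(key, ip, next_hdr, spi, seq, upper)
    return hmac.compare_digest(expected, ah[12:])


def after_router_hop(pkt):
    """A router decrements TTL (byte 8), a mutable field."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]


def after_address_rewrite(pkt, new_src):
    """A middlebox rewrites the source address (bytes 12..15), a covered field."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


# Constructed sample values (documentation address ranges, made-up key).
KEY = b"k" * 20
PKT = build_packet(KEY, "192.0.2.10", "198.51.100.20", 64, 0x1000, 1,
                   b"constructed TCP segment")

if __name__ == "__main__":
    print("as sent:           ", verify_packet(KEY, PKT))
    print("after TTL change:  ", verify_packet(KEY, after_router_hop(PKT)))
    print("after addr rewrite:", verify_packet(KEY, after_address_rewrite(PKT, "203.0.113.7")))
```

The TTL change still verifies because TTL is zeroed on both sides; the rewritten source address does not, because addresses are among the header fields the MAC covers.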
AH – Inbound processing
● If there is more than one IPsec header/extension present, the processing for each one ignores (does not zero, does not use) any IPsec headers applied subsequent to the header being processed
– Reassembly
– Security Association Lookup
– Sequence Number Verification
– Integrity Check Value Verification
End to End versus End to Intermediate Authentication
Scope of AH Authentication
Scope of AH Authentication
Encapsulating Security Payload – ESP
● Security Parameters Index – identifies the SA used to generate this encrypted packet
● Sequence number
● Payload – transport level segment (transport mode) or encapsulated IP packet (tunnel mode)
● Padding – variable length padding
● Pad length
● Next header – identifies the type of data contained in the header
● Authentication data – a (truncated) MAC computed over the ESP packet (SPI ... Next Header)
IPSec ESP Format
Encryption and MAC algorithms
● Encryption
– Applied to the payload, padding, pad length, and next header fields
– Implementations must support DES-CBC
– Other suggested algorithms: 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish
● MAC
– Computed over SPI, sequence number, encrypted payload, padding, pad length, and next header fields
  ● Unlike in AH, here the MAC does not cover the preceding IP header
– Implementations must support HMAC-MD5-96 and HMAC-SHA1-96
Outbound Packet Processing
● In transport mode, sender encapsulates the upper layer protocol information in ESP header/trailer, and retains the specified IP header
● If there is more than one IPsec header/extension required by security policy, the order of application of security headers must be defined by security policy
● Processing involves
– Security Association Lookup
– Packet Encryption
– Sequence Number Generation
– Integrity Check Value Calculation
– Fragmentation
Inbound Packet Processing
● Involves
– Reassembly
– Security Association Lookup
– Sequence Number Verification
– Integrity Check Value Verification
– Packet Decryption
What is a Tunnel?
● A tunnel identifies packets in a data stream
– Identify by encapsulation (new header possibly new trailer)
– Identify by labeling
● Entry into a tunnel gives the data stream different characteristics
– E.g., Privacy, authentication, different routing characteristics
– Security is not always the goal of the tunnel
Tunnel Protocols for all Levels
● Layer 2
– 802.1Q VLANs – labels ethernet frames for traffic separation
– Proprietary link encryption
● Layer 3
– IPSec
– IPv6 in IPv4 – Carry IPv6 traffic over IPv4 networks
– Generic Routing Encapsulation (GRE)
– Multiprotocol Label Switching (MPLS) – uses labels to implement circuit switching at layer 3
● Layer 4
– SSL/TLS
● Layer 7
– SMIME
– DNSSec
Transport Level Security vs Tunnel Mode Security
Transport Level Security vs Tunnel Mode Security
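ESP in Transport and Tunnel Mode
[Figure: packet layouts]
original IPv4 packet: original IP header | TCP/UDP header | data
ESP in transport mode: original IP header | ESP header | TCP/UDP header | data | ESP trailer | ESP MAC
– encrypted: TCP/UDP header through ESP trailer
– authenticated: ESP header through ESP trailer
ESP in tunnel mode: new IP header | ESP header | original IP header | TCP/UDP header | data | ESP trailer | ESP MAC
– encrypted: original IP header through ESP trailer
– authenticated: ESP header through ESP trailer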
Combining Security Associations
Basic ESP-AH combination
1. apply ESP in transport mode without authentication
2. apply AH in transport mode
[Figure: original IP header | AH | ESP header | TCP/UDP header | data | ESP trailer; authenticated except for mutable fields in the IP header]
Basic AH-ESP combination
1. apply AH in transport mode
2. apply ESP in tunnel mode without authentication
[Figure: new IP header | ESP header | original IP header | AH | TCP/UDP header | data | ESP trailer; authenticated except for mutable fields in the inner IP header]
Combining SAs – Host-host Security
Combining SAs – Gateway-gateway Security
Combining SAs – Host-gateway Security
Combining SAs – Host-gateway Security
IPSec Challenges
● Scaling
– Numerous SAs eat up too much memory for small routers
– Configurations in a hub and spoke network grow n^2 in the number of spokes
  ● Dynamic Multipoint VPN (DMVPN)
● Performance
– Even symmetric encryption can be too much for high bandwidth environments
● Symmetry
– Both sides must have a means to prove identity to each other
  ● Implies the need for a PKI or other broad identity proof mechanism
Key Management
● Two types must be supported by implementations
– manual
  ● system admin configures system with necessary keys
– automated
  ● on-demand creation of keys for SAs
● Default automated method is ISAKMP / Oakley
– Oakley key determination protocol
  ● a key exchange protocol based on Diffie-Hellman
  ● provides added security (e.g., authentication)
– ISAKMP – Internet Security Association and Key Management Protocol
  ● provides a framework for key exchange
  ● defines message formats that can carry the messages of various key exchange protocols
NAT Transparent IPSec
● Initially IPSec could not handle address translation in the middle
– RFC 3715 describes the problems
– AH includes the addresses in the outer IP header in its authentication calculation
– Changes to the IP addresses affect the TCP/UDP checksums, which are encrypted in ESP
– Addresses and ports encrypted or authenticated
– For remote users this was a big use case
● Introduced NAT-traversal extensions RFC 3947
● Detect NAT during IKE
– Move from standard IKE port on 500 to negotiate on port 4500
– Encapsulate the IPSec traffic using UDP to preserve the original headers from NAT
Scope for ESP Encryption and Authentication
Scope for ESP Encryption and Authentication
Web Security
Web Security
● Web now widely used by business, government, individuals
● But Internet & Web are vulnerable
● Have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
● Need added security mechanisms
Relative Location of Security Facilities in TCP/IP Stack
What are SSL and TLS?
● SSL – Secure Socket Layer
● TLS – Transport Layer Security
● Both provide a secure transport connection between applications
– e.g., a web server and a browser
● SSL was developed by Netscape
● SSL v3.0 was specified in an Internet Draft
● Evolved into TLS specified in RFC 2246
● TLS can be viewed as SSL v3.1
SSL Architecture
[Figure: SSL protocol stack. The SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol and applications (e.g., HTTP) run over the SSL Record Protocol, which runs over TCP and IP]
Encryption-Supported Algorithms
● Block ciphers (in CBC mode)
– RC2_40
– DES_40
– DES_56
– 3DES_168
– IDEA_128
– FORTEZZA_80
● Stream ciphers
– RC4_40
– RC4_128
SSL Components
● SSL Record Protocol
– fragmentation
– compression
– message authentication and integrity protection
– encryption
● The SSL Record Layer receives uninterpreted data from higher layers in non-empty blocks of arbitrary size
SSL Components
● SSL Handshake Protocol
– negotiation of security algorithms and parameters
– key exchange
– server authentication and optionally client authentication
● SSL Alert Protocol
– error messages (fatal alerts and warnings)
● SSL Change Cipher Spec Protocol
– a single message that indicates the end of the SSL handshake
SSL Sessions
● An association between a client and a server
● Sessions are stateful; the session state includes security algorithms and parameters
● Session may include multiple secure connections between the same client and server
SSL Connections
● Connections of the same session share the session state
● Sessions are used to avoid expensive negotiation of new security parameters for each connection
● There may be multiple simultaneous sessions between the same two parties, but this feature is not used in practice
Session and Connection States – Session State
● Session identifier – arbitrary byte sequence chosen by the server
● Peer certificate – X.509 certificate of the peer (may be null)
● Compression method
● Cipher spec – Data encryption algo (null, 3DES, …), MAC algo (MD5, SHA-1), cryptographic attributes (hash size)
● Master secret – Shared between the client and the server
● Is resumable – a flag indicating whether the session can be used to initiate new connections
Connection States
● Server and client random – random byte sequences chosen by server and the client
● Server write MAC secret – secret key used in MAC operations on data sent by server
● Client write MAC secret – secret key used in MAC operations on data sent by client
● Server write key – secret encryption key for data encrypted by the server
● Client write key – secret encryption key for data encrypted by the client
● Initialization vectors – IV is maintained for each encryption key (for CBC mode)
● Sending and receiving sequence numbers – reset to zero after each Change Cipher Spec message
State Changes
● Operating state – currently used state
● Pending state
– state to be used
– built using the current state
● Operating state ← Pending state
– at the transmission and reception of a Change Cipher Spec message
[Figure: party A (client or server) sends Change Cipher Spec to party B (server or client). At the sender, the sending part of the pending state is copied into the sending part of the operating state; at the receiver, the receiving part of the pending state is copied into the receiving part of the operating state]
SSL Record Protocol – Processing Overview
[Figure: application data → fragmentation → SSLPlaintext → compression → SSLCompressed → msg authentication and encryption (with padding if necessary) → SSLCiphertext; record fields shown: type, version, length, MAC, padding]
Header
● Type – higher level protocol used to process the enclosed fragment
– possible types:
  ● change_cipher_spec
  ● alert
  ● handshake
  ● application_data
● Version – SSL version, currently 3.0
● Length – length of the enclosed fragment or compressed fragment
– max value is 2^14 + 2048
SSL Record Format
SSL Record Protocol Payload
SSL Alert Protocol
● Each alert message consists of 2 fields (bytes)
● First field (byte): “warning” or “fatal”
● Second field (byte):
– fatal
  ● unexpected_message
  ● bad_record_MAC
  ● decompression_failure
  ● handshake_failure
  ● illegal_parameter
SSL Alert Protocol
● Warning
– close_notify
– no_certificate
– bad_certificate
– unsupported_certificate
– certificate_revoked
– certificate_expired
– certificate_unknown
● In case of a fatal alert
– connection is terminated
– session ID is invalidated, so no new connection can be established within this session
SSL Handshake Protocol – overview
Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers
client → server: client_hello
server → client: server_hello
Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase.
server → client: certificate
server → client: server_key_exchange
server → client: certificate_request
server → client: server_hello_done
Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message.
client → server: certificate
client → server: client_key_exchange
client → server: certificate_verify
Phase 4: Change cipher spec and finish handshake
client → server: change_cipher_spec
client → server: finished
server → client: change_cipher_spec
server → client: finished
Hello Messages
Hello Messages – Client
● client_hello
– client_version
  ● the highest version supported by the client
– client_random
  ● current time (4 bytes) + pseudo random bytes (28 bytes)
– session_id
  ● empty if the client wants to create a new session, or
  ● the session ID of an old session within which the client wants to create the new connection
Client Messages
● cipher_suites
– list of cryptographic options supported by the client ordered by preference
– a cipher suite contains the specification of the
  ● key exchange method, the encryption and the MAC algorithm
  ● the algorithms implicitly specify the hash_size, IV_size, and key_material parameters (part of the Cipher Spec of the session state)
– example: SSL_RSA_with_3DES_EDE_CBC_SHA
● compression_methods
– list of compression methods supported by the client
Hello Messages – Server
● server_hello
– server_version
  ● min( highest version supported by client, highest version supported by server )
– server_random
  ● current time + random bytes
  ● random bytes must be independent of the client random
Server Messages
● session_id
– session ID chosen by the server
– if the client wanted to resume an old session:
  ● server checks if the session is resumable
  ● if so, it responds with the session ID and the parties proceed to the finished messages
– if the client wanted a new session
  ● server generates a new session ID
● cipher_suite – single cipher suite selected by the server from the list given by the client
● compression_method – single compression method selected by the server
Certificate request and server hello done msgs
● certificate_request
– sent if the client needs to authenticate itself
– specifies which type of certificate is requested (rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh, …)
server_hello_done
● Sent to indicate that the server has finished its part of the key exchange
● After sending this message the server waits for client response
● The client should verify that the server provided a valid certificate and the server parameters are acceptable
Finished messages
● finished
– sent immediately after the change_cipher_spec message
– first message that uses the newly negotiated algorithms, keys, IVs, etc.
– used to verify that the key exchange and authentication was successful
TLS vs. SSL
● Version number
– for TLS the current version number is 3.1
● MAC
– TLS uses HMAC
– the MAC covers the version field of the record header too
● More alert codes
● Cipher suites
– TLS doesn’t support Fortezza key exchange and Fortezza encryption
TLS vs. SSL
● certificate_verify message
– the hash is computed only over the handshake messages
– in SSL the hash contained the master_secret and pads
● Padding before block cipher encryption
– variable length padding is allowed (max 255 padding bytes)
Thank You
Questions ...