SSL and IPSec
description
Transcript of SSL and IPSec
![Page 1: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/1.jpg)
SSL and IPSec
CS461/ECE422Spring 2012
![Page 2: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/2.jpg)
Reading
• Chapter 22 of text• Look at relevant IETF standards
![Page 3: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/3.jpg)
SSL
• Transport layer security– Provides confidentiality, integrity,
authentication of endpoints– Developed by Netscape for WWW browsers
and servers• Internet protocol version: TLS
– Compatible with SSL– Standard rfc2712
![Page 4: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/4.jpg)
Working at Transport Level
• Data link, Network, and Transport headers sent unchanged
• Original transport header can be protected if tunneling
EthernetFrameHeader
IPHeader
TCP Header
TCP data stream Encrypted/authenticatedRegardless of application
![Page 5: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/5.jpg)
SSL Sessions and Connections
• SSL Sessions– Association between client and server– Created by Handshake protocol– Defines set of cryptographic security parameters
• SSL Connections– A transport-level connection– Potentially many connections per session– Share cryptographic parameters of session
![Page 6: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/6.jpg)
SSL Protocol Stack
![Page 7: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/7.jpg)
SSL Record Protocol Operation
![Page 8: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/8.jpg)
Slide #11-8
Record Protocol Overview
• Lowest layer, taking messages from higher– Max block size 16,384 bytes– Bigger messages fragmented into multiple blocks
– Construction– Block b compressed; call it bc
– MAC computed for bc• If MAC key not selected, no MAC computed
– bc, MAC enciphered• If enciphering key not selected, no enciphering done
– SSL record header prepended
![Page 9: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/9.jpg)
SSL Handshake Protocol
• Used to initiate connection– Sets up parameters for record protocol– 4 rounds
• Upper layer protocol– Invokes Record Protocol
• Note: what follows assumes client, server using RSA as interchange cryptosystem
![Page 10: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/10.jpg)
Handshake Protocol: Phase 1 and 2
![Page 11: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/11.jpg)
Handshake Round 1
Client Server{ vC || r1 || s1 || ciphers || comps }
Client Server{v || r2 || s1 || cipher || comp }
vC Client’s version of SSLv Highest version of SSL that Client, Server both understandr1, r2 nonces (timestamp and 28 random bytes)s1 Current session id (0 if new session)ciphers Ciphers that client understandscomps Compression algorithms that client understandcipher Cipher to be usedcomp Compression algorithm to be used
![Page 12: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/12.jpg)
Handshake Round 2
Client Server{certificate }
Note: if Server not to authenticate itself, only last message sent; thirdstep omitted if Server does not need Client certificatekS Server’s private keyctype Certificate type requested (by cryptosystem)gca Acceptable certification authoritieser2 End round 2 message
Client Server{mod || exp || SigS(h(r1 || r2 || mod || exp)) }
Client Server{ctype || gca }
Client Server{er2 }
![Page 13: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/13.jpg)
Handshake Protocols: Phases 3 and 4
![Page 14: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/14.jpg)
Handshake Round 3
Client Server{ pre }PubS
msgs Concatenation of previous messages sent/received this handshakeopad, ipad As above
Client Server{ h(master || opad || h(msgs || master | ipad)) }
Both Client, Server compute master secret master:master = MD5(pre || SHA(‘A’ || pre || r1 || r2) ||
MD5(pre || SHA(‘BB’ || pre || r1 || r2) ||MD5(pre || SHA(‘CCC’ || pre || r1 || r2)
Client Server{ client_cert }
![Page 15: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/15.jpg)
Handshake Round 4
Client Server{ h(master || opad || h(msgs || 0x434C4E54 || master || ipad )) }
msgs Concatenation of messages sent/received this handshake inprevious rounds (does notinclude these messages)
opad, ipad, master As above
Client Server{ h(master || opad || h(msgs || 0x53525652 || master | ipad)) }
Server sends “change cipher spec” message using that protocol
Client Server
Client sends “change cipher spec” message using that protocol
Client Server
![Page 16: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/16.jpg)
Supporting Crypto Algorithms
• The standard dictates algorithms that must be supported– Classical ciphers ensure confidentiality, cryptographic– checksums added for integrity
• Only certain combinations allowed– Won’t allow really weak confidentiality algorithm
with really strong authentication algorithm• Standard is augmented over time– E.g., AES added in 2002 by rfc3268
![Page 17: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/17.jpg)
RSA: Cipher, MAC Algorithms
![Page 18: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/18.jpg)
MITM Attacks
• Classic attack foiled by certificates• Assuming certificates can be verified correctly• Not necessarily the case if the root certificates cannot be
trusted• More subtle attacks appear over time
– TLS Authentication Gap• Interaction of TLS and HTTP • http://www.phonefactor.com/sslgap
• Application above SSL/TLS tends to be HTTP but does not have to be
![Page 19: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/19.jpg)
IPsec
• Network layer security– Provides confidentiality, integrity,
authentication of endpoints, replay detection• Protects all messages sent along a path
dest gw2 gw1 srcIP IP+IPsec IP
security gateway
![Page 20: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/20.jpg)
Standards
• Original RFC’s 2401-2412• Mandatory portion of IPv6• Bolted onto IPv4• Newer standards
– IKE: Standardized Key Management Protocol RFC 2409
– NAT-T: UDP encapsulation for traversing address translation RFC 3948
![Page 21: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/21.jpg)
Network Level Encryption
• Data link header and network header is unchanged
• With tunneling original IP header can be protected
EthernetFrameHeader
IPHeader
IP packet Encrypted/authenticatedRegardless of application
![Page 22: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/22.jpg)
IPsec Transport Mode
• Encapsulate IP packet data area• Use IP to send IPsec-wrapped data packet• Note: IP header not protected
encapsulateddata body
IPheader
![Page 23: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/23.jpg)
IPsec Tunnel Mode
• Encapsulate IP packet (IP header and IP data)• Use IP to send IPsec-wrapped packet• Note: IP header protected
encapsulatedIP header and data body
IPheader
![Page 24: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/24.jpg)
IPsec Protocols
• Authentication Header (AH)– Integrity of payload– Integrity of outer header– Anti-replay
• Encapsulating Security Payload (ESP)– Confidentiality of payload and inner header– Integrity of payload (and now header)
![Page 25: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/25.jpg)
ESP and integrity
• Originally design, use AH to add integrity if needed.
• Bellovin showed integrity is always needed– So added directly to ESP– http://www.cs.columbia.edu/~smb/pape
rs/badesp.pdf
![Page 26: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/26.jpg)
IPsec Architecture
• Security Association (SA)– Association between peers for security services
• Identified uniquely by dest address, security protocol (AH or ESP), unique 32-bit number (security parameter index, or SPI)
– Unidirectional• Can apply different services in either direction
– SA uses either ESP or AH; if both required, 2 SAs needed
![Page 27: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/27.jpg)
SA Database Entries
• Sequence number counter• Sequence counter overflow• Anti-replay window• AH or ESP information: algorithms, keys, key
lifetimes• Lifetime of SA• IPSec mode: Tunnel or transport• PathMTU
![Page 28: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/28.jpg)
ESP Header
![Page 29: SSL and IPSec](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681666a550346895dda0104/html5/thumbnails/29.jpg)
Slide #11-29
Key Points
• Separation of negotiation phase and operational phase
• Standardized elements for algorithm support• Similar functionality between SSL and IPSec
• Difference in network stack level