Distributed Systems Security Protocols (Network-/Transport Layer)

PD Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck http://www.itm.uni-luebeck.de/people/pfisterer

Overview • Until now – Security on Different Layers – Security on Physical & Data-Link Layer • Mostly security in wireless networks • Bluetooth, GSM / GPRS / UMTS, Wireless LANs

• Today – Security on Network & Transport Layer – IPSec – Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Security - 07c Network and Transport Layer

#2

Why is IP unsecure? Attack Security Objective Traffic-Analysis Anonymity Message Interception Confidentiality Modification of Messages Integrity Discard messages / Availability (Denial-of-Service attack) TTL-Field modification IP-address spoofing Authenticity Security - 07c Network and Transport Layer

#3

IPSec

IPSec • IPSec = IP security – Initiated 1994 by the Internet Architecture Board (IAB) – Reaction to increasing number of attacks on IP (IP Spoofing,…) – Addition to IPv6, integral part of IPv6

• Defined in numerous RFCs – Architecture, Authentication, Confidentiality, and Key Management/Distribution – – – – –

RFC 4301: Security Architecture for IP RFC 4302: IP Authentication Header RFC 4303: IP Encapsulating Security Payload (ESP) RFC 4306: Internet Key Exchange (IKEv2) Protocol ... Security - 07c Network and Transport Layer

#5

IPSec

HTTP

• Security service on Network Layer – Typically supplied by the OS – Transparent for applications (can remain unchanged)

FTP

SMTP

UDP / TCP IP / IPSec

• Often used for Virtual Private Networks (VPNs) – Secure data transmission over unsecure Internet links – Interconnection of different organization-internal networks – Cost-effective interconnection means Security - 07c Network and Transport Layer

#6

IPSec Application Examples

Security - 07c Network and Transport Layer

#7

IPSec Clients • Often IPSec clients are so-called „road warriors “ • Mobile clients that require secure access to company networks • Support exists in many operations systems – Windows, Linux, Mac OS, iOS, ... Security - 04 Cryptology

#8

Fundamentals & Concepts

Protocols

Algorithms

Architecture (RFC 4301)

ESP (RFC 4303)

AH (RFC 4302)

Encryption (RFC 2405)

Authentication (RFC 2404)

DOI (RFC 2407)

Key Management DOI: Domain of Interpretation

ISAKMP, IKE, others Security - 07c Network and Transport Layer #9

IPSec architecture • Security mechanisms implemented using IP Extension Header • Two types

– Authentication Header (AH) – Encapsulating Security Payload Header (ESP)

• Implemented security services AH

ESP (w/o auth.)

ESP (with Auth)

Access Control

✪

✪

✪

Integrity (connection-less)

✪

✪

Authentication

✪

✪

Replay-Mitigation

✪

✪

✪

Confidentiality

✪

✪

Traffic Flow Confidentiality

✪

✪

Security - 07c Network and Transport Layer

#10

0

IPSec and IP

Vers ion

Hdr Len

8

16

Type of Service

Total Length

Identification TTL

31

Flag s

Protocol

Fragment Offset Header Checksum

Source Address Destination Address Options & Padding Data (