IP Security
CSCI 454/554

What's IP Security (IPsec)
- IETF standard for network layer security
  - Layer-3 security protocol for IP
- Three related things
  - IPsec data protocols: 51 (AH) and 50 (ESP)
  - Key management protocol: IKE/ISAKMP
  - Configuration languages, GUIs and management software (still missing)

IPsec Does
- Provide
  - Authentication
  - Confidentiality
  - Integrity
  - Key management
- Applicable to use over LANs, across public & private WANs, & for the Internet

Layer-3 Security
- Network layer is the choke-point in the network stack
- "Hourglass" figure
- Putting security in the network layer allows both higher- and lower-layer protocols to use it

Benefits of IPsec
- Link encryption becomes almost obsolete
- Any network node can be a security endpoint
  - end-to-end, end-to-edge, edge-to-edge (VPN)
- Applications can be written without explicit support for communication security
  - Code economy (transparent to applications)
  - Decouple security policy management from application management

IPsec Documents
- specification is quite complex
- defined in numerous RFCs
  - RFC 2401: overview of architecture
  - RFC 2402: packet authentication (AH)
  - RFC 2406: packet encryption (ESP)
  - RFC 2408: key management
  - many others, grouped by category
IPSec Services

Security Associations
- a one-way relationship between sender & receiver that affords security service for IP traffic
- defined by 3 parameters:
  - Security Parameters Index (SPI)
  - IP Destination Address
  - Security Protocol Identifier
- has a number of other parameters
  - seq no, AH & ESP info, lifetime etc
- have a table (database) of Security Associations

[Figure 20.2 IPsec Architecture: an IKEv2 key exchange between the two endpoints sets up the IKE SA; at each endpoint IPsecv3 consults a security policy database (SPD) and a security association database (SAD); an IPsec SA pair links the endpoints, and ESP protects the data.]

Security Association Database (SAD)
- Defines the parameters associated with each SA
- Using the following parameters in a SAD entry:
  - Security parameter index
  - Sequence number counter
  - Sequence counter overflow
  - Anti-replay window
  - AH information
  - ESP information
  - Lifetime of this security association

Security Policy Database (SPD)
- The means by which IP traffic is related to specific SAs
  - Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic
  - Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors
  - These are used to filter outgoing traffic in order to map it into a particular SA
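
Added example (not part of the original slides): a minimal model of the two databases, with the SPD mapping outgoing traffic to an SA by selectors and the SAD entry enforcing the anti-replay window on receipt. The 64-packet window, the addresses, the SPI and the helper names are assumptions made for this sketch, and one process holds both the sender's and the receiver's view of the SA for brevity.

```python
import ipaddress
from dataclasses import dataclass

WINDOW = 64  # anti-replay window size (assumed value for this example)

@dataclass
class SA:
    spi: int
    dst: str
    proto: str        # "AH" or "ESP"
    highest: int = 0  # highest sequence number accepted so far
    bitmap: int = 0   # bit i set => sequence number (highest - i) was seen

    def accept(self, seq):
        """Anti-replay check, run after the packet's integrity check passed."""
        if seq == 0:
            return False
        if seq > self.highest:                 # new right edge of the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or self.bitmap & (1 << offset):
            return False                       # too old, or a replay
        self.bitmap |= 1 << offset             # late arrival, first time seen
        return True

SAD = {}   # (SPI, destination address, protocol) -> SA
SPD = []   # ordered (selector, SAD key) entries; first match wins

def add_sa(sa, network, upper_proto, dport=None):
    key = (sa.spi, sa.dst, sa.proto)
    SAD[key] = sa
    SPD.append(((ipaddress.ip_network(network), upper_proto, dport), key))

def spd_lookup(dst_ip, upper_proto, dport):
    """Outbound: map a packet's selector fields to the SA that protects it."""
    addr = ipaddress.ip_address(dst_ip)
    for (net, proto, port), key in SPD:
        if addr in net and proto == upper_proto and port in (None, dport):
            return SAD[key]
    return None   # no policy entry matches this traffic

def inbound(spi, dst, proto, seq):
    """Inbound: find the SA by its identifying triple, then check for replay."""
    sa = SAD.get((spi, dst, proto))
    return sa is not None and sa.accept(seq)

# Constructed sample: one ESP SA to a gateway protecting TCP/443 to 10.1.0.0/16
add_sa(SA(0x1001, "192.0.2.1", "ESP"), "10.1.0.0/16", "tcp", 443)
```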

Authentication Header (AH)
- provides support for data integrity & authentication of IP packet header
  - detects modification of the packet's content
  - prevents address spoofing attacks
  - counters replay attacks by tracking sequence numbers
- based on the use of HMAC
  - HMAC-MD5-96 or HMAC-SHA-1-96
- parties must share a secret key
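
Added example (not part of the original slides): computing and checking an AH integrity check value with HMAC-SHA-1-96 over a simplified IPv4 packet, showing that a changed source address fails verification while a changed TTL does not. The key, addresses, SPI and helper names are constructed for the sketch; it assumes an IPv4 header without options and zeroes the mutable fields listed in RFC 2402 before computing the MAC.

```python
import hashlib, hmac, socket, struct

ICV_LEN = 12  # HMAC-SHA-1-96 keeps the first 96 bits of the 160-bit HMAC

def ipv4_header(src, dst, ttl, data_len):
    # 20-byte IPv4 header, no options; protocol 51 = AH; checksum left at 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    # Fields routers may change in transit are zeroed before the MAC is computed
    h = bytearray(ip_hdr)
    h[1] = 0                  # type of service
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def compute_icv(key, ip_hdr, ah_fixed, payload):
    # MAC covers immutable IP fields, the AH header with a zeroed ICV, and payload
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_packet(key, src, dst, ttl, spi, seq, payload):
    # AH fixed part: next header (6 = TCP), length in 32-bit words minus 2,
    # reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, ttl, len(ah_fixed) + ICV_LEN + len(payload))
    return ip + ah_fixed + compute_icv(key, ip, ah_fixed, payload) + payload

def verify_packet(key, packet):
    ip, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:44], packet[44:]
    return hmac.compare_digest(compute_icv(key, ip, ah_fixed, payload), icv)

def tamper(packet, offset, value):
    # Return a copy of the packet with one byte overwritten
    p = bytearray(packet)
    p[offset] = value
    return bytes(p)

KEY = b"constructed-shared-secret"   # sample key, constructed for this example
PKT = build_packet(KEY, "198.51.100.7", "192.0.2.1", 64, 0x1001, 1, b"hello")
```

Byte 8 of the packet is the TTL and bytes 12 to 15 are the source address, so `tamper(PKT, 8, 63)` still verifies while `tamper(PKT, 12, 10)` does not.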

Encapsulating Security Payload (ESP)
- provides message content confidentiality & limited traffic flow confidentiality
- can optionally provide the same authentication services as AH, but covering only the IP payload
- supports range of ciphers, modes, padding
  - DES, Triple-DES, RC5, etc
  - CBC most common
  - pad to meet block size, for traffic flow

Transport & Tunnel Modes
- Both AH and ESP support two modes of use
  - transport and tunnel mode
- Transport mode
  - protection primarily for IP payload (upper-layer protocols)
- Tunnel mode
  - protection covers the entire IP packet
Transport mode in AH
Tunnel mode in AH
Authentication Header
AH (bigger scope)
Transport & Tunnel Modes in Authentication
Transport mode in ESP
Tunnel Mode in ESP
ESP Format
ESP Format (bigger scope)
Transport Mode Encryption
Tunnel Mode Encryption

Transport vs Tunnel Mode ESP
- transport mode is used to encrypt & optionally authenticate IP data
  - data protected but header left in clear
  - good for ESP host to host traffic (end-to-end)
- tunnel mode encrypts entire IP packet
  - adds new header for next hop
  - good for VPNs, gateway to gateway security (edge-to-edge)

Combining Security Associations
- SAs can implement either AH or ESP but not both
- to implement both need to combine SAs
  - form a security bundle
- security association bundle
  - Transport adjacency (no tunnelling)
  - Iterated tunnelling (multi-level nesting)

Combining SAs (Cont'd)
- Transport adjacent (two bundled transport SAs)
  - Inner ESP transport SA, while outer AH transport SA
- Transport-Tunnel Bundle
  - Inner AH transport SA, while outer ESP tunnel SA
Combining Security Associations

Key Management
- handles key generation & distribution
- typically need 2 pairs of session keys
  - 2 per direction for AH & ESP
- automated key management
  - automated system for on demand creation of keys for SAs in large systems
  - ISAKMP and IKE (Oakley)

ISAKMP
- Internet Security Association and Key Management Protocol
- only provides framework for key management
- defines procedures and packet formats to establish, negotiate, modify, & delete SAs
- independent of key exchange protocol, encryption alg, & authentication method

Internet Key Exchange (IKE)
- Default key management protocol
- Re-synchronize two ends of an IPsec SA
  - Authenticate endpoints
  - Choose cryptographic keys
  - Reset sequence numbers to zero
- IKE is based on OAKLEY and uses ISAKMP syntax
  - IKE implements a subset of the OAKLEY protocol
  - borrows fast rekeying technique from SKEME

Oakley
- a key exchange protocol before IKE
- based on Diffie-Hellman key exchange
- adds features to address weaknesses
  - cookies
  - groups (global params of DH key exchange)
  - nonces
  - DH key exchange with authentication

Conceptual IKE
- Diffie-Hellman for perfect forward security
- Signed D-H to avoid man-in-the-middle attack
- Cookies for DoS protection

Perfect Forward Security
- Two communicating parties use different session keys in different time periods
- Imagine an adversary who
  - records all communication between Alice and Bob
  - is able to break into Alice's (or Bob's) computer and obtain all of her secrets at some point
- PFS is achieved if he cannot decrypt messages that occurred before the latest session change
Diffie-Hellman
Man in the Middle
Signed D-H Exchange
But … if already have RSA

IKE Phases
- Two phases
- Phase 1: expensive mutual authentication (based on public keys), establish ISAKMP SA (or IKE SA)
  - Aggressive mode (three messages in IKEv1)
  - Main mode (six messages in IKEv1)
- Phase 2: leverage the phase 1 SA to create AH or ESP SAs.

Summary
- have considered:
  - IPSec security framework
  - AH
  - ESP
  - key management (ISAKMP & IKE)