IP Security

CSCI 454/554

What’s IP Security (IPsec) w  IETF standard for network layer security n 

Layer-3 security protocol for IP

w  Three related things IPsec data protocols: 51 (AH) and 50 (ESP) n  Key management protocol: IKE/ISAKMP n  Configuration languages, GUIs and management software (still missing) n 

1

IPsec Does w  Provide n  n  n  n 

Authentication Confidentiality Integrity Key management

w  Applicable to use over LANs, across public & private WANs, & for the Internet

Layer-3 Security w  Network layer is choke-point in the network stack w  “Hourgalss” figure

w  Putting security in the network layer allows both higher and lower-layer protocol to use it

2

Benefits of IPsec w  Link encryption become almost obsolete w  Any network node can be a security endpoint n 

end-to-end, end-to-edge, edge-to-edge (VPN)

w  Applications can be written without explicit support for communication security Code economy (transparent to applications) n  Decouple security policy management from application management n 

IPsec Documents w  specification is quite complex w  defined in numerous RFC’s n  n  n  n  n 

RFC 2401: overview of architecture RFC 2402: packet authentication (AH) RFC 2406: packet encryption (ESP) RFC 2408: key management many others, grouped by category

3

IPSec Services

Security Associations w  an one-way relationship between sender & receiver that affords security service for IP traffic w  defined by 3 parameters: n  n  n 

Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier

w  has a number of other parameters n 

seq no, AH & ESP info, lifetime etc

w  have a table (database) of Security Associations

4

Key exchange

IKEv2

IKEv2 IKE SA

SPD Security policy database

IPsecv3

SAD

Security association database

IPsec SA Pair

ESP protects data

SPD Security policy database

IPsecv3

Security association database

SAD

Figure 20.2 IPsec Architecture

Security Association Database (SAD) w  Defines the parameters associated with each SA w  Using the following parameters in a SAD entry: n  n  n  n  n  n  n 

Security parameter index Sequence number counter Sequence counter overflow Anti-replay window AH information ESP information Lifetime of this security association

5

Security Policy Database (SPD) w  The means by which IP traffic is related to specific SAs Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic n  Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors n  These are used to filter outgoing traffic in order to map it into a particular SA n 

Authentication Header (AH) w  provides support for data integrity & authentication of IP packet header n  n  n 

detect modification on packet’s content prevents address spoofing attacks counter reply attacks by tracking sequence numbers

w  based on the use of HMAC n 

HMAC-MD5-96 or HMAC-SHA-1-96

w  parties must share a secret key

6

Encapsulating Security Payload (ESP) w  provides message content confidentiality & limited traffic flow confidentiality w  can optionally provide the authentication services as AH, but only cover IP payload w  supports range of ciphers, modes, padding n  n  n 

DES, Triple-DES, RC5, etc CBC most common pad to meet block size, for traffic flow

Transport & Tunnel Modes w  Both AH and ESP support two modes of use n 

transport and tunnel mode

w  Transport mode n 

protection primarily for IP payload (upper-layer protocols)

w  Tunnel mode n 

protection covered the entire IP packet

7

Transport mode in AH

Tunnel mode in AH

8

Authentication Header

AH (bigger scope)

9

Transport & Tunnel Modes in Authentication

Transport mode in ESP

10

Tunnel Mode in ESP

ESP Format

11

ESP Format (bigger scope)

Transport Mode Encryption

12

Tunnel Mode Encryption

Transport vs Tunnel Mode ESP w  transport mode is used to encrypt & optionally authenticate IP data n  n 

data protected but header left in clear good for ESP host to host traffic (end-to-end)

w  tunnel mode encrypts entire IP packet add new header for next hop n  good for VPNs, gateway to gateway security (edge-to-edge) n 

13

Combining Security Associations w  SA’s can implement either AH or ESP but not both w  to implement both need to combine SA’s n 

form a security bundle

w  security association bundle n  n 

Transport adjacency (no tunnelling) Iterated tunnelling (multi-level nesting)

Combining SAs (Cont’d) w  Transport adjacent (two bundled transport SAs) n 

Inner ESP transport SA, while outer AH transport SA

w  Transport-Tunnel Bundle n 

Inner AH transport SA, while outer ESP tunnel SA

14

Combining Security Associations

Key Management w  handles key generation & distribution w  typically need 2 pairs of session keys n 

2 per direction for AH & ESP

w  automated key management automated system for on demand creation of keys for SA’s in large systems n  ISAKMP and IKE (Oakley) n 

15

ISAKMP w  Internet Security Association and Key Management Protocol w  only provides framework for key management w  defines procedures and packet formats to establish, negotiate, modify, & delete SAs w  independent of key exchange protocol, encryption alg, & authentication method

Internet Key Exchange (IKE) w  Default key management protocol w  Re-synchronize two ends of an IPsec SA n  n  n 

Authenticate endpoints Choose cryptographic keys Reset sequence numbers to zero

w  IKE are based on OAKLEY, and using ISAKMP syntax n  n 

IKE implements a subset of the OAKLEY protocol borrows fast rekeying technique from SKEME

16

Oakley w  a key exchange protocol before IKE w  based on Diffie-Hellman key exchange w  adds features to address weaknesses n  n  n  n 

Cookies groups (global params of DH key exchange) nonces DH key exchange with authentication

Conceptual IKE w  Diffie-Hellman for perfect forward security w  Signed D-H to avoid man-in-the-middle attack w  Cookies for DoS protection

17

Perfect Forward Security w  Two parties communicate use different session keys at different time periods w  Image an adversary n  n 

records all communication between Alice and Bob is able to break into Alice (or Bob)’s computer and obtain all of her secrets at some point

w  PFS is achieved if he cannot decrypt message that occurred before the latest session change

Diffie-Hellman

18

Man in the Middle

Signed D-H Exchange

19

But … if already have RSA

IKE Phases w  Two phases w  Phase 1: expensive mutual authentication (based on public keys), establish ISAKMP SA (or IKE SA) n  n 

Aggressive mode (three messages in IKEv1) Main mode (six messages in IKEv1)

w  Phase 2: leverage the phase 1 SA to create AH or ESP SAs.

20

Summary w  have considered: n  n  n  n 

IPSec security framework AH ESP key management (ISAKMP & IKE)

21