IPsec – IKE CS 470 Introduction to Applied Cryptography

Slides:



Advertisements
Similar presentations
IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Advertisements

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Internet Protocol Security (IP Sec)
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
CSC 474 Information Systems Security
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.
Header and Payload Formats
Security at the Network Layer: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.
Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
Internet Key Exchange. IPSec – Reminder SPI SA1 2 3 …… SAD.
W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T IKE Tutorial.
IPSec: Internet Key Exchange
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
IPsec: IKE, Internet Key Exchange IPsec does not use Public Key Infrastructure and exchanging keys before an IPsec connection is established is a problem.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.
CSCE 715: Network Systems Security
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
COEN 350 IPSec, SSL, SSH,. IPSec RFC 1636 identified key areas where the internet needs to be made more secure. Spoofing: Creating packets with false.
SMUCSE 5349/49 IP Sec. SMUCSE 5349/7349 Basics Network-level: all IP datagrams covered Mandatory for next-generation IP (v6), optional for current-generation.
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
1 Lecture 16: IPsec IKE history of IKE Photurus IKE phases –phase 1 aggressive mode main mode –phase 2.
Karlstad University IP security Ge Zhang
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
1 Methods and Protocols for Secure Key Negotiation Using IKE Author : Michael S. Borella, 3Com Corp.
IP Security.  In CERTs 2001 annual report it listed 52,000 security incidents  the most serious involving:  IP spoofing intruders creating packets.
IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427)
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
Chapter 8 IP Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
Internet Key Exchange IKE ● RFC 2409 ● Services – Constructs shared authenticated keys – Establishes shared security parameters – Common SAs between IPSec.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
IPSec VPN Chapter 13 of Malik. 2 Outline Types of IPsec VPNs IKE (or Internet Key Exchange) protocol.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.
1 Authenticated Key Exchange Rocky K. C. Chang 20 March 2007.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
CMSC 414 Computer and Network Security Lecture 27 Jonathan Katz.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Layer Security Network Systems Security Mort Anvari.
IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.
1 Internet Key Exchange Rocky K. C. Chang 20 March 2007.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.
Somesh Jha University of Wisconsin
CSE 4905 IPsec II.
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Guevara Noubir CSG254: Network Security
Presentation transcript:

IPsec – IKE CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk CS470, A.Selcuk IPsec – IKE

History of IKE Early contenders: ISAKMP: Photuris: Authenticated DH with cookies & identity hiding SKIP: Auth. DH with long-term exponents ISAKMP: A protocol specifying only payload formats & exchanges (i.e., an empty protocol) Adopted by the IPsec working group Oakley: Modified Photuris; can work with ISAKMP IKE: A particular Oakley-ISAKMP combination CS470, A.Selcuk IPsec – IKE

Photuris CA: Alice’s cookie; for connection ID CA,CB, crypto offered CA,CB, ga mod p, crypto selected Alice CA,CB, gb mod p Bob (K = gab mod p) CA,CB, K{“Alice”, signature on previous messages} CA,CB, K{“Bob”, signature on previous messages} CA: Alice’s cookie; for connection ID CB: Bob’s cookie; against DoS CS470, A.Selcuk IPsec – IKE

Photuris – Features DoS protection by cookies (note: CB can be stateless) Authentication & integrity protection of the messages by a combined signature at the last rounds Identity hiding from passive attackers (How?) CS470, A.Selcuk IPsec – IKE

IKE/ISAKMP Phases Phase 1: Phase 2: does authenticated DH, establishes session key & “ISAKMP SA” two possible modes: Main & Aggressive two keys are derived from the session key: SKEYID_e: to encrypt Phase 2 messages SKEYID_a: to authenticate Phase 2 messages Phase 2: IPsec SA & session key established; messages encrypted & authenticated with Phase 1 keys Additional DH exchange is optional (for PFS) CS470, A.Selcuk IPsec – IKE

Phase 1 Exchange Two possible modes: Types of authentication: Main mode: 6 rounds; provides identity hiding Aggressive mode: 3 rounds Types of authentication: MAC with pre-shared secret key digital signatures public key encryption original: all public key encryption revised: public + secret key encryption (Each type has its benefits; but is it worth the complexity?) CS470, A.Selcuk IPsec – IKE

Phase 1 – Main Mode (generic) crypto offered crypto selected ga mod p Alice gb mod p Bob (K = gab mod p) K{“Alice”, proof I’m Alice} K{“Bob”, proof I’m Bob} CS470, A.Selcuk IPsec – IKE

Phase 1 – Aggressive Mode (generic) ga mod p, “Alice”, crypto offered gb mod p, crypto selected, proof I’m Bob Alice Bob proof I’m Alice CS470, A.Selcuk IPsec – IKE

Phase 1 Issues & Problems Crypto parameters: Alice presents all algorithm combinations she can support (may be too many combinations) Authentication: certain fields (why not all?!) of the protocol messages are hashed & signed/encrypted in the final rounds not included: Bob’s accepted parameters (problematic) Cookies & Statelessness: Cookie protection: similar to Photuris cookies Bob is no longer stateless (problematic) since “crypto offered” must be remembered from message 1. CS470, A.Selcuk IPsec – IKE

Phase 1 Issues (cont’d) Session Keys: Complexity: 2 session keys (1 for enc. & 1 for auth.) are generated. Better to generate 4 keys; 2 for each direction. (may be subject to reflection attack) Complexity: 8 different protocols are defined (2 modes, each with 4 types of authentication) Unnecessarily flexible and complex CS470, A.Selcuk IPsec – IKE

Phase 2 Exchange Establishes IPsec SA & session key Runs over the IKE SA established in Phase 1. (message are encrypted/authenticated with Phase 1 keys) Key generation: based on Phase 1 key, SPI, nonces. DH exchange: Optional (for PFS). IPsec Traffic Selector: Established optionally. Specifies what traffic is acceptable. (e.g., What port numbers are allowed to use this SA.) CS470, A.Selcuk IPsec – IKE

Phase 2 X: pair of cookies generated in Phase 1 Y: session identifier Phase1 SA X, Y, CP, SPIA, nonceA, [traffic], [ga mod p] Alice Bob X, Y, CPA, SPIB, nonceB, [traffic], [gb mod p] X, Y, ack X: pair of cookies generated in Phase 1 Y: session identifier traffic: IPsec traffic selector (optional) CS470, A.Selcuk IPsec – IKE

IKEv2 Protocol Initiated by Perlman & Kaufman, with the aims of simplifying IKEv1 fixing the bugs fixing the ambiguities while remaining as close to IKEv1 as possible. (“no gratuitous changes”) CS470, A.Selcuk IPsec – IKE

IKEv2 – Main Features Only one mode of authentication: Public key signatures. IKE SA + IPsec SA are established in the same protocol, in 4 messages. (~ Phase 1) Additional child SAs, if needed, are established in 2 messages. (~ Phase 2) DoS protection optional, via cookies (stateless). Crypto negotiation is simplified support for “suites” ability to say “any of these enc., with any of these hash...” CS470, A.Selcuk IPsec – IKE

IKEv2 – The Exchange Protocol ga mod p, crypto offered, nA, [certreq] gb mod p, crypto selected, nB, [certreq] K = f(nonces, SPIs, gab mod p) Alice Bob K{“Alice”, sign on 1/2 msgs, [cert], child} K{“Bob”, sign on 1/2 msgs, [cert], child} Bob can optionally refuse the first message and require return of a cookie. Adds extra 2 messages. CS470, A.Selcuk IPsec – IKE

IKEv2 – The Exchange Protocol (cont’d) DoS protection: Optional; by Bob responding the first message with a (stateless) cookie. Originally, designed with 3 rounds. Later 4 rounds is agreed on: Initiator needs a 4th message anyway to know when to start the transmission. Extra msgs for cookie exchange can be incorporated into 4 msgs, if Alice repeats msg.1 info in msg.3 Preserves identity hiding from passive attackers. CS470, A.Selcuk IPsec – IKE

IKEv2 – Child SA Creation proposal, nonce, [ga mod p], TS Alice Bob proposal, nonce, [gb mod p], TS proposal: crypto suites, SPI, protocol (ESP, AH, IP compression) TS: Traffic selector Derived keys: Function of IKE keying material, nonces of this exchange, plus optional DH output. CS470, A.Selcuk IPsec – IKE

Other IKEv2 Features Reliability: Traffic selector negotiation: All messages are request/response. Initiator is responsible for retransmission if it doesn’t receive a response. Traffic selector negotiation: IKEv1: Responder can just say yes/no. IKEv2: Negotiation ability added. Rekeying: Either side can rekey at any time. Rekeyed IKE-SA inherits all the child-SAs. CS470, A.Selcuk IPsec – IKE