ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

Slides:



Advertisements
Similar presentations
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Advertisements

Internet Protocol Security (IP Sec)
L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.
Web security: SSL and TLS
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
CSC 474 Information Systems Security
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Security at the Network Layer: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
IPsec – IKE CS 470 Introduction to Applied Cryptography
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
Internet Key Exchange. IPSec – Reminder SPI SA1 2 3 …… SAD.
1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T IKE Tutorial.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
IPsec: IKE, Internet Key Exchange IPsec does not use Public Key Infrastructure and exchanging keys before an IPsec connection is established is a problem.
1 Lecture 14: Real-Time Communication Security real-time communication – two parties interact in real time (as opposed to delayed communication like )
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
406 NW’98 1 © 1998, Cisco Systems, Inc. IPSec Loss of Privacy Security Threats Impersonation Loss of Integrity Denial of Service m-y-p-a-s-s-w-o-r-d.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.
CSCE 715: Network Systems Security
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
COEN 350 IPSec, SSL, SSH,. IPSec RFC 1636 identified key areas where the internet needs to be made more secure. Spoofing: Creating packets with false.
SMUCSE 5349/49 IP Sec. SMUCSE 5349/7349 Basics Network-level: all IP datagrams covered Mandatory for next-generation IP (v6), optional for current-generation.
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
1 Lecture 16: IPsec IKE history of IKE Photurus IKE phases –phase 1 aggressive mode main mode –phase 2.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Chapter 8: Implementing Virtual Private Networks
1 Methods and Protocols for Secure Key Negotiation Using IKE Author : Michael S. Borella, 3Com Corp.
IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427)
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
Attacking IPsec VPNs Charles D George Jr. Overview Internet Protocol Security (IPSec) is a suite of protocols for authenticating and encrypting packets.
IPSec VPN: How does it really work? Yasushi Kono (ComputerLinks Frankfurt)
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
IPSec VPN Chapter 13 of Malik. 2 Outline Types of IPsec VPNs IKE (or Internet Key Exchange) protocol.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
CMSC 414 Computer and Network Security Lecture 27 Jonathan Katz.
Network Layer Security Network Systems Security Mort Anvari.
IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.
1 Internet Key Exchange Rocky K. C. Chang 20 March 2007.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
IP Security (IPSec) Internet Key Exchange (IKE) Dr Milan Marković.
Chapter 5 Network Security Protocols in Practice Part I
Reviews Rocky K. C. Chang 20 April 2007.
CSE 4905 IPsec II.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Guevara Noubir CSG254: Network Security
Presentation transcript:

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall

IPsec: IKE Photuris and SKIP PHASE 1 IKE PHASE 2 IKE

Security Association Issues How is SA established? ◦ How do parties negotiate a common set of cryptographic algorithms and keys to use? More than one SA can apply to a packet! ◦ E.g., end-to-end authentication (AH) and additional encryption (ESP) on the public part of the network

IKE: Internet Key Exchange Purpose ◦ Mutual Authentication ◦ Shared Secret Establishment ◦ Crypto Algorithms Negotiation ◦ Security Association Establishment

IPsec Key Management Data transmitted needs to be secured ◦ IPsec SA, session keys, AH or ESP Messages for establishing IPsec SA need to be secured ◦ IKE SA, negotiated secret Negotiation for establishing IKE SA need to be authenticated ◦ Pre-shared secret key ◦ Public/private keys

Review: Cookies Clogging attacks ◦ An opponent forges the source address of a legitimate user and send a public Diffie-Hellman key to the victim; The victim then performs a modular exponentiation to compute the secret key; Repeated messages of this type can clog the victim’s system with useless work. First proposed in Photuris; Cookie ◦ A number chosen by responder; When receiving a request from S, send the cookie to S in clear; start the processing after the cookie comes back from the initiator. Stateless cookies ◦ The responder does not have to remember (store) the cookies he sent out; The cookie is a function of the IP address and a secret known to the responder

A Stateless Cookie Protocol

Photuris

Features of Photuris Denial of service protection: ◦ Stateless cookie C B in message 2 Signed Diffie-Hellman exchange ◦ Signature on the previous message in message 5 and 6 Identity hiding ◦ Anonymous Diffie-Hellman ◦ Identities are encrypted in message 5 and 6 (for active man-in-the-middle, the initiator’s identity is revealed, but not the responder)

SKIP uses long term Diffie-Hellman public keys ◦ Alice finds Bob’s public key (g B mod p ) via a certificate from Bob or a directory. Bob finds Alice’s public key (g A mod p ). Then they will have a common secret (g AB mod p). Data encryption ◦ Long term common secret should not be used to encrypt data. Instead each message has a SKIP header where the long term secret is used to encrypt a short-term data encryption key, which is used to encrypt the message. SKIP: Simple Key Management for Internet Protocols

IKE Phases Phase One ◦ Mutual authentication ◦ Session key establishment ◦ ISAKMP SA/IKE SA Phase Two ◦ Negotiating IPsec SAs (AH, ESP)

Why two phases? ISAKMP would be used by other protocols to set up SAs, not only to set up IPsec SAs. Phase 1 exchange is relatively expensive. ISAKMP/IKE SA has a longer timeout period. It can be used to negotiate multiple phase 2 IPsec SAs, which reduces the usage of pre-shared secret or private key.

Phase 1 IKE Two modes Aggressive mode ◦ 3 messages ◦ Mutual authentication ◦ Session key establishment Main Mode ◦ 6 messages ◦ Mutual authentication ◦ Session key establishment ◦ Hiding endpoint identity ◦ Negotiating cryptographic algorithms

Phase 1: Aggressive Mode

Phase 1: Main Mode

Negotiating Cryptographic Parameters Encryption algorithm (e.g., DES, 3DES, IDEA) Hash algorithm (e.g., MD5, SHA) Authentication method (e.g., pre-shared keys, RSA public key signature, DSS, RSA public key encryption) Diffie-Hellman group (e.g., g and p)

Crypto Proposals Alice sends Bob a list of proposals, each consisting of an encryption algorithm, a hash algorithm, authentication method, and a Diffie- Hellman group. Bob replies one as the accepted proposal. The parameters in the proposal are used in Phase 1 and Phase 2 (IKE SA), with hash algorithm used for various purposes.

Key Types Mutual authentication based on ◦ Pre-shared secret key ◦ Public encryption key  Original protocol design  Improved Protocol design ◦ Public signature key

Cookie Issues IKE is stateful, starting from the first message. ◦ Alice’s crypto proposal is in the identity proof ◦ ISAKMP requires randomly chosen cookies Identifier:

Session Keys After Diffie-Hellman key exchange, each side knows g xy mod p Encryption key and Integrity key for the rest of IKE SA Keys for IPSec SAs

Session Keys Pseudo Random function – prf(key, data), e.g., CBC residue, HMAC SKEYID ◦ For signature public keys, prf(nonces, g xy ) ◦ For encryption public keys, prf(hash(nonces), cookies) ◦ For pre-shared secret keys, prf(pre-shared secret key, nonces) SKEYID_d: secret bits used to create other keys ◦ prf(SKEYID, g xy | cookies | 0) SKEYID_a: the integrity protection key ◦ prf(SKEYID, SKEYID_d | g xy | cookies | 1) SKEYID_e: the encryption key ◦ prf(SKEYID, SKEYID_d | g xy | cookies | 2)

Proof of Identity Proof of the key associated with the identity ◦ pre-shared secret key ◦ private encryption key ◦ private signature key Integrity-check on the previous messages, such as identity, Diffie-Hellman values, nonce, Alice’s crypto proposal, and the cookies.

Proof of Identity (Cont’d) Alice’s proof of identity ◦ prf ( SKEYID, g x | g y | cookies | Alice’s initial proposals | Alice’s identity ) Bob’s proof of identity ◦ prf ( SKEYID, g x | g y | cookies | Alice’s initial proposal | Bob’s identity )

IKE phase 1 protocols 8 phase-1 protocols ◦ 2 modes ◦ 4 types of keys Common features ◦ Message 1 starts with Alice’s cookie ◦ All other messages start with (initiator cookie, responder cookie), which serves as the IKE connection identifier

Phase 1: Public Signature Keys, Main Mode

Phase 1: Public Signature Keys, Aggressive Mode

Phase 1: Public Encryption Keys, Main Mode, Original

Phase 1: Public Encryption Keys, Aggressive Mode, Original

Phase 1: Public Encryption Keys, Main Mode, Revised

Phase 1: Public Encryption Keys, Aggressive Mode, Revised

Phase 1: Pre-Shared Secret Keys, Main Mode

Phase 1: Pre-Shared Secret Keys, Aggressive Mode

Phase 2, Quick Mode Establish IPSec SAs (e.g., ESP and/or AH) ◦ Crypto parameters ◦ Diffie-Hellman numbers (optional) ◦ Traffic type (optional) All messages (except X,Y) encrypted and integrity protected

Reading Assignment [Kaufman] Chapter 18