Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Layer Security: IPSec

Published byEsmond Chandler Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Layer Security: IPSec"— Presentation transcript:

1 Network Layer Security: IPSec

2 Overview IPSec is an Internet standard for network layer security
components: an authentication protocol (Authentication Header – AH) a combined encryption and authentication protocol (Encapsulated Security Payload – ESP) key management protocols (the default is ISAKMP/Oakley) important RFCs RFC 2401: an overview of the IPSec security architecture RFC 2402: specification of AH RFC 2406: specification of ESP RFC 2408: specification of ISAKMP RFC 2412: specification of Oakley IPSec is mandatory for IPv6 and optional for IPv4

3 IPSec services ESP (encryption and authentication) ESP
(encryption only) AH integrity x x data origin authentication x x replay detection x x x confidentiality x x limited traffic flow confidentiality x x

4 Security associations (SA)
an SA is a one-way relationship between a sender and a receiver system an SA is used either for AH or for ESP but never for both an SA is uniquely identified by three parameters Security Parameters Index (SPI) a bit string assigned to the SA carried in AH and ESP headers to allow the receiving party to select the SA which must be used to process the packet IP destination address address of an end-system or a network element (e.g., router) security protocol identifier indicates whether the SA is an AH or an ESP SA Security Associations

5 SA parameters sequence number counter sequence counter overflow flag
counts the packets sent using this SA sequence counter overflow flag indicates whether overflow of the sequence number counter should prevent further transmission using this SA anti-replay window used to determine whether an inbound AH or ESP packet is a replay AH / ESP information algorithm, key, and related parameters lifetime a time interval or byte count after which this SA must be terminated protocol mode tunnel or transport mode path MTU any observed maximum transmission unit Security Associations

6 SA selectors Security Policy Database (SPD) outbound processing
each entry defines a subset of IP traffic and points to the SAs to be applied to that traffic subset of IP traffic is defined in terms of selectors destination IP address (single, enumerated list, range, or mask) source IP address (single, enumerated list, range, or mask) transport layer protocol (single, enumerated list, or range) destination port (single, enumerated list, range, or wildcard) outbound processing compare the selector fields of the packet to the values in the SPD determine which SAs should be used for the packet and their SPIs do the requiered IPSec processing Security Associations

7 Modes of operation transport mode tunnel mode
provides protection primarily for upper layer protocols protection is applied to the payload of the IP packet ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header AH in transport mode authenticates the IP payload and selected fields of the IP header usually used between end-systems tunnel mode provides protection to the entire IP packet the entire IP packet is considered as payload and encapsulated in another IP packet (with potentially different source and destination addresses) ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet AH in transport mode authenticates the entire inner IP packet and selected fields of the outer IP header usually used between security gateways (routers, firewalls)

8 Authentication Header – AH
Next header type of header immediately following this header (e.g., TCP, IP, etc.) Payload length length of AH (in 32 bit words) minus 2 e.g., 4 if Authentication data is 3x32 bits long Security Parameters Index identifies the SA used to generate this header Sequence number sequence number of the packet Authentication data a (truncated) MAC (default length is 3x32 bits) 8 16 31 Next header Payload length Reserved Security Parameters Index (SPI) Sequence number Authentication data (variable length) Authentication Header – AH

9 Replay detection replay: the attacker obtains an authenticated packet and later transmits (replays) it to the intended destination receiver has an anti-replay window of default size W = 64 last received packet packets received window (of size 7) ... ... dropped dropped if MAC is correct then mark otherwise drop advance window Authentication Header – AH

10 MAC implementations must support the MAC is calculated over
HMAC-MD5-96 HMAC-SHA1-96 the MAC is calculated over IP header fields that do not change in transit the AH header fields except the Authentication data field entire upper layer protocol data the fields not covered by the MAC are set to 0 for the calculation Header checksum TTL 0000 IP AH Authentication Header – AH MAC Authentication data payload

11 AH in transport and tunnel mode
original IPv4 packet original IP header TCP/UDP header data AH in transport mode original IP header AH TCP/UDP header data authenticated except for mutable fields in the IP header AH in tunnel mode Authentication Header – AH new IP header AH original IP header TCP/UDP header data authenticated except for mutable fields in the outer IP header

12 Encapsulating Security Payload – ESP
Security Parameters Index identifies the SA used to generate this encrypted packet Sequence number payload transport level segment (transfer mode) or encapsulated IP packet (tunnel mode) padding variable length padding Pad length Next header identifies the type of data contained in the header Authentication data a (truncated) MAC computed over the ESP packet (SPI ... Next Header) 16 24 31 Security Parameters Index (SPI) Sequence number payload (variable length) padding (0-255 bytes) Pad length Next header Encapsulating Security PAyload – ESP Authentication data (variable length)

13 Encryption and MAC algorithms
applied to the payload, padding, pad length, and next header fields if an IV is needed, then it is explicitly carried at the beginning of the payload data (the IV is not encrypted) implementations must support DES-CBC other suggested algorithms: 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish MAC default length is 3x32 bits implementations must support HMAC-MD5-96 and HMAC-SHA1-96 MAC is computed over the SPI, sequence number, and encrypted payload, padding, pad length, and next header fields unlike in AH, here the MAC does not cover the preceding IP header Encapsulating Security PAyload – ESP

14 ESP in transport and tunnel mode
original IPv4 packet original IP header TCP/UDP header data ESP in transport mode original IP header ESP header TCP/UDP header data ESP trailer ESP MAC encrypted authenticated Encapsulating Security PAyload – ESP ESP in tunnel mode new IP header ESP header original IP header TCP/UDP header data ESP trailer ESP MAC encrypted authenticated

15 Combining security associations
basic ESP-AH combination apply ESP in transport mode without authentication apply AH in transport mode basic AH-ESP combination apply ESP in tunnel mode without authentication original IP header AH ESP header TCP/UDP header data ESP trailer authenticated except for mutable fields in the IP header Combining security associations new IP header ESP header original IP header AH TCP/UDP header data ESP trailer authenticated except for mutable fields in the inner IP header

16 Combining security associations cont’d
case 1: host-to-host security one or more SAs local intranet Internet local intranet Combining security associations

17 Combining security associations cont’d
case 2: gateway-to-gateway security single tunnel SA local intranet Internet local intranet Combining security associations

18 Combining security associations cont’d
case 3: host-to-gateway security single tunnel SA Internet local intranet Combining security associations

19 Combining security associations cont’d
combinations of the 3 cases single tunnel SA one or more SAs local intranet Internet local intranet Combining security associations

20 Key management two types must be supported by implementations
manual system administrator configures each system with the necessary keys automated on-demand creation of keys for SAs default automated method is ISAKMP/Oakley Oakley key determination protocol a key exchange protocol based on Diffie-Hellman provides added security (e.g., authentication) ISAKMP – Internet Security Association and Key Management Protocol provides a framework for key exchange defines message formats that can carry the messages of various key exchange protocols Key management

21 Oakley key determination protocol
problems with basic DH: it is subject to a man-in-the-middle type attack it is vulnerable to a clogging attack attacker sends fake DH messages to a victim from a forged IP address victim starts performing modular exponentiations to compute a secret key victim can be blocked with useless work added security features of Oakley cookie exchange to thwart clogging attacks hash(src IP addr, dst IP addr, src UDP port, dst UDP port, local secret) local secret is periodically changed uses nonces to detect replay attacks authenticates the DH exchange to thwart man-in-the-middle attacks based on digital signatures, public key encryption, or symmetric key encryption enables the parties to negotiate the global parameters of the DH exchange (e.g., the prime p that defines the group and the generator g of the group) few predefined groups Key management / Oakley

22 Oakley example – conservative
I  R: CKYi | 0 | OK_KEYX | GRP | gx | EHAO R  I: CKYr | CKYi | OK_KEYX | GRP | gy | EHAS I  R: CKYi | CKYr | OK_KEYX | GRP | gx | NIDP | IDi | IDr | {Ni}Kr R  I: CKYr | CKYi | OK_KEYX | GRP | NIDP | { Nr | Ni }Ki | IDr | IDi | MAC(Kir, IDr | IDi | GRP | gy | gx | EHAS ) I  R: CKYi | CKYr | OK_KEYX | GRP | NIDP | MAC(Kir, IDi | IDr | GRP | gx | gy | EHAS ) where CKY: cookie OK_KEYX: message type is Oakley key exchange GRP: group EHAO/EHAS: encryption, hash, authentication alg. offered/selected NIDP: no ID protection N: nonce and Kir = hash( Ni | Nr ) shared secret key = f( Ni, Nr, gxy, CKYi, CKYr ) Key management / Oakley

23 Oakley example – aggressive
I  R: CKYi | 0 | OK_KEYX | GRP | gx | EHAO | NIDP | IDi | IDr | Ni | 0 | Sig( Ki-1, IDi | IDr | Ni | 0 | GRP | gx | 0 | EHAO ) R  I: CKYr | CKYi | OK_KEYX | GRP | gy | EHAS | NIDP | IDr | IDi | Nr | Ni | Sig( Kr-1, IDr | IDi | Nr | Ni | GRP | gy | gx | EHAS ) I  R: CKYi | CKYr | OK_KEYX | GRP | gx | NIDP | IDi | IDr | Ni | Nr | Sig( Ki-1, IDi | IDr | Ni | Nr | GRP | gx | gy | EHAS ) Key management / Oakley

24 ISAKMP generic message format
Next payload type of next payload (e.g., transform, key exchange, certificate, …) 0 if this is the last payload Exchange type 5 default exchange types (base, ID protection, auth only, aggressive, informational) Message ID unique ID of this message Length length of header + all payloads Initiator cookie Responder cookie Next payload Mj ver Mn Ver Exchange type Flags Message ID Length Key management / ISAKMP Next payload Reserved Payload length payload

25 ISAKMP payload types Security Association (SA) Proposal (P)
used to begin the setup of a new SA; carries various attributes Proposal (P) used during SA setup; indicates protocol to be used (AH or ESP) and number of transforms Transform (T) used during SA setup; indicates transform (e.g., DES, 3DES) and its attributes Key exchange (KE) used to carry key exchange data (e.g., Oakley) Identification (ID) used to exchange identification information (e.g., IP address) Certificate (CR) carries a public key certificate (PGP, X.509, SPKI, …) Hash (HASH) Signature (SIG) Nonce (NONCE) Notification (N) contains error or status information Delete (D) indicates one or more SAs that the sender has deleted from its database (no longer valid) Key management / ISAKMP

26 ISAKMP exchange types base exchange identity protection exchange
I  R : SA; NONCE R  I : SA; NONCE I  R : KE; IDi; AUTH R  I : KE; IDr; AUTH identity protection exchange I  R : SA R  I : SA I  R : KE; NONCE R  I : KE; NONCE I  R : IDi; AUTH R  I : IDr; AUTH Key management / ISAKMP

27 ISAKMP exchange types cont’d
authentication only exchange I  R : SA; NONCE R  I : SA; NONCE; IDr; AUTH I  R : IDi; AUTH aggressive exchange I  R : SA; KE; NONCE; IDi R  I : SA; KE; NONCE; IDr; AUTH I  R : AUTH informational exchange I  R : N/D Key management / ISAKMP

Download ppt "Network Layer Security: IPSec"

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Cryptography and Network Security

Cryptography and Network Security
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.

IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Similar presentations

Ads by Google