Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols.

Published byJoella Dixon Modified over 9 years ago

Similar presentations

Presentation on theme: "IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols."— Presentation transcript:

1 IP Security and Key Establishment CS 395T

2 Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols for IPSec Defending against denial of service “Real-world” considerations for protocol design No formal methods (yet) –But see Cathy Meadows’ paper on the website uMonday: no class (Labor Day) uNext Wednesday: process algebras Homework assigned (using Mur  ) uThen bring all together – use process algebra and rational reconstruction to understand JFK protocol

3 IP Security Issues uEavesdropping uModification of packets in transit uIdentity spoofing (forged source IP addresses) uDenial of service uMany solutions are application-specific TLS for Web, S/MIME for email, SSH for remote login uIPSec aims to provide a framework of open standards for secure communications over IP Protect every protocol running on top of IPv4 and IPv6

4 IPSec = AH + ESP + IPcomp + IKE IPSec: Network Layer Security Protection for IP traffic AH provides integrity and origin authentication ESP also confidentiality Compression Sets up keys and algorithms for AH and ESP uAH and ESP rely on existing security association Roughly, peers must share a set of secret keys and agree on each other’s IP addresses and crypto schemes uInternet Key Exchange (IKE) Goal: establish security association for AH and ESP If IKE is broken, AH and ESP provide no protection!

5 uTransport mode secures packet payload and leaves IP header unchanged Typically, client-gateway (e.g., PC to remote host) uTunnel mode encapsulates both IP header and payload into IPSec packets Typically, gateway-gateway (e.g., router to firewall) Transport Mode vs. Tunnel Mode IP header (end-to-end) IPSec headerTCP/UDP header + data IP header (end-to-end) IPSec headerTCP/UDP header + data IP header (tunnel)

6 uProvides integrity and origin authentication uAuthenticates portions of the IP header uAnti-replay service (to counter denial of service) uNo confidentiality AH: Authentication Header Next headerPayload lengthReserved Security parameters index (SPI) Sequence number Authentication data (MAC of IP header, AH data, TCP payload) Identifies security association (shared keys and algorithms) Anti-replay Authenticates source, verifies integrity of payload

7 New IP header uConfidentiality and integrity for packet payload Symmetric cipher negotiated as part of security assoc uOptionally provides authentication (similar to AH) uCan work in transport… u…or tunnel mode ESP: Encapsulated Secure Payload Original IP header ESP headerTCP/UDP segmentESP trailerESP auth encrypted authenticated Original IP header ESP headerTCP/UDP segmentESP trailerESP auth

8 Key Management uOut of band Can set up some keys this way (Kerberos) uPublic-key infrastructure (PKI) Leverage small number of public signing keys by using certificate chains uProtocols for establishing short-lived session keys Avoid extended use of permanent secrets Forward secrecy –Compromise of one session key does not help the attacker to compromise subsequent session keys Cryptography reduces many problems to key management

9 Key Distribution in Kerberos Client Key Center Server share symmetric key Kc (offline) share symmetric key Ks (offline) {Kcs, {Kcs} Ks } Kc {Kcs} Ks, {msg} Kcs Key Center generates session key Kcs and distributes it using shared long-term keys

10 Public-Key Infrastructure (PKI) Client Certificate Authority Server Everyone knows CA’s public signature verification key Ka certificate sig Ka (S,Ks) (offline) sig Ka (S,Ks), sig Ks (msg) Server certificate can be verified by any client that has CA’s public key Ka Certificate authority is “offline” Ks

11 Properties of Key Exchange Protocols uGoal: generate and agree on session key using some shared initial information uWhat other properties are needed? Authentication (know identity of other party) Secrecy (generated key not known to any others) Prevent replay of old key material Forward secrecy Prevent denial of service Protect identities (avoid disclosure to others) Other properties you can think of???

12 Diffie-Hellman Key Exchange uAssume finite group G =  S,   Choose generator g so every x  S is x = g n for some n Example: integers modulo prime p uProtocol g a mod p g b mod p A B Alice, Bob share g ab mod p not known to anyone else

13 Diffie-Hellman Key Exchange Authentication? Secrecy? Replay attack? Forward secrecy? Denial of service? Identity protection? g a mod p g b mod p A B No Only against passive attacker Vulnerable Yes Vulnerable Participants can’t tell g x mod p from a random number: send them garbage and they’ll do expensive exponentiations

14 IKE Genealogy Diffie-Hellman 1976 Station-to-Station Diffie, van Oorschot, Wiener 1992 + authentication, identity protection Photuris Karn, Simpson 1994-99 + defense against denial of service ISAKMP NSA 1998 “generic” protocol for establishing security associations + defense against replay Oakley Orman 1998 + compatibility with ISAKMP IKE Cisco 1998 IKEv2 IETF draft August 13, 2004 JFK Aiello et al. 2002

15 , sign B (m1,m2) sign A (m1,m2) Basic Idea A, (g a mod p) B, (g b mod p) Result: A and B share session key g ab mod p Signatures provide authentication, as long as signature verification keys are known AB m1 m2

16 (Simplified) Photuris IR [Karn and Simpson] Cookie I Random number (identifies connection) Cookie I, Cookie R, offer crypto Hash(source & dest IP addrs, Cookie I, ports, local secret) Cookie I, Cookie R, g a mod p, select crypto Cookie I, Cookie R, g b mod p switch to K=g ab mod p Cookie I, Cookie R, { “I”, sig I (previous msgs) } K Cookie I, Cookie R, { “R”, sig R (previous msgs) } K

17 Preventing Denial of Service uResource-clogging attacks are a serious issue If responder opens a state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses uCookies ensure that the responder is stateless until initiator produced at least 2 messages Responder’s state (IP addresses and ports of the con- nection) is stored in a cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator The cost is 2 extra messages in each execution!

18 Cookies in Photuris and ISAKMP uPhoturis cookies are derived from local secret, IP addresses and ports, counter, crypto schemes Same (frequently updated) secret for all connections uISAKMP requires unique cookie for each connect Add timestamp to each cookie for uniqueness Now responder needs to keep state (“cookie crumb”) –Vulnerable to DoS (see Simpson’s rant on the course website) uInherent conflict: to prevent replay, need to keep state (remember values that you’ve seen before), but keeping state allows denial of service JFK design gets it right (we’ll talk about JFK later)

19 IKE Overview uGoal: create security association between 2 hosts Shared encryption and authentication keys, agreement on crypto algorithms (a-la carte, not like SSL suites) uTwo phases: 1 st phase establishes security association (IKE-SA) for the 2 nd phase Always by authenticated Diffie-Hellman (expensive) u2 nd phase uses IKE-SA to create actual security association (child-SA) to be used by AH and ESP Use keys derived in the 1 st phase to avoid DH exchange Can be executed cheaply in “quick” mode

20 Why Two-Phase Design? uExpensive 1 st phase creates “main” SA uCheap 2 nd phase allows to create multiple child SAs (based on “main” SA) between same 2 hosts Avoid multiplexing several conversations over same SA –For example, if encryption is used without integrity protection (bad idea!), it may be possible to splice the conversations Different conversations may need different protection –Some traffic only needs integrity protection or short-key crypto –Too expensive to always use strongest available protection Different SAs for different classes of service uJFK is a single-phase protocol (talk about it later)

21 IKEv1 Was a Mess uTwo modes for 1 st phase: “main” and “aggressive” Fewer messages in “aggressive” mode, but no identity protection and no defense against denial of service Main mode vulnerable to DoS due to bad cookie design Many field sizes not verified; poor error handling uFour authentication options for each mode Shared keys; signatures; public keys in 2 different ways uSpecial “group” mode for group key establishment uGrand total of 13 different variants Difficult to implement, impossible to analyze Security problems stem directly from complexity

22 Instead of running 2 nd phase, “piggyback” establishment of child-SA on initial exchange IKEv2: Phase One I R g a mod p, crypto proposal, N i Initiator reveals identity first Prevents “polling” attacks where attacker initiates IKE connections to find out who lives at an IP addr Optional: refuse 1 st message and demand return of stateless cookie Cookie R Cookie R, g a mod p, crypto proposal, N i g b mod p, crypto accepted, N r switch to K=f(N i,N r,crypto,g ab mod p) { “I”, sig I (m 1-4 ), [cert], child-SA } K { “R”, sig R (m 1-4 ), [cert], child-SA } K

23 IP address range, ports, protocol id Optional re-key Crypto suites, protocol (AH, ESP or IPcomp) IKEv2: Phase Two (Create Child-SA) I R { proposal, N i, [g a mod p], traffic} K { proposal, N r, [g b mod p], traffic} K Can run this several times to create multiple SAs After Phase One, I and R share key K

24 Other Aspects of IKE We did not talk about… uInteraction with other network protocols How to run IPSec through NAT (Network Address Translation) gateways? uError handling Very important! Bleichenbacher attacked SSL by cryptanalyzing error messages from an SSL server uProtocol management Dead peer detection, rekeying, etc. uLegacy authentication What if one of the parties does not have a public key?

Download ppt "IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.

1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IPSec Isaac Ghansah.

IPSec Isaac Ghansah.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Similar presentations

Ads by Google