ece579s/6 #1 spring 2011 © 2000-2011, richard a. stanley ece579s computer security 6: access...

Spring 2011© 2000-2011, Richard A. Stanley

ECE579S/6 #1

ECE579SComputer Security

6: Access Control Revisited, IPSec

Profssor Richard A. Stanley, P.E.


ECE579S/6 #2

Summary of Access Control

• It’s all about protection

• Identification ties a physical entity to an abstract identity

• Authentication verifies the identity of both entities: the user and the computer

• Policy and audit trails are critical

• No shortage of folks trying to break in


ECE579S/6 #3

Perspective

• Computer security field is relatively new – Most of the key contributors to the theory are still

practicing professionals• LaPadula at MITRE in MA• Bell consulting in VA• Lipner at Microsoft in Redmond, WA• Ken Biba is co-founder of Novarum in CA• …etc.

– This field is still developing, and all of us can have a major part in that.

• What other area today can make that claim?


ECE579S/6 #4

Access Control

• The basic method of providing any kind of security

• Much easier to describe than to implement• Must operate within bounds

– Theoretical– Legal– Sociologically acceptable– …etc.


ECE579S/6 #5

Discretionary and MandatoryAccess Control

• Who decides the access rights?• Discretionary access control (DAC): the

owner of a resource decides• Mandatory access control (MAC): the

administration decides (based on the policy in use)

• Most widely-used operating systems have discretionary access control


ECE579S/6 #6

Other Problems

• Disclosure– Some would argue that in a military setting, this

is a non-problem, where it might be significant issue in a commercial system. What say you?

• Aggregation– Obtaining sensitive information by collecting

lots of “unsensitive” information– How can this be a problem?


ECE579S/6 #7

Different Types of Access Control

• Originator-controlled

• Role-based

• Issues:– Who should access data vs. who will access it?– Implementation of MAC and DAC

• Detailed analysis left for student based on readings


ECE579S/6 #8

Bell & LaPadula: What’s the Big Fuss?

• The BLP model was the first formal computer security model, and led the way for developments by others

• The BLP model captures many of the critical issues that must be instantiated in a security policy if it is to be meaningful

• This model is fairly easily transformed into actual security policies aimed at people


ECE579S/6 #9

Computer Security Models

• Deal with computers (doh!)– Which have no memory unless we give it to

them– Which have no social organization that makes

them vulnerable to risks that plague humans

• Don’t necessarily capture or map well to human behavior


ECE579S/6 #10

Lipner’s Security Requirements

• Users will not write their own programs• Program development will not be done on

production systems• Special process required to install program from

development to production system• The above special process must be both controlled

and audited• Managers and auditors must have access to both

system state and system logs


ECE579S/6 #11

Principles of Operation

• These follow from Lipner’s Rules• Separation of duties

– Critical functions broken into steps, where no single individual can perform all needed steps

• Separation of functions– Development and production systems separated to prevent info

leakage from one to the other

• Audit– Analyze what actually was done, compare to policies, identify

inappropriate actions (if any)– Done by still another group of individuals from above


ECE579S/6 #12

Lipner Again

• Merged Bell-LaPadula and Biba models to obtain an integrity matrix model

• Focused on Lipner’s impression of commercial needs

• Requires implementation of a lattice of security and integrity labels


ECE579S/6 #13

Lattice Models

• Labels consist of both security label and some other label(s), the second one typically called a compartment or category

• Managing a lattice security model can be a challenge, especially as the number of entries in the lattice grows


ECE579S/6 #14

What’s a Lattice?

• A lattice is a mathematical structure whose elements:– Are under a relational operator. – Are ordered under a partial ordering

• For all a,b,c L, if a b, b c, then a c (transitive)

• For all a,b L, if a b, b a, then a b (antisymmetric)


ECE579S/6 #15

Lattice Example

confidential, {a}

These are NOT the same point in the lattice!


ECE579S/6 #16

Comparability

• Not every pair in the lattice needs to be comparable

• Largest element: <Top Level; all compartments>• Smallest element: <Unclassified; no

compartments>


ECE579S/6 #17

Combining Different Models

• Combinations of models can be useful, but they must be made carefully

• For example when combining BLP and Biba there is a decision: use the same security labels for both model rules or not?– If yes, then special care has to be paid to avoid

a system where access is allowed only to same level objects (unless you really know that that is what you want)


ECE579S/6 #18

The Objectives

• Secure computing systems– Software– Hardware

• Security policies that can be tracked to the underlying, proven security model

• This is not easy to do• Important not to let the model become the

objective; it is a tool to get you there


ECE579S/6 #19

Operating System Security

Hardware

OS Kernel

Operating System

Services

Applications

We have been here

If the goal is to do security at the lowest level,

what are we doing here?

It falls to the O/S to implement many, if not most, of the tasksneeded to implement computer security.


ECE579S/6 #20

YASM: Yet Another Security Model

Accounts

Users Privileges

OS Security

ID & Auth.

Permissions

Configuration Audit Log

Authorization


ECE579S/6 #21

Operating Systems of Interest

• Unix– Many versions, discussion is generic– Basis for Mac OS X

• Windows NT– Also many versions, much in common– Security model for Win 2K, XP, Vista, etc.


ECE579S/6 #22

Unix Security Architecture

• Utilizes hardware security levels

• Users and passwords

• Groups and passwords

• Superuser--kernel executes in Level 0

• Controlled invocation

• Permissions attached to files -- ACL


ECE579S/6 #23

Unix Permissions• Only three:

– r: read– w: write– x: execute

• Others– s: SUID program (in user permissions)– s: SGID program (in group permissions)

• Permissions are called modes


ECE579S/6 #24

Unix Users

• All users have a user ID

• UID is a 16-bit number

• Linked to passwords in /etc/passwd

• Unix does not distinguish among users who have the same UID; there is a many to one correlation of actual users to UID

• UID 0 is the superuser


ECE579S/6 #25

Unix Groups

• All Unix users belong to a group• Association of users to groups is found in

/etc/group, which looks like group name:group password:GID:users

• All members of the group enjoy the group permissions


ECE579S/6 #26

Unix File Structure

• Directory entry is pointer to the inode• Inode listing looks like:

-rw-r--r-- 2 rstanley ece 153 Feb 28 04:55 sample

• Permissions are checked from left to right

• Unix files all look like text files


ECE579S/6 #27

Files and Other Things

• Unix regards everything as a file, and a text file at that

• Devices look like files, so they are accessed by the path specified

• Placing a “ringer” in the path can lead to security compromises


ECE579S/6 #28

Sequence is Everything

• The order in which things are checked is critical to security

• You must know in intimate detail how things are checked to know if your security measures are adequate

• If privileges are checked in the order user>group>others, will you get a different result than checking others>group>users?


ECE579S/6 #29

Unix Passwords

• Often 8 characters long

• Encrypted using modified DES algorithm

• Stored in etc/passwd • Format user name: encrypted password: user ID:

group ID: ID string: home directory: login shell


ECE579S/6 #30

Password File Example


ECE579S/6 #31

Password Crackers • Crack

– Original Unix password cracker

• John the Ripper– Command-line tool, dictionary-based

• Star Cracker– Command-line, brute force– Runs on DOS

• Cracker Jack– Cracks Unix passwords, runs on DOS


ECE579S/6 #32

Password Shadowing

• Actual encrypted passwords kept in shadow password file

• etc/passwd entries for passwords are *

• etc/passwd is world readable, but shadow file is not

• Makes getting the password file harder, but not impossible


ECE579S/6 #33

SET Mischief• Must find a way to allow users to execute

certain OS functions w/o being superuser• Solution: SUID and SGID

– Run with permissions of the owner– Provide temporary access not normally

available

• Root often owns SUID and SGID• Is there a problem here?


ECE579S/6 #34

Changing Permissions

• Modes can be changed by file owner or SU

• In absolute mode, permissions are granted by octal number codes

• Real people prefer literal mode: chmod u+wx, g-rwx, o-rwx sample

• If mode is changed improperly, problems!


ECE579S/6 #35

Changing Owners

• Since the file owner gets to decide about permissions, can the owner be changed?

• Yes! And so can the group.

• chown and chgrp permit exactly those changes to be accomplished, normally only by the superuser (UID 0)

• Lots of opportunity for mischief here


ECE579S/6 #36

Stacks of Trouble

• Stack/buffer overflow: what does this mean?

• What is the stack or buffer, anyway?

• If you know how the OS allocates memory, can you think of a way to exploit this?

• Is it difficult to find out how Unix allocates memory?


ECE579S/6 #37

Exploiting OS Syntax

• In Unix commands, - precedes a flag• -f is the “force” flag• So...

– What if we create lots of copies of a file named -foobar.doc?

– How do we delete it?• rm -foobar.doc: what does this do?


ECE579S/6 #38

Caveats

• Common security tools are usually indicative of where the worst problems can be found

• We have not addressed network security problems; those come next semester

• Be careful of tools and utilities– You don’t know where they have been!– Here there may be Trojan Horses


ECE579S/6 #39

Unix Security Summary• Reasonable security features in the OS• Superuser can do anything, so anyone who

can become superuser can subvert security• There are a lot of ways to use “holes” in the

system to compromise security• As anywhere else, achieving good security

takes effort and time -- two things that are usually in short supply


ECE579S/6 #40

Windows Taxonomy

• The security features of Windows NT, 2000, and XP have their basis in NT– We’ll refer to all of them as “NT” in the course,

but bear in mind that they are quite different• NT began it all by integrating network and computer

operating systems, introducing real security features

• 2000 is essentially NT v5.0

• XP is a re-write; although much functional equivalence, implementing code is very different


ECE579S/6 #41

Windows NT Security Architecture• Users and kernel in separate rings (3 & 0)• Object locking• Data in proprietary formats• Object oriented--access can vary by object• Security subsystem

– Security Reference Monitor (SRM, in kernel)– Local Security Authority (creates SAT in user mode)– Security Account Manager (user mode)– Login Process (authenticates user)


ECE579S/6 #42

Registry

• Central configuration database

• Hives contain keys– HKEY_LOCAL_MACHINE– HKEY_CLASSES_ROOT– HKEY_CURRENT_USER– HKEY_USERS

• Stored in proprietary format


ECE579S/6 #43

Not Only Massachusetts Has Registry Problems

• Default settings allow nearly everyone to change nearly everything

• If a key doesn’t exist, if it is checked, no exception is raised

• Proprietary format is no barrier to modification of the registry

• Registry is the key to the system operation


ECE579S/6 #44

Login

• Users login to a user account on a domain– Domain is set of machines sharing common

user database and security policy– Login begins with secure attention sequence– User name and password matched by LSA with

database– LSA creates a System Access Token containing

the SID, attached to access control process


ECE579S/6 #45

NT Password System

• Passwords stored in encrypted form, à la Unix

• Password filtering can be activated by registry key (>5 char., mixed mode, etc.)

• Encrypted passwords stored in SAM database, which is part of the registry

• There is a backup copy of the password file


ECE579S/6 #46

Windows NT Password

• Hashed using a one-way function– Same approach as Unix, different algorithms

• Stored in SAM database• SAM database is proprietary format, but

tools exist to permit reading it• Encrypted passwords can be obtained from

the database by subterfuge


ECE579S/6 #47

NT Password Crackers • L0phtcrack

– GUI, fast

• John the Ripper– Command-line tool, dictionary-based– Unix, but cracks LanMan hashes

• Crack 5 with NT extensions– Many permutations used to crack– Not easy to use, but powerful


ECE579S/6 #48

Anti-Cracking Countermeasures• Choose good NT passwords

– Above discussion on length pertains– Include non-printable ASCII characters for key

accounts (like Admin)• ALT-255 = NUM LOCK

– Protect the SAM• Physical security for the server• Keep track of the Admin group

– Implement SYSKEY (NT SP2)


ECE579S/6 #49

SAM’s the Man -- And the Target!

• SAM=Security Accounts Manager• NT equivalent to Unix /etc/password• Once you have Admin privileges, this is where the

user names and PWs are found– Backwards compatibility hinders crypto

– LanManager crypto has been broken

– Relatively easy to crack PWs with tools (L0phtcrack can crack all alphanumeric PWs in <24 hrs with a Pentium II @ 450 mHz


ECE579S/6 #50

Getting the SAM

• Boot to another OS and copy the file

• Get the backup SAM from the repair directory

• Extract PW hashes from the SAM (e.g. with pwdump or pwdump2)– Newer version bypasses SYSKEY

• Network eavesdropping


ECE579S/6 #51

Exploiting Trust • Good account administration

– User accounts don’t have Admin privileges– Local Admin, Domain Admin not mirrored

• Exploit data in Local Security Authority – passwords, hashes, dialup info, etc.

• Autologon• Keystroke logging

– Many loggers around, often as spyware


ECE579S/6 #52

TOCTTOU

• It’s not a tropical bird

• Time Of Check To Time Of Use

• Critical security parameter in many instances

• Important in Windows NT vis-à-vis the login cache


ECE579S/6 #53

User Account Entries• User name (login name)• Full name (real name)• Password (up to 14 characters)• Login hours and workstations• Profile path and login script• Home directory• Account type (global or local)• Expiration date (default is never--is this good?)


ECE579S/6 #54

Windows NT Permissions

• Read: R

• Write: W

• Execute: X

• Delete: D

• Change Access Permissions: P

• Take Ownership: O


ECE579S/6 #55

File Access Permissions

• No Access

• Read (RX)

• Change (RWXD)

• Full Control (all)

• Special Access (any combination)


ECE579S/6 #56

Directory Access Permissions

• Directories have a different permission set from files

• New files inherit permissions from the directory, if it has a permissions set

• Otherwise, everyone has full control for newly created files!

• Another opportunity for mischief


ECE579S/6 #57

Object Access

• Discretionary access based on object type

• Security descriptor stored with object– Security ID– Access Control List

• AccessDenied

• AccessAllowed

• SystemAudit

– System Access Control List


ECE579S/6 #58

Access Control

• Local and global groups• User rights• Built-in groups• Trust relationships

– Set up by system administrator– Trust is NOT transitive– Trust is NOT reflexive

• Mandatory profiles


ECE579S/6 #59

Audit Log

• Windows NT keeps an audit log– Events generated by SRM

• Maximum log size is settable

• Options when full– Overwrite, beginning with oldest entries– Overwrite events older than specified interval– Halt (i.e., do not overwrite)


ECE579S/6 #60

DLL’s• Dynamic Link Libraries are software

modules linked to executing programs at run time

• DLL’s run with rights of the host program• DLL’s are found by searching the path• Can be spoofed by putting Trojan Horse

earlier in the search sequence, for example, or by replacing with bogus DLL


ECE579S/6 #61

Windows NT Security Summary• Comprehensive set of security tools,

arguably better than Unix• Complexity is also an opportunity to

subvert• Windows NT not markedly more secure

than Unix


ECE579S/6 #62

Machine Logon Security

• This is beneath the OS

• BIOS-level user identity check– What happens if you forget your ID?– Is this a foolproof approach?

• Consider the machine as an assemblage of parts rather than a unified and inseparable whole


ECE579S/6 #63

O/S Summary

• We depend on the OS to implement low-level security features

• OS security varies widely with the OS• Security features are valuable, but not bulletproof• The OS is an adjunct level for security

implementation, but not the root level

• Security measures must be designed into an OS; they cannot be bolted on later.


ECE579S/6 #64

ISO Protocol Model (again)

IP

Ethernet, token ring

Electrical standards

Protocols


ECE579S/6 #65

Protocol Layering & Internetworking


ECE579S/6 #66

Consider DECNET


ECE579S/6 #67

DECNET

• Supports many Layer 2 protocols

• Address is of form 10.1, where10 = Area number

1 = node number

• Addresses NOT associated with physical networks to which nodes are connected


ECE579S/6 #68

Compare Appletalk

Source: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/applet.htm


ECE579S/6 #69

Appletalk

• Like DECNET, supports several Layer 2 protocols

• Network addressing schema:


ECE579S/6 #70

How Could We Connect These Two?

• Addressing completely different

• Routing structure different

• Electrical standards different

• …etc.

• In fact, not much similar except that they are both digital networks

• This is why IP came in, and why it remains!


ECE579S/6 #71

IP Overview

• Layer 3 protocol

• Provides packet routing

• Does not ensure reliable delivery—that is left to higher-level protocols, like TCP & UDP

• Facilitates interconnection of dissimilar computers, which is why it is important


ECE579S/6 #72

IP Versions

• Most commonly used version is IP v4, which is widely used worldwide

• Next version is IP v6 (there is no v5)– Adds address space

– Adds security, QoS

– Provides for additional routing capabilities

– Improves housekeeping

– Ability to add features in the future.

– Being implemented by US DoD


ECE579S/6 #73

IP Version 4 Structure

Source: http://www.freesoft.org/CIE/Course/Section3/7.htm

4


ECE579S/6 #74

IP Version 6 Structure

Source: http://courseptr.com/downloads/chapterpreview/MUDGameProgch1.pdf

6


ECE579S/6 #75

IP in Short

• “Democracy is the worst form of government except for all those others that have been tried.” -Winston Churchill

• This kind of describes IP– Not the best protocol ever established– But one of the most ubiquitous– It isn’t going away—huge investment in it


ECE579S/6 #76

The Future: One Version

• Every outlet, light, and appliance in a home or office will have its own IP address

• IP-enabled appliances are already available

• Security issues here?

LG GR-D267DTU Internet Refrigerator


ECE579S/6 #77

IP Security

• Using the original IP standards, this is an oxymoron

• Needs– Protection from eavesdropping– Protection from spoofing– Provision for secure user-to-user traffic

• Problems– IP not designed for this


ECE579S/6 #78

Enter IPSec• IPSec intended to meet the security needs of

IP networks, especially the Internet – Originally intended to come in as part of IP v6– IP v6 may never come for many folks, and most

of the IPSec functionality has become available in IP v4

– Widely available in products such as virtual private networks, etc.

– More info at http://unixwiz.net/techtips/iguide-ipsec.html


ECE579S/6 #79

What Does IPSec Do?• Enables secure VPNs over public networks• Allows secure remote access over public

networks• Facilitates secure connectivity with business

partners, especially temporarily• Improves eCommerce security• It does all this using the cryptographic tools

we have studied. Now we’ll see how.


ECE579S/6 #80

IPSec Features

• Can be applied at the perimeter– In-house traffic avoids security overhead that

may not actually be needed

• Lies below the transport layer, so is transparent to applications

• Can be made transparent to end users, which keeps training and support costs low

• Can support individual user security


ECE579S/6 #81

Services

• Access control

• Datagram integrity

• Sender authenticity

• Replay protection

• Message body confidentiality

• Traffic flow security (very limited, though)


ECE579S/6 #82

Security Association• IPSec concept that defines the relationship

between one party and another for security– ONE-WAY! (i.e., not reflexive)– If A & B have bilateral security needs, two security

associations are required

• Defined by– Security parameters index (SPI)– Destination IP address– Security protocol identifier


ECE579S/6 #83

So...

• Security association (SA) is uniquely defined by – Destination address in the IP header, and– SPI in the enclosed extension header (AH or

ESP)

• What’s an extension header?

• What are AH and ESP?

• Stick around!


ECE579S/6 #84

Security Parameters

• Encapsulating Security Payload (ESP)– Deals with packet encryption

• Authentication Header (AH)– Deals with packet authentication

• Encryption algorithm (several available)

• Authentication algorithm (ditto)

• Key management scheme


ECE579S/6 #85

SA Parameters

• Sequence number counter• Sequence counter overflow flag• Anti-replay window• AH information• ESP information• SA lifetime• IPSec protocol mode (tunnel, transport, wildcard)• Path MTU


ECE579S/6 #86

Policy

• Association of traffic with SAs is done by the Security Policy Database (SPD)

• Each SPD entry is defined by a selector– Selectors filter outbound traffic

• Compare packet selector fields with SPD to find matching SPD entry; points to zero or more SAs

• Determine SA for this packet and its SPI (Security Parameters Index)

• Perform the required processing (AH or ESP)


ECE579S/6 #87

Authentication Header (AH)

• Supports data integrity and authentication– Assures data modification will be detected– Also guards against replay

• Based on Message Authentication Code (MAC) – Requires shared secret key


ECE579S/6 #88

AH Fields

• Next header– Identifies type of header that follows

• Payload length

• Reserved for future use

• SPI (defines an SA)

• Sequence number

• Authentication data


ECE579S/6 #89

AH Overview

0 8 16 31

Next header PayloadLength (reserved)

SPI

Sequence number

Authentication data (variable length)


ECE579S/6 #90

Overview of Headers(IP v4)

OriginalIP header TCP Payload (data)

OriginalIP header TCP Payload (data)AH

Standard

Transport mode

OriginalIP header TCP Payload (data)AHNew

IP headerTunneling

mode


ECE579S/6 #91

Integrity Check Value (ICV)• Included in the Authentication Data field

– Based on HMAC (keyed hash)• HMAC MD5• HMAC SHA-1

– 96 MSB of HMAC result used for ICV– HMAC calculated over

• Immutable or predictable IP header fields• The AH header except the Authentication Data field• The entire upper-level protocol data


ECE579S/6 #92

Anti-Replay Service

• Replay: retransmission of an already-authenticated packet at a later time– A favorite way to break into or disrupt services

• IPSec implements anti-replay using the Sequence Number field (32 bits), so the maximum Sequence Number is 232

• If the Sequence Number would wrap around, a new SA, with new key, is needed


ECE579S/6 #93

Anti-Replay in Action

• Sender initializes sequence counter to 0, increments counter by 1 for every packet sent

• Counter value is placed in SN field• Receiver has a problem:

– IP is connectionless, so packets can arrive in any order

– IP doesn’t guarantee delivery (that is done by TCP), so packets can -- and do -- go missing


ECE579S/6 #94

Anti-Replay at the Receiver

• Receiver maintains a sliding window over received packets, default width = 64 = W

• Right edge of window holds highest SN packet so far received that is valid

• All slots from (N-W+1) to N that have been authenticated are marked


ECE579S/6 #95

Window Management

• If new packet is within the window and is new, the corresponding slot is marked

• If new packet is outside window to the right, and is authenticated, window is moved to the right and slot is marked

• If new packet is outside the window to the left, or if not authenticated, packet discarded and audit event raised


ECE579S/6 #96

The Window in Action

Window

N-W

N

Space for valid packetnot yet received

Received, valid, marked

The window makes replay attacks much more difficult, as they would have to occur within the width of the window: possible, but unlikely (most of the time)


ECE579S/6 #97

IPSec Authentication: Transport Mode

• Transport Mode uses the Authentication Header (AH)– IP v4: AH inserted after original IP header, but

before the IP payload– IP v6: AH is an end-to-end payload, not

examined by intermediate routers. So, AH comes after the other IP v6 header routing fields (base, hop-to-hop, etc.)

• Clearly, AH does not provide data confidentiality


ECE579S/6 #98

IPSec Authentication: Tunnel Mode

• Entire original IP packet authenticated– AH inserted before original IP header and after

new “outer” IP header– Allows placing original routing info within the

authentication envelope, but more importantly– Allows a new set of IP addresses to be used as a

wrapper for the original packet

• As we shall see, this forms the basis for IPSec-based virtual private networks.


ECE579S/6 #99

Encapsulating Security Payload (ESP)

• Provides confidentiality services– Optionally, can also provide authenticity

• Fields– SPI

– Sequence number

– Payload data

– Padding

– Pad length

– Next header


ECE579S/6 #100

ESP

SPI

Sequence number

Payload data (variable length)

Padding (0-255 bytes)

Pad length Next header

Authentication data (variable)

AuthenticationCoverage

ConfidentialityCoverage


ECE579S/6 #101

Encryption Algorithms

• Confidentiality services provided by symmetric cryptography

• Algorithms supported:– DES (CBC) – TDEA (three key)– IDEA – Three key triple IDEA– CAST – Blowfish– AES – RC5

• MAC same as AH (96-bit HMAC)


ECE579S/6 #102

Padding?

• Extends the plaintext to a multiple of some number of bytes to accommodate those encryption algorithms that require fixed block sizes (e.g. DES, AES)

• Ensures that the end of the Next Header field is right-aligned with the 32-bit word

• Can be used to provide partial traffic flow security, by concealing payload length


ECE579S/6 #103

Transport mode ESP Service

• Encrypts data carried by IP– Optionally, also authenticates the data



ESPheader

Standard

Transport mode ESPtrlr

ESPauth

Encrypted

Authenticated


ECE579S/6 #104

Transport Mode

• Provides end-to-end confidentiality

• Is transparent to applications

• Is efficient, adds little extra to IP overhead

• Does not provide traffic flow security– Possible to analyze source - destination traffic

flows and volumes– Useful for drawing conclusions about

associations, workload, etc.


ECE579S/6 #105

Tunneling Mode ESP

• Encrypts the entire IP packet– Including the original source, destination


NewIP header

Tunnelingmode

ESPheader

ESPtrlr

ESPauth

OriginalIP header TCP Payload (data)Standard

Encrypted

Authenticated


ECE579S/6 #106

Tunneling Mode

• Encrypts entire original IP packet, including source and destination addresses– Can help to counter traffic analysis

• Allows construction of secure virtual private networks (VPNs) over unsecured networks

• Useful when firewalls in the path -- security can be done only at the network edge


ECE579S/6 #107

VPN Example

Edge routers need info about the other end of the network

IPSec starts/ends here


ECE579S/6 #108

SA Limits• An individual SA can implement either AH or

ESP, but not both

• But, sometimes both services are needed– This requires multiple SA’s in the same traffic

flow– Just as with Feistel encryption/decryption key

scheduling, we must “unwrap” the SA’s in inverse order to their application

– Referred to as SA bundle


ECE579S/6 #109

Key Management

• IPSec has many good features. Performing key distribution manually is not one of them

• Protocol has been developed to provide for session key distribution– Internet Key Exchange (IKE) [RFC 4306]

– IKE incorporates• ISAKMP [RFC 2408]

• Oakley

• A few other things

– Current version referenced above (Dec 2005) is v2


ECE579S/6 #110

Diffie-Hellman Revisited• Advantages

– Generates keys only when required– Requires no preexisting infrastructure

• Disadvantages– No authentication of communicating parties– Vulnerable to man-in-the-middle attack– Computationally intensive

• Slow

• Vulnerable to denial of service attack


ECE579S/6 #111

Oakley Key Determination

• Based on D-H, but improved (RFC 2412)

• Advantages over Diffie-Hellman– Uses cookies to avoid denial of service attacks– Enables prior negotiation of global parameters– Uses nonces to guard against replay– Allows exchange of D-H public key values– Authenticates D-H exchange (defeats man-in-

the-middle attacks)


ECE579S/6 #112

Nonce

• nonce (nns) noun– The present or particular occasion: “Her tendency

to discover a touch of sadness had for the nonce disappeared” (Theodore Dreiser).

– [From Middle English for the nones, for the occasion]

• The American Heritage® Dictionary of the English Language, Third Edition, 1992, Houghton Mifflin Company

• Say what?• In cryptography, a nonce is a pseudorandom

number bearing a timestamp


ECE579S/6 #113

Oakley Authentication

• Three types available– Digital Signature– Asymmetric-key cryptography– Symmetric-key cryptography

• This guards against man-in-the-middle attacks


ECE579S/6 #114

We Like IKE

• IKE is an IPSec protocol that defines the procedures and formats needed to establish, negotiate, modify, or delete Security Associations within IPSec

• Built on the ISAKMP protocol, which is sometimes viewed as IKE v0.1

• ISAKMP notation still in wide use, but officially, it is now IKE


ECE579S/6 #115

IPSec Summary• IPSec is a complex security protocol, originally

developed for roll-out with IP v6

• Provides authentication, integrity, and confidentiality services to IP transmission

• IKE improves on basic protocols like D-H

• Many implementations available for IP v4, so it it usable today

• Authentication and encapsulation services provide a basis for VPNs


ECE579S/6 #116

Homework

• Read Chapters 6 & 32 in the text

• Examine the structure of the IPSec protocol and how it is applied. Write a critique of the benefits and possible pitfalls of using this protocol to secure a network. How does IPSec relate to HAIPE (High Assurance IP Encryption)?

ece579s/6 #1 spring 2011 © 2000-2011, richard a. stanley ece579s computer security 6: access...

Documents

stanley access

stanley summary of access

stanley discretionary

access rights

mandatory access control

security policy

stanley bell lapadula

formal computer security