Post on 22-Dec-2015
Spring 2011 © 2000-2011, Richard A. Stanley
ECE579S/6 #1
ECE579S Computer Security
6: Access Control Revisited, IPSec
Professor Richard A. Stanley, P.E.
ECE579S/6 #2
Summary of Access Control
• It’s all about protection
• Identification ties a physical entity to an abstract identity
• Authentication verifies the identity of both entities: the user and the computer
• Policy and audit trails are critical
• No shortage of folks trying to break in
ECE579S/6 #3
Perspective
• Computer security field is relatively new
– Most of the key contributors to the theory are still practicing professionals
• LaPadula at MITRE in MA
• Bell consulting in VA
• Lipner at Microsoft in Redmond, WA
• Ken Biba is co-founder of Novarum in CA
• …etc.
– This field is still developing, and all of us can have a major part in that.
• What other area today can make that claim?
ECE579S/6 #4
Access Control
• The basic method of providing any kind of security
• Much easier to describe than to implement
• Must operate within bounds
– Theoretical
– Legal
– Sociologically acceptable
– …etc.
ECE579S/6 #5
Discretionary and Mandatory Access Control
• Who decides the access rights?
• Discretionary access control (DAC): the owner of a resource decides
• Mandatory access control (MAC): the administration decides (based on the policy in use)
• Most widely-used operating systems have discretionary access control
ECE579S/6 #6
Other Problems
• Disclosure
– Some would argue that in a military setting, this is a non-problem, where it might be a significant issue in a commercial system. What say you?
• Aggregation
– Obtaining sensitive information by collecting lots of “unsensitive” information
– How can this be a problem?
ECE579S/6 #7
Different Types of Access Control
• Originator-controlled
• Role-based
• Issues:
– Who should access data vs. who will access it?
– Implementation of MAC and DAC
• Detailed analysis left for student based on readings
ECE579S/6 #8
Bell & LaPadula: What’s the Big Fuss?
• The BLP model was the first formal computer security model, and led the way for developments by others
• The BLP model captures many of the critical issues that must be instantiated in a security policy if it is to be meaningful
• This model is fairly easily transformed into actual security policies aimed at people
ECE579S/6 #9
Computer Security Models
• Deal with computers (doh!)
– Which have no memory unless we give it to them
– Which have no social organization that makes them vulnerable to risks that plague humans
• Don’t necessarily capture or map well to human behavior
ECE579S/6 #10
Lipner’s Security Requirements
• Users will not write their own programs
• Program development will not be done on production systems
• Special process required to install program from development to production system
• The above special process must be both controlled and audited
• Managers and auditors must have access to both system state and system logs
ECE579S/6 #11
Principles of Operation
• These follow from Lipner’s Rules
• Separation of duties
– Critical functions broken into steps, where no single individual can perform all needed steps
• Separation of functions
– Development and production systems separated to prevent info leakage from one to the other
• Audit
– Analyze what actually was done, compare to policies, identify inappropriate actions (if any)
– Done by still another group of individuals from above
ECE579S/6 #12
Lipner Again
• Merged Bell-LaPadula and Biba models to obtain an integrity matrix model
• Focused on Lipner’s impression of commercial needs
• Requires implementation of a lattice of security and integrity labels
ECE579S/6 #13
Lattice Models
• Labels consist of both security label and some other label(s), the second one typically called a compartment or category
• Managing a lattice security model can be a challenge, especially as the number of entries in the lattice grows
ECE579S/6 #14
What’s a Lattice?
• A lattice is a mathematical structure whose elements:
– Are under a relational operator (written a ≤ b below)
– Are ordered under a partial ordering
• For all a, b, c ∈ L, if a ≤ b and b ≤ c, then a ≤ c (transitive)
• For all a, b ∈ L, if a ≤ b and b ≤ a, then a = b (antisymmetric)
ECE579S/6 #15
Lattice Example
[Figure: lattice diagram; one of the points shown is <confidential, {a}>]
These are NOT the same point in the lattice!
ECE579S/6 #16
Comparability
• Not every pair in the lattice needs to be comparable
• Largest element: <Top Level; all compartments>
• Smallest element: <Unclassified; no compartments>
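Added example (not from the slides): the <level; compartments> lattice of the last three slides in Python, with the dominance relation, a check that it really is a partial order, and the two BLP rules stated over it. The level names and the compartments {a, b} are constructed for the demonstration.

```python
from dataclasses import dataclass
from itertools import combinations, product
from typing import FrozenSet, List

# Constructed example: four sensitivity levels (lowest to highest) and two compartments.
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")
COMPARTMENTS = frozenset({"a", "b"})


@dataclass(frozen=True)
class Label:
    """A lattice point <level; set of compartments>."""
    level: str
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """The partial order: self >= other iff the level is at least as high
        AND self's compartments include every compartment of other."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def comparable(x: Label, y: Label) -> bool:
    """Not every pair is comparable: same level with different compartments is not."""
    return x.dominates(y) or y.dominates(x)


def join(x: Label, y: Label) -> Label:
    """Least upper bound: the lowest label that dominates both."""
    lvl = LEVELS[max(LEVELS.index(x.level), LEVELS.index(y.level))]
    return Label(lvl, x.compartments | y.compartments)


def meet(x: Label, y: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both."""
    lvl = LEVELS[min(LEVELS.index(x.level), LEVELS.index(y.level))]
    return Label(lvl, x.compartments & y.compartments)


def all_labels() -> List[Label]:
    """Every point of the lattice: each level paired with each subset of compartments."""
    subsets = [frozenset(c) for n in range(len(COMPARTMENTS) + 1)
               for c in combinations(sorted(COMPARTMENTS), n)]
    return [Label(lvl, s) for lvl, s in product(LEVELS, subsets)]


TOP = Label(LEVELS[-1], COMPARTMENTS)        # <Top Secret; all compartments>
BOTTOM = Label(LEVELS[0], frozenset())       # <Unclassified; no compartments>


def is_partial_order() -> bool:
    """Check reflexivity, antisymmetry and transitivity of 'dominates' over the whole lattice."""
    pts = all_labels()
    reflexive = all(a.dominates(a) for a in pts)
    antisymmetric = all(a == b for a in pts for b in pts
                        if a.dominates(b) and b.dominates(a))
    transitive = all(a.dominates(c) for a in pts for b in pts for c in pts
                     if a.dominates(b) and b.dominates(c))
    return reflexive and antisymmetric and transitive


def blp_read_allowed(subject: Label, obj: Label) -> bool:
    """BLP simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def blp_write_allowed(subject: Label, obj: Label) -> bool:
    """BLP *-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)
```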
ECE579S/6 #17
Combining Different Models
• Combinations of models can be useful, but they must be made carefully
• For example, when combining BLP and Biba there is a decision: use the same security labels for both models’ rules or not?
– If yes, then special care has to be paid to avoid a system where access is allowed only to same-level objects (unless you really know that that is what you want)
ECE579S/6 #18
The Objectives
• Secure computing systems
– Software
– Hardware
• Security policies that can be tracked to the underlying, proven security model
• This is not easy to do
• Important not to let the model become the objective; it is a tool to get you there
ECE579S/6 #19
Operating System Security
[Figure: layered stack, bottom to top: Hardware, OS Kernel, Operating System, Services, Applications. Annotations: “We have been here”; “If the goal is to do security at the lowest level, what are we doing here?”]
It falls to the O/S to implement many, if not most, of the tasks needed to implement computer security.
ECE579S/6 #20
YASM: Yet Another Security Model
[Figure: OS security model diagram with the elements Accounts, Users, Privileges, ID & Auth., Permissions, Authorization, Configuration and Audit Log grouped under “OS Security”]
ECE579S/6 #21
Operating Systems of Interest
• Unix
– Many versions, discussion is generic
– Basis for Mac OS X
• Windows NT
– Also many versions, much in common
– Security model for Win 2K, XP, Vista, etc.
ECE579S/6 #22
Unix Security Architecture
• Utilizes hardware security levels
• Users and passwords
• Groups and passwords
• Superuser--kernel executes in Level 0
• Controlled invocation
• Permissions attached to files -- ACL
ECE579S/6 #23
Unix Permissions
• Only three:
– r: read
– w: write
– x: execute
• Others
– s: SUID program (in user permissions)
– s: SGID program (in group permissions)
• Permissions are called modes
ECE579S/6 #24
Unix Users
• All users have a user ID
• UID is a 16-bit number
• Linked to passwords in /etc/passwd
• Unix does not distinguish among users who have the same UID; there is a many-to-one correlation of actual users to UID
• UID 0 is the superuser
ECE579S/6 #25
Unix Groups
• All Unix users belong to a group
• Association of users to groups is found in /etc/group, whose entries look like:
group name:group password:GID:users
• All members of the group enjoy the group permissions
ECE579S/6 #26
Unix File Structure
• Directory entry is pointer to the inode
• Inode listing looks like:
-rw-r--r-- 2 rstanley ece 153 Feb 28 04:55 sample
• Permissions are checked from left to right
• Unix files all look like text files
ECE579S/6 #27
Files and Other Things
• Unix regards everything as a file, and a text file at that
• Devices look like files, so they are accessed by the path specified
• Placing a “ringer” in the path can lead to security compromises
ECE579S/6 #28
Sequence is Everything
• The order in which things are checked is critical to security
• You must know in intimate detail how things are checked to know if your security measures are adequate
• If privileges are checked in the order user>group>others, will you get a different result than checking others>group>users?
ECE579S/6 #29
Unix Passwords
• Often 8 characters long
• Encrypted using modified DES algorithm
• Stored in /etc/passwd
• Format: user name:encrypted password:user ID:group ID:ID string:home directory:login shell
ECE579S/6 #30
Password File Example
ECE579S/6 #31
Password Crackers
• Crack
– Original Unix password cracker
• John the Ripper
– Command-line tool, dictionary-based
• Star Cracker
– Command-line, brute force
– Runs on DOS
• Cracker Jack
– Cracks Unix passwords, runs on DOS
ECE579S/6 #32
Password Shadowing
• Actual encrypted passwords kept in shadow password file
• /etc/passwd entries for passwords are *
• /etc/passwd is world readable, but shadow file is not
• Makes getting the password file harder, but not impossible
ECE579S/6 #33
SET Mischief
• Must find a way to allow users to execute certain OS functions w/o being superuser
• Solution: SUID and SGID
– Run with permissions of the owner
– Provide temporary access not normally available
• Root often owns SUID and SGID
• Is there a problem here?
ECE579S/6 #34
Changing Permissions
• Modes can be changed by file owner or SU
• In absolute mode, permissions are granted by octal number codes
• Real people prefer literal mode: chmod u+wx,g-rwx,o-rwx sample
• If mode is changed improperly, problems!
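Added example (not the author’s code): the permission string from the inode listing above parsed into mode bits, the user > group > others check that the “Sequence is Everything” slide asks about (with the check order as a parameter purely so the two orders can be compared; real kernels fix it), and the symbolic chmod from this slide applied to those bits. The UIDs and GIDs used are constructed.

```python
import stat
from typing import Iterable, Sequence

WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def parse_ls_mode(text: str) -> int:
    """Turn the mode column of an ls -l line ('-rw-r--r--') into st_mode permission bits.
    A leading file-type character is skipped; s/S and t/T map to SUID, SGID and sticky."""
    if len(text) == 10:
        text = text[1:]
    if len(text) != 9:
        raise ValueError("expected 9 permission characters: %r" % text)
    mode = 0
    for pos, ch in enumerate(text):
        bit = 1 << (8 - pos)                 # pos 0 = owner r (0o400) ... pos 8 = other x (0o001)
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and pos in (2, 5):   # s in the x slot of owner / group
            mode |= stat.S_ISUID if pos == 2 else stat.S_ISGID
            mode |= bit if ch == "s" else 0  # lowercase means x is set as well
        elif ch in "tT" and pos == 8:
            mode |= stat.S_ISVTX
            mode |= bit if ch == "t" else 0
        else:
            raise ValueError("bad permission character %r at position %d" % (ch, pos))
    return mode


def render_mode(mode: int) -> str:
    """Inverse of parse_ls_mode for a regular file, using the standard library."""
    return stat.filemode(stat.S_IFREG | mode)


def unix_access(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: Iterable[int], want: int,
                order: Sequence[str] = ("u", "g", "o")) -> bool:
    """Classic Unix check: the FIRST class in `order` that the subject belongs to decides,
    and the other classes are never consulted. `want` is a mask: 0o4 (r), 0o2 (w), 0o1 (x).
    `order` exists only to demonstrate the slide's question; the kernel always uses u, g, o."""
    if uid == 0:                              # superuser: r/w always, x if anyone may execute
        return want & 0o1 == 0 or mode & 0o111 != 0
    groups = set(gids)
    for cls in order:
        if (cls == "u" and uid == owner_uid) or (cls == "g" and owner_gid in groups) or cls == "o":
            shift = {"u": 6, "g": 3, "o": 0}[cls]
            return ((mode >> shift) & 0o7) & want == want
    return False


def apply_symbolic_chmod(mode: int, spec: str) -> int:
    """Apply a chmod symbolic spec such as 'u+wx,g-rwx,o-rwx' (r, w, x only) to permission bits."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = set(clause[:i]) or {"a"}
        if "a" in who:
            who = {"u", "g", "o"}
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError("bad clause %r" % clause)
        op, perms = clause[i], clause[i + 1:]
        mask = 0
        for w in who:
            for p in perms:
                if p not in PERM_BITS:
                    raise ValueError("unsupported permission %r" % p)
                mask |= PERM_BITS[p] & WHO_BITS[w]
        if op == "+":
            mode |= mask
        elif op == "-":
            mode &= ~mask
        else:                                 # '=': replace the named classes' bits entirely
            clear = 0
            for w in who:
                clear |= WHO_BITS[w]
            mode = (mode & ~clear) | mask
    return mode
```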
ECE579S/6 #35
Changing Owners
• Since the file owner gets to decide about permissions, can the owner be changed?
• Yes! And so can the group.
• chown and chgrp permit exactly those changes to be accomplished, normally only by the superuser (UID 0)
• Lots of opportunity for mischief here
ECE579S/6 #36
Stacks of Trouble
• Stack/buffer overflow: what does this mean?
• What is the stack or buffer, anyway?
• If you know how the OS allocates memory, can you think of a way to exploit this?
• Is it difficult to find out how Unix allocates memory?
ECE579S/6 #37
Exploiting OS Syntax
• In Unix commands, - precedes a flag
• -f is the “force” flag
• So...
– What if we create lots of copies of a file named -foobar.doc?
– How do we delete it?
• rm -foobar.doc: what does this do?
ECE579S/6 #38
Caveats
• Common security tools are usually indicative of where the worst problems can be found
• We have not addressed network security problems; those come next semester
• Be careful of tools and utilities
– You don’t know where they have been!
– Here there may be Trojan Horses
ECE579S/6 #39
Unix Security Summary
• Reasonable security features in the OS
• Superuser can do anything, so anyone who can become superuser can subvert security
• There are a lot of ways to use “holes” in the system to compromise security
• As anywhere else, achieving good security takes effort and time -- two things that are usually in short supply
ECE579S/6 #40
Windows Taxonomy
• The security features of Windows NT, 2000, and XP have their basis in NT
– We’ll refer to all of them as “NT” in the course, but bear in mind that they are quite different
• NT began it all by integrating network and computer operating systems, introducing real security features
• 2000 is essentially NT v5.0
• XP is a re-write; although there is much functional equivalence, the implementing code is very different
ECE579S/6 #41
Windows NT Security Architecture
• Users and kernel in separate rings (3 & 0)
• Object locking
• Data in proprietary formats
• Object oriented--access can vary by object
• Security subsystem
– Security Reference Monitor (SRM, in kernel)
– Local Security Authority (creates SAT in user mode)
– Security Account Manager (user mode)
– Login Process (authenticates user)
ECE579S/6 #42
Registry
• Central configuration database
• Hives contain keys
– HKEY_LOCAL_MACHINE
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_USER
– HKEY_USERS
• Stored in proprietary format
ECE579S/6 #43
Not Only Massachusetts Has Registry Problems
• Default settings allow nearly everyone to change nearly everything
• If a key doesn’t exist and it is checked, no exception is raised
• Proprietary format is no barrier to modification of the registry
• Registry is the key to the system operation
ECE579S/6 #44
Login
• Users login to a user account on a domain
– Domain is a set of machines sharing a common user database and security policy
– Login begins with secure attention sequence
– User name and password matched by LSA with database
– LSA creates a System Access Token containing the SID, attached to access control process
ECE579S/6 #45
NT Password System
• Passwords stored in encrypted form, à la Unix
• Password filtering can be activated by registry key (>5 char., mixed mode, etc.)
• Encrypted passwords stored in SAM database, which is part of the registry
• There is a backup copy of the password file
ECE579S/6 #46
Windows NT Password
• Hashed using a one-way function
– Same approach as Unix, different algorithms
• Stored in SAM database
• SAM database is proprietary format, but tools exist to permit reading it
• Encrypted passwords can be obtained from the database by subterfuge
ECE579S/6 #47
NT Password Crackers
• L0phtcrack
– GUI, fast
• John the Ripper
– Command-line tool, dictionary-based
– Unix, but cracks LanMan hashes
• Crack 5 with NT extensions
– Many permutations used to crack
– Not easy to use, but powerful
ECE579S/6 #48
Anti-Cracking Countermeasures
• Choose good NT passwords
– Above discussion on length pertains
– Include non-printable ASCII characters for key accounts (like Admin)
• ALT-255 = NUM LOCK
– Protect the SAM
• Physical security for the server
• Keep track of the Admin group
– Implement SYSKEY (NT SP2)
ECE579S/6 #49
SAM’s the Man -- And the Target!
• SAM = Security Accounts Manager
• NT equivalent to Unix /etc/password
• Once you have Admin privileges, this is where the user names and PWs are found
– Backwards compatibility hinders crypto
– LanManager crypto has been broken
– Relatively easy to crack PWs with tools (L0phtcrack can crack all alphanumeric PWs in <24 hrs with a Pentium II @ 450 MHz)
ECE579S/6 #50
Getting the SAM
• Boot to another OS and copy the file
• Get the backup SAM from the repair directory
• Extract PW hashes from the SAM (e.g. with pwdump or pwdump2)
– Newer version bypasses SYSKEY
• Network eavesdropping
ECE579S/6 #51
Exploiting Trust
• Good account administration
– User accounts don’t have Admin privileges
– Local Admin, Domain Admin not mirrored
• Exploit data in Local Security Authority – passwords, hashes, dialup info, etc.
• Autologon
• Keystroke logging
– Many loggers around, often as spyware
ECE579S/6 #52
TOCTTOU
• It’s not a tropical bird
• Time Of Check To Time Of Use
• Critical security parameter in many instances
• Important in Windows NT vis-à-vis the login cache
ECE579S/6 #53
User Account Entries
• User name (login name)
• Full name (real name)
• Password (up to 14 characters)
• Login hours and workstations
• Profile path and login script
• Home directory
• Account type (global or local)
• Expiration date (default is never--is this good?)
ECE579S/6 #54
Windows NT Permissions
• Read: R
• Write: W
• Execute: X
• Delete: D
• Change Access Permissions: P
• Take Ownership: O
ECE579S/6 #55
File Access Permissions
• No Access
• Read (RX)
• Change (RWXD)
• Full Control (all)
• Special Access (any combination)
ECE579S/6 #56
Directory Access Permissions
• Directories have a different permission set from files
• New files inherit permissions from the directory, if it has a permissions set
• Otherwise, everyone has full control for newly created files!
• Another opportunity for mischief
ECE579S/6 #57
Object Access
• Discretionary access based on object type
• Security descriptor stored with object
– Security ID
– Access Control List
• AccessDenied
• AccessAllowed
• SystemAudit
– System Access Control List
ECE579S/6 #58
Access Control
• Local and global groups
• User rights
• Built-in groups
• Trust relationships
– Set up by system administrator
– Trust is NOT transitive
– Trust is NOT reflexive
• Mandatory profiles
ECE579S/6 #59
Audit Log
• Windows NT keeps an audit log
– Events generated by SRM
• Maximum log size is settable
• Options when full
– Overwrite, beginning with oldest entries
– Overwrite events older than specified interval
– Halt (i.e., do not overwrite)
ECE579S/6 #60
DLL’s
• Dynamic Link Libraries are software modules linked to executing programs at run time
• DLL’s run with rights of the host program
• DLL’s are found by searching the path
• Can be spoofed by putting a Trojan Horse earlier in the search sequence, for example, or by replacing with a bogus DLL
ECE579S/6 #61
Windows NT Security Summary
• Comprehensive set of security tools, arguably better than Unix
• Complexity is also an opportunity to subvert
• Windows NT not markedly more secure than Unix
ECE579S/6 #62
Machine Logon Security
• This is beneath the OS
• BIOS-level user identity check
– What happens if you forget your ID?
– Is this a foolproof approach?
• Consider the machine as an assemblage of parts rather than a unified and inseparable whole
ECE579S/6 #63
O/S Summary
• We depend on the OS to implement low-level security features
• OS security varies widely with the OS
• Security features are valuable, but not bulletproof
• The OS is an adjunct level for security implementation, but not the root level
• Security measures must be designed into an OS; they cannot be bolted on later.
ECE579S/6 #64
ISO Protocol Model (again)
[Figure: layered protocol stack; labels visible include Protocols, IP, Ethernet / token ring, Electrical standards]
ECE579S/6 #65
Protocol Layering & Internetworking
ECE579S/6 #66
Consider DECNET
ECE579S/6 #67
DECNET
• Supports many Layer 2 protocols
• Address is of form 10.1, where 10 = area number and 1 = node number
• Addresses NOT associated with physical networks to which nodes are connected
ECE579S/6 #68
Compare Appletalk
Source: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/applet.htm
ECE579S/6 #69
Appletalk
• Like DECNET, supports several Layer 2 protocols
• Network addressing schema:
ECE579S/6 #70
How Could We Connect These Two?
• Addressing completely different
• Routing structure different
• Electrical standards different
• …etc.
• In fact, not much similar except that they are both digital networks
• This is why IP came in, and why it remains!
ECE579S/6 #71
IP Overview
• Layer 3 protocol
• Provides packet routing
• Does not ensure reliable delivery—that is left to higher-level protocols, like TCP & UDP
• Facilitates interconnection of dissimilar computers, which is why it is important
ECE579S/6 #72
IP Versions
• Most commonly used version is IP v4, which is widely used worldwide
• Next version is IP v6 (there is no v5)
– Adds address space
– Adds security, QoS
– Provides for additional routing capabilities
– Improves housekeeping
– Ability to add features in the future.
– Being implemented by US DoD
ECE579S/6 #73
IP Version 4 Structure
Source: http://www.freesoft.org/CIE/Course/Section3/7.htm
ECE579S/6 #74
IP Version 6 Structure
Source: http://courseptr.com/downloads/chapterpreview/MUDGameProgch1.pdf
ECE579S/6 #75
IP in Short
• “Democracy is the worst form of government except for all those others that have been tried.” -Winston Churchill
• This kind of describes IP
– Not the best protocol ever established
– But one of the most ubiquitous
– It isn’t going away—huge investment in it
ECE579S/6 #76
The Future: One Version
• Every outlet, light, and appliance in a home or office will have its own IP address
• IP-enabled appliances are already available
• Security issues here?
LG GR-D267DTU Internet Refrigerator
ECE579S/6 #77
IP Security
• Using the original IP standards, this is an oxymoron
• Needs
– Protection from eavesdropping
– Protection from spoofing
– Provision for secure user-to-user traffic
• Problems
– IP not designed for this
ECE579S/6 #78
Enter IPSec
• IPSec intended to meet the security needs of IP networks, especially the Internet
– Originally intended to come in as part of IP v6
– IP v6 may never come for many folks, and most of the IPSec functionality has become available in IP v4
– Widely available in products such as virtual private networks, etc.
– More info at http://unixwiz.net/techtips/iguide-ipsec.html
ECE579S/6 #79
What Does IPSec Do?
• Enables secure VPNs over public networks
• Allows secure remote access over public networks
• Facilitates secure connectivity with business partners, especially temporarily
• Improves eCommerce security
• It does all this using the cryptographic tools we have studied. Now we’ll see how.
ECE579S/6 #80
IPSec Features
• Can be applied at the perimeter
– In-house traffic avoids security overhead that may not actually be needed
• Lies below the transport layer, so is transparent to applications
• Can be made transparent to end users, which keeps training and support costs low
• Can support individual user security
ECE579S/6 #81
Services
• Access control
• Datagram integrity
• Sender authenticity
• Replay protection
• Message body confidentiality
• Traffic flow security (very limited, though)
ECE579S/6 #82
Security Association
• IPSec concept that defines the relationship between one party and another for security
– ONE-WAY! (i.e., not reflexive)
– If A & B have bilateral security needs, two security associations are required
• Defined by
– Security parameters index (SPI)
– Destination IP address
– Security protocol identifier
ECE579S/6 #83
So...
• Security association (SA) is uniquely defined by
– Destination address in the IP header, and
– SPI in the enclosed extension header (AH or ESP)
• What’s an extension header?
• What are AH and ESP?
• Stick around!
ECE579S/6 #84
Security Parameters
• Encapsulating Security Payload (ESP)
– Deals with packet encryption
• Authentication Header (AH)
– Deals with packet authentication
• Encryption algorithm (several available)
• Authentication algorithm (ditto)
• Key management scheme
ECE579S/6 #85
SA Parameters
• Sequence number counter
• Sequence counter overflow flag
• Anti-replay window
• AH information
• ESP information
• SA lifetime
• IPSec protocol mode (tunnel, transport, wildcard)
• Path MTU
ECE579S/6 #86
Policy
• Association of traffic with SAs is done by the Security Policy Database (SPD)
• Each SPD entry is defined by a selector
– Selectors filter outbound traffic
• Compare packet selector fields with SPD to find matching SPD entry; points to zero or more SAs
• Determine SA for this packet and its SPI (Security Parameters Index)
• Perform the required processing (AH or ESP)
ECE579S/6 #87
Authentication Header (AH)
• Supports data integrity and authentication
– Assures data modification will be detected
– Also guards against replay
• Based on Message Authentication Code (MAC)
– Requires shared secret key
ECE579S/6 #88
AH Fields
• Next header
– Identifies type of header that follows
• Payload length
• Reserved for future use
• SPI (defines an SA)
• Sequence number
• Authentication data
ECE579S/6 #89
AH Overview
 0               8               16                              31
+---------------+---------------+-------------------------------+
|  Next header  | Payload length|          (reserved)           |
+---------------+---------------+-------------------------------+
|                              SPI                              |
+---------------------------------------------------------------+
|                        Sequence number                        |
+---------------------------------------------------------------+
|              Authentication data (variable length)            |
+---------------------------------------------------------------+
ECE579S/6 #90
Overview of Headers (IP v4)
Standard:        [Original IP header][TCP][Payload (data)]
Transport mode:  [Original IP header][AH][TCP][Payload (data)]
Tunneling mode:  [New IP header][AH][Original IP header][TCP][Payload (data)]
ECE579S/6 #91
Integrity Check Value (ICV)
• Included in the Authentication Data field
– Based on HMAC (keyed hash)
• HMAC MD5
• HMAC SHA-1
– 96 MSB of HMAC result used for ICV
– HMAC calculated over
• Immutable or predictable IP header fields
• The AH header except the Authentication Data field
• The entire upper-level protocol data
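Added example (not from the slides): transport-mode AH for IPv4 in Python, building the header laid out on the “AH Overview” slide and computing HMAC-SHA-1-96 over the predictable IP header fields, the AH with its ICV zeroed, and the upper-layer payload, exactly as listed above. The key, addresses and TCP segment are constructed; the IP header checksum is left at zero because it is a mutable field and excluded from the ICV anyway.

```python
import hashlib
import hmac
import struct

IPPROTO_AH = 51       # protocol / "next header" value announcing an AH
IPPROTO_TCP = 6
ICV_LEN = 12          # HMAC-SHA-1-96: the 96 most significant bits of the HMAC


def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | 5,   # version 4, IHL 5 words
                       0,              # TOS / DSCP+ECN (mutable)
                       total_len,
                       0x1234,         # identification
                       0x4000,         # flags (DF) + fragment offset (mutable)
                       ttl,            # TTL (mutable: decremented by every router)
                       proto,
                       0,              # header checksum (mutable)
                       src, dst)


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """RFC 4302: fields a router may change in transit are zeroed before the HMAC;
    the immutable ones (addresses, length, protocol, ...) are covered as sent."""
    b = bytearray(hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    """Next header | payload length | reserved | SPI | sequence number | authentication data.
    Payload length is the AH length in 32-bit words minus 2 (24 bytes -> 6 words -> 4)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, ah: bytes, upper: bytes) -> bytes:
    """HMAC over the predictable IP fields, the AH with its ICV field zeroed, and the whole
    upper-layer data; truncated to 96 bits."""
    ah_zeroed = ah[:12] + b"\x00" * (len(ah) - 12)
    mac = hmac.new(key, zero_mutable_ipv4(ip_hdr) + ah_zeroed + upper, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def ah_protect(key: bytes, src: bytes, dst: bytes, spi: int, seq: int, tcp_segment: bytes) -> bytes:
    """Transport-mode AH for IPv4: original IP header, then AH, then the original payload."""
    ah = ah_header(IPPROTO_TCP, spi, seq)
    ip_hdr = ipv4_header(src, dst, 20 + len(ah) + len(tcp_segment), ttl=64, proto=IPPROTO_AH)
    icv = compute_icv(key, ip_hdr, ah, tcp_segment)
    return ip_hdr + ah[:12] + icv + tcp_segment


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != IPPROTO_AH:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, upper = rest[:ah_len], rest[ah_len:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah, upper), ah[12:12 + ICV_LEN])


# Constructed sample: a demo key and a fake TCP segment between two private addresses.
DEMO_KEY = b"constructed-demo-key-not-for-use"
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SEGMENT = b"\x00\x50\x1f\x90" + b"ECE579S demo TCP segment"

if __name__ == "__main__":
    pkt = ah_protect(DEMO_KEY, SRC, DST, spi=0x100, seq=1, tcp_segment=SEGMENT)
    routed = bytearray(pkt)
    routed[8] -= 1                 # a router decrements TTL: the ICV still verifies
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01           # one payload bit flipped: the ICV no longer matches
    print(ah_verify(DEMO_KEY, pkt), ah_verify(DEMO_KEY, bytes(routed)),
          ah_verify(DEMO_KEY, bytes(tampered)))
```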
ECE579S/6 #92
Anti-Replay Service
• Replay: retransmission of an already-authenticated packet at a later time
– A favorite way to break into or disrupt services
• IPSec implements anti-replay using the Sequence Number field (32 bits), so the maximum Sequence Number is 2^32
• If the Sequence Number would wrap around, a new SA, with new key, is needed
ECE579S/6 #93
Anti-Replay in Action
• Sender initializes sequence counter to 0, increments counter by 1 for every packet sent
• Counter value is placed in SN field
• Receiver has a problem:
– IP is connectionless, so packets can arrive in any order
– IP doesn’t guarantee delivery (that is done by TCP), so packets can -- and do -- go missing
ECE579S/6 #94
Anti-Replay at the Receiver
• Receiver maintains a sliding window over received packets, default width = 64 = W
• Right edge of window holds highest SN packet so far received that is valid
• All slots from (N-W+1) to N that have been authenticated are marked
ECE579S/6 #95
Window Management
• If new packet is within the window and is new, the corresponding slot is marked
• If new packet is outside window to the right, and is authenticated, window is moved to the right and slot is marked
• If new packet is outside the window to the left, or if not authenticated, packet discarded and audit event raised
ECE579S/6 #96
The Window in Action
[Figure: window of width W with left edge N-W and right edge N; each slot is either “Received, valid, marked” or “Space for valid packet not yet received”]
The window makes replay attacks much more difficult, as they would have to occur within the width of the window: possible, but unlikely (most of the time)
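Added example (not from the slides): the sender counter and the receiver’s sliding window from the last four slides in Python, with W = 64, the right edge N, and an audit event on every discard. `receive` takes the ICV result as a boolean, since authentication itself is a separate step; the sequence numbers fed in are constructed.

```python
from typing import List, Tuple

SEQ_MAX = 2 ** 32 - 1        # largest value the 32-bit Sequence Number field can hold


class AhSender:
    """Sender side: counter starts at 0 and is incremented before each packet, so the first
    packet carries SN 1; rather than wrapping, the SA must be replaced (new key)."""
    def __init__(self) -> None:
        self.counter = 0

    def next_sequence_number(self) -> int:
        if self.counter >= SEQ_MAX:
            raise RuntimeError("sequence number would wrap: establish a new SA")
        self.counter += 1
        return self.counter


class AntiReplayWindow:
    """Receiver side: a window of width W whose right edge N is the highest SN authenticated
    so far. Bit i of the bitmap records that SN (N - i) has been received, 0 <= i < W."""
    def __init__(self, width: int = 64) -> None:
        self.W = width
        self.N = 0
        self.bitmap = 0
        self.audit: List[str] = []

    def check(self, seq: int) -> Tuple[bool, str]:
        """Cheap pre-authentication screen, done before the HMAC is computed."""
        if seq == 0:
            return False, "SN 0 is never sent"
        if seq > self.N:
            return True, "right of window"
        if seq <= self.N - self.W:
            return False, "left of window (too old)"
        if (self.bitmap >> (self.N - seq)) & 1:
            return False, "replay (slot already marked)"
        return True, "inside window, new"

    def mark(self, seq: int) -> None:
        """Called only after the ICV verified: mark the slot, sliding the window if needed."""
        if seq > self.N:
            shift = seq - self.N
            self.bitmap = (self.bitmap << shift) & ((1 << self.W) - 1) if shift < self.W else 0
            self.N = seq
        self.bitmap |= 1 << (self.N - seq)

    def receive(self, seq: int, icv_valid: bool) -> str:
        """Full receiver procedure for one packet; returns its disposition."""
        ok, why = self.check(seq)
        if not ok:
            self.audit.append("SN %d discarded: %s" % (seq, why))
            return "discard: " + why
        if not icv_valid:
            self.audit.append("SN %d discarded: authentication failed" % seq)
            return "discard: authentication failed"
        self.mark(seq)
        return "accept: " + why
```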
ECE579S/6 #97
IPSec Authentication: Transport Mode
• Transport Mode uses the Authentication Header (AH)
– IP v4: AH inserted after original IP header, but before the IP payload
– IP v6: AH is an end-to-end payload, not examined by intermediate routers. So, AH comes after the other IP v6 header routing fields (base, hop-by-hop, etc.)
• Clearly, AH does not provide data confidentiality
ECE579S/6 #98
IPSec Authentication: Tunnel Mode
• Entire original IP packet authenticated
– AH inserted before original IP header and after new “outer” IP header
– Allows placing original routing info within the authentication envelope, but more importantly
– Allows a new set of IP addresses to be used as a wrapper for the original packet
• As we shall see, this forms the basis for IPSec-based virtual private networks.
ECE579S/6 #99
Encapsulating Security Payload (ESP)
• Provides confidentiality services
– Optionally, can also provide authenticity
• Fields
– SPI
– Sequence number
– Payload data
– Padding
– Pad length
– Next header
ECE579S/6 #100
ESP
+-------------------------------------------+
|                    SPI                    |
+-------------------------------------------+
|              Sequence number              |
+-------------------------------------------+
|       Payload data (variable length)      |
+-------------------------------------------+
|           Padding (0-255 bytes)           |
+---------------------+---------------------+
|      Pad length     |     Next header     |
+---------------------+---------------------+
|      Authentication data (variable)       |
+-------------------------------------------+
Authentication coverage: SPI through Next header.
Confidentiality coverage: Payload data through Next header.
ECE579S/6 #101
Encryption Algorithms
• Confidentiality services provided by symmetric cryptography
• Algorithms supported:
– DES (CBC)
– TDEA (three key)
– IDEA
– Three key triple IDEA
– CAST
– Blowfish
– AES
– RC5
• MAC same as AH (96-bit HMAC)
ECE579S/6 #102
Padding?
• Extends the plaintext to a multiple of some number of bytes to accommodate those encryption algorithms that require fixed block sizes (e.g. DES, AES)
• Ensures that the end of the Next Header field is right-aligned with the 32-bit word
• Can be used to provide partial traffic flow security, by concealing payload length
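Added example (not from the slides): the ESP padding computation in Python, rounding Payload + Padding + Pad Length + Next Header up to the cipher block size and to a 32-bit boundary, with an optional minimum length to hide the true payload size, plus the receiver-side trailer check. The 1, 2, 3, … padding content is the RFC 4303 default; the block sizes and payloads used are constructed.

```python
import math
from typing import Tuple


def esp_pad_length(payload_len: int, block_size: int, min_total: int = 0) -> int:
    """Bytes of Padding so that Payload + Padding + Pad Length + Next Header (2 bytes) is a
    multiple of the cipher block size AND ends on a 32-bit boundary. `min_total` lets the
    sender round the plaintext up further to conceal the real payload length."""
    unit = block_size * 4 // math.gcd(block_size, 4)      # lcm(block_size, 4)
    body = max(payload_len + 2, min_total)
    padded = -(-body // unit) * unit                       # round up to the next unit
    pad = padded - payload_len - 2
    if pad > 255:
        raise ValueError("padding field holds at most 255 bytes; lower min_total")
    return pad


def build_esp_body(payload: bytes, next_header: int, block_size: int, min_total: int = 0) -> bytes:
    """Plaintext of the confidentiality-covered part: Payload | Padding | Pad Length | Next Header.
    Default padding content is the byte sequence 1, 2, 3, ..., which the receiver can check."""
    pad_len = esp_pad_length(len(payload), block_size, min_total)
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def strip_esp_body(body: bytes) -> Tuple[bytes, int]:
    """Receiver: read the trailer from the end, verify the padding pattern, return (payload, next header)."""
    if len(body) < 2:
        raise ValueError("ESP body too short for a trailer")
    pad_len, next_header = body[-2], body[-1]
    if pad_len + 2 > len(body):
        raise ValueError("pad length exceeds body")
    end = len(body) - 2
    if body[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not follow the 1, 2, 3, ... pattern")
    return body[:end - pad_len], next_header
```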
ECE579S/6 #103
Transport mode ESP Service
• Encrypts data carried by IP
– Optionally, also authenticates the data
Standard:        [Original IP header][TCP][Payload (data)]
Transport mode:  [Original IP header][ESP header][TCP][Payload (data)][ESP trlr][ESP auth]
Encrypted: TCP header through ESP trailer. Authenticated: ESP header through ESP trailer.
ECE579S/6 #104
Transport Mode
• Provides end-to-end confidentiality
• Is transparent to applications
• Is efficient, adds little extra to IP overhead
• Does not provide traffic flow security
– Possible to analyze source - destination traffic flows and volumes
– Useful for drawing conclusions about associations, workload, etc.
ECE579S/6 #105
Tunneling Mode ESP
• Encrypts the entire IP packet
– Including the original source, destination
Standard:        [Original IP header][TCP][Payload (data)]
Tunneling mode:  [New IP header][ESP header][Original IP header][TCP][Payload (data)][ESP trlr][ESP auth]
Encrypted: original IP header through ESP trailer. Authenticated: ESP header through ESP trailer.
ECE579S/6 #106
Tunneling Mode
• Encrypts entire original IP packet, including source and destination addresses– Can help to counter traffic analysis
• Allows construction of secure virtual private networks (VPNs) over unsecured networks
• Useful when firewalls in the path -- security can be done only at the network edge
ECE579S/6 #107
VPN Example
[Figure: two networks joined across a public network by IPSec between their edge routers. Annotations: “Edge routers need info about the other end of the network”; “IPSec starts/ends here”]
ECE579S/6 #108
SA Limits
• An individual SA can implement either AH or ESP, but not both
• But, sometimes both services are needed
– This requires multiple SA’s in the same traffic flow
– Just as with Feistel encryption/decryption key scheduling, we must “unwrap” the SA’s in inverse order to their application
– Referred to as SA bundle
ECE579S/6 #109
Key Management
• IPSec has many good features. Performing key distribution manually is not one of them
• Protocol has been developed to provide for session key distribution
– Internet Key Exchange (IKE) [RFC 4306]
– IKE incorporates
• ISAKMP [RFC 2408]
• Oakley
• A few other things
– Current version referenced above (Dec 2005) is v2
ECE579S/6 #110
Diffie-Hellman Revisited
• Advantages
– Generates keys only when required
– Requires no preexisting infrastructure
• Disadvantages
– No authentication of communicating parties
– Vulnerable to man-in-the-middle attack
– Computationally intensive
• Slow
• Vulnerable to denial of service attack
ECE579S/6 #111
Oakley Key Determination
• Based on D-H, but improved (RFC 2412)
• Advantages over Diffie-Hellman
– Uses cookies to avoid denial of service attacks
– Enables prior negotiation of global parameters
– Uses nonces to guard against replay
– Allows exchange of D-H public key values
– Authenticates D-H exchange (defeats man-in-the-middle attacks)
ECE579S/6 #112
Nonce
• nonce, noun
– The present or particular occasion: “Her tendency to discover a touch of sadness had for the nonce disappeared” (Theodore Dreiser).
– [From Middle English for the nones, for the occasion]
• The American Heritage® Dictionary of the English Language, Third Edition, 1992, Houghton Mifflin Company
• Say what?
• In cryptography, a nonce is a pseudorandom number bearing a timestamp
ECE579S/6 #113
Oakley Authentication
• Three types available
– Digital Signature
– Asymmetric-key cryptography
– Symmetric-key cryptography
• This guards against man-in-the-middle attacks
ECE579S/6 #114
We Like IKE
• IKE is an IPSec protocol that defines the procedures and formats needed to establish, negotiate, modify, or delete Security Associations within IPSec
• Built on the ISAKMP protocol, which is sometimes viewed as IKE v0.1
• ISAKMP notation still in wide use, but officially, it is now IKE
ECE579S/6 #115
IPSec Summary
• IPSec is a complex security protocol, originally developed for roll-out with IP v6
• Provides authentication, integrity, and confidentiality services to IP transmission
• IKE improves on basic protocols like D-H
• Many implementations available for IP v4, so it is usable today
• Authentication and encapsulation services provide a basis for VPNs
ECE579S/6 #116
Homework
• Read Chapters 6 & 32 in the text
• Examine the structure of the IPSec protocol and how it is applied. Write a critique of the benefits and possible pitfalls of using this protocol to secure a network. How does IPSec relate to HAIPE (High Assurance IP Encryption)?