smucse 5349/49 ip sec. smucse 5349/7349 basics network-level: all ip datagrams covered mandatory for...
TRANSCRIPT
SMU CSE 5349/49
IP Sec
SMU CSE 5349/7349
Basics
• Network-level: all IP datagrams covered• Mandatory for next-generation IP (v6),
optional for current-generation (v4)• Authentication-only or confidentiality
too
SMU CSE 5349/7349
Architecture & Concepts
• Host or gateway implementation• Tunnel vs. Transport mode• Security association (SA)
– Security parameter index (SPI)– Security policy database (SPD)– SA database (SAD)
• Encapsulating security payload (ESP)• Authentication header (AH)
SMU CSE 5349/7349
IPSec Placement
• Host implementation– OS integrated, modify the IP code
• Bump-in-the-stack– Layer between data link and IP
• Bump-in-the-wire– IPSec outside host, in a router/firewall– Least intrusive
SMU CSE 5349/7349
A B
Encrypted Tunnel
Gateway Gateway
New IP Header
AH or ESP Header
TCP DataOrig IP Header
Encrypted
Unencrypted Unencrypted
Tunnel vs. Transport Mode
SMU CSE 5349/7349
Transport Mode Security
• ESP protects higher layer payload only• AH can protect IP headers as well as
higher layer payload
IPheader
IPoptions
IPSecheader
Higherlayer protocol
ESP
AH
Real IPdestination
SMU CSE 5349/7349
Tunnel Mode Security
• ESP applies only to the tunneled packet• AH can be applied to portions of the
outer header
Outer IPheader
Inner IPheader
IPSecheader
Higherlayer protocol
ESP
AH
Real IP destinationDestinationIPSecentity
SMU CSE 5349/7349
Security Association - SA
• One way relationship (uni-directional)• Determine IPSec processing for senders• Determine IPSec decoding for
destination• SAs are not fixed! Generated and
customized per traffic flows (manual as well as dynamic)– If manual, no lifetime; dynamic has lifetime
SMU CSE 5349/7349
Security Parameters Index - SPI
• Can be up to 32 bits large• The SPI allows the destination to select
the correct SA under which the received packet will be processed (according to the agreement with the sender)– The SPI is sent with the packet by the
sender
• SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SA
SMU CSE 5349/7349
SA Database - SAD
• Holds parameters for each SA– Lifetime of this SA– AH and ESP information– Tunnel or transport mode
• Every host or gateway participating in IPSec has their own SA database
SMU CSE 5349/7349
SA Bundle
• More than 1 SA can apply to a packet• Example: ESP does not authenticate
new IP header. How to authenticate?– Use SA to apply ESP w/out authentication to
original packet– Use 2nd SA to apply AH
SMU CSE 5349/7349
Security Policy Database - SPD
• What traffic to protect?• Has incoming traffic been properly
secured?• Policy entries define which SA or SA
bundles to be used on IP traffic• Each host or gateway has their own SPD• Index into SPD by Selector fields
– Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, etc.
SMU CSE 5349/7349
SPD Entry Actions
• Discard– Do not let in or out
• Bypass– Outbound: do not apply IPSec– Inbound: do not expect IPSec
• Protect – will point to an SA or SA bundle– Outbound: apply security– Inbound: check that security has been applied
SMU CSE 5349/7349
SPD Protect Action
• If the SA does not exist– Outbound processing: use IKE to generate
SA dynamically– Inbound processing: drop packet
SMU CSE 5349/7349
Is it for IPSec?If so, which policyentry to select?
…
SPD(Policy)
…
SA Database
IP Packet
Outbound packet (on A)
A B
SPI & IPSec Packet
Send to B
Determine the SA and its SPI
IPSec processing
Outbound Processing
SMU CSE 5349/7349
Use SPI to index the SAD
…
SA Database
Original IP Packet
SPI & Packet
Inbound packet (on B) A B
From A
Inbound Processing
…
SPD(Policy)
Was packet properly secured?
SMU CSE 5349/49
Authenticated Header (AH)
SMU CSE 5349/7349
AH Security
• Connectionless integrity– Flow/error control left to transport layer – Data integrity
• Authentication– Can “trust” IP address source– Use MAC to authenticate
• Anti-replay feature• Integrity check value
SMU CSE 5349/7349
Integrity Check Value - ICV
• Message authentication code (MAC) calculated over– IP header field that do not change or are
predictable– IPSec protocol header minus where the ICV
value goes– Upper-level data
• Code may be truncated to first 96 bits
SMU CSE 5349/7349
AH Header Format
SPI
Sequence Number
ICV
Next Header (TCP/UDP)
Payload LengthReserved
SMU CSE 5349/7349
AH Modes
• Tunnel• Transport• Nested headers
– Multiple SAs applied to same message– Nested tunnels
SMU CSE 5349/7349
Processing Outbound Messages
• Insert Next Header and SPI field• Compute the sequence no. field
– If processing < 232 message• Increment• Place new value in AH and SAD
– Else, • Change keys at wrap around if replay protection
is enabled• Else set to 1
SMU CSE 5349/7349
Outbound Processing (cont’d)
• If transport mode, change preceding IP header’s Next Header field to AH
• If tunnel mode, add the tunnel header– Recompute header length, header
checksum etc.
• Compute authentication value
SMU CSE 5349/7349
Outbound Processing (cont’d)ICV
• Calculated on entire IP packet including AH header– Zero out all mutable fields including
authentication data field– Get the key from SA– HMAC-MD5-96 or HMAC-SHA-96– Insert the cryptographic hash code in the
AH header
SMU CSE 5349/7349
Outbound Processing (cont’d)Fragment the Message
• IPSec processing may result in large message which will be fragmented– Transport mode
• Source address initiator of the message• Total message authentication before
fragmentation
– Tunnel mode• Message may have been fragmented already• Authenticate the fragment and further fragment
SMU CSE 5349/7349
Input Processing
• Identify the inbound SA– If not found, drop the packet
• Replay protection check– Drops duplicates within the window– Drops late arrivals outside window– Advances with the receipt of authenticated
message
SMU CSE 5349/7349
Inbound Processing (cont’d)
• Verify authentication data– Authentication hash computed and checked– If no match, discard
• Strip off the AH header and continue IPSec processing for any remaining IPSec headers– Either an upper layer protocol header or a
tunnel header is encountered
SMU CSE 5349/7349
Replay Protection
• Sequence number checking– Anti-replay is used only if authentication is
selected– Sequence number should be the first check
on a packet upon looking up an SA– Duplicates are rejected!
0Sliding Windowsize >= 32
rejectCheck bitmap, verify if new
verify
SMU CSE 5349/7349
Anti-replay Feature
• Sequence number counter - 32 bit for outgoing IPSec packets
• Anti-replay window – 32-bit (or more)– Bit-map for detecting replayed packets– Window should not be advanced until the
packet has been authenticated– Without authentication, malicious packets
with large sequence numbers can advance window unnecessarily
• Valid packets may get dropped
SMU CSE 5349/49
Encapsulated Security Protocol (ESP)
SMU CSE 5349/7349
Encapsulated Security Protocol (ESP)
– Confidentiality for upper layer protocol– Traffic flow confidentiality– Data origin authentication and
connectionless integrity (optional)
SMU CSE 5349/7349
ESP Packet
Tunnel Mode
SMU CSE 5349/7349
Outbound Packet Processing
• Form ESP payload• Pad as necessary• Encrypt result [payload, padding, pad
length, next header]• Apply authentication
– Allow rapid detection of replayed/bogus packets
– Allow potential parallel processing - decryption & verifying authentication code
SMU CSE 5349/7349
Outbound Packet Processing (cont’d)
• Sequence number generation• ICV calculation
– ICV includes whole ESP packet minus authentication data field
– Implicit padding of ‘0’s between next header and authentication data is used to satisfy block size requirement for ICV algorithm
SMU CSE 5349/7349
SPI
Sequence Number
Original IP Header
Integrity Check Value
Au
then
tica
tio
n c
ove
rag
e
En
cryp
ted Payload (TCP Header and Data)
Variable Length
Pad Length
Padding (0-255 bytes)
Next Header
ESP T
ransp
ort
Exam
ple
SMU CSE 5349/7349
Inbound Packet Processing
• Packet decryption– Decrypt [ESP payload,padding,pad
length,next header] per SA specification– Processing (stripping) padding per
encryption algorithm– Reconstruct the original IP datagram
• Authentication verification (optional)
SMU CSE 5349/49
Internet Key Exchange (IKE)
SMU CSE 5349/7349
Key Management
• AH and ESP require encryption and authentication keys
• Process to negotiate and establish IPSec SA’s between two entities
SMU CSE 5349/7349
Manual Key Management
• Mandatory• Useful when IPSec developers are
debugging• Keys exchanged offline (phone, email,
etc.)• Set up SPI and negotiate parameters • Not scalable
SMU CSE 5349/7349
IKE
• Use the frame work of ISAKMP• Internet Security Assignment and Key
Management Protocol• Developed by NSA
• Implements parts of two key management protocols– Oakley and SKEME
SMU CSE 5349/7349
IKE - Phases
• Used when an outbound packet does not have an SA
• Tow phases:– Phase I: Establish an IKE SA (main mode,
aggressive mode)• Used to define encryption & authentication of
IKE traffic• Multiple IPSec SAs can be established with one
IKE SA• Bidirectional
– Phase II: Use IKE SA to negotiate IPSec Sas (quick mode)
SMU CSE 5349/7349
Phase I – Create IKE SA
• Negotiate protection suite• Use Diffie-Hellman to establish shared
secret– 3 groups of DH defined
• Authenticate the shared secret , IKE SA– Preshared keys (secret)– Digital signatures– Public-keys
SMU CSE 5349/7349
IKE Modes
• Phase I– Main Mode – flexible, 6 messages
• Checks cookies before DH work
– Aggressive mode – faster, 3 messages• Open to DoS, doesn’t check cookie before DH
work• Used mostly for remote access
• Phase II – Quick mode
SMU CSE 5349/7349
Oakley Key Exchange
• Designed to – Leverage advantages of DH
• Fresh keys• Secret never on the transit
– Counter DH weaknesses• No information on the Ids of the parties• Man-in-the-middle attack• Computationally intensive
SMU CSE 5349/7349
Oakley - Major Features
• Cookies to thwart DoS• Nonce to prevent replay• DH for key exchange• Authenticated key exchange• Specification of global parameters for
DH
SMU CSE 5349/7349
Cookies
• Requirements– Depend on specific parties– Only the issuing entity can generate
acceptable cookies – implies issuer using local secret
– Cookie generation and verification must be fast
• Suggested - Hash over IP Src/Dest; UDP Src/Dest; local secret
SMU CSE 5349/7349
SA, CKY-II R
Initiator Responder
SA, CKY-RNegotiate IKE SA parameters
NonceI, YI
NonceR, YR
IDI, HashI
IDR, HashR
Exchange items to generate secret
Send hash digest so peer can authenticate sender
Example: Main Mode Preshared
Generate SKEYID
SMU CSE 5349/7349
Main Mode Preshared
• PRF, Pseudo-Random Function• SKEYID root secret
=PRF(preshared-key,Ni|Nr)• SKEYID_d for IPSec SA
=PRF(SKEYID,K|CKY-I|CKY-R|0)K is the secret generated by DH
• SKEYID_a for IKE message data auth & integrity= PRF(SKEYID,SKEYID_d|K|CKY-I|CKY-R|1)
• SKEYID_e use to encrypt IKE messages= PRF(SKEYID,SKEYID_a|K|CKY-I|CKY-R|2)
SMU CSE 5349/7349
Main Mode Preshared Hashes
• To authenticate each other, each entity generates a hash digest that only the peer could know
Hash-I=PRF(SKEYID,YI|YR|CKY-I|CKY-R|SA Offer|ID-I)
Hash-R =PRF(SKEYID,YR|YI|CKY-R|CKY-I|SA Offer|ID-R)
SMU CSE 5349/7349
Phase II
• What traffic does SA cover ?• Initiator specifies which entries
(selectors) in SPD are for this IPSec SA, sends off to responder
• Keys and SA attributes communicated with the Phase I - IKE SA – Passes encrypted & authenticated
SMU CSE 5349/7349
HASH1, IPSec SA, NonceI, [New K]I R
Initiator Responder
HASH2, SA, NonceR, [New K]Negotiate IPSec SA Parameters, [PFS]
Example: Quick Mode
HASH3‘Liveness’ proof for Responder
SMU CSE 5349/7349
IKE Summary