IP Security. What s IP Security (IPsec)

Transcription

1 IP Security CSCI 454/554 What s IP Security (IPsec) w IETF standard for network layer security n Layer-3 security protocol for IP w Three related things n IPsec data protocols: 51 (AH) and 50 (ESP) n Key management protocol: IKE/ISAKMP n Configuration languages, GUIs and management software (still missing) 1

2 IPsec Does w Provide n Authentication n Confidentiality n Integrity n Key management w Applicable to use over LANs, across public & private WANs, & for the Internet Layer-3 Security w Network layer is choke-point in the network stack w Hourgalss figure w Putting security in the network layer allows both higher and lower-layer protocol to use it 2

3 Benefits of IPsec w Link encryption become almost obsolete w Any network node can be a security endpoint n end-to-end, end-to-edge, edge-to-edge (VPN) w Applications can be written without explicit support for communication security n Code economy (transparent to applications) n Decouple security policy management from application management IPsec Documents w specification is quite complex w defined in numerous RFC s n RFC 2401: overview of architecture n RFC 2402: packet authentication (AH) n RFC 2406: packet encryption (ESP) n RFC 2408: key management n many others, grouped by category 3

4 IPSec Services Security Associations w an one-way relationship between sender & receiver that affords security service for IP traffic w defined by 3 parameters: n Security Parameters Index (SPI) n IP Destination Address n Security Protocol Identifier w has a number of other parameters n seq no, AH & ESP info, lifetime etc w have a table (database) of Security Associations 4

5 Key exchange IKEv2 IKEv2 SPD IKE SA SPD Security policy database IPsecv3 IPsec SA Pair IPsecv3 Security policy database SAD Security association database ESP protects data Security association database SAD Figure 20.2 IPsec Architecture Security Association Database (SAD) w Defines the parameters associated with each SA w Using the following parameters in a SAD entry: n Security parameter index n Sequence number counter n Sequence counter overflow n Anti-replay window n AH information n ESP information n Lifetime of this security association 5

6 Security Policy Database (SPD) w The means by which IP traffic is related to specific SAs n Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic n Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors n These are used to filter outgoing traffic in order to map it into a particular SA Authentication Header (AH) w provides support for data integrity & authentication of IP packet header n n detect modification on packet s content prevents address spoofing attacks n counter reply attacks by tracking sequence numbers w based on the use of HMAC n HMAC-MD5-96 or HMAC-SHA-1-96 w parties must share a secret key 6

7 Encapsulating Security Payload (ESP) w provides message content confidentiality & limited traffic flow confidentiality w can optionally provide the authentication services as AH, but only cover IP payload w supports range of ciphers, modes, padding n DES, Triple-DES, RC5, etc n CBC most common n pad to meet block size, for traffic flow Transport & Tunnel Modes w Both AH and ESP support two modes of use n transport and tunnel mode w Transport mode n protection primarily for IP payload (upper-layer protocols) w Tunnel mode n protection covered the entire IP packet 7

8 Transport mode in AH Tunnel mode in AH 8

9 Authentication Header AH (bigger scope) 9

10 Transport & Tunnel Modes in Authentication Transport mode in ESP 10

11 Tunnel Mode in ESP ESP Format 11

12 ESP Format (bigger scope) Transport Mode Encryption 12

13 Tunnel Mode Encryption Transport vs Tunnel Mode ESP w transport mode is used to encrypt & optionally authenticate IP data n data protected but header left in clear n good for ESP host to host traffic (end-to-end) w tunnel mode encrypts entire IP packet n add new header for next hop n good for VPNs, gateway to gateway security (edge-to-edge) 13

14 Combining Security Associations w SA s can implement either AH or ESP but not both w to implement both need to combine SA s n form a security bundle w security association bundle n Transport adjacency (no tunnelling) n Iterated tunnelling (multi-level nesting) Combining SAs (Cont d) w Transport adjacent (two bundled transport SAs) n Inner ESP transport SA, while outer AH transport SA w Transport-Tunnel Bundle n Inner AH transport SA, while outer ESP tunnel SA 14

15 Combining Security Associations Key Management w handles key generation & distribution w typically need 2 pairs of session keys n 2 per direction for AH & ESP w automated key management n automated system for on demand creation of keys for SA s in large systems n ISAKMP and IKE (Oakley) 15

16 ISAKMP w Internet Security Association and Key Management Protocol w only provides framework for key management w defines procedures and packet formats to establish, negotiate, modify, & delete SAs w independent of key exchange protocol, encryption alg, & authentication method Internet Key Exchange (IKE) w Default key management protocol w Re-synchronize two ends of an IPsec SA n Authenticate endpoints n Choose cryptographic keys n Reset sequence numbers to zero w IKE are based on OAKLEY, and using ISAKMP syntax n IKE implements a subset of the OAKLEY protocol n borrows fast rekeying technique from SKEME 16

17 Oakley w a key exchange protocol before IKE w based on Diffie-Hellman key exchange w adds features to address weaknesses n Cookies n groups (global params of DH key exchange) n nonces n DH key exchange with authentication Conceptual IKE w Diffie-Hellman for perfect forward security w Signed D-H to avoid man-in-the-middle attack w Cookies for DoS protection 17

18 Perfect Forward Security w Two parties communicate use different session keys at different time periods w Image an adversary n records all communication between Alice and Bob n is able to break into Alice (or Bob) s computer and obtain all of her secrets at some point w PFS is achieved if he cannot decrypt message that occurred before the latest session change Diffie-Hellman 18

19 Man in the Middle Signed D-H Exchange 19

20 But if already have RSA IKE Phases w Two phases w Phase 1: expensive mutual authentication (based on public keys), establish ISAKMP SA (or IKE SA) n Aggressive mode (three messages in IKEv1) n Main mode (six messages in IKEv1) w Phase 2: leverage the phase 1 SA to create AH or ESP SAs. 20

21 Summary w have considered: n IPSec security framework n AH n ESP n key management (ISAKMP & IKE) 21