IP Security Web Security. A. Qayyum M. A. Jinnah University, Islamabad

Transcription

1 IP Security Web Security A. Qayyum M. A. Jinnah University, Islamabad

2 IP Sec Internet standard for network layer security Components: an authentication protocol (Authentication Header AH) a combined encryption and authentication protocol (Encapsulated Security Payload ESP) key management protocols (the default is ISAKMP/Oakley) Many RFCs IPSec mandatory for IPv6, optional for IPv4 2

3 An IP Security Scenario 3

4 IPSec Services AH ESP (encryption only) ESP (encryption and authentication) integrity x x data origin authentication x x replay detection x x x confidentiality x x limited traffic flow confidentiality x x 4

5 Security Associations (SA) A one-way relationship between a sender and a receiver system Used either for AH or for ESP but never for both Uniquely identified by three parameters Security Parameters Index (SPI) IP destination address Security protocol identifier 5

6 SA Parameters sequence number counter counts the packets sent using this SA sequence counter overflow flag indicates whether overflow of the sequence number counter should prevent further transmission using this SA anti-replay window used to determine whether an inbound AH or ESP packet is a replay AH / ESP information algorithm, key, and related parameters lifetime a time interval or byte count after which this SA must be terminated protocol mode tunnel or transport mode path MTU any observed maximum transmission unit 6

7 SA Selectors Security Policy Database (SPD) Each entry defines a subset of IP traffic and points to the SAs to be applied to that traffic Subset of IP traffic is defined in terms of selectors Outbound processing Compare the selector fields of the packet to the values in the SPD Determine which SAs should be used for the packet and their SPIs Do the required IPSec processing 7

8 Modes of operation Transport mode Provides protection primarily for upper layer protocols Protection is applied to the payload of the IP packet Usually used between end-systems Tunnel mode Provides protection to the entire IP packet Entire IP packet is considered as payload and encapsulated in another IP packet (with potentially different source and destination addresses) Usually used between security gateways (routers, firewalls) 8

9 IPSec Authentication Header 9

10 Authentication Header AH Next header type of header immediately following this header (e.g., TCP, IP, etc.) Payload length length of AH (in 32 bit words) minus 2 e.g., 4 if Authentication data is 3x32 bits long Security Parameters Index identifies the SA used to generate this header Sequence number sequence number of the packet Authentication data a (truncated) MAC (default length is 3x32 bits) 10

11 Anti-Replay Service A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence The Sequence Number field is designed to thwart such attacks 11

12 Replay Detection replay: the attacker obtains an authenticated packet and later transmits (replays) it to the intended destination receiver has an anti-replay window of default size W = 64 12

13 Outbound Processing Outbound Processing Security Association Lookup Sequence Number Generation Integrity Check Value Calculation Fragmentation 13

14 MAC Implementations must support HMAC-MD5-96 HMAC-SHA1-96 MAC is calculated over IP header fields that do not change in transit AH header fields except Authentication data field entire upper layer protocol data Fields not covered by MAC are set to 0 for calculation TTL Header checksum IP AH MAC Authentication data payload 14

15 AH Inbound processing If there is more than one IPsec header / extension present, the processing for each one ignores (does not zero, does not use) any IPsec headers applied subsequent to the header being processed Reassembly Security Association Lookup Sequence Number Verification Integrity Check Value Verification 15

16 End to End versus End to Intermediate Authentication 16

17 Scope of AH Authentication 17

18 Scope of AH Authentication 18

19 Encapsulating Security Payload ESP Security Parameters Index identifies the SA used to generate this encrypted packet Sequence number Payload transport level segment (transport mode) or encapsulated IP packet (tunnel mode) Padding variable length padding Pad length Next header identifies the type of data contained in the header Authentication data a (truncated) MAC computed over the ESP packet (SPI... Next Header) 19

20 IPSec ESP Format 20

21 Encryption and MAC algorithms Encryption Applied to the payload, padding, pad length, and next header fields Implementations must support DES-CBC Other suggested algorithms: 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish MAC Computed over SPI, sequence number, encrypted payload, padding, pad length, and next header fields Unlike in AH, here the MAC does not cover the preceding IP header Implementations must support HMAC- MD5-96 and HMAC-SHA

22 Outbound Packet Processing In transport mode, sender encapsulates the upper layer protocol information in ESP header/trailer, and retains the specified IP header If there is more than one IPsec header/extension required by security policy, the order of application of security headers must be defined by security policy Processing involves Security Association Lookup Packet Encryption Sequence Number Generation Integrity Check Value Calculation Fragmentation 22

23 Inbound Packet Processing Involves Reassembly Security Association Lookup Sequence Number Verification Integrity Check Value Verification Packet Decryption 23

24 What is a Tunnel? A tunnel identifies packets in a data stream Identify by encapsulation (new header possibly new trailer) Identify by labeling Entry into a tunnel gives the data stream different characteristics E.g., Privacy, authentication, different routing characteristics Security is not always the goal of the tunnel 24

25 Tunnel Protocols for all Levels Layer Q VLANs labels ethernet frames for traffic separation Proprietary link encryption Layer 3 IPSec IPv6 in IPv4 Carry IPv6 traffic over IPv4 networks Generic Routing Encapsulation (GRE) Multiprotocol Label Switching (MPLS) uses labels to implement circuit switching at layer 3 Layer 4 SSL/TLS Layer 7 SMIME DNSSec 25

26 Transport Level Security vs Tunnel Mode Security 26

27 Transport Level Security vs Tunnel Mode Security 27

28 ESP in Transport and Tunnel Mode original IPv4 packet original IP header TCP/UDP header data ESP in transport mode original IP header ESP header TCP/UDP header data ESP trailer ESP MAC encrypted authenticated ESP in tunnel mode new IP header ESP header original IP header TCP/UDP header data ESP trailer ESP MAC encrypted authenticated 28

29 Combining Security Associations Basic ESP-AH combination 1. apply ESP in transport mode without authentication 2. apply AH in transport mode original IP header AH ESP header TCP/UDP header data ESP trailer authenticated except for mutable fields in the IP header Basic AH-ESP combination 1. apply AH in transport mode 2. apply ESP in tunnel mode without authentication new IP header ESP header original IP header AH TCP/UDP header data ESP trailer authenticated except for mutable fields in the inner IP header 29

30 Combining SAs Host-host Security 30

31 Combining SAs Gateway-gateway Security 31

32 Combining SAs Host-gateway Security 32

33 Combining SAs Host-gateway Security 33

34 Scaling IPSec Challenges Numerous SAs eat up too much memory for small routers Configurations in a hub and spoke network grow n^2 in the number of spokes Dynamic Multipoint VPN (DMVPN) Performance Even symmetric encryption can be too much for high bandwidth environments Symmetry Both sides must have a means to prove identity to each other Implies the need for a PKI or other broad identity proof mechanism 34

35 Key Management Two types must be supported by implementations manual system admin configures system with necessary keys automated on-demand creation of keys for SAs Default automated method is ISAKMP / Oakley Oakley key determination protocol a key exchange protocol based on Diffie-Hellman provides added security (e.g., authentication) ISAKMP Internet Security Association and Key Management Protocol provides a framework for key exchange defines message formats that can carry the messages of various key exchange protocols 35

36 NAT Transparent IPSec Initially IPSec could not handle address translation in the middle RFC 3715 describes the problems AH includes the addresses in the outer IP header in its authentication calculation Changes to the IP addresses affect the TCP/UDP checksums, which are encrypted in ESP Addresses and ports encrypted or authenticated For remote users this was a big use case Introduced NAT-traversal extensions RFC 3947 Detect NAT during IKE Move from standard IKE port on 500 to negotiate on port 4500 Encapsulate the IPSec traffic using UDP to preserve the original headers from NAT 36

37 Scope for ESP Encryption and Authentication 37

38 Scope for ESP Encryption and Authentication 38

39 Web Security

40 Web Security Web now widely used by business, government, individuals But Internet & Web are vulnerable Have a variety of threats integrity confidentiality denial of service authentication Need added security mechanisms 40

41 Relative Location of Security Facilities in TCP/IP Stack 41

42 What are SSL and TLS? SSL Secure Socket Layer TLS Transport Layer Security Both provide a secure transport connection between applications e.g., a web server and a browser SSL was developed by Netscape SSL v3.0 was specified in an Internet Draft Evolved into TLS specified in RFC 2246 TLS can be viewed as SSL v3.1 42

43 SSL Architecture SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol applications (e.g., HTTP) SSL Record Protocol TCP IP 43

44 Encryption- Supported Algorithms Block ciphers (in CBC mode) RC2_40 DES_40 DES_56 3DES_168 IDEA_128 FORTEZZA_80 Stream ciphers RC4_40 RC4_128 44

45 SSL Components SSL Record Protocol fragmentation compression message authentication and integrity protection Encryption The SSL Record Layer receives uninterrupted data from higher layers in non-empty blocks of arbitrary size 45

46 SSL Components SSL Handshake Protocol negotiation of security algorithms and parameters key exchange server authentication and optionally client authentication SSL Alert Protocol error messages (fatal alerts and warnings) SSL Change Cipher Spec Protocol a single message that indicates the end of the SSL handshake 46

47 SSL Sessions An association between a client and a server Sessions are stateful; the session state includes security algorithms and parameters Session may include multiple secure connections between the same client and server 47

48 SSL Connections Connections of the same session share the session state Sessions are used to avoid expensive negotiation of new security parameters for each connection There may be multiple simultaneous sessions between the same two parties, but this feature is not used in practice 48

49 Session and Connection States - Session State Session identifier arbitrary byte sequence chosen by the server Peer certificate X.509 certificate of the peer (may be null) Compression method Cipher spec Data encryption algo (null, 3DES, ), MAC algo (MD5, SHA-1), cryptographic attributes (hash size) Master secret Shared between the client and the server Is resumeable a flag indicating whether the session can be used to initiate new connections 49

50 Connection States Server and client random random byte sequences chosen by server and the client Server write MAC secret secret key used in MAC operations on data sent by server Client write MAC secret secret key used in MAC operations on data sent by client Server write key secret encryption key for data encrypted by the server Client write key secret encryption key for data encrypted by the client Initialization vectors IV is maintained for each encryption key (for CBC mode) Sending and receiving sequence numbers reset to zero after each Change Cipher Spec message 50

51 State Changes Operating state currently used state Pending state state to be used built using the current state Operating state Pending state at the transmission and reception of a Change Cipher Spec message party A (client or server) party B (server or client) the sending part of the pending state is copied into the sending part of the operating state Change Cipher Spec the receiving part of the pending state is copied into the receiving part of the operating state 51

52 SSL Record Protocol Processing Overview application data SSLPlaintext fragmentation SSLCompressed compression type SSLCiphertext version length msg authentication and encryption (with padding if necessary) MAC padding 52

53 Header Type higher level protocol used to process the enclosed fragment possible types: Version change_cipher_spec alert handshake application_data SSL version, currently 3.0 Length length of the enclosed fragment or compressed fragment max value is

54 SSL Record Format 54

55 SSL Record Protocol Payload 55

56 SSL Alert Protocol Each alert message consists of 2 fields (bytes) First field (byte): warning or fatal Second field (byte): fatal unexpected_message bad_record_mac decompression_failure handshake_failure illegal_parameter 56

57 SSL Alert Protocol Warning close_notify no_certificate bad_certificate unsupported_certificate certificate_revoked certificate_expired certificate_unknown In case of a fatal alert connection is terminated session ID is invalidated no new connection can be established within this session 57

58 SSL Handshake Protocol overview client server client_hello server_hello certificate server_key_exchange certificate_request server_hello_done Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers Phase 2: Server may send its certificate and key exchange message, and it may request the client to send a certificate. Server signals end of hello phase. certificate client_key_exchange certificate_verify Phase 3: Client sends certificate if requested and may send an explicit certificate verification message. Client always sends its key exchange message. change_cipher_spec finished change_cipher_spec Phase 4: Change cipher spec and finish handshake finished 58

59 59

60 client_hello client_version Hello Messages- Client the highest version supported by the client client_random current time (4 bytes) + pseudo random bytes (28 bytes) session_id empty if the client wants to create a new session, or the session ID of an old session within which the client wants to create the new connection 60

61 Client Messages cipher_suites list of cryptographic options supported by the client ordered by preference a cipher suite contains the specification of the key exchange method, the encryption and the MAC algorithm the algorithms implicitly specify the hash_size, IV_size, and key_material parameters (part of the Cipher Spec of the session state) exmaple: SSL_RSA_with_3DES_EDE_CBC_SHA compression_methods list of compression methods supported by the client 61

62 server_hello server_version Hello Messages Server min( highest version supported by client, highest version supported by server ) server_random current time + random bytes random bytes must be independent of the client random 62

63 Server Messages session_id session ID chosen by the server if the client wanted to resume an old session: server checks if the session is resumable if so, it responds with the session ID and the parties proceed to the finished messages if the client wanted a new session server generates a new session ID cipher_suite single cipher suite selected by the server from the list given by the client compression_method single compression method selected by the server 63

64 Certificate request and server hello done msgs certificate_request sent if the client needs to authenticate itself specifies which type of certificate is requested (rsa_sign, dss_sign, rsa_fixed_dh, dss_fixed_dh, ) 64

65 server_hello_done Sent to indicate that the server is finished its part of the key exchange After sending this message the server waits for client response The client should verify that the server provided a valid certificate and the server parameters are acceptable 65

66 Finished messages finished sent immediately after the change_cipher_spec message first message that uses the newly negotiated algorithms, keys, IVs, etc. used to verify that the key exchange and authentication was successful 66

67 TLS vs. SSL Version number for TLS the current version number is 3.1 MAC TLS uses HMAC the MAC covers the version field of the record header too More alert codes Cipher suites TLS doesn t support Fortezza key exchange and Fortezza encryption 67

68 TLS vs. SSL certificate_verify message the hash is computed only over the handshake messages in SSL the hash contained the master_secret and pads Padding before block cipher encryption variable length padding is allowed (max 255 padding bytes) 68

69 Thank You Questions...