CSC474: Network Security

Transcription

1 CSC474: Network Security Lecture 18 Prof. William Enck Fall 2016 (Derived from slides by Micah Sherr and Peng Ning)

2 Virtual Private Networks

3 Problem: 3

4 Problem? 17 UNC System Campuses (

5 Virtual Private Networks (VPNs) Provides secure access to private network over public links Often, goal is to provide access to corporate network (intranet) from outside (Internet) Or, logically join physically separated networks Achieves some combination of: Confidentiality Integrity Mutual authentication 5

6 Telecommuter VPNs: Client-to-Gateway Enterprise Network Enterprise Servers 6

7 Gateway-to-Gateway VPNs Branch Branch Branch Branch 7

8 How do we build VPNs? 8

9 We can t rebuild the Internet 9

10 VPN Tunneling Enterprise Network Enterprise Servers 10

11 IPsec (not IPSec!) Host level protection service IP-layer security (below TCP/UDP) De-facto standard for host level security Developed by the IETF (over many years) Available in most operating systems/devices E.g., Windows, OS X, Linux, BSD*, Not a single protocol; IPsec is a protocol suite Implements a wide range of protocols and cryptographic algorithms Selectively provides. Confidentiality, integrity, authenticity, replay protection, DoS protection 11

12 IPsec Protocol Suite Policy/ Configuration Management Key Management Packet Processing (SPS) Security Policy System Manual (ESP) Encapsulating Security Payload (IKE) Internet Key Exchange (AH) Authentication Header 12

13 IPsec Architecture IPsec module 1 IPsec module 2 SPD SPD IKE IKE SAD IPsec SA IPsec SAD SPD: Security Policy Database; IKE: Internet Key Exchange; SA: Security Association; SAD: Security Association Database. 13

14 Internet Key Exchange (IKE) Two phase protocol used to establish parameters and keys for session Phase 1: authenticate peers, establish secure channel via Diffie- Hellman key exchange Phase 2: negotiate parameters, establish a security association (SA) The SA defines algorithms, keys, and policy used to secure the session for a unidirectional traffic flow Pairing requires two SAs -- one for each direction SAs stored in host s Security Association Database (SAD) Each gateway may define policies for each SA Policies stored in the SAD 14

15 IPsec: Packet Handling Application Presentation Session Transport SPD/SAD IPsec Network (IP) Data Link Physical 15

16 Transport Mode A Encrypted/Authenticated B Orig IP Header AH or ESP Header TCP Data 16

17 Tunnel Mode Encrypted Tunnel Gateway Gateway A Unencrypted Encrypted Unencrypted B New IP Header AH or ESP Header Orig IP Header TCP Data 17

18 Key Management Two options: Manual: use pre-shared secrets; or Internet Key Exchange (IKE) 18

19 Internet Key Exchange Harkins and Carrel, RFC2409, Nov Phase 1: Key Exchange (Simplified) 1. Initiator sends list of supported crypto algos to responder 2. Responder chooses crypto algo from sender s list 3. Initiator sends first half of DH exchange and a noncei to responder 4. Responder sends second half of DH exchange, and a noncer to initiator 5. Initiator sends its id, its cert, and a sig, all encrypted using key derived from previously exchanged messages 6. Responder sends its id, its cert, and a sig, all encrypted using key derived from previously exchanged messages 19

20 Internet Key Exchange Phase II: Security Associations Using secure channel, establish at least 2 security associations: inbound outbound 20

21 IPsec and the IP protocol stack IPsec puts the two main protocols in between IP and the other protocols HTTP FTP SMTP AH: Authentication Header TCP UDP AH ESP ESP: Encapsulating Security Payload IP Other functions provided by external protocols and architectures 21

22 Security Association (SA) An association between a sender and a receiver Consists of a set of security related parameters E.g., sequence number, encryption key One way relationship Determine IPsec processing for senders Determine IPsec decoding for destination SAs are not fixed! Generated and customized per traffic flows 22

23 Security Parameters Index (SPI) A bit string assigned to an SA. Carried in AH and ESP headers to enable the receiving system to select the SA under which the packet will be processed. 32 bits SPI + Dest IP address + IPsec Protocol Uniquely identifies each SA in SA Database (SAD) 23

24 SA Database (SAD) Holds parameters for each SA Sequence number counter Lifetime of this SA AH and ESP information Tunnel or transport mode Every host or gateway participating in IPsec has their own SA database 24

25 SA Bundle More than 1 SA can apply to a packet Example: ESP does not authenticate new IP header. How to authenticate? Use SA to apply ESP w/out authentication to original packet Use 2 nd SA to apply AH 25

26 Security Policy Database (SPD) Decide What traffic to protect? Has incoming traffic been properly secured? Policy entries define which SA or SA Bundles to use on IP traffic Each host or gateway has their own SPD Index into SPD by Selector fields Selectors: IP and upper-layer protocol field values. Examples: Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, 26

27 SPD Entry Actions Discard Do not let in or out Bypass Outbound: do not apply IPSec Inbound: do not expect IPSec Protect will point to an SA or SA bundle Outbound: apply security Inbound: security must have been applied 27

28 SPD Protect Action If the SA does not exist Outbound processing Trigger key management protocols to generate SA dynamically, or Request manual specification, or Other methods Inbound processing Drop packet 28

29 Authentication Header (AH) Provides authenticity and integrity via HMAC over immutable IP headers and data Advantage: the authenticity of data and IP header information is protected Disadvantage: the set of immutable IP headers isn t necessarily fixed For example? Confidentiality of data is not preserved Replay protection via AH sequence numbers note that this replicates some features of TCP 29

30 Mutable fields 30

31 IPsec AH Packet Format IPv4 AH Packet Format IPv4 Header Authentication Header Higher Level Protocol Data AH Header Format Next Header Length Reserved Security Parameter Index Authentication Data (variable number of 32-bit words) 31

32 IPsec Authentication SPI: (spy) identifies the SA for this packet Type of crypto checksum, how large it is, and how it is computed Really, the policy for the packet Authentication data Hash of packet contents include IP header as specified by SPI Treat mutable fields (TTL, header checksum) as zero Keyed MD5 Hash is default 32

33 Encapsulating Security Payload (ESP) Confidentiality, authenticity, and integrity via encryption and HMAC over IP payload (data) Advantage: encapsulated packet is fully secured Use null encryption to get authenticity/integrity only Note that the TCP/UDP ports are hidden when encrypted good: better security, less is known about traffic bad: impossible for FW to filter/traffic based on port Cost: can require many more resources than AH 33

34 Outbound Packet Processing Sequence number generation Increment then use With anti-replay enabled, check for rollover and send only if no rollover With anti-replay disabled, still needs to increment and use but no rollover checking ICV calculation ICV includes whole ESP packet except for authentication data field. Implicit padding of 0 s between next header and authentication data is used to satisfy block size requirement for ICV algorithm Not include the IP header. 34

35 32 bits Security parameters index (SPI) Sequence number Encrypted ICV coverage Payload data (variable) Padding (0-255 bytes) Pad length Next header ESP Integrity check value - ICV (variable) (a) Top-level format of an ESP Packet Packet Security parameters index (SPI) Sequence number Format Encrypted ICV coverage Initializtion value - IV (optional) Rest of payload data (variable) TFC padding (optional, variable) Padding (0-255 bytes) Payload Pad length Next header Integrity check value - ICV (variable) (b) Substructure of payload data (from Stallings, Crypto and Net Security)

36 Inbound Packet Processing Sequence number checking Anti-replay is used only if authentication is selected Sequence number should be the first ESP check on a packet upon looking up an SA Duplicates are rejected! 0 reject Check bitmap, verify if new Sliding Window size >= 32 verify 36

37 Modes of Operation Transport: the payload is (optionally) encrypted and the non-mutable fields are integrity verified (via MAC) Tunnel: each packet is completely encapsulated (and optionally encrypted) in an outer IP packet Hides not only data, but some routing information 37

38 Modes of Operation AH Transport Mode AH Tunnel Mode ESP Transport Mode ESP Tunnel Mode

39 Transport Example (ipsec-howto.org) #!/usr/sbin/setkey -f # Configuration for # Flush the SAD and SPD flush; spdflush; # Attention: Use this keys only for testing purposes! # Generate your own keys! # AH SAs using 128 bit long keys add ah 0x200 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6; add ah 0x300 -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b; # ESP SAs using 192 bit long keys ( parity) add esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c fae69a96c831; add esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f afe8eb df; # Security policies spdadd any -P in ipsec esp/transport//require ah/transport//require; spdadd any -P out ipsec esp/transport//require ah/transport//require; Only thing that changes between and

40 Tunnel Example (ipsec-howto.org) #!/usr/sbin/setkey -f # Flush the SAD and SPD flush; spdflush; # ESP SAs doing encryption using 192 bit long keys ( parity) # and authentication using 128 bit long keys add esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6; add esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f afe8eb df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b; # Security policies spdadd / /24 any -P out ipsec esp/tunnel/ /require; spdadd / /24 any -P in ipsec esp/tunnel/ /require; 40

41 Practical Issues and Limitations IPsec implementations Large footprint resource poor devices are in trouble New standards to simplify (e.g, JFK, IKE2) Slow to adopt new technologies Configuration is extremely complicated/ obscure 41

42 Practical Issues and Limitations Issues IPsec tries to be everything for everybody at all times Massive, complicated, and unwieldy Large-scale management tools are limited (e.g., CISCO) Often not used securely (common pre-shared keys) In theory, IPsec support required in IPv6 42

43 Alternatives to IPsec SSH Tunneling: Tunnel packets over SSH connection OpenVPN: Tunnel traffic via SSL/TLS connections Point-to-Point Tunneling Protocol (PPTP): Tunnel using Control (TCP) and Data (GRE) channels; mostly a Microsoft thing 43

44 SSH Tunneling Alice has an account on myhost.csc.ncsu.edu Alice wants to access page at page is only available to NCSU IPs... and Alice lives off campus ssh -L9999: -NfCx myhost.csc.ncsu.edu forward local port 9999 to port 80 via ssh tunnel to seva firefox & Q: Where does think the connection comes from? ssh -Dlocalhost:9999 -NfCx myhost.csc.ncsu.edu run SOCKS server locally on port 9999, forwarding all traffic to myhost.csc.ncsu.edu 44