Improved IKE Key Exchange Protocol Combined with Computer Security USB Key Device



Similar documents
IPsec VPN Application Guide REV:

IPsec Details 1 / 43. IPsec Details

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

T Cryptography and Data Security

IP Security. Ola Flygt Växjö University, Sweden

A method to Implement the Kerberos User. Authentication and the secured Internet Service

Introduction to Security and PIX Firewall

Internet Protocol Security IPSec

Protecting Internet Key Exchange (IKE) Implementations from Distributed Denial of Service Attacks

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Securing IP Networks with Implementation of IPv6

The VPNaaS Plugin for Fuel Documentation

Quick Note 051. Common Passwords/ID errors in IPsec VPN negotiation for TransPort routers. DRAFT July 2015

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Network Security. Lecture 3

Configuring IKEv2 Load Balancer

Case Study for Layer 3 Authentication and Encryption

Protocol Security Where?

Internetwork Security

This paper is a follow-on to an earlier paper 1 and. An architecture for the Internet Key Exchange Protocol. by P.-C. Cheng

CS 4803 Computer and Network Security

Chapter 3. Network Domain Security

T Cryptography and Data Security

Chapter 4 Virtual Private Networking

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Laboratory Exercises V: IP Security Protocol (IPSec)

VPN with Windows 7 and Linux strongswan using IKEv2

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

How To Understand And Understand The Security Of A Key Infrastructure

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

MPLS VPN in Cellular Mobile IPv6 Architectures(04##017)

This is a guide on how to create an IPsec VPN tunnel from a local client running Shrew Soft VPN Client to an Opengear device.

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

Public Key Infrastructure for a Higher Education Environment

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

IPSec Pass through via Gateway to Gateway VPN Connection

Service "NCPCLCFG" is not running In this case, increase the WaitForConfigService setting until the problem is circumvented

Chapter 8 Virtual Private Networking

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Cryptography and network security CNET4523

Chapter 5: Network Layer Security

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Dr. Arjan Durresi. Baton Rouge, LA These slides are available at:

[MS-SSTP]: Secure Socket Tunneling Protocol (SSTP) Intellectual Property Rights Notice for Open Specifications Documentation

21.4 Network Address Translation (NAT) NAT concept

Implementing Cisco IOS Network Security

VPN Technologies: Definitions and Requirements

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Public Key Infrastructure (PKI)

IBM i Version 7.3. Security Digital Certificate Manager IBM

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Introduction to Network Security Key Management and Distribution

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

How To Establish IPSec VPN between Cyberoam and Microsoft Azure

Application Notes. How to Configure UTM with Apple OSX and ios Devices for IPsec VPN

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

SSL A discussion of the Secure Socket Layer

CSCI 454/554 Computer and Network Security. Final Exam Review

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Virtual Private Networks: IPSec vs. SSL


How To Fix A Username Enumeration On A Vpn On A Pc Or Ipv (Vpn) On A Password Protected Ipv 2 (Vvv) On An Ipv 3 (Vp) On Pc Or Password Protected (V

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

The BANDIT Products in Virtual Private Networks

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

Grid Computing - X.509

Encryption. Administrator Guide

Authentication Applications

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

DRAFT Standard Statement Encryption

Troubleshooting for Yamaha router

CS 494/594 Computer and Network Security

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

7. Configuring IPSec VPNs

Network Security Protocols

LinkProof And VPN Load Balancing

Securing End-to-End Internet communications using DANE protocol

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

FortiOS Handbook IPsec VPN for FortiOS 5.0

Configuring L2TP over IPsec

Virtual Private Networks

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

Authentication Applications

Research Report about IPsec VPN

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Instructions on TLS/SSL Certificates on Yealink Phones

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Chapter 5 Virtual Private Networking Using IPsec

Transcription:

Improved IKE Key Exchange Protocol Combined with Computer Security USB Key Device Pak Myong-Suk, Jo Hyon-Chol, Jang Chung-Hyok Kim Il Sung University, Pyongyang, DPR of Korea Abstract: In this paper we suggest improved IKE key exchange protocol combined with the Computer Security USB Key device to solve the problems in using IKE and IKE v2 protocol. Keywords: IPsec, IKE, IKEv2, SA, Computer Security USB key device 1. Introduction The network layer virtual private network programs such as strongswan and Openswan support both of the IKE and the IKEv2, but many networks still use IKE. Unlike IKEv2, DoS(Denial of service) attack may happen in IKE protocol.(dos attack for the DH calculation that happens when a lot of aggressive mode IKE requests having forged source IP addresses are received)[1] In IKE/IKEv2, Man-in-the-middle attacks to SA payload and KE payload may happen, when user uses the electronic certificate distributed as the file format (eg. *p12), the authentication function of the user s certification can be dropped because of the electronic certificate keeping problem, so that the reliability of network communication can be decreased.[2,3] 1

2. Composition of the Computer Security USB Key device To solve the problems in IKE/IKEv2, Computer Security USB Key device is used. The Computer Security USB Key device is composed of CPU, NAND memory, power unit, USB connector. NAND memory is divided into manager region where user can not read and write, virtual CD region where only reading is possible and the user s region where reading and writing are possible. Manager s region is divided into private key storing region, encrypt algorithm region and electronic certificate storing region. In private key storing region of the manager s region the keys(or data that can create key) that can be used in security program or encrypt algorithm can be stored and device serial number for device uniqueness exists. 3. Improved IKE key exchange protocol combined with the Computer Security USB Key device and its Implementation IKE 1 st phase security negotiation process in aggressive mode is used as an example for suggested method. Initiator(i) responder(r) HDR, SA, KE, Ni, IDii, *UMi HDR, SA, KE, Nr, IDir, * UMr, CERT, SIG_R HDR, *CERT, SIG_I In negotiation process, * means that next payloads are encrypted and UMi and UMr are payloads suggested newly in this paper. Improved IKE 1 st phase security negotiation process is as follows. 1 Before the payload SA, KE, Ni and IDii are transmitted, the initiator should get the device 2

serial number from the Computer Security USB Key device, makes UMi payload with device serial number and then encrypts it by using encryption key key1 inside the device (key1 is same for all Computer Security USB Key device) to transmit to the responder. If initiator can t get serial number, IKE 1 st phase security negotiation process is stopped. 2 The responder recognizes the initiator as the legal user which didn t do DoS attack if encrypted UMi payload is decrypted successfully using encryption key key1 of its Computer Security USB Key device and continues next stage. In this stage too, the responder who doesn t have the Computer Security USB Key device can t take part in negotiation, so that the function of principal's identity authentication is raised to protect DoS attack from above two stages. 3 The responder works as the initiator to make UMr payload, generates signature using electronic certification kept in the Computer Security USB Key device of responder and encrypts CERT and SIG_R payload reflected electronic certification and signature as an encryption key(serial number of its Computer Security USB Key device) respectively to send to initiator. (In fact, CERT and SIG_R payload is transmitted as the plain text in aggressive mode. It is important to make these payload encrypt in order to raise the identity authentication function.) 4 After the initiator makes sure the responder s identity by decrypting encrypted UMr, CERT, SIG_R payloads, he makes signature by using electronic certification kept on initiator s Computer Security USB Key device and encrypts CERT and SIG_R with electronic certification and signature as an encryption key(serial number of its Computer Security USB Key device)respectively to send to responder. 5 The responder makes sure the initiator s identity by decrypting encrypted CERT, SIG_I payloads respectively. Encrypt algorithm used in improved IKE 1 st phase security negotiation process can be done by 3

using encrypt algorithm kept on the Computer Security USB Key device. The type of payload(umi, UMr) including the information of Computer Security USB Key device in IPsec(ex, ipsec-tools-0.6.5-9.el5.src.rpm)security program can be defined as follows. #define ISAKMP_NPTYPE_DEV 55 /*device information */ And the structure of this payload can be defined as follows. typedef struct _devinfo_t_ { unsigned char dev_serial[7]; /* the serial number of USB key device */ } devinfo_t; paper. Result analysis and Conclusion The table 1 shows comparison between previous IKE protocol and proposed method in this Table 1. Comparison of security performance Protocol name SA, KE payload protection CERT, SIG payload protection DoS attack prevention extensibility Certificate storage IKE (IKE 1 st phase file aggressive mode) Improved IKE (IKE 1 st phase aggressive mode) IKEv2 Computer Security USB Key Device Where, indicates no support, indicates support. Improved IKE key exchange protocol uses default SA and default KE payload, but encryption algorithm and key used in IKE 1 st phase security negotiation process are encryption algorithm and key kept in computer security USB key device, so that man-in-the-middle attacks 4

to SA payload and KE payload are prevented. And DOS attack is prevented by using UMi, UMr payload with device information of user, electronic certificate and signature payload are encrypted in computer security USB key device and exported, so that reliability for identify authentication is raised. The suggested method can be also applied in IKE v2 protocol. References [1] Chris McNab, Network Security Assessment, O Reilly, 2008, pp.307~329 [2] B. Korver. The Internet IP Security PKI Profile of IKE/ISAKMP, IKEv2, and PKIX. RFC4945, August 2007, pp.1~43. [3] C. Kaufman, et.al, Intenet Key Exchange Protocol Version 2(IKEv2), RFC5996, September 2010, pp. 30~33. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information