Advanced Computer Networks SS2004 IPSec (IP Security) Florian Limberger
Outline: Introduction; Internet Key Exchange; IPSec Protocols and Modes; Management Control
Motivation: where to put security? Application security: really secure (end-to-end); applications must be modified; examples: ssh, sftp, https. Network (IP)-layer security (IPSec): general security; applications remain unchanged; applications must rely on the security of the lower layer.
IPSec overview: designed by the IETF (RFCs 2401, 2402, 2406, 2408, 2409); a framework rather than a single protocol; high granularity (different modes for each flow); different security services; optional for IPv4, mandatory for IPv6.
Security services: access control; integrity; authentication; anti-replay service; confidentiality.
Main parts. 1st part (connection setup): peer authentication; negotiation of cryptographic parameters; agreement on shared secret keys; IKE (Internet Key Exchange), SA (Security Association). 2nd part (bulk data transfer): application of security services; AH (Authentication Header), ESP (Encapsulating Security Payload).
SA (security association): a kind of connection, uniquely identified by 3 parameters. Security Parameters Index (SPI): local significance only, identifies the SA. IP Destination Address: address of the destination endpoint of the SA. Security Protocol Identifier: AH or ESP.
SA parameters: lifetime of this SA; AH/ESP information (authentication/encryption algorithm, keys, lifetime); IPSec protocol mode (tunnel, transport); anti-replay window; sequence number counter; ...
IKE (Internet Key Exchange): connection setup; peer authentication; key exchange; SA creation and negotiation; on-demand creation of keys; UDP, port 500; ISAKMP (Internet Security Association and Key Management Protocol); uses the Diffie-Hellman key exchange algorithm.
IKE Phase 1: plaintext messages; peer authentication through pre-shared keys (PSK), RSA keys, or X.509 certificates; creation of the ISAKMP SA.
IKE Phase 2: encrypted messages (with key from Phase 1); second set of shared secret keys; the Phase 1 SA is used to set up IPSec SAs; usually (at least) two unidirectional IPSec SAs; Phase 2 is repeated to change keys, the Phase 1 SA remains.
Data encryption and authentication: 2 attributes. Protocol: controls whether the data packet is protected by confidentiality or message authentication (or both). Mode: controls in what way and how much of the data packet is protected.
AH (Authentication Header): IP protocol 51; 24 bytes; provides data integrity and authentication. Integrity: undetected modification not possible. Authentication: authenticates the sender; spoofing attacks not possible (src and dst fields are protected).
[Figure: AH]
Integrity Check Value (ICV): contained within the authentication data field; hashed message authentication code (HMAC); hash over: secret key, payload, immutable parts of the IP header; using the first 96 bits; HMAC-MD5-96, HMAC-SHA-1-96.
Anti-replay service: use of a sequence number; retransmission of a packet -> different number; receiver has an anti-replay window; duplicated packets are discarded; if exhausted (2^32) -> create a new SA.
ESP (Encapsulating Security Payload): IP protocol 50; provides message contents confidentiality and limited traffic flow confidentiality; optional: authentication services.
[Figure: ESP]
Encryption: symmetric cipher (performance); 3DES, RC5, IDEA, CAST, Blowfish; padding: necessary for block ciphers, useful for partial traffic flow confidentiality.
IPSec protocol modes. Transport mode: protection for upper-layer protocols; end-to-end, between two hosts; encryption of payload only; authentication of payload + header (only AH). Tunnel mode: protection of the entire IP packet; old packet is packed into a new one; tunnel: security gateway <-> security gateway, or security gateway <-> host; used for Virtual Private Networks.
[Figure: IPSec modes]
[Figure: AH modes (transport, tunnel)]
[Figure: ESP modes (transport, tunnel)]
AH vs. ESP: originally AH only integrity, ESP only confidentiality; AH not possible with NAT; AH prevents spoofing; ESP: HMAC after trailer -> faster.
Management control: IPSec protection is based on policy choices defined in the SPD, established and maintained by a user. Security Policy Database (SPD): defines a subset of IP traffic (IP address (src, dst), ports, transport-layer protocol, etc.); points to an SA.
Inbound traffic: the IPSec "layer" receives a packet from the network; the headers of the packet are analysed; if IPSec was used to transmit: determine the SA details (via the SPI), then consult the SA database to validate/decipher the packet; once validated/deciphered, the appropriate action for the packet is determined and it is forwarded according to the rules in the SPD.
Outbound traffic: the IPSec "layer" receives data to be sent; it consults the SPD to determine what should be done; if IPSec is to be used: the IPSec engine recovers the SA and checks the SAD; if no entry exists, one will be created (IKE, etc.); rules for the flow are considered; if not, the packet is processed normally.
References: Computer Networks, Larry Peterson & Bruce S. Davie; Cryptography and Network Security, William Stallings.