Cisco Network Security • Chapter 7 775 RSA RSA shares many similarities with the DH algorithm in that RSA is also based on multiplying and factoring large integers. However, RSA is significantly faster than DH, leading to a split in the asymmetric cryptography field that refers to DH and similar algorithms as Public Key Distribution Systems (PKDS) and RSA and similar algorithms as PKE. PKDS systems are used as session-key exchange mechanisms, while PKE systems are generally considered fast enough to encrypt reasonably small messages. However, PKE systems like RSA are not considered fast enough to encrypt large amounts of data such as entire file systems or high-speed communica- tions lines. RSA, DH, and other asymmetric algorithms use much larger keys than their symmetric counterparts. Common key sizes include 1024 bits and 2048 bits; the keys need to be this large because factoring, while still a difficult operation, is much easier to perform than the exhaustive key search approach used with symmetric algorithms. The RSA algorithm has been in the public domain since RSA Security placed it there two weeks before the patent expired in September 2000. It is now freely available for use by anyone, for any purpose. It commonly used in applications such as PGP and SSH. In fact, you can down- load a freeware version of PGP from www.pgpi.org/products/pgp/versions/freeware if you want to experiment and learn more about PKE. Skeme and Oakley Protocols The Oakley protocol describes a series of key exchanges, called modes, and details the services provided by each (for example, perfect forward secrecy for keys, identity protection, and authenti- cation).The Skeme protocol describes a versatile key exchange technique that provides anonymity, reputability, and quick key refreshment.Their relationship to Internet Security Association and Key Management Protocol (ISAKMP) is fairly straightforward: where Oakley defines modes of exchange, ISAKMP defines phases of when each is applied. IPsec Concepts The security architecture for IP (IPsec) is a suite of security services for traffic at the IP layer. It is an open standard, defined in RFC 2401 and several following RFCs. IPsec was developed by the IETF as part of IPv6 and can be implemented in IPv4. IPsec is a framework of open standards that operates at Layer 3 of the OSI model, which means that it can protect communications from the network layer (IP) and up. IPsec protocols can supply access control, authentication, data integrity, and confidentiality for each IP packet between two participating network nodes. IPsec can be used between two hosts (including clients), a gateway and a host, or two gateways. IPsec establishes a secure tunnel between endpoints, and provides authentication and encryption services to protect transported data. IPsec provides two security protocols used for transferring data: Encapsulating Security Payload (ESP) and Authentication Header (AH). AH provides connectionless integrity, data origin authentication, and anti-replay service for the IP packet. AH does not encrypt the data, but any modification of the data would be detected. ESP provides confidentiality through the encryption www.syngress.com 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 775 776 Chapter 7 • Cisco Network Security of the payload. Access control is provided through the use and management of keys to control participation in traffic flows. The only required encryption algorithm in an IPsec implementation is DES, which is defined in RFC 1829. DES is considered inadequate protection and is being phased out in favor of stronger encryption such as 3DES, AES, and Blowfish.To provide authentication features, IPsec uses the two algorithms HMAC-SHA-1 and HMAC-MD5. A security association (SA) is the agreement between two systems participating in an IPsec connection. A SA represents a simplex connection to provide a security service using a selected policy and keys, between two nodes. A Security Parameter Index (SPI), an IP destination address, and a protocol identifier are used to identify a particular SA. The SPI is an arbitrary, 32-bit value selected by the destination system that uniquely identifies a particular SA among several associations that may exist on a specific node.The protocol identi- fier can indicate either AH or ESP, but not both. Separate SAs are created for each protocol, and for each direction between systems. If two systems were using AH and ESP in both directions, then they would form four SAs. VPN Terminology The follow technologies and mechanisms are integral to IPsec operations. ■ Transform-Set Defines IPsec protocols to use for authentication and/or encryption. ■ Crypto Map Binds transform set, the peer, and the data to be encrypted. ■ Dynamic Crypto Map A crypto map before information is provided by the peer. ■ ISAKMP The framework for policy negotiations and key management. ■ Internet Key Exchange (IKE) Authenticates IPsec peers negotiates IKE and IPsec SAs. Also, it establishes keys for encryption algorithms used by IPsec. ■ MD5 The algorithm used to hash keys and pass the hash instead of passing the key or password. Hash algorithm used to authenticate packet data. ■ SHA-1 The algorithm used to hash keys and pass the hash instead of passing the key or password.The hash algorithm used to authenticate packet data. ■ AH Data authentication and integrity for IP packets passed between two different sys- tems, but not data confidentiality. Applies a keyed one-way hash function to the packet to create a message digest. ■ ESP Data confidentiality, data origin authentication, integrity, and optional anti-replay. Encrypts the packet payload and/or authentication packets. ■ DES Employs a 56-bit key to encrypt and decrypt packet data. ■ 3DES A variant of the 56-bit DES. Data is broken into 64-bit blocks and processed three times with three unique 56-bit keys. ■ DH Public key cryptography protocol that allows two parties to establish a shared secret key used by encryption algorithms over some type of insecure channel. www.syngress.com 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 776 Cisco Network Security • Chapter 7 777 ■ RSA Signatures Public key cryptographic system used for authentication. ■ Certificate Authorities (CA) Digital identification card to each querying device. IPsec IPsec’s main design goals are to provide the follow functionality: ■ Data Confidentiality Encrypt packets before transmitting them across a network so only the communicating peers can read it. ■ Data Integrity Authenticate packets sent by the IPsec sender to ensure the data has not been altered during transmission. Each peer can determine if a received packet was changed during transit. ■ Data Origin Authentication Authenticate the source of the IPsec packets sent.The receiver can check the identity of a packet’s sender. ■ Antireplay The receiver can detect and reject replayed packets, protecting it from spoofing and MITM attacks. IPsec Core Layer 3 Protocols: ESP and AH ESP and AH are the main IPsec protocols used to protect data. Applying AH or ESP to an IP packet modifies its contents to varying degrees, from the header to the payload. An extra header is inserted between the IP header and the packet contents. See Figures 7.31 and 7.32 for illustra- tions of how these transformations are performed.AH provides no confidentiality because no encryption is used. N OTE AH is always broken by NAT. www.syngress.com Figure 7.31 AH Encapsulation Before Applying IPSec After Applying AH Authenticated Original IP Header TCP Header Data AH Original IP Header Data TCP Header 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 777 778 Chapter 7 • Cisco Network Security AH The AH (RFC2402) provides packet authentication and anti-replay services. AH can be deployed in either transport or tunnel mode. In transport mode, the AH is inserted after the IP header and before an upper-layer protocol (such as TCP, UDP, and ICMP), or before any other previ- ously inserted IPsec headers. The AH (IP protocol 51) ensures: ■ Data Integrity Calculates a hash of the entire IP packet, including the original IP header (not including variable fields such as the TTL), the data part of the packet, and the AH (excluding the field that will contain the calculated hash value) [either Message Authentication Code (MAC) or a digital signature]. MD5 or SHA-1 uses an extra value to calculate the hash (known only to the participating parties).The receiver performs calculations and compares to the sender’s results: if they match, the packet is declared authentic. ■ Data Origin Authentication The AH provides source IP authentication. Since the source IP is included in the data, its integrity is guaranteed. ■ Replay Protection The AH uses an IPsec sequence number to protect against replay attacks. In order to use Network Address Translation (NAT), you need to configure static NAT trans- lations.This is due to AH being incompatible with NAT because NAT changes the source IP address.This, in turn, will break the AH header and cause the packets to be rejected by the IPsec peer or peers. ESP ESP (RFC2406) provides data encryption, data authentication, and optional anti-replay services. ESP can be used on its own or with AH packet authentication. ESP encapsulates the data and can be deployed in either transport or tunnel mode. In transport mode, ESP is placed after the IP www.syngress.com Figure 7.32 ESP Encapsulation Before Applying IPSec After Applying ESP (transport mode) Original IP Header TCP Header Data ESP Header Original IP Header Data TCP Header ESP Trailer ESP Auth Encrypted Authenticated 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 778 Cisco Network Security • Chapter 7 779 header (and any options that it contains), and before the upper layer protocol.This makes ESP and AH compatible with non-IPsec-compliant routers. Tunnel mode ESP may be employed in either hosts or security gateways. In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header.The position of ESP in tunnel mode relative to the outer IP header is the same as for ESP in transport mode. ESP (IP protocol 50) features: ■ Pads a packet to prevent traffic analysis, and encrypts the result with ciphers such as DES, 3DES, AES, or Blowfish. ■ Optional authentication using the same algorithms as the AH protocol. Header informa- tion is not included in the authenticated data, which allows ESP-protected packets to pass through NAT. Authentication data is calculated after encryption. ■ Optional antireplay features. ESP can perform most of AH’s functions. ESP works on encapsulation principles: all data is encrypted and then placed between a header and a trailer.This differentiates it from AH, where only a header is created. IPsec Communication Modes:Tunnel and Transport IPsec has a transport mode and a tunnel mode.Transport mode only affects the data payload and does not modify the original IP header. In transport mode, the AH or ESP header is inserted after the IP header, but before any upper-layer protocol headers. Tunnel mode encapsulates the entire original packet as the data portion of a new packet with its own IP header. (AH and/or ESP headers are created in both modes.) Transport mode is used when both the receiver and the sender are endpoints of the communication (for example, two hosts communicating directly to each other).Tunnel mode is more convenient for site-to site VPNs because it allows tunneling of traffic through the channel established between two gateways. Transport Mode Transport will place an AH or ESP header right after the original IP header and before upper- layer data (TCP header and application data). If ESP is applied to the packet, only this upper- layer data is encrypted. If optional ESP authentication is used, only upper-layer data, not the IP header, is authenticated. If AH is applied to the packet, both the original IP header and the upper-layer data are authenticated. Figure 7.33 shows what happens to the packet when IPsec is applied in transport mode. www.syngress.com 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 779 780 Chapter 7 • Cisco Network Security AH authenticates the original IP header, but does not protect the fields that are modified in the course of routing IP packets. ESP only protects what comes after the ESP header. If the secu- rity policy between two nodes requires a combination of security services, the AH header appears first after the IP header, followed by the ESP header.This combination of SAs is called an SA bundle. Tunnel Mode Tunnel mode, the most common mode of operation, allows the establishment of an encrypted and authenticated IP tunnel between two sites.The original packet is encrypted and/or authenti- cated and encapsulated as the data payload of a new IP packet.The new IP header is added to it with the destination address of the receiving gateway.The ESP and/or AH header is inserted between this new header and the data portion.The receiving gateway performs decryption and authentication of the packet, extracts the original IP packet (including the original source/desti- nation IPs), and forwards it to the destination network. Figure 7.34 demonstrates the encapsula- tion performed in tunnel mode. www.syngress.com Figure 7.33 Packet Structure in Transport Mode Before Applying IPSec After Applying AH Authenticated (except for mutable fields After Applying ESP Original IP Header TCP Header Data AH Original IP Header Data TCP Header ESP Header Original IP Header Data TCP Header ESP Trailer ESP Auth Encrypted Authenticated 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 780 Cisco Network Security • Chapter 7 781 If the AH is used, both the original IP header and the new IP header are protected (authenti- cated), but if ESP is used, even with the authentication option, only the original IP address, not the sending gateway’s IP address, is protected.This behavior makes it difficult to spoof an IPsec packet without knowing many technical parameters.The exclusion of the new IP header from authenticated data also allows tunnels to pass through devices that perform NAT. When the new header is created, most of the options from the original IP header are mapped onto the new one—for example, the ToS field. In tunnel mode, the original IP header and payload are encapsulated by the IPsec protocols. A new IP header that specifies the IPsec tunnel destination is prepended to the packet.The original IP header and its payload are protected by the AH or ESP headers. In Figure 7.34, you can see that, as in transport mode, AH offers some protection for the entire packet, but does not protect the fields that are modified in the course of routing IP packets between the IPsec tunnel end- points. It does, however, completely protect the original IP header. IPsec Architecture In simplified terms, IPsec provides three main functions: ■ Authentication only, provided through the AH protocol ■ Authentication and confidentiality (encryption), provided through the ESP protocol ■ Key exchange, provided either manually or through the IKE protocol www.syngress.com Figure 7.34 Packet Structure in Tunnel Mode Before Applying IPsec AH Tunnel mode Authenticated ESP Tunnel mode Original IP Header TCP Header Data AH Encrypted Authenticated New IP Header Original IP Header TCP Header Data New IP Header Original IP Header TCP Header Data ESP Trailer ESP Auth ESP header 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 781 782 Chapter 7 • Cisco Network Security IPsec provides secure communications between two endpoints (IPsec peers).These communi- cations are essentially sets of SAs and define which protocols should be applied to sensitive packets, as well as the keying between the two peers. Multiple IPsec tunnels can exist between two peers, securing different data streams, with each communication having a separate set of SAs. IKE IKE is a key management protocol used in IPsec to create an authenticated, secure communica- tion channel between two entities and then negotiate the SAs for IPsec. IKE offers several advan- tages over manually defined keys (manual keying): ■ Eliminates manual configuration of keys ■ Allows you to specify a lifetime for IPsec SA ■ Allows encryption keys to change during IPsec sessions ■ Supports the use of public key-based authentication and CAs ■ Allows dynamic authentication of peers ISAKMP and IKE ISAKMP (RFC 2408) describes authenticated key exchange methods.This is a generic protocol and is not tied to IPsec or any other key-using protocol. It can be implemented directly over IP or any transport layer protocol. When partially combined with Oakley (RFC 2412) and Secure Key Exchange Mechanism (SKEME) key exchange protocols, the result is the IKE (RFC 2409). Although not strictly correct, the terms IKE and ISAKMP are often used interchangeably, even in Cisco where IKE is configured with the isakmp command. IKE negotiates in two phases, both of which use UDP port 500. 1. Phase 1 Peers negotiate and set up a secure, authenticated, bi-directional ISAKMP SA to handle Phase 2 negotiations. One such SA between a pair of peers can handle negoti- ations for multiple IPsec SAs.The peers agree on the encryption algorithm, hash algo- rithm, authentication method, and DH group to exchange keys and information. Peers mutually authenticate, agree on encryption and authentication algorithms to protect subsequent IKE traffic, exchange keys via DH, and lastly, establish an IKE SA (SA). IKE SAs are bi-directional; each IKE connection between peers has only one IKE SA associated with it. 2. Phase 2 Peers negotiate IPsec (ESP and/or AH) as required. IPsec SAs are unidirec- tional (a different key is used in each direction) and are always negotiated in pairs to handle two-way traffic.There may be more than one pair defined between two peers. They agree on the IPsec protocol, hash algorithm, and encryption algorithm. Multiple SAs will result from Phase 2 negotiations. An SA is created for the inbound and out- bound of each protocol used. IKE Phase 2 negotiates one or more IPsec SAs to be used for the IPsec tunnel between these peers. It uses key material from IKE Phase 1 to derive IPsec keys.The initiating peer identifies www.syngress.com 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 782 Cisco Network Security • Chapter 7 783 what traffic it wants to protect and what encryption/authentication algorithms it supports.The receiving peer then agrees on a single protection set for this traffic and establishes keys needed for this protection set. NOTE Do not confuse IPsec SAs with IKE SAs. IKE SAs create the tunnel used by IPsec SAs. There is only one IKE SA between two devices, but there can be multiple IPsec SAs for the same IKE SA. While having different phases adds some overhead in processing, there are advantages to this approach: ■ Trust between peers is established in IKE Phase 1 and IKE Phase 2. ■ Key material established in the first phase can be used in the second phase. ■ Renegotiations of the first phase can be assisted by the second-phase data. IKE Phase 1 has two modes: main mode and aggressive mode. Main mode uses three exchanges between peers; each exchange consists of two messages, a request, and a reply for a total of six packets exchanged. ■ First Exchange Negotiates the parameters for protection of the IKE connection. Initiator sends a proposition that includes one encryption algorithm (DES, 3DES, and so on) and one authentication algorithms (pre-shared secret, RSA PKE with DH exchange group 1 and 2, or public key RSA signature (certificates).The receiver selects a pair that it can support; otherwise, no agreement means that the IKE tunnel cannot be estab- lished. ■ Second Exchange DH key establishment between peers with exchange of nonces (hashes that only the other peer can interpret) , which confirm the message was sent by the same host of the previous exchange. ■ Third Exchange Authentication of the peers using the agreed-on methods: public keys signatures, PKE, or a pre-shared secret. Protected by an encryption method selected in the first exchange. At the end of the first phase, each host has an IKE SA, which specifies all parameters for this IKE tunnel: the authentication method, the encryption and hashing algorithm, the DH group used, the lifetime for this IKE SA, and the key values. Aggressive mode exchanges only three packets.The first two packets in this exchange include almost everything in one message; each host sends a proposed protection set, DH values and authentication values.The third packet is for confirmation after the IKE SA is already established. Everything travels on the wire in cleartext and can be eavesdropped on or spoofed, though the only effective attack is an DOS to one of the peers. www.syngress.com 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 783 784 Chapter 7 • Cisco Network Security Phase 2 quick mode is repeated several times using the same IKE SA established in Phase 1. Each exchange results in the establishment of two IPsec SAs by each peer. One is used for inbound protection, and the other for outbound protection. During the exchange, peers agree on the IPsec SA parameters and send each other a new nonce deriving DH keys from the ones established in Phase 1. When the IPsec SA lifetime expires, a new SA is negotiated in the same manner. Figure 7.35 summarizes the flow of the IKE protocol. Phase 2 Quick Mode can use Perfect Forward Secrecy (PFS) that uses encryption keys not derived from previous ones. PFS is achieved by performing a new DH key establishment in each quick mode. Another mode in Phase 2 is new group mode, which is not related to the setup of IPsec parameters and is used to change the parameters of the DH group used in IKE Phase 1. SAs IPsec SAs define how two or more IPsec peers will use security protocols (AH or ESP) to com- municate securely on behalf of a particular flow. SAs contain the shared secret keys used to pro- tect data in a particular flow, as well as their lifetimes. SAs are unidirectional connections and are unique per security protocol (AH or ESP).This means that if both AH and ESP services are required, two or more SAs have to be created. In a two-way communication, each party has at least two IPsec SAs: the sender and receiver each have one outgoing SA and one incoming SA, as shown in Figure 7.36. www.syngress.com Figure 7.35 IKE Phases and Modes Main Mode Agressive Mode Quick Mode with PFS Quick Mode without PFS YES NO PFS? Main or Agressive? IPsec Tunnel Established New IPsec Tunnel or Key Renewal. Phase 1 IKE SA Negotiation Phase 2 IPsec SA Negotiation (2) 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 784 [...]... from the client to the AP 2 The EAP-Request/Identity is sent from the AP to the client with a request for the client’s identity 3 The EAP-Response/Identity is sent from the client to the AP with the required information Authentication Phase for LEAP Authentication This phase depends on the mutual authentication method chosen for the client and the authentication server For LEAP, the process is: 1 The. .. www.syngress.com 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 80 7 Cisco Network Security • Chapter 7 80 7 3 The AP encrypts the broadcast key and the session key to send the new encrypted key to the client .The client will then use the session key to decrypt it The client and the AP activate the WEP APs and clients will use the session and broadcast WEP keys for all communications that occur during the session Session... phases: the start phase, the authenticate phase, and the finish phase .The following sections show the process that the client and AP go through so that the client can also talk to the RADIUS server Start Phase for LEAP Authentication In the start phase, information (in packet form) is transferred between the client and APs: 1 The EAPOW-Start (called EAPOL-Start in 80 2.1x for wired networks) starts the authentication... does the IPsec SA debug crypto isakmp 20:26: 58: ISAKMP (8) : beginning Main Mode exchange 20:26: 58: ISAKMP (8) : processing SA payload message ID = 0 ISAKMP starts trying to match ISAKMP policy Once a policy match is made, the peers will begin the authentication phase, where they authenticate each other www.syngress.com 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 80 3 Cisco Network Security • Chapter 7 80 3... dynamic; otherwise, it is difficult to fix security holes I It must have the ability to support PKI and certificate schemes www.syngress.com 253_BDCisco_07.qxd 80 8 10/15/03 11:37 AM Page 80 8 Chapter 7 • Cisco Network Security The Objectives of the 80 2.1x Standard The IEEE 80 2.1x Working Group provides a security framework for port-based access control that resides in the upper layers such as new authentication... functions with the following steps: 1 The station requests service by sending an authentication frame to its target AP 2 The AP replies to the authentication frame with its own, which contains 1 28 octets of challenge text 3 The station encrypts the challenge text with the shared encryption key and returns to the AP 4 The AP decrypts the encrypted challenge with the shared key and compares it with the original... these devices and prevent unauthorized access and use The IEEE 80 2.11 committee is working on 80 2.1x to provide a framework for 80 2-based networks authenticating from centralized servers Cisco introduced Light Extensible Authentication Protocol (LEAP) authentication to their wireless products, which adds several enhancements to the 80 2.11 authentication system, including the following: I Mutual authentication... features .The current IEEE 80 2.11 standard is severely limited because it is available only for the current open and shared key authentication scheme, which is non-extensible Some of these requirements for the future security include the following: I The creation of new 80 2.11 authentication methods I These authentication methods must be independent of the underlying 80 2.11 hardware I Authentication methods... 76716 284 5 20:26:59: ISAKMP (8) : Creating IPsec SAs 20:26:59: inbound SA from 192.1 68. 55.1 to 192.1 68. 55.2 (proxy 192.1 68. 55.1 to 192.1 68. 55.2) 20:26:59: has spi 45 488 6490 and conn_id 9 and flags 4 20:26:59: lifetime of 600 seconds www.syngress.com 253_BDCisco_07.qxd 80 4 10/15/03 11:37 AM Page 80 4 Chapter 7 • Cisco Network Security 20:26:59: lifetime of 46 080 00 kilobytes 20:26:59: outbound SA from 192.1 68. 55.2... port on an 80 2.1x switch and AP, the switch port can determine the authenticity of the devices Only Extensible Authentication Protocol Over LAN (EAPOL) (see the following list) frames can be sent and received on that port until the authentication is complete When the device is properly authenticated, the port switches traffic as though it were a regular port Following is some terminology for the 80 2.1x . SA. YES NO NO NO YES YES Traffic Bad Authentication Good Authentication and SA 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 788 Cisco Network Security • Chapter 7 789 containing the other peer’s nonce, decrypted with the local. for packet. 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 787 788 Chapter 7 • Cisco Network Security Authentication Methods IPsec peers must negotiate and authenticate each other using a common authentication. IP Header Data TCP Header ESP Trailer ESP Auth Encrypted Authenticated 253_BDCisco_07.qxd 10/15/03 11:37 AM Page 780 Cisco Network Security • Chapter 7 781 If the AH is used, both the original IP header and the new IP header are protected (authenti- cated),