Thông tin tài liệu
Network Security Lecture Secure Protocols – IPSec Objectives of Lecture CINS/F1-01 • Revisit the ‘secure channel’ concept from Lecture • Understand the pros and cons of providing security at different network layers • Investigate how IPSec provides security at the Internet layer • Study major applications of IPSec in Virtual Private Networking and secure remote access Contents 5.1 The ‘secure channel’ concept 5.2 Security and network layers 5.3 IPSec 5.1 The ‘Secure Channel’ Concept • We need to guarantee the confidentiality, authenticity and integrity of data travelling over insecure networks • Not just the Internet: LANs to WANs too • Applications: – – – – – – Branch office connectivity Connecting to business partners at remote site Remote access for employees Protecting credit card numbers in e-commerce transactions Electronic voting, tax returns, … … The ‘Secure Channel’ Concept • We achieve this by building a “secure channel” between two end points on an insecure network • Typically offering: – Data origin authentication (but of what: OS? Application? User?) – Data integrity – Confidentiality • But usually not: – Non-repudiation – Any services once data received The ‘Secure Channel’ Concept • Secure channel built usually built as follows: • An authenticated key establishment protocol – During which one or both parties is authenticated – And a fresh, shared secret is established • A key derivation phase – MAC & bulk encryption keys are derived from shared secret • Then further traffic protected using derived keys – MAC gives data integrity mechanism and data origin authentication – Encryption gives confidentiality • Optional: session re-use, fast re-keying, … Typical Cryptographic Primitives Used • Symmetric encryption algorithms – For speed • MAC algorithms – Usually built from hash functions, also fast • Asymmetric encryption and signature algorithms, DiffieHellman – For entity authentication and key exchange (as in Lecture 4) • (Keyed) pseudo-random functions – For key derivation Typical Primitives Used • MAC-protected sequence numbers widely used to prevent replay attacks • Nonces and timestamps often used for freshness in entity authentication exchanges 5.2 Security and Network Layers • But where shall we put security? • Security can be applied at any of the network layers except layer (Physical layer) – Even this is sometimes possible, e.g spread spectrum techniques for limited privacy • What are the pros and cons of applying security at each of these layers? Security and Network Layers • Data Link (Network Interface) layer: covers all traffic on that link, independent of protocols above – e.g link level encryptor (Lecture 2) protection only for one ‘hop’ • Network (Internet) layer: covers all traffic, end-to-end transparent to applications little application control – application has no visibility of Internet layer unnatural, since network layer is stateless and unreliable – order of data in secure channel may be crucial – difficult to maintain if IP datagrams are dropped, re-ordered,… 10 Combining SAs • Often, we want security services provided by both ESP and AH, and may want to provide them at different points in network – ESP only allows MAC after encryption; may desire reverse – May desire AH in transport host-to-host tunnelled inside ESP gateway-to-gateway for Virtual Private Network (VPN) • SAs can be combined using either: – Transport adjacency: more than one SA applied to same IP datagram without tunnelling • Essentially AH + ESP – Iterated tunnelling: multiple levels of nesting of IPSec tunnels; each level with its own SA • Each tunnel can begin/end at different IPSec site along route 31 Required SA Combinations End-to-end application of IPSec between IPSec-aware hosts: – One or more SAs, one of the following combinations: • • • • AH in transport ESP in transport AH followed by ESP, both transport Any of the above, tunnelled inside AH or ESP One or more SAs Local network Internet Local network 32 Required SA Combinations Gateway-to-gateway only: – No IPSec at hosts – Simple Virtual Private Network (VPN) – Single tunnel SA supporting any of AH, ESP (conf only) or ESP (conf+auth) Tunnel SA Local network Internet Local network 33 Required SA Combinations A combination of and above: – Gateway-to-gateway tunnel as in carrying host-to-host traffic as in – Gives additional, flexible security on local networks (between gateways and hosts) – E.g., ESP in tunnel mode carrying AH in transport mode Local network Tunnel SA One or more SAs Internet Local network 34 Required SA Combinations Remote host support: – Single gateway (typically firewall) – Remote host uses Internet to reach firewall, then gain access to server behind firewall – Traffic protected in inner tunnel to server as in case above – Outer tunnel protects inner traffic over Internet Tunnel SA Internet One or more SAs Security Gateway Local network 35 IPSec Key Management • IPSec is a heavy consumer of symmetric keys: – One key for each SA – Different SAs for: {ESP,AH} x {tunnel,transport} x {sender, receiver} • Where these SAs and keys come from? • Two sources: – Manual keying • Fine for small number of nodes but hopeless for reasonably sized networks of IPSec-aware hosts; requires manual re-keying – IKE: Internet Key Exchange, RFC 2409 • RFC documentation hard to follow • IKE is a specific adaptation of more general protocols (“Oakley” and “ISAKMP”) • Protocols have many options and parameters 36 IKE Security Goals • Entity authentication of participating parties • Establishment of a fresh, shared secret – Shared secret used to derive further keys – For confidentiality and authentication of IKE management channel – For SAs for general use • Resistance to Denial-of-Service attacks – Using cookie mechanism • Secure negotiation of all algorithms – Authentication method, key exchange method, group, algorithms for encryption and MAC, hash algorithms • Options for Perfect Forward Secrecy, Deniable Authentication and Identity Protection 37 IKE Phases • IKE operates in two phases – Phase 1: Set up an SA and secure channel to carry further SA negotiation, as well as error and management traffic • Bi-directional • Heavy-duty entity authentication and key exchange • Establishes ISAKMP channel (IPSec key management protocol) – a secure channel for use in Phase – Phase 2: SAs for general use are negotiated • Fast negotiation takes place over Phase secure channel • Many Phase runs allowed for each run of Phase • Multiple SAs can be negotiated per run 38 IKE Phase • Phase is the heavyweight exchange to establish a secure key management channel; two variants: – “Main mode”: slow (6 messages), more cautious, hides details of credentials used and allows perfect forward secrecy -independence of short-term keys – “Aggressive mode”: less negotiation, only messages, more information disclosed • Each of main and aggressive mode allows different authentication mechanisms: – Signature, public-key encryption, revised public-key encryption, pre-shared key (symmetric) – Nonces for freshness – Certificates for authenticity of public keys • Chosen mechanism used to authenticate a Diffie-Hellman key exchange – In one of different fixed groups or using ‘new group mode.’ 39 IKE Phase Main Mode Example We illustrate Phase main mode using ‘authentication with signatures’ (simplified!) (I=Initiator, R=Responder, […]=optional) IR: HDRi, SA_i RI: HDRr, SA_r IR: HDRi, KE_i, N_i [,Cert_Req] RI: HDRr, KE_r, N_r [,Cert_Req] IR: HDRi*{IDii, [Cert_i,] Sig_i} RI: HDRr*{IDir, [Cert_r,] Sig_r} 40 Explanation • Messages and 2: – I and R exchange cookies CKY-I, CKY-R (in HDR fields) and ordered lists of preferred/accepted algorithms (in SA_i,SA_r) – Cookies provide limited anti-DoS measure • Messages and 4: – I and R exchange Diffie-Hellman values (KE_I= gx, KE_r=gy) and nonces (N_i, N_r), request certificates • Messages and 6: – I and R exchange identities, certificates, and signatures on hash of (DH values, nonces, SAs,…) – everything inside *{…} is encrypted using key SKEYID_e derived from DH values and nonces 41 Features of Main Mode • Identity protection – IDii, IDir and Certs only ever transported in encrypted form • Anti-Denial of Service via CKY-I and CKY-R – I and R not perform expensive computations until an exchange of cookies has taken place – Prevents rudimentary DoS based on address spoofing – Attacker spoofing I’s IP address will not receive cookie from R in message and cannot guess correct response in message • Secure negotiation of algorithms – SA_i and SA_r included in signatures 42 Deriving Keys From Phase • Phase agrees Diffie-Hellman key gxy • Further keys derived from this key: SKEYID = prf( N_i | N_r, gxy ) (for signature-based authentication) SKEYID_d = prf( SKEYID, gxy | CKY-I | CKY-R | “0” ) SKEYID_a = prf( SKEYID, SKEYID_d | gxy | CKY-I | CKY-R | “1” ) SKEYID_e = prf( SKEYID, SKEYID_d | gxy | CKY-I | CKY-R | “2” ) • Here, Ni and Nr are nonces in protocol, prf is a pseudorandom function, CKY-I and CKY-R are cookies • SKEYID_d: dual purpose key (used in Phases and 2) • SKEYID_a: key for MAC in ISAKMP channel • SKEYID_e: key for encryption in ISAKMP channel 43 IKE Phase • Only one form for Phase 2: “Quick Mode” • Use Phase ISAKMP secure channel to protect Phase SA exchanges – Can have many Phase exchanges over this secure channel – Spreads cost of heavy-weight Phase • Use fresh nonces and SKEYID_d to seed fresh keys and prevent replays • Can include ‘ephemeral’ DH values for higher security – provides perfect forward secrecy, but slower to execute • Can propose/accept multiple SAs in one Phase protocol run – For greater efficiency via fewer message exchanges 44 Final Notes on IPSec • IKE is carried over UDP; hence unreliable and blocked by some firewalls • IPSec and firewalls have problems working together – Authentication of source IP addresses in AH is the issue – Some firewalls change these addresses on out-bound datagrams • Managing IPSec policy and deployments is complex – Getting it wrong can mean losing connectivity, e.g by making exchanges of routing updates unreadable – Getting it wrong can mean loss of security – Many, many IPSec options, poor documentation • Microsoft have put IPSec into WinXP, replacing PPTP • IPSec now part of standard Linux distribution 45 ... freshness in entity authentication exchanges 5.2 Security and Network Layers • But where shall we put security? • Security can be applied at any of the network layers except layer (Physical layer)... cons of providing security at different network layers • Investigate how IPSec provides security at the Internet layer • Study major applications of IPSec in Virtual Private Networking and secure... for limited privacy • What are the pros and cons of applying security at each of these layers? Security and Network Layers • Data Link (Network Interface) layer: covers all traffic on that link,
Ngày đăng: 09/01/2018, 11:51
Xem thêm:
