SeoulTech UCS Lab, 2014-1st, IP Security, 2014. 03. 24. 오대명, 오현석. Email: ohs4401@naver.com, wdm1517@gmail.com. Copyright (c) 2014 by USC Lab. All Rights Reserved.
Course Introduction
1. IP Security Overview
2. IP Security Policy
3. Encapsulating Security Payload
4. Combining Security Associations
5. Internet Key Exchange
6. Cryptographic Suites
1. IP Security Overview
What is IPsec?
IPsec framework choices (one selection from each row):
- IPsec protocol: ESP, ESP+AH, AH
- Encryption: DES, 3DES, AES
- Authentication: MD5, SHA
- Diffie-Hellman group: DH1, DH2
(DES and MD5 are listed for completeness. Current IPsec algorithm guidance, RFC 8221, rates single DES and HMAC-MD5 as MUST NOT and 3DES as SHOULD NOT; RFC 8247 likewise rates DH group 1 as MUST NOT and group 2 as SHOULD NOT.)
IPsec Security Services
- Confidentiality
- Data integrity
- Origin authentication
- Anti-replay protection
Applications of IPsec
[Figure] A main-site LAN (server cluster, security gateway) and a branch or business-partner site with an IPsec router are connected across the Internet; a SOHO router and a mobile laptop also reach the main site. Inside each site packets travel as IP HDR | IP Payload; across the Internet they travel as IP HDR | IPsec HDR | IP Payload.
IPsec Documents
RFC 2411  IP Security Document Roadmap
RFC 2401  IPsec Architecture
RFC 2402  AH (Authentication Header) Protocol
RFC 2403  The Use of HMAC-MD5-96 within ESP and AH
RFC 2404  The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405  The ESP DES-CBC Cipher Algorithm
RFC 2406  ESP (Encapsulating Security Payload) Protocol
RFC 2407  IPsec DOI (Domain of Interpretation for ISAKMP)
RFC 2408  ISAKMP Protocol
RFC 2409  IKE (Internet Key Exchange) Protocol
These are the original 1998 documents. They have been obsoleted by RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and RFC 7296 (IKEv2), and RFC 6071 replaces the roadmap; the IKEv2 and cryptographic-suite sections later in this deck refer to the newer versions.
2. IP Security Policy
SA (Security Association)
An IPsec SA is a one-way logical connection between a sender and a receiver that provides security services to the traffic carried on it. If a peer relationship is needed for two-way secure exchange, two SAs are required, one in each direction.
An SA is uniquely identified by three parameters:
- Security Parameters Index (SPI)
- IP Destination Address
- Security Protocol Identifier (AH or ESP)
SAD (Security Association Database)
The SAD holds the parameters associated with each SA. An SA is defined by the following parameters in an SAD entry:
- Security Parameters Index (SPI)
- Sequence Number Counter
- Sequence Counter Overflow flag (whether overflow should generate an audit event and stop the SA)
- Anti-Replay Window
- AH Information (algorithm, keys, key lifetimes)
- ESP Information (encryption and integrity algorithms, keys, IVs, key lifetimes)
- Lifetime of this SA
- IPsec Protocol Mode (tunnel, transport or wildcard)
- Path MTU
SPD (Security Policy Database)
The SPD is the means by which IP traffic is related to specific SAs (or to no SA at all, for BYPASS and DISCARD traffic). Each SPD entry is defined by a set of selectors that it matches against the packet:
- Remote IP Address
- Local IP Address
- Next Layer Protocol
- Name
- Local and Remote Ports
Example SPD
Topology: Remote office LAN 192.168.1.0/24 (HOST_A and HOST_B behind Router_A) -- IPsec tunnel over the Internet -- Router_B, in front of the corporate office HTTP server 192.168.2.1.

Router_A SPD
Protocol  Local IP         S_Port  Remote IP        D_Port  Action   Comment
TCP       192.168.1.0/24   *       192.168.2.1/32   80      PROTECT  Encrypt to server
ICMP      192.168.1.0/24   *       *                *       BYPASS

Router_B SPD
Protocol  Local IP         S_Port  Remote IP        D_Port  Action   Comment
TCP       192.168.2.1/32   80      192.168.1.0/24   *       PROTECT  To remote office

Entries are searched in order and the first match applies; traffic that matches no entry is discarded.
IP Traffic Processing (1/2): Processing Model for Outbound Packets
1. Search the Security Policy Database with the packet's selectors.
   - No match found: discard the packet.
   - Match found: determine the policy action.
2. DISCARD: drop the packet. BYPASS: forward the packet via IP without IPsec processing.
3. PROTECT: search the Security Association Database for the SA named by the SPD entry.
   - No match found: invoke Internet Key Exchange to create the SA.
   - Match found (or SA just created): process the packet with AH/ESP, then forward it via IP.
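The outbound decision above, as an added example that is not part of the original slides: an SPD with selector matching and the PROTECT / BYPASS / DISCARD branches, driven by Router_A's policy table from the example SPD. The packet dictionaries, the SPI values and the `negotiate_sa` stand-in for IKE are all constructed for the example.

```python
"""Added example (not from the slides): an SPD lookup plus the outbound
processing decision from the flow above, driven by the Router_A policy
table in the example SPD. Packets and SPI values are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP_PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}


@dataclass(frozen=True)
class SpdEntry:
    protocol: Optional[int]            # None means '*'
    local_net: str                     # CIDR, e.g. "192.168.1.0/24"
    local_port: Optional[int]          # None means '*'
    remote_net: str
    remote_port: Optional[int]
    action: str                        # PROTECT, BYPASS or DISCARD
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        """Selector match: protocol, local/remote address and port."""
        return (
            (self.protocol is None or self.protocol == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.local_net)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.remote_net)
            and (self.local_port is None or self.local_port == pkt["sport"])
            and (self.remote_port is None or self.remote_port == pkt["dport"])
        )


@dataclass
class SadEntry:
    spi: int
    protocol: str   # "ESP" or "AH"
    mode: str       # "tunnel" or "transport"


# Router_A's SPD from the slide. Entries are ordered; the first match wins (RFC 4301, 4.4.1).
ROUTER_A_SPD = [
    SpdEntry(IP_PROTO["TCP"], "192.168.1.0/24", None, "192.168.2.1/32", 80, "PROTECT", "Encrypt to server"),
    SpdEntry(IP_PROTO["ICMP"], "192.168.1.0/24", None, "0.0.0.0/0", None, "BYPASS"),
]


def lookup_spd(spd, pkt):
    """Return the first matching SPD entry, or None (RFC 4301: no match means discard)."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


def outbound(spd, sad, pkt, negotiate_sa):
    """Outbound processing model. `sad` maps an SPD entry to its SadEntry;
    `negotiate_sa` stands in for IKE and is called only when PROTECT has no SA yet."""
    entry = lookup_spd(spd, pkt)
    if entry is None or entry.action == "DISCARD":
        return ("DISCARD", None)                  # never fall through to plaintext
    if entry.action == "BYPASS":
        return ("BYPASS", None)                   # forward via IP without IPsec
    sa = sad.get(entry)
    if sa is None:                                # PROTECT but no SA: invoke IKE
        sa = negotiate_sa(entry)
        sad[entry] = sa
    return ("PROTECT", sa.spi)                    # process with AH/ESP, then forward


def stub_ike(entry):
    """Stand-in for IKE (constructed): hands out a fixed SPI for the example."""
    return SadEntry(spi=0x1001, protocol="ESP", mode="tunnel")


if __name__ == "__main__":
    sad = {}
    web = {"proto": 6, "src": "192.168.1.10", "sport": 40000, "dst": "192.168.2.1", "dport": 80}
    print(outbound(ROUTER_A_SPD, sad, web, stub_ike))        # ('PROTECT', 4097)
    print(outbound(ROUTER_A_SPD, sad, dict(web, dport=443), stub_ike))  # ('DISCARD', None)
```

Two points the table alone does not show: the SAD is consulted only on the PROTECT branch, and IKE is invoked once per SPD entry, after which the cached SA is reused; and a packet that matches nothing is discarded rather than sent in the clear, which is what keeps a typo in the selectors from silently leaking traffic.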
IP Traffic Processing (2/2): Processing Model for Inbound Packets
1. Examine the type of the inbound IP packet.
2. IPsec packet (AH or ESP): search the Security Association Database (by SPI, destination address and protocol).
   - No match found: discard the packet.
   - Match found: process AH/ESP (verify the ICV, check anti-replay, decrypt) and deliver the packet to the higher layer.
3. Non-IPsec packet: search the Security Policy Database.
   - BYPASS: deliver the packet to the higher layer.
   - Not BYPASS (PROTECT or DISCARD), or no match found: discard the packet.
Summary
IKE performs the key exchange and establishes the IKE SA; over that protected channel the peers negotiate a pair of IPsec SAs (one per direction); ESP then protects the data flowing over them.
3. Encapsulating Security Payload
ESP (Encapsulating Security Payload)
- ESP is IP protocol number 50 (carried in the Protocol / Next Header field of the enclosing IP header).
- Encryption algorithms supported: DES, 3DES, AES.
- Authentication algorithms supported: HMAC-MD5, HMAC-SHA-1.
- Provides confidentiality
- Ensures data integrity
- Provides origin authentication
- Provides anti-replay protection
[Figure] Router A and Router B exchange packets whose data payload is encrypted.
ESP Format
 0               8              16              24             31
+---------------------------------------------------------------+ ---
|               Security Parameters Index (SPI)                 |  ^
+---------------------------------------------------------------+  |
|                       Sequence Number                         |  | ICV
+---------------------------------------------------------------+  | coverage   ---
|                   Payload Data (variable)                     |  |             ^
+---------------------------------------------------------------+  |             | encrypted
|                   Padding (0-255 bytes)                       |  |             |
+-----------------------------------------------+---------------+  |             |
|                               |  Pad Length   |  Next Header  |  v             v
+---------------------------------------------------------------+ ---           ---
|            Integrity Check Value - ICV (variable)             |
+---------------------------------------------------------------+
Fields:
- Security Parameters Index (32 bits)
- Sequence Number (32 bits)
- Payload Data (variable); if the cipher needs an initialization vector (IV), it is carried at the start of this field
- Optional traffic flow confidentiality (TFC) padding, after the payload and before the Padding field
- Padding (0-255 bytes)
- Pad Length (8 bits)
- Next Header (8 bits)
- Integrity Check Value (variable), optional
Encryption and Authentication Algorithms
The Payload Data, Padding, Pad Length and Next Header fields are encrypted by the ESP service. The ICV field is optional; it is present only if the integrity service is selected. The ICV is computed after encryption is performed, over the SPI, Sequence Number and the ciphertext. Because of this order the receiver can verify the ICV before decrypting, and discard a forged or corrupted packet at the cost of one MAC computation, which reduces the impact of denial of service (DoS) attacks.
Padding
- The Padding field expands the plaintext to the length required by the encryption algorithm (a multiple of the cipher block size).
- The ESP format requires that the Pad Length and Next Header fields be right-aligned within a 32-bit word, so the trailer must end on a 4-octet boundary regardless of the cipher.
- Additional padding may be added to provide partial traffic-flow confidentiality by concealing the actual length of the payload.
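The ESP layout, padding rule and encrypt-then-ICV order of the last three slides, as an added example that is not part of the original slides. The cipher is ESP-NULL (RFC 2410, an identity transform) so that the example runs on the standard library alone; the ICV is HMAC-SHA1-96 as in RFC 2404. The key and payload are constructed test data, and `NH_TCP` / `NH_IPIP` are names chosen here for the two Next Header values.

```python
"""Added example (not from the slides): build and parse an ESP packet with
the RFC 4303 layout shown above. The cipher is ESP-NULL (RFC 2410, an
identity transform) so the example runs with only the standard library;
the ICV is HMAC-SHA1-96 (RFC 2404). Key and payload are constructed test data."""
import hashlib
import hmac
import struct

ICV_LEN = 12             # HMAC-SHA1-96: the 20-byte HMAC-SHA-1 output truncated to 96 bits
NH_TCP, NH_IPIP = 6, 4   # Next Header: 6 = TCP (transport mode), 4 = IP-in-IP (tunnel mode)


class EspError(Exception):
    pass


def esp_pad(payload: bytes, align: int = 4) -> bytes:
    """Default padding of RFC 4303 2.4: bytes 1, 2, 3, ... chosen so that
    Payload + Padding + Pad Length + Next Header ends on a 4-octet boundary.
    A block cipher would raise `align` to its block size (16 for AES-CBC)."""
    pad_len = (-(len(payload) + 2)) % align
    return bytes(range(1, pad_len + 1))


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    pad = esp_pad(payload)
    trailer = pad + struct.pack("!BB", len(pad), next_header)
    # NULL cipher: Payload Data, Padding, Pad Length and Next Header pass through unchanged.
    # With a real cipher, payload + trailer is exactly the span that would be encrypted.
    body = struct.pack("!II", spi, seq) + payload + trailer
    # The ICV covers SPI .. Next Header and is computed over the ciphertext (encrypt-then-MAC).
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(packet: bytes, auth_key: bytes):
    """Return (spi, seq, next_header, payload). The ICV is verified before any
    decryption or trailer parsing, so a forged packet costs one HMAC and nothing more."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise EspError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time comparison
        raise EspError("bad ICV")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    plaintext = body[8:-2]                           # NULL "decryption"
    if pad_len > len(plaintext):
        raise EspError("bad pad length")
    payload = plaintext[:len(plaintext) - pad_len]
    if plaintext[len(payload):] != bytes(range(1, pad_len + 1)):
        raise EspError("bad padding")
    return spi, seq, next_header, payload


if __name__ == "__main__":
    key = b"constructed-20-byte-key!"
    pkt = esp_encapsulate(0x1001, 1, b"GET / HTTP/1.1\r\n", NH_TCP, key)
    print(len(pkt), esp_decapsulate(pkt, key))
```

Tunnel mode differs only in what goes into `payload`: a complete inner IP packet, with `next_header=NH_IPIP`, instead of a transport segment with `NH_TCP`. The receiver reads Pad Length and Next Header from the end of the decrypted span, not from a fixed offset, which is why the trailer sits after the payload.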
Anti-Replay Service
A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination. The Sequence Number field is designed to thwart such attacks: the sender increments it for every packet on the SA, and the receiver accepts each value at most once.
[Figure] Sliding window of fixed size W (default 64). N is the highest sequence number received so far (right edge); the window covers N-W+1 .. N. A slot is marked when a valid packet with that number has been received and unmarked when that packet has not yet been received. A valid packet numbered N+1 or higher advances the window to the right; a packet to the left of the window, or one whose slot is already marked, is discarded.
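The window from the slide as an added example, not code from the original deck: the bitmap form that RFC 4303 3.4.3 describes, with W = 64. The receive order matters and is spelled out: replay check first, then ICV, and the slot is marked only after the ICV verifies, so a forged packet cannot advance the window.

```python
"""Added example (not from the slides): the sliding anti-replay window described
above, as RFC 4303 3.4.3 specifies it, with window size W = 64 kept as a bitmap.
check() is what the receiver does before verifying the ICV; mark() is done only
after the ICV verifies, so forged packets cannot advance the window."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.last_seq = 0        # N, the right edge: highest sequence number accepted so far
        self.bitmap = 0          # bit i set  <=>  sequence number (last_seq - i) already received

    def check(self, seq: int) -> bool:
        """True if seq is new: to the right of the window, or inside it and not yet marked."""
        if seq == 0:
            return False                       # 0 is never sent on an SA (RFC 4303 2.2)
        if seq > self.last_seq:
            return True                        # new packet to the right: will advance the window
        age = self.last_seq - seq
        if age >= self.size:
            return False                       # left of the window (older than N-W+1): too old
        return not (self.bitmap >> age) & 1    # inside the window: reject if already marked

    def mark(self, seq: int) -> None:
        """Record seq as received; call only after check() passed and the ICV verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq        # slide right; slots falling off the left are forgotten
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> bool:
        """Receive-side order: replay check, then integrity check, then mark."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.mark(seq)
        return True


if __name__ == "__main__":
    w = AntiReplayWindow()
    print([w.receive(s) for s in (1, 1, 5, 3, 100, 36, 37)])  # [True, False, True, True, True, False, True]
```

Because the window forgets everything older than N-W+1, a packet that arrives more than 64 positions late is dropped even if it is genuine; that is the trade-off the fixed window makes in favour of constant memory. The 32-bit counter must never wrap on one SA (the Sequence Counter Overflow flag in the SAD), which is why long-lived SAs are rekeyed or use extended sequence numbers.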
AH (Authentication Header)
- AH is IP protocol number 51.
- Does not provide confidentiality (no encryption)
- Ensures data integrity
- Provides origin authentication
- Uses HMAC-MD5 or HMAC-SHA-1 as the integrity mechanism
- Provides anti-replay protection
[Figure] Router A and Router B exchange packets in which all data is in plaintext; only the AH integrity check protects it.
AH Format
IPv4 header, followed by the AH header:
 0       4       8              16   19          24             31
+-------+-------+---------------+-----+--------------------------+
|Version|  IHL  |Type of Service|          Total Length          |
+-------+-------+---------------+-----+--------------------------+
|        Identification         |Flags|      Fragment Offset     |
+---------------+---------------+-----+--------------------------+
| Time To Live  | Protocol = 51 |         Header Checksum        |
+---------------+---------------+--------------------------------+
|                       Source IP Address                        |
+----------------------------------------------------------------+
|                     Destination IP Address                     |
+----------------------------------------------------------------+
AH header:
 0               8              16                              31
+---------------+---------------+--------------------------------+
|  Next Header  |Payload Length |            Reserved            |
+---------------+---------------+--------------------------------+
|                Security Parameters Index (SPI)                 |
+----------------------------------------------------------------+
|                        Sequence Number                         |
+----------------------------------------------------------------+
|             Integrity Check Value - ICV (variable)             |
+----------------------------------------------------------------+
Next Header carries the protocol of the data that follows AH; Payload Length is the length of AH in 32-bit words minus 2.
Transport and Tunnel Modes
Both AH and ESP support two modes of use: transport mode and tunnel mode.
- Transport mode provides protection primarily for upper-layer protocols. For example, ESP transport-mode protection extends to the payload of an IP packet but not to its IP header. Transport mode is used for end-to-end communication between two hosts.
- Tunnel mode provides protection to the entire IP packet. The AH or ESP fields are added to the original IP packet, and the entire packet plus the security fields is treated as the payload of a new outer IP packet with a new outer IP header. Tunnel mode has been deployed widely to implement Virtual Private Networks (VPNs).
ESP Transport Mode (Protocol Operation for ESP)
Original IP packet:        Orig IP HDR | Data
Append ESP trailer:        Orig IP HDR | Data | ESP Trailer
Encrypt Data + ESP Trailer with the secret key (DES, 3DES or AES) to produce the Ciphertext
Prepend ESP header:        Orig IP HDR | ESP HDR | Ciphertext
Authenticate ESP HDR + Ciphertext with the secret key (HMAC-MD5 or HMAC-SHA-1) and append the result
Final packet:              Orig IP HDR | ESP HDR | Ciphertext | ESP AUTH

ESP Tunnel Mode (Protocol Operation for ESP)
Original IP packet:        Orig IP HDR | Data
Append ESP trailer:        Orig IP HDR | Data | ESP Trailer
Encrypt the whole original packet + ESP Trailer with the secret key (DES, 3DES or AES) to produce the Ciphertext
Prepend ESP header and a new outer IP header:  NEW IP HDR | ESP HDR | Ciphertext
Authenticate ESP HDR + Ciphertext with the secret key (HMAC-MD5 or HMAC-SHA-1) and append the result
Final packet:              NEW IP HDR | ESP HDR | Ciphertext | ESP AUTH

AH Transport Mode (Protocol Operation for AH)
Original IP packet:        Orig IP HDR | Data
Insert AH after the IP header:  Orig IP HDR | AH HDR | Data
Hash the whole packet with the secret key (HMAC-MD5 or HMAC-SHA-1), mutable IP header fields and the Authentication Data field treated as zero; place the result in AH as the Authentication Data
Final packet:              Orig IP HDR | AH HDR | Data

AH Tunnel Mode (Protocol Operation for AH)
Original IP packet:        Orig IP HDR | Data
Prepend AH and a new outer IP header:  NEW IP HDR | AH HDR | Orig IP HDR | Data
Hash the whole packet with the secret key (HMAC-MD5 or HMAC-SHA-1) and place the result in AH as the Authentication Data
Final packet:              NEW IP HDR | AH HDR | Orig IP HDR | Data
Summary: Tunnel Mode and Transport Mode Functionality
Transport Mode SA
- AH: authenticates the IP payload and selected (immutable) portions of the IP header.
- ESP: encrypts the IP payload (transport-level segment) and the ESP trailer; with the authentication option, also authenticates the ESP header, the IP payload and the ESP trailer.
Tunnel Mode SA
- AH: authenticates the entire inner IP packet plus selected (immutable) portions of the outer IP header.
- ESP: encrypts the inner IP packet and the ESP trailer; with the authentication option, also authenticates the ESP header, the inner IP packet and the ESP trailer.
4. Combining Security Associations
Security Association Bundle
A sequence of SAs through which traffic must be processed to provide a desired set of IPsec services.
- Transport adjacency: applying more than one security protocol to the same IP packet without invoking tunneling.
- Iterated tunneling: the application of multiple layers of security protocols through IP tunneling.
Authentication Plus Confidentiality: ESP with the authentication option
The sender first applies ESP to the data to be protected and then appends the authentication data (ICV) field.
- Transport mode ESP: the IP header is not protected, neither encrypted nor authenticated.
- Tunnel mode ESP: the entire inner IP packet is protected by the privacy mechanism for delivery to the inner IP destination; the outer IP header is still unprotected.
[Figure] Protocol Operation for ESP, transport mode and tunnel mode (the same sequence of steps as the ESP Transport Mode and ESP Tunnel Mode slides above).
Authentication Plus Confidentiality
Transport adjacency
- Another way to apply authentication after encryption is to use two bundled transport SAs, with the inner being an ESP SA and the outer an AH SA.
- Advantage: the authentication covers more fields, including the source and destination IP addresses.
- Disadvantage: the overhead of two SAs versus one SA.
Transport-tunnel bundle
- Applies authentication prior to encryption: an inner AH transport SA and an outer ESP tunnel SA.
- The authentication data are themselves protected by encryption, so they cannot be intercepted and altered without detection.
- It may be desirable to store the authentication information with the message at the destination for later reference.
IPsec Architecture: the four combinations of SAs
Case 1. All security is provided between end systems that implement IPsec. For any two end systems to communicate via an SA, they must share the appropriate secret keys.
Case 2. Security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPsec.
Case 3. Builds on case 2 by adding end-to-end security between the hosts, carried inside the gateway-to-gateway tunnel.
Case 4. Supports a remote host that uses the Internet to reach an organization's firewall and then to gain access to some server or workstation behind the firewall.
5. Internet Key Exchange
The Key Management Portion of IPsec
The key management portion of IPsec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both integrity and confidentiality (two SAs, one per direction, each with an integrity key and an encryption key).
Internet Key Exchange
The IPsec Architecture document mandates support for two types of key management:
- Manual: a system administrator manually configures each system with its own keys and with the keys of the other communicating systems. This is practical for small, relatively static environments.
- Automated: an automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.
Internet Key Exchange Protocol
The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley (this combination is IKEv1; the current version, IKEv2, folds both into a single protocol, RFC 7296).
- Oakley Key Determination Protocol: a key exchange protocol based on the Diffie-Hellman algorithm but providing added security (cookies, nonces and authentication of the exchange).
- ISAKMP (Internet Security Association and Key Management Protocol): provides a framework for Internet key management and the specific protocol support, including message formats, for negotiating security attributes.
Key Determination Protocol
IKE key determination is a refinement of the Diffie-Hellman key exchange algorithm.
The Diffie-Hellman algorithm has two attractive features:
- Secret keys are created only when needed.
- The exchange requires no pre-existing infrastructure other than agreement on the global parameters.
The Diffie-Hellman algorithm has three disadvantages:
- It provides no information about the identities of the parties.
- It is subject to a man-in-the-middle attack.
- It is computationally intensive, and is therefore vulnerable to a clogging attack in which an opponent requests a large number of keys.
Features of IKE Key Determination
The IKE key determination algorithm is characterized by five important features:
- It employs a mechanism known as cookies to thwart clogging attacks. Cookie generation and acknowledgement depend on the specific parties, and generation and verification are fast.
- It enables the two parties to negotiate a group; this defines the global parameters of the Diffie-Hellman key exchange and identifies the algorithm.
- It uses nonces to ensure against replay attacks: a locally generated random number is included in the response message and is returned in protected (encrypted or signed) form.
- It enables the exchange of Diffie-Hellman public key values.
- It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks. Three authentication methods: digital signatures, public-key encryption, symmetric-key encryption.
Cookie Exchange
- A cookie exchange is used to thwart clogging attacks.
- Each side sends a pseudorandom number, the cookie, in its initial message, and the other side must acknowledge it.
- The acknowledgement is repeated in the first message of the Diffie-Hellman key exchange; if the source address was forged, the attacker never sees the cookie and the exchange goes no further, so the responder spends no Diffie-Hellman computation on it.
Basic requirements for cookie generation:
- The cookie must depend on the specific parties.
- It must not be possible for anyone other than the issuing entity to generate cookies that will be accepted by that entity; the issuing entity uses local secret information in the generation and subsequent verification of a cookie.
- Cookie generation and verification must be fast, to thwart attacks that try to exhaust processor resources.
Recommended method: perform a fast hash (e.g. MD5) over the IP source and destination addresses, the UDP source and destination ports, and a locally generated secret value.
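The cookie mechanism of this slide, as an added example that is not code from the original deck. The slide's recommendation is a fast hash over addresses, ports and a local secret; this example uses HMAC-SHA-256 for that purpose (a keyed hash fits the "local secret" requirement directly) and adds a version byte so the secret can be rotated without invalidating cookies already in flight. The `Responder` class, the addresses and the ports are constructed for the example; `dh_operations` only counts where the expensive work would happen.

```python
"""Added example (not from the slides): a stateless cookie of the kind described
above. The slide suggests a fast hash such as MD5 over addresses, ports and a local
secret; this example uses HMAC-SHA-256 for the same purpose and adds a secret
version byte so the secret can be rotated. Addresses and ports are constructed."""
import hashlib
import hmac
import ipaddress
import os
import struct

COOKIE_MAC_LEN = 8


class CookieIssuer:
    def __init__(self, secret: bytes = None):
        self.secret = secret or os.urandom(32)   # local secret: nobody else can forge our cookies
        self.previous = None                     # last secret, accepted during a grace period
        self.version = 0

    def rotate(self) -> None:
        self.previous, self.secret = self.secret, os.urandom(32)
        self.version = (self.version + 1) & 0xFF

    @staticmethod
    def _mac(secret, version, src_ip, src_port, dst_ip, dst_port) -> bytes:
        # The cookie depends on the specific peer: addresses and UDP ports (500/4500 for IKE)
        msg = (bytes([version])
               + ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
               + struct.pack("!HH", src_port, dst_port))
        return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_MAC_LEN]

    def issue(self, src_ip, src_port, dst_ip, dst_port) -> bytes:
        return bytes([self.version]) + self._mac(self.secret, self.version,
                                                 src_ip, src_port, dst_ip, dst_port)

    def verify(self, cookie: bytes, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Stateless: recompute from the packet's own addresses and the local secret."""
        if len(cookie) != 1 + COOKIE_MAC_LEN:
            return False
        version = cookie[0]
        if version == self.version:
            secret = self.secret
        elif self.previous is not None and version == (self.version - 1) & 0xFF:
            secret = self.previous
        else:
            return False
        expected = self._mac(secret, version, src_ip, src_port, dst_ip, dst_port)
        return hmac.compare_digest(cookie[1:], expected)


class Responder:
    """Keeps no per-peer state and does no Diffie-Hellman work until the peer has
    echoed a valid cookie, which shows it can receive at its claimed source address."""
    def __init__(self):
        self.cookies = CookieIssuer()
        self.dh_operations = 0

    def handle_init(self, src_ip, src_port, dst_ip, dst_port, cookie: bytes = None):
        if cookie is None or not self.cookies.verify(cookie, src_ip, src_port, dst_ip, dst_port):
            return ("COOKIE", self.cookies.issue(src_ip, src_port, dst_ip, dst_port))
        self.dh_operations += 1   # the expensive key exchange work happens only now
        return ("KE_RESPONSE", None)


if __name__ == "__main__":
    r = Responder()
    kind, cookie = r.handle_init("203.0.113.5", 500, "198.51.100.1", 500)
    print(kind, cookie.hex(), r.dh_operations)                                   # COOKIE ... 0
    print(r.handle_init("203.0.113.5", 500, "198.51.100.1", 500, cookie), r.dh_operations)  # KE_RESPONSE 1
```

The cookie is bound to the source address, so a flood of forged first messages costs the responder one HMAC each and no memory; a cookie replayed from a different address fails verification and merely earns a fresh cookie. IKEv2 keeps the same idea as the COOKIE notification in IKE_SA_INIT.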
IKEv2 Exchanges
Initial exchange
- First exchange (IKE_SA_INIT): the two peers exchange information on the cryptographic algorithms, nonces, Diffie-Hellman values and other security parameters to be used. After this exchange a special SA called the IKE SA is established, which defines the parameters of a secure channel between the peers.
- Second exchange (IKE_AUTH): the two parties authenticate each other and set up the first IPsec SA, which is used to protect ordinary (non-IKE) communication between the peers.
CREATE_CHILD_SA exchange: used to establish further SAs for protecting traffic.
Informational exchange: used to exchange management information, IKEv2 error messages, and so on.
Header and Payload Formats
- IKE Header Format: defines the procedures and packet formats used to establish, negotiate, modify and delete security associations.
- Payload Header: the payload formats provide a consistent framework that is independent of the specific key exchange protocol, encryption algorithm and authentication mechanism in use.
IKE Header
- Initiator SPI (64 bits): a value chosen by the initiator to identify a unique IKE security association (SA).
- Responder SPI (64 bits): a value chosen by the responder to identify a unique IKE SA.
- Next Payload (8 bits): indicates the type of the first payload in the message.
- Major Version (4 bits): indicates the major version of IKE in use.
- Minor Version (4 bits): indicates the minor version in use.
- Exchange Type (8 bits): indicates the type of exchange.
- Flags (8 bits): indicates specific options set for this IKE exchange.
- Message ID (32 bits): used to control retransmission of lost packets and matching of requests and responses.
- Length (32 bits): length of the total message (header plus all payloads) in octets.
Generic Payload Header
Every IKE payload begins with the same 4-octet generic header (RFC 7296 3.2):
 0               8              16                              31
+---------------+-+-------------+--------------------------------+
|  Next Payload |C|  RESERVED   |         Payload Length         |
+---------------+-+-------------+--------------------------------+
- Next Payload (8 bits): the type of the payload that follows this one (0 = none); the payloads form a chain that starts at the Next Payload field of the IKE header.
- C (1 bit): the critical bit. A receiver that does not understand a payload with C set must reject the whole message; a payload it does not understand with C clear may be skipped.
- Payload Length (16 bits): the length of this payload in octets, including the generic header.
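The IKE header and the payload chain of the last two slides, as an added example that is not code from the original deck: a packer and a parser with the checks a receiver needs before acting on a message (major version, Length field against the datagram, each Payload Length against what remains, the critical bit on unknown payloads, and the chain ending exactly at the end of the message). The field layout is RFC 7296 3.1 and 3.2; the sample IKE_SA_INIT message, its SPI and its placeholder payload bodies are constructed.

```python
"""Added example (not from the slides): pack and parse the IKEv2 header (28 octets)
and the chain of generic payload headers, with the checks a receiver needs before
acting on a message. Field layout follows RFC 7296 3.1 and 3.2; the SPI, payload
contents and unknown type code used in the sample messages are constructed."""
import struct

IKE_HDR = struct.Struct("!QQBBBBII")   # I-SPI, R-SPI, Next Payload, Version, Exchange Type, Flags, Message ID, Length
PAYLOAD_HDR = struct.Struct("!BBH")    # Next Payload, C bit + 7 reserved bits, Payload Length (includes these 4 octets)
IKE_SA_INIT, IKE_AUTH = 34, 35
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NO_NEXT_PAYLOAD, PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE = 0, 33, 34, 40
KNOWN_PAYLOADS = {PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE}


class IkeError(Exception):
    pass


def build_message(ispi, rspi, exchange, flags, msg_id, payloads):
    """payloads: list of (type, critical, body). Each header's Next Payload names the one after it."""
    body = b""
    for i, (ptype, critical, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        body += PAYLOAD_HDR.pack(nxt, 0x80 if critical else 0, PAYLOAD_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    version = (2 << 4) | 0                      # major 2, minor 0
    hdr = IKE_HDR.pack(ispi, rspi, first, version, exchange, flags, msg_id, IKE_HDR.size + len(body))
    return hdr + body


def parse_message(msg: bytes):
    """Return (header dict, [(type, critical, body), ...]); raise IkeError on malformed input."""
    if len(msg) < IKE_HDR.size:
        raise IkeError("truncated IKE header")
    ispi, rspi, nxt, version, exchange, flags, msg_id, length = IKE_HDR.unpack_from(msg)
    if version >> 4 != 2:
        raise IkeError(f"unsupported major version {version >> 4}")
    if length != len(msg):
        raise IkeError("Length field does not match message size")
    header = {"initiator_spi": ispi, "responder_spi": rspi, "exchange": exchange, "flags": flags,
              "message_id": msg_id, "is_initiator": bool(flags & FLAG_INITIATOR),
              "is_response": bool(flags & FLAG_RESPONSE)}
    payloads, offset = [], IKE_HDR.size
    while nxt != NO_NEXT_PAYLOAD:
        if offset + PAYLOAD_HDR.size > len(msg):
            raise IkeError("truncated payload header")
        following, crit_res, plen = PAYLOAD_HDR.unpack_from(msg, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > len(msg):
            raise IkeError(f"bad payload length {plen} at offset {offset}")
        critical = bool(crit_res & 0x80)
        body = msg[offset + PAYLOAD_HDR.size:offset + plen]
        if nxt in KNOWN_PAYLOADS:
            payloads.append((nxt, critical, body))
        elif critical:
            raise IkeError(f"unknown critical payload type {nxt}")   # RFC 7296 2.5: must reject
        # an unknown payload with the critical bit clear is skipped
        offset, nxt = offset + plen, following
    if offset != len(msg):
        raise IkeError("trailing bytes after the last payload")
    return header, payloads


def sample_ike_sa_init_request() -> bytes:
    """Constructed IKE_SA_INIT request: SA, KE and Nonce payloads with placeholder bodies."""
    return build_message(0x1122334455667788, 0, IKE_SA_INIT, FLAG_INITIATOR, 0, [
        (PAYLOAD_SA, False, b"\x00" * 8),
        (PAYLOAD_KE, False, struct.pack("!HH", 14, 0) + b"\x11" * 16),  # DH group 14, short placeholder value
        (PAYLOAD_NONCE, False, b"\x22" * 16),
    ])


if __name__ == "__main__":
    hdr, payloads = parse_message(sample_ike_sa_init_request())
    print(hdr["exchange"], hdr["is_initiator"], [p[0] for p in payloads])   # 34 True [33, 34, 40]
```

Checking each Payload Length against the remaining message, rather than trusting it, is what keeps a crafted length from reading past the datagram; and rejecting on a critical unknown payload while skipping a non-critical one is the behaviour RFC 7296 requires so that extensions can be added without breaking old peers.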
6. Cryptographic Suites
Cryptographic Suites
- IPsec requires a variety of cryptographic algorithms. To promote interoperability, two RFCs define recommended cryptographic suites.
- RFC 4308 defines two suites for virtual private networks:
  - VPN-A matches the common corporate VPN security in use at the time; it requires 3DES and HMAC.
  - VPN-B provides stronger security and is recommended for new VPNs that implement IPsecv3 and IKEv2; it requires AES.
- RFC 4869 defines four optional cryptographic suites compatible with the United States National Security Agency's (NSA) Suite B specification, with choices for both ESP and IKE: AES-GCM, AES-CBC, HMAC-SHA (SHA-256 and SHA-384), ECP Diffie-Hellman groups, and ECDSA. (RFC 4869 has since been replaced by RFC 6379, which keeps the same four suites.)

Cryptographic Suites for IPsec (RFC 4308)
                    VPN-A                     VPN-B
ESP encryption      3DES-CBC                  AES-CBC (128-bit key)
ESP integrity       HMAC-SHA1-96              AES-XCBC-MAC-96
IKE encryption      3DES-CBC                  AES-CBC (128-bit key)
IKE PRF             HMAC-SHA1                 AES-XCBC-PRF-128
IKE integrity       HMAC-SHA1-96              AES-XCBC-MAC-96
IKE DH group        1024-bit MODP (group 2)   2048-bit MODP (group 14)

Suite B suites (RFC 4869 / RFC 6379): Suite-B-GCM-128, Suite-B-GCM-256 (ESP with AES-GCM, 128- or 256-bit keys) and Suite-B-GMAC-128, Suite-B-GMAC-256 (ESP integrity only, with AES-GMAC); IKE in each uses AES-CBC, HMAC-SHA-256 or HMAC-SHA-384, a 256- or 384-bit ECP group and ECDSA authentication.
By today's guidance (RFC 8221 and RFC 8247) VPN-A is no longer acceptable: 3DES and the 1024-bit group are SHOULD NOT, and the AES-GCM suites are the preferred choice.