IP Security and Key Establishment.ppt

Uploaded by: hopesteam270  Document ID: 376759  Upload date: 2018-10-08  Format: PPT  Pages: 24  Size: 155KB

IP Security and Key Establishment
CS 395T

Plan for the Next Few Lectures
- Today: “systems” lecture on IP Security and design of key exchange protocols for IPSec
  - Defending against denial of service
  - “Real-world” considerations for protocol design
  - No formal methods (yet)
    - But see Cathy Meadows' paper on the website
- Monday: no class (Labor Day)
- Next Wednesday: process algebras
  - Homework assigned (using Murφ)
- Then bring all together: use process algebra and rational reconstruction to understand JFK protocol

IP Security Issues
- Eavesdropping
- Modification of packets in transit
- Identity spoofing (forged source IP addresses)
- Denial of service
- Many solutions are application-specific
  - TLS for Web, S/MIME for email, SSH for remote login
- IPSec aims to provide a framework of open standards for secure communications over IP
  - Protect every protocol running on top of IPv4 and IPv6

IPSec: Network Layer Security
- IPSec = AH + ESP + IPcomp + IKE
  - AH + ESP: protection for IP traffic
    - AH provides integrity and origin authentication
    - ESP also confidentiality
  - IPcomp: compression
  - IKE: sets up keys and algorithms for AH and ESP
- AH and ESP rely on existing security association
  - Roughly, peers must share a set of secret keys and agree on each other's IP addresses and crypto schemes
- Internet Key Exchange (IKE)
  - Goal: establish security association for AH and ESP
  - If IKE is broken, AH and ESP provide no protection!

Transport Mode vs. Tunnel Mode
- Transport mode secures packet payload and leaves IP header unchanged
  - Typically, client-gateway (e.g., PC to remote host)
- Tunnel mode encapsulates both IP header and payload into IPSec packets
  - Typically, gateway-gateway (e.g., router to firewall)
- Transport mode packet: IP header (end-to-end) | IPSec header | TCP/UDP header + data
- Tunnel mode packet: IP header (tunnel) | IPSec header | IP header (end-to-end) | TCP/UDP header + data

AH: Authentication Header
- Provides integrity and origin authentication
- Authenticates portions of the IP header
- Anti-replay service (to counter denial of service)
- No confidentiality
- Header fields:
  - Next header
  - Payload length
  - Reserved
  - Security parameters index (SPI): identifies security association (shared keys and algorithms)
  - Sequence number: anti-replay
  - Authentication data (MAC of IP header, AH data, TCP payload): authenticates source, verifies integrity of payload

ESP: Encapsulated Secure Payload
- Confidentiality and integrity for packet payload
  - Symmetric cipher negotiated as part of security assoc
- Optionally provides authentication (similar to AH)
- Can work in transport or tunnel mode
- Transport mode packet: Original IP header | ESP header | TCP/UDP segment | ESP trailer | ESP auth
- Tunnel mode packet: New IP header | ESP header | Original IP header | TCP/UDP segment | ESP trailer | ESP auth
- The figure brackets mark which parts are encrypted and which are authenticated

Key Management
- Out of band
  - Can set up some keys this way (Kerberos)
- Public-key infrastructure (PKI)
  - Leverage small number of public signing keys by using certificate chains
- Protocols for establishing short-lived session keys
  - Avoid extended use of permanent secrets
  - Forward secrecy
    - Compromise of one session key does not help the attacker to compromise subsequent session keys

- Cryptography reduces many problems to key management

Key Distribution in Kerberos
- Parties: Client, Key Center, Server
- Client and Key Center share symmetric key $K_c$ (offline)
- Server and Key Center share symmetric key $K_s$ (offline)
- Key Center to Client: $\{K_{cs}, \{K_{cs}\}_{K_s}\}_{K_c}$
- Client to Server: $\{K_{cs}\}_{K_s}, \{msg\}_{K_{cs}}$
- Key Center generates session key $K_{cs}$ and distributes it using shared long-term keys

Public-Key Infrastructure (PKI)
- Parties: Client, Certificate Authority, Server ($K_s$)
- Everyone knows CA's public signature verification key $K_a$
- Certificate Authority to Server: certificate $\mathrm{sig}_{K_a}(S, K_s)$ (offline)
- Server to Client: $\mathrm{sig}_{K_a}(S, K_s), \mathrm{sig}_{K_s}(msg)$
- Server certificate can be verified by any client that has CA's public key $K_a$
  - Certificate authority is “offline”

Properties of Key Exchange Protocols
- Goal: generate and agree on session key using some shared initial information
- What other properties are needed?
  - Authentication (know identity of other party)
  - Secrecy (generated key not known to any others)
  - Prevent replay of old key material
  - Forward secrecy
  - Prevent denial of service
  - Protect identities (avoid disclosure to others)
  - Other properties you can think of?

Diffie-Hellman Key Exchange
- Assume finite group $G = \langle S, \cdot \rangle$
  - Choose generator $g$ so every $x \in S$ is $x = g^n$ for some $n$
  - Example: integers modulo prime $p$
- Protocol
  - A to B: $g^a \bmod p$
  - B to A: $g^b \bmod p$
- Alice, Bob share $g^{ab} \bmod p$ not known to anyone else

Diffie-Hellman Key Exchange
- Protocol: A sends $g^a \bmod p$, B sends $g^b \bmod p$
- Questions: Authentication? Secrecy? Replay attack? Forward secrecy? Denial of service? Identity protection?
- Answers shown on the slide, in the order extracted: No; Only against passive attacker; Vulnerable; Yes; Yes

IKE Genealogy
- Diffie-Hellman (1976)
- Station-to-Station (Diffie, van Oorschot, Wiener 1992): + authentication, identity protection
- Photuris (Karn, Simpson 1994-99): + defense against denial of service
- ISAKMP (NSA 1998): “generic” protocol for establishing security associations + defense against replay
- Oakley (Orman 1998): + compatibility with ISAKMP
- IKE (Cisco 1998)
- IKEv2 (IETF draft August 13, 2004)
- JFK (Aiello et al. 2002)

Basic Idea
- A to B: A, ($g^a \bmod p$)
- B to A: B, ($g^b \bmod p$), $\mathrm{sign}_B(m_1, m_2)$
- A to B: $\mathrm{sign}_A(m_1, m_2)$
- Result: A and B share session key $g^{ab} \bmod p$
- Signatures provide authentication, as long as signature verification keys are known

(Simplified) Photuris
- Karn and Simpson
- Parties: I, R (the message diagram is not preserved)
- Figure callouts:
  - Random number (identifies connection)
  - Hash(source & dest IP addrs, CookieI, ports, local secret)

Preventing Denial of Service
- Resource-clogging attacks are a serious issue
  - If responder opens a state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses
- Cookies ensure that the responder is stateless until initiator produced at least 2 messages
  - Responder's state (IP addresses and ports of the connection) is stored in a cookie and sent to initiator
  - After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator
- The cost is 2 extra messages in each execution!

Cookies in Photuris and ISAKMP
- Photuris cookies are derived from local secret, IP addresses and ports, counter, crypto schemes
  - Same (frequently updated) secret for all connections
- ISAKMP requires unique cookie for each connect
  - Add timestamp to each cookie for uniqueness
  - Now responder needs to keep state (“cookie crumb”)
    - Vulnerable to DoS (see Simpson's rant on the course website)
- Inherent conflict: to prevent replay, need to keep state (remember values that you've seen before), but keeping state allows denial of service
  - JFK design gets it right (we'll talk about JFK later)

IKE Overview
- Goal: create security association between 2 hosts
  - Shared encryption and authentication keys, agreement on crypto algorithms (a-la carte, not like SSL suites)
- Two phases: 1st phase establishes security association (IKE-SA) for the 2nd phase
  - Always by authenticated Diffie-Hellman (expensive)
- 2nd phase uses IKE-SA to create actual security association (child-SA) to be used by AH and ESP
  - Use keys derived in the 1st phase to avoid DH exchange
  - Can be executed cheaply in “quick” mode

Why Two-Phase Design?
- Expensive 1st phase creates “main” SA
- Cheap 2nd phase allows to create multiple child SAs (based on “main” SA) between same 2 hosts
  - Avoid multiplexing several conversations over same SA
    - For example, if encryption is used without integrity protection (bad idea!), it may be possible to splice the conversations
  - Different conversations may need different protection
    - Some traffic only needs integrity protection or short-key crypto
    - Too expensive to always use strongest available protection
  - Different SAs for different classes of service
- JFK is a single-phase protocol (talk about it later)

IKEv1 Was a Mess
- Two modes for 1st phase: “main” and “aggressive”
  - Fewer messages in “aggressive” mode, but no identity protection and no defense against denial of service
  - Main mode vulnerable to DoS due to bad cookie design
  - Many field sizes not verified; poor error handling
- Four authentication options for each mode
  - Shared keys; signatures; public keys in 2 different ways
- Special “group” mode for group key establishment
- Grand total of 13 different variants
  - Difficult to implement, impossible to analyze
  - Security problems stem directly from complexity

IKEv2: Phase One
- Parties: I, R (the message diagram is not preserved)
- Figure callouts:
  - Instead of running 2nd phase, “piggyback” establishment of child-SA on initial exchange
  - Initiator reveals identity first
    - Prevents “polling” attacks where attacker initiates IKE connections to find out who lives at an IP addr
  - switch to $K = f(N_i, N_r, \mathrm{crypto}, g^{ab} \bmod p)$

IKEv2: Phase Two (Create Child-SA)
- Parties: I, R (the message diagram is not preserved)
- After Phase One, I and R share key K
- Figure callouts:
  - IP address range, ports, protocol id
  - Optional re-key
  - Crypto suites, protocol (AH, ESP or IPcomp)
- Can run this several times to create multiple SAs

Other Aspects of IKE
- We did not talk about:
  - Interaction with other network protocols
    - How to run IPSec through NAT (Network Address Translation) gateways?
  - Error handling
    - Very important! Bleichenbacher attacked SSL by cryptanalyzing error messages from an SSL server
  - Protocol management
    - Dead peer detection, rekeying, etc.
  - Legacy authentication
    - What if one of the parties does not have a public key?
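
The stateless cookie check from the "(Simplified) Photuris" and "Preventing Denial of Service" slides, as an added Python example that is not part of the lecture. HMAC-SHA-256 stands in for the slide's Hash(...), and the class name, addresses and port are constructed for illustration.

```python
import hashlib
import hmac
import os


class Responder:
    """Responder that allocates state only after a cookie round trip."""
    def __init__(self):
        self.local_secret = os.urandom(32)  # one secret for all connections
        self.state = {}                     # filled only after a valid cookie

    def _cookie(self, src, dst, sport, dport, cookie_i):
        # HMAC-SHA-256 stands in for Hash(addrs, CookieI, ports, local secret).
        fields = f"{src}|{dst}|{sport}|{dport}|".encode() + cookie_i
        return hmac.new(self.local_secret, fields, hashlib.sha256).digest()[:16]

    def first_message(self, src, dst, sport, dport, cookie_i):
        # Answer with the cookie and remember nothing about the sender.
        return self._cookie(src, dst, sport, dport, cookie_i)

    def second_message(self, src, dst, sport, dport, cookie_i, cookie_r):
        # Regenerate the cookie from the packet itself and compare.
        expected = self._cookie(src, dst, sport, dport, cookie_i)
        if not hmac.compare_digest(expected, cookie_r):
            return False
        self.state[(src, sport, cookie_i)] = "key exchange in progress"
        return True

    def rotate_secret(self):
        # "Frequently updated" secret: cookies issued earlier stop verifying.
        self.local_secret = os.urandom(32)


def demo():
    r = Responder()
    dst, dport = "203.0.113.1", 468  # constructed responder address and port
    # 1000 first messages from constructed sources that never answer.
    for n in range(1000):
        r.first_message(f"198.51.100.{n % 250}", dst, 1024 + n, dport, os.urandom(8))
    idle_state = len(r.state)
    # An initiator that really receives replies completes the round trip.
    ci = os.urandom(8)
    cr = r.first_message("192.0.2.7", dst, 5000, dport, ci)
    accepted = r.second_message("192.0.2.7", dst, 5000, dport, ci, cr)
    # The same cookie presented from another source address does not verify.
    moved = r.second_message("192.0.2.99", dst, 5000, dport, ci, cr)
    r.rotate_secret()  # a cookie issued under the old secret is now stale
    stale = r.second_message("192.0.2.7", dst, 5000, dport, ci, cr)
    return idle_state, accepted, moved, stale, len(r.state)
```

`demo()` returns the state-table size after the unanswered first messages, the three verification results, and the final table size.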
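
An added receive-path sketch for the fields on the "AH: Authentication Header" slide, not code from the lecture: the SPI selects the security association, the MAC is verified, and the sequence number drives the anti-replay check. It goes beyond the slide in using a 64-entry sliding window and a 12-byte truncated HMAC-SHA-256 (both assumptions), and the MAC here covers only the AH header and payload, not the IP header.

```python
import hashlib
import hmac
import struct

WINDOW = 64   # assumed anti-replay window size; the slide gives none
ICV_LEN = 12  # assumed MAC truncation for this sketch


def build_ah(key, spi, seq, payload, next_header=6):
    """Sender side for constructed samples: AH header + MAC + payload."""
    hdr = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    mac = hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha256).digest()
    return hdr + mac[:ICV_LEN] + payload


class SecurityAssociation:
    def __init__(self, key):
        self.key = key
        self.highest = 0  # newest authenticated sequence number
        self.seen = 0     # bit i set: number (highest - i) already accepted

    def receive(self, packet):
        """Return the payload, or None for a malformed, forged or replayed packet."""
        if len(packet) < 12 + ICV_LEN:
            return None
        _nh, length, _rsv, _spi, seq = struct.unpack("!BBHII", packet[:12])
        if (length + 2) * 4 != 12 + ICV_LEN:  # Payload length: 32-bit words minus 2
            return None
        icv, payload = packet[12:12 + ICV_LEN], packet[12 + ICV_LEN:]
        offset = self.highest - seq
        if seq == 0 or offset >= WINDOW or (offset >= 0 and (self.seen >> offset) & 1):
            return None  # never-valid number, left of the window, or duplicate
        mac = hmac.new(self.key, packet[:12] + bytes(ICV_LEN) + payload, hashlib.sha256)
        if not hmac.compare_digest(mac.digest()[:ICV_LEN], icv):
            return None
        if offset < 0:  # only an authenticated packet may slide the window
            shift = min(-offset, WINDOW)
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << offset
        return payload


def deliver(sa_table, packet):
    """Pick the security association by SPI (bytes 4..8), then verify."""
    sa = sa_table.get(struct.unpack("!I", packet[4:8])[0]) if len(packet) >= 8 else None
    return sa.receive(packet) if sa else None
```

Passing the same `build_ah` packet to `deliver` twice returns the payload and then `None`; a packet with a bad MAC and a large sequence number leaves `highest` unchanged, so later genuine packets are still accepted.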
