andreas steffen, 29.06.2015, siemens-2.pptx 1 strongswan workshop for siemens block 2 internet key...
TRANSCRIPT
Andreas Steffen, 29.06.2015, Siemens-2.pptx 1
strongSwan Workshop for Siemens
Block 2Internet Key Exchange
Prof. Dr. Andreas Steffen
Andreas Steffen, 29.06.2015, Siemens-2.pptx 2
Internet Key Exchange – IKEv1 Main Mode
IKEHeader
IKEHeader
DH KeyExchange
DH KeyExchange Nr
Nr4
3IKEHeader
IKEHeader
DH KeyExchange
DH KeyExchange Ni
Ni
IKEHeader
IKEHeader
ISAKMP SAProposal
ISAKMP SAProposal 1
IKEHeader
IKEHeader
ISAKMP SAResponse
ISAKMP SAResponse2
5IKEHeader
IKEHeader
encrypted
IDiIDi Certi
Certi SigiSigi encrypte
dIKE
Header
IKEHeader6 IDr
IDr CertrCertr Sigr
Sigr
• IKEv1 Quick Mode – another three messages to negotiate traffic selectors
ResponderInitiator UDP/500
Andreas Steffen, 29.06.2015, Siemens-2.pptx 3
IKEv2 – Authentication and first Child SA
• IKE_SA_INIT exchange pair
• IKE_AUTH exchange pair
IKEHeader
IKEHeader
1SA1iSA1i KEi
KEi NiNi
2 IKEHeader
IKEHeader SA1r
SA1r KErKEr Nr
Nr
3IKEHeader
IKEHeader
encrypted
IDiIDi Certi
Certi
AuthiAuthi
IDrIDr
SA2iSA2i TSi
TSi TSrTSr
4
encrypted
IKEHeader
IKEHeader IDr
IDr CertrCertr Authr
Authr
SA2rSA2r TSi
TSi TSrTSr
ResponderInitiator UDP/500
Andreas Steffen, 29.06.2015, Siemens-2.pptx 4
Cookie Mechanism against DoS Attacks
IKEHeader
IKEHeader
1SA1iSA1i KEi
KEi NiNi
2 IKEHeader
IKEHeader N(COOKIE)N(COOKIE)
ResponderInitiator UDP/500
4 IKEHeader
IKEHeader SA1r
SA1r KErKEr Nr
Nr
IKEHeader
IKEHeader 3N(COOKIE)N(COOKIE)
SA1iSA1i KEi
KEi NiNi
# strongswan.conf
charon { dos_protection = yes cookie_threshold = 10 block_threshold = 5 }
Andreas Steffen, 29.06.2015, Siemens-2.pptx 5
IKEv2 – Additional Child SAs
• CREATE_CHILD_SA exchange pair
• Rekeying IKE_SA: { SAi, Ni, KEi }• Rekeying CHILD_SA: { N(REKEY_SA), SAi, Ni, [KEi], TSi,
TSr }• Reauthentication: Start with IKE_SA from scratch
1IKEHeader
IKEHeader
encrypted
NN SAiSAi Ni
Ni
KEiKEi TSi
TSi TSrTSr
2 IKEHeader
IKEHeader
encrypted
SArSAr Nr
Nr
KErKEr TSi
TSi TSrTSr
ResponderInitiator UDP/500
Andreas Steffen, 29.06.2015, Siemens-2.pptx 6
strongSwan Workshop for Siemens
Security Aspects
Andreas Steffen, 29.06.2015, Siemens-2.pptx 7
The Snowden Documents – Fall 2013
Bruce Schneier
Glenn Greenwald
Laura Poitras
Edward Snowden
Andreas Steffen, 29.06.2015, Siemens-2.pptx 8
Principle of Comparative Security Strength*
Symmetric Key RSA / DH ECDSA / ECDH Hash
80 1024 160 160
112 2048 224 224
128 3072 256 256
192 7680 384 384
256 15360 512 512
• NIST SP 800-57 Recommendation for Key Management:Part 1 General (Revision 3, 2012)
*cryptographic strength given in bits
Andreas Steffen, 29.06.2015, Siemens-2.pptx 9
Getting rid of SHA-1
• SHA-1 has a hash size of 160 bits which was supposed to givea strength of 280 against collision attacks. Unfortunately SHA-1 is much weaker with the best known attack having a complexity of 261 only.
• The NSA might already have found a SHA-1 collision, using ite.g. to generate fake X.509 certificates.
• IKEv2 uses SHA-1 as a hardwired algorithm togenerate RSA digital signature AUTH payloads.
• RFC 7427 "Signature Authentication in IKEv2“published in January 2015 allows to negotiateSHA-2 hash algorithms and is used per defaultby strongSwan 5.3.0:
Hash
160
224
256
384
512moon charon: 15[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA256 successful
Andreas Steffen, 29.06.2015, Siemens-2.pptx 10
Can the NSA break RSA and DH faster?
• According to Lenstra’s updated formula on www.keylength.coma 1024 bit RSA key or DH factor could be cracked in 2006with an effort of 40’000’000 dollardays.
• Due to Moore’s law (factor 26 = 64 in 6 x 1.5 = 9 years)the effort in 2015 has fallen to 625’000 dollardays.
• Many cryptanalysts expect a major breakthroughin prime number factoring (RSA) and thecomputation of the discrete logarithm (DH) withinthe next few years.
• The NSA might already have much more efficientalgorithms.
• As a precaution better use 4096 bit RSA moduliand 4096 bit DH groups.
RSA / DH
1024
2048
3072
7680
15360
Andreas Steffen, 29.06.2015, Siemens-2.pptx 11
Can we trust the NIST Elliptic Curves?
ECDH
160
224
256
384
512
• The NIST Elliptic Curves are based on pseudo-Mersenne primes
The NIST curve parameter selection process is not documented!
• Use the European (BSI) Brainpool Elliptic Curves instead
RFC 6932 Brainpool Elliptic Curves for IKE, 2013.
• Drawback: Brainpool ECDH performance is 5xslower than with NIST curves since the selectedprimes are random.
• Use Dan Bernstein’s popular Curve25519?
• ECC NUMS (Nothing Up My Sleeve) Curves, 2014tools.ietf.org/html/draft-black-numscurves
ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!
ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
Andreas Steffen, 29.06.2015, Siemens-2.pptx 12
Does the NSA have a Quantum Computer?
ECDH
160
224
256
384
512
• If a quantum computer with enough qbits becomes available, Elliptic Curve Cryptography (ECC) is going to fall first!
• As an alternative to the ECDH key exchange strongSwan can use NTRU encryption based on the shortest-vector problem in a high-dimensional lattice which is known to be resistant to quantum computer attacks.
• NTRU encryption has been standardized byIEEE Std 1363.1-2008. The fast algorithm isowned by Security Innovations but is availableunder a GPLv2 open source license.
• NTRU encryption has been implemented by thestrongSwan ntru plugin:ike=aes128-sha256-ntru256,aes192-sha384-ntru384!
Andreas Steffen, 29.06.2015, Siemens-2.pptx 13
Post-Quantum Digital Signatures?
ECDSA
160
224
256
384
512
• NTRU signature has been shown to leak the private key over time so that the key can be determined after a few thousand signatures.
• The most promising candidate is BLISS (Bimodal Lattice Signature Scheme, 2013) in its enhanced BLISS-B form ("Accelerating Bliss: the geometry of ternary polynomials” by Léo Ducas, 2014).
• BLISS-B signatures have been implemented by thestrongSwan 5.3.0 bliss plugin:moon charon: 14[IKE] authentication of '[email protected]'
with BLISS_WITH_SHA256 successful
Scheme
Strength Signature Size
BLISS-I 128 bits 5800 bits
BLISS-III 160 bits 6200 bits
BLISS-IV 192 bits 6800 bits
Andreas Steffen, 29.06.2015, Siemens-2.pptx 14
strongSwan Workshop for Siemens
Revocation Mechanisms
Andreas Steffen, 29.06.2015, Siemens-2.pptx 15
HTTP or LDAP based CRL Fetching
13[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, [email protected]" 13[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... 13[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 13[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 13[CFG] crl is valid: until Nov 15 22:42:42 2009 13[CFG] certificate status is good13[LIB] written crl file '/etc/ipsec.d/crls/5da7...4def.crl' (942 bytes)
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
crlDistributionPoints extension in user certificate
# ipsec.conf
config setupstrictcrlpolicy=yescachecrls=yes
ca strongswancacert=strongswanCert.pemcrluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA,
o=Linux strongSwan, c=CH?certificateRevocationList"auto=add
Andreas Steffen, 29.06.2015, Siemens-2.pptx 16
Antje Bodo
Kool CA
Kool CA
#0
Online Certificate Status Protocol (OCSP)with self-signed OCSP certificate
OCSP Server
OCSP Reply:Kool CA #2 good
signed by OCSP Server
OCSP
Kool CA
Bodo
OCSP Request:status of Kool CA #2 ?optionally signed by Bodo
Bodo
Kool CA
#3
frequent status updates e.g. via CRL
AntjeAntje
Kool CA
#2
Authentication
OCSP
OCSP
#0
locally stored
Andreas Steffen, 29.06.2015, Siemens-2.pptx 17
OCSP with self-signed OCSP Certificate
# /etc/ipsec.conf
ca strongswancacert=strongswanCert.pemocspuri=http://ocsp.strongswan.org:8880auto=add
13[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, [email protected]" 13[CFG] requesting ocsp status from 'http://ocsp.strongswan.org:8880' ... 13[CFG] using trusted certificate "C=CH, O=Linux strongSwan, OU=OCSP Self-Signed Authority, CN=ocsp.strongswan.org" 13[CFG] ocsp response correctly signed by "C=CH, O=Linux strongSwan, OU=OCSP Self-Signed Authority, CN=ocsp.strongswan.org" 13[CFG] ocsp response is valid: until Oct 17 02:11:09 2009 13[CFG] certificate status is good
ipsec listcainfos authname: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" authkey: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef keyid: ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc ocspuris: 'http://ocsp.strongswan.org:8880'
moon
Andreas Steffen, 29.06.2015, Siemens-2.pptx 18
carol moon
Kool CA
Kool CA
#0
Online Certificate Status Protocol (OCSP)with delegated trust
OCSP Server
OCSP
Kool CA
moon
OCSP Request:status of Kool CA #2 ?
optionally signed by moon
moon
Kool CA
#3
frequent status updates e.g. via CRL
carolcarol
Kool CA
#2
Authentication
OCSP Reply:Kool CA #2 good
signed by OCSP Server
OCSP
Kool CA
#1isOCSP
Andreas Steffen, 29.06.2015, Siemens-2.pptx 19
OCSP with Delegated Trust
11[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=OCSP, [email protected]" 11[CFG] requesting ocsp status from 'http://ocsp.strongswan.org:8880' ... 11[CFG] using certificate "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org" 11[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 11[CFG] ocsp response correctly signed by "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org" 11[CFG] ocsp response is valid: until Oct 17 02:13:21 2009 11[CFG] certificate status is good
moon
authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
carol: authorityInfoAccess extension in user certificate
extendedKeyUsage = OCSPSigning
extendedKeyUsage flag in OCSP-signer certificate
Andreas Steffen, 29.06.2015, Siemens-2.pptx 20
X.509 Certificate and Key Hashes
signatureAlgorithm*
Hash Function*Hash Function*
Encryption withIssuer Private Key
Encryption withIssuer Private Keysignature
tbsCertificate version (usually v3) serialNumber signature* issuer validity subject subjectPublicKeyInfo algorithm subjectPublicKey extensions subjectKeyIdentifier
SHA-1SHA-1
IKEv2 Hash-and-URL
IKEv2 CERTREQ
SHA-1SHA-1
SHA-1SHA-1
Andreas Steffen, 29.06.2015, Siemens-2.pptx 21
The strongSwan PKI function
ipsec pki --gen --type ecdsa --size 521 > strongswanKey.deripsec pki --self --in strongswanKey.der –type ecdsa --lifetime 3650 --dn "C=CH, O=strongSwan, CN=strongSwan EC CA" --ca --digest sha512 > strongswanCert.der
ipsec pki --gen --type ecdsa --size 384 > moonKey.deripsec pki --req --in moonKey.der --type ecdsa --digest sha384 --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" --san moon.strongswan.org > moonReq.der
ipsec pki --gen --type ecdsa --size 256 > carolKey.deripsec pki --req --in carolKey.der --type ecdsa --digest sha256 --dn "C=CH, O=strongSwan, [email protected]" --san [email protected] > carolReq.der
cat pki.opt--type pkcs10 --lifetime 1825 --crl http://crl.strongswan.org/ecdsa.crl--cacert strongswanCert.der --cakey strongswanKey.der --digest sha512 ipsec pki --issue -–options pki.opt --in moonReq.der --flag serverAuth --serial 01 > moonCert.deripsec pki --issue -–options pki.opt --in carolReq.der --serial 02 > carolCert.der