andreas steffen, 29.06.2015, siemens-2.pptx 1 strongswan workshop for siemens block 2 internet key...

Andreas Steffen, 29.06.2015, Siemens-2.pptx 1

strongSwan Workshop for Siemens

Block 2Internet Key Exchange

Prof. Dr. Andreas Steffen

[email protected]


Internet Key Exchange – IKEv1 Main Mode

IKEHeader

IKEHeader

DH KeyExchange

DH KeyExchange Nr

Nr4

3IKEHeader

IKEHeader

DH KeyExchange

DH KeyExchange Ni

Ni

IKEHeader

IKEHeader

ISAKMP SAProposal

ISAKMP SAProposal 1

IKEHeader

IKEHeader

ISAKMP SAResponse

ISAKMP SAResponse2

5IKEHeader

IKEHeader

encrypted

IDiIDi Certi

Certi SigiSigi encrypte

dIKE

Header

IKEHeader6 IDr

IDr CertrCertr Sigr

Sigr

• IKEv1 Quick Mode – another three messages to negotiate traffic selectors

ResponderInitiator UDP/500


IKEv2 – Authentication and first Child SA

• IKE_SA_INIT exchange pair

• IKE_AUTH exchange pair

IKEHeader

IKEHeader

1SA1iSA1i KEi

KEi NiNi

2 IKEHeader

IKEHeader SA1r

SA1r KErKEr Nr

Nr

3IKEHeader

IKEHeader

encrypted

IDiIDi Certi

Certi

AuthiAuthi

IDrIDr

SA2iSA2i TSi

TSi TSrTSr

4

encrypted

IKEHeader

IKEHeader IDr

IDr CertrCertr Authr

Authr

SA2rSA2r TSi

TSi TSrTSr



Cookie Mechanism against DoS Attacks

IKEHeader

IKEHeader

1SA1iSA1i KEi

KEi NiNi

2 IKEHeader

IKEHeader N(COOKIE)N(COOKIE)


4 IKEHeader

IKEHeader SA1r

SA1r KErKEr Nr

Nr

IKEHeader

IKEHeader 3N(COOKIE)N(COOKIE)

SA1iSA1i KEi

KEi NiNi

# strongswan.conf

charon { dos_protection = yes cookie_threshold = 10 block_threshold = 5 }


IKEv2 – Additional Child SAs

• CREATE_CHILD_SA exchange pair

• Rekeying IKE_SA: { SAi, Ni, KEi }• Rekeying CHILD_SA: { N(REKEY_SA), SAi, Ni, [KEi], TSi,

TSr }• Reauthentication: Start with IKE_SA from scratch

1IKEHeader

IKEHeader

encrypted

NN SAiSAi Ni

Ni

KEiKEi TSi

TSi TSrTSr

2 IKEHeader

IKEHeader

encrypted

SArSAr Nr

Nr

KErKEr TSi

TSi TSrTSr




Security Aspects


The Snowden Documents – Fall 2013

Bruce Schneier

Glenn Greenwald

Laura Poitras

Edward Snowden


Principle of Comparative Security Strength*

Symmetric Key RSA / DH ECDSA / ECDH Hash

80 1024 160 160

112 2048 224 224

128 3072 256 256

192 7680 384 384

256 15360 512 512

• NIST SP 800-57 Recommendation for Key Management:Part 1 General (Revision 3, 2012)

*cryptographic strength given in bits


Getting rid of SHA-1

• SHA-1 has a hash size of 160 bits which was supposed to givea strength of 280 against collision attacks. Unfortunately SHA-1 is much weaker with the best known attack having a complexity of 261 only.

• The NSA might already have found a SHA-1 collision, using ite.g. to generate fake X.509 certificates.

• IKEv2 uses SHA-1 as a hardwired algorithm togenerate RSA digital signature AUTH payloads.

• RFC 7427 "Signature Authentication in IKEv2“published in January 2015 allows to negotiateSHA-2 hash algorithms and is used per defaultby strongSwan 5.3.0:

Hash

160

224

256

384

512moon charon: 15[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA256 successful


Can the NSA break RSA and DH faster?

• According to Lenstra’s updated formula on www.keylength.coma 1024 bit RSA key or DH factor could be cracked in 2006with an effort of 40’000’000 dollardays.

• Due to Moore’s law (factor 26 = 64 in 6 x 1.5 = 9 years)the effort in 2015 has fallen to 625’000 dollardays.

• Many cryptanalysts expect a major breakthroughin prime number factoring (RSA) and thecomputation of the discrete logarithm (DH) withinthe next few years.

• The NSA might already have much more efficientalgorithms.

• As a precaution better use 4096 bit RSA moduliand 4096 bit DH groups.

RSA / DH

1024

2048

3072

7680

15360


Can we trust the NIST Elliptic Curves?

ECDH

160

224

256

384

512

• The NIST Elliptic Curves are based on pseudo-Mersenne primes

The NIST curve parameter selection process is not documented!

• Use the European (BSI) Brainpool Elliptic Curves instead

RFC 6932 Brainpool Elliptic Curves for IKE, 2013.

• Drawback: Brainpool ECDH performance is 5xslower than with NIST curves since the selectedprimes are random.

• Use Dan Bernstein’s popular Curve25519?

• ECC NUMS (Nothing Up My Sleeve) Curves, 2014tools.ietf.org/html/draft-black-numscurves

ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp!

ike=aes128-sha256-ecp256,aes192-sha384-ecp384!


Does the NSA have a Quantum Computer?

ECDH

160

224

256

384

512

• If a quantum computer with enough qbits becomes available, Elliptic Curve Cryptography (ECC) is going to fall first!

• As an alternative to the ECDH key exchange strongSwan can use NTRU encryption based on the shortest-vector problem in a high-dimensional lattice which is known to be resistant to quantum computer attacks.

• NTRU encryption has been standardized byIEEE Std 1363.1-2008. The fast algorithm isowned by Security Innovations but is availableunder a GPLv2 open source license.

• NTRU encryption has been implemented by thestrongSwan ntru plugin:ike=aes128-sha256-ntru256,aes192-sha384-ntru384!


Post-Quantum Digital Signatures?

ECDSA

160

224

256

384

512

• NTRU signature has been shown to leak the private key over time so that the key can be determined after a few thousand signatures.

• The most promising candidate is BLISS (Bimodal Lattice Signature Scheme, 2013) in its enhanced BLISS-B form ("Accelerating Bliss: the geometry of ternary polynomials” by Léo Ducas, 2014).

• BLISS-B signatures have been implemented by thestrongSwan 5.3.0 bliss plugin:moon charon: 14[IKE] authentication of '[email protected]'

with BLISS_WITH_SHA256 successful

Scheme

Strength Signature Size

BLISS-I 128 bits 5800 bits

BLISS-III 160 bits 6200 bits

BLISS-IV 192 bits 6800 bits



Revocation Mechanisms


HTTP or LDAP based CRL Fetching

13[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, [email protected]" 13[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... 13[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 13[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 13[CFG] crl is valid: until Nov 15 22:42:42 2009 13[CFG] certificate status is good13[LIB] written crl file '/etc/ipsec.d/crls/5da7...4def.crl' (942 bytes)

crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl

crlDistributionPoints extension in user certificate

# ipsec.conf

config setupstrictcrlpolicy=yescachecrls=yes

ca strongswancacert=strongswanCert.pemcrluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA,

o=Linux strongSwan, c=CH?certificateRevocationList"auto=add


Antje Bodo

Kool CA

Kool CA

#0

Online Certificate Status Protocol (OCSP)with self-signed OCSP certificate

OCSP Server

OCSP Reply:Kool CA #2 good

signed by OCSP Server

OCSP

Kool CA

Bodo

OCSP Request:status of Kool CA #2 ?optionally signed by Bodo

Bodo

Kool CA

#3

frequent status updates e.g. via CRL

AntjeAntje

Kool CA

#2

Authentication

OCSP

OCSP

#0

locally stored


OCSP with self-signed OCSP Certificate

# /etc/ipsec.conf

ca strongswancacert=strongswanCert.pemocspuri=http://ocsp.strongswan.org:8880auto=add

13[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, [email protected]" 13[CFG] requesting ocsp status from 'http://ocsp.strongswan.org:8880' ... 13[CFG] using trusted certificate "C=CH, O=Linux strongSwan, OU=OCSP Self-Signed Authority, CN=ocsp.strongswan.org" 13[CFG] ocsp response correctly signed by "C=CH, O=Linux strongSwan, OU=OCSP Self-Signed Authority, CN=ocsp.strongswan.org" 13[CFG] ocsp response is valid: until Oct 17 02:11:09 2009 13[CFG] certificate status is good

ipsec listcainfos authname: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" authkey: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef keyid: ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc ocspuris: 'http://ocsp.strongswan.org:8880'

moon


carol moon

Kool CA

Kool CA

#0

Online Certificate Status Protocol (OCSP)with delegated trust

OCSP Server

OCSP

Kool CA

moon

OCSP Request:status of Kool CA #2 ?

optionally signed by moon

moon

Kool CA

#3

frequent status updates e.g. via CRL

carolcarol

Kool CA

#2

Authentication

OCSP Reply:Kool CA #2 good

signed by OCSP Server

OCSP

Kool CA

#1isOCSP


OCSP with Delegated Trust

11[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=OCSP, [email protected]" 11[CFG] requesting ocsp status from 'http://ocsp.strongswan.org:8880' ... 11[CFG] using certificate "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org" 11[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 11[CFG] ocsp response correctly signed by "C=CH, O=Linux strongSwan, OU=OCSP Signing Authority, CN=ocsp.strongswan.org" 11[CFG] ocsp response is valid: until Oct 17 02:13:21 2009 11[CFG] certificate status is good

moon

authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880

carol: authorityInfoAccess extension in user certificate

extendedKeyUsage = OCSPSigning

extendedKeyUsage flag in OCSP-signer certificate


X.509 Certificate and Key Hashes

signatureAlgorithm*

Hash Function*Hash Function*

Encryption withIssuer Private Key

Encryption withIssuer Private Keysignature

tbsCertificate version (usually v3) serialNumber signature* issuer validity subject subjectPublicKeyInfo algorithm subjectPublicKey extensions subjectKeyIdentifier

SHA-1SHA-1

IKEv2 Hash-and-URL

IKEv2 CERTREQ

SHA-1SHA-1

SHA-1SHA-1


The strongSwan PKI function

ipsec pki --gen --type ecdsa --size 521 > strongswanKey.deripsec pki --self --in strongswanKey.der –type ecdsa --lifetime 3650 --dn "C=CH, O=strongSwan, CN=strongSwan EC CA" --ca --digest sha512 > strongswanCert.der

ipsec pki --gen --type ecdsa --size 384 > moonKey.deripsec pki --req --in moonKey.der --type ecdsa --digest sha384 --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" --san moon.strongswan.org > moonReq.der

ipsec pki --gen --type ecdsa --size 256 > carolKey.deripsec pki --req --in carolKey.der --type ecdsa --digest sha256 --dn "C=CH, O=strongSwan, [email protected]" --san [email protected] > carolReq.der

cat pki.opt--type pkcs10 --lifetime 1825 --crl http://crl.strongswan.org/ecdsa.crl--cacert strongswanCert.der --cakey strongswanKey.der --digest sha512 ipsec pki --issue -–options pki.opt --in moonReq.der --flag serverAuth --serial 01 > moonCert.deripsec pki --issue -–options pki.opt --in carolReq.der --serial 02 > carolCert.der

andreas steffen, 29.06.2015, siemens-2.pptx 1 strongswan workshop for siemens block 2 internet key...

Documents

ike authentication of

child sa ike

ike header encrypted

andreas steffen

dos attacks ike header

ike header isakmp sa

auth exchange pair ike

ike header encrypted