Cryptography and Cryptography and Network SecurityNetwork Security

Chapter 19Chapter 19

Fifth EditionFifth Edition

by William Stallingsby William Stallings

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 19 – IP SecurityChapter 19 – IP Security

If a secret piece of news is divulged by a spy If a secret piece of news is divulged by a spy before the time is ripe, he must be put to before the time is ripe, he must be put to death, together with the man to whom the death, together with the man to whom the secret was told.secret was told.

——The Art of WarThe Art of War, Sun Tzu, Sun Tzu

IP SecurityIP Security

Many application have implemented Many application have implemented specific security mechanisms:specific security mechanisms: S/MIME, PGP, Kerberos, SSL/HTTPSS/MIME, PGP, Kerberos, SSL/HTTPS

however there are security concerns that however there are security concerns that cut across protocol layerscut across protocol layers

We would like security implemented by the We would like security implemented by the network for all applicationsnetwork for all applications

IP SecurityIP Security general IP Security mechanismsgeneral IP Security mechanisms providesprovides

authenticationauthentication confidentialityconfidentiality key managementkey management

applicable to use over LANs, across public applicable to use over LANs, across public & private WANs, & for the Internet& private WANs, & for the Internet

need identified in 1994 reportneed identified in 1994 report need authentication, encryption in IPv4 & IPv6need authentication, encryption in IPv4 & IPv6

IP Security UsesIP Security Uses

Benefits of IPSecBenefits of IPSec

in a firewall/router:in a firewall/router: provides strong security to all traffic crossing provides strong security to all traffic crossing

the perimeterthe perimeter resistant to bypassresistant to bypass

It is below transport layer, hence It is below transport layer, hence transparent to applicationstransparent to applications

It can be transparent to end usersIt can be transparent to end users It can provide security for individual usersIt can provide security for individual users It secures routing architectureIt secures routing architecture

IP Security ArchitectureIP Security Architecture specification is quite complex, with groups:specification is quite complex, with groups:

ArchitectureArchitecture• RFC4301 RFC4301 Security Architecture for Internet ProtocolSecurity Architecture for Internet Protocol

Authentication Header (AH)Authentication Header (AH)• RFC4302 RFC4302 IP Authentication HeaderIP Authentication Header

Encapsulating Security Payload (ESP)Encapsulating Security Payload (ESP)• RFC4303 RFC4303 IP Encapsulating Security Payload (ESP)IP Encapsulating Security Payload (ESP)

Internet Key Exchange (IKE)Internet Key Exchange (IKE)• RFC4306RFC4306 Internet Key Exchange (IKEv2) Protocol Internet Key Exchange (IKEv2) Protocol

Cryptographic algorithmsCryptographic algorithms Other Other

IPSec ServicesIPSec Services

Access controlAccess control Connectionless integrityConnectionless integrity Data origin authenticationData origin authentication Rejection of replayed packetsRejection of replayed packets

a form of partial sequence integritya form of partial sequence integrity Confidentiality (encryption)Confidentiality (encryption) Limited traffic flow confidentialityLimited traffic flow confidentiality

Transport ModeTransport Mode Transport ModeTransport Mode

to encrypt & optionally to encrypt & optionally authenticate IP dataauthenticate IP data

can do traffic analysis but is can do traffic analysis but is efficientefficient

good for ESP host to host good for ESP host to host traffictraffic

Tunnel ModeTunnel Mode Tunnel ModeTunnel Mode

encrypts entire encrypts entire IP packetIP packet

add new header add new header for next hopfor next hop

no routers on no routers on way can way can examine inner examine inner IP headerIP header

good for VPNs, good for VPNs, gateway to gateway to gateway gateway securitysecurity

Security AssociationsSecurity Associations IPsec policy is determined primarily by the interaction of two IPsec policy is determined primarily by the interaction of two

databases: databases: the the security association database (SAD) security association database (SAD) and and the the security policy database (SPD).security policy database (SPD).

a one-way relationship between sender & receiver that affords a one-way relationship between sender & receiver that affords security for traffic flowsecurity for traffic flow

defined by 3 parameters:defined by 3 parameters: Security Parameters Index (SPI)Security Parameters Index (SPI) IP Destination AddressIP Destination Address Security Protocol IdentifierSecurity Protocol Identifier

has a number of other parametershas a number of other parameters seq no, AH & EH info, lifetime etcseq no, AH & EH info, lifetime etc

have a database of Security Associationshave a database of Security Associations

Security Policy DatabaseSecurity Policy Database relates IP traffic to specific SAsrelates IP traffic to specific SAs

match subset of IP traffic to relevant SAmatch subset of IP traffic to relevant SA use selectors to filter outgoing traffic to mapuse selectors to filter outgoing traffic to map based on: local & remote IP addresses, next based on: local & remote IP addresses, next

layer protocol, name, local & remote ports layer protocol, name, local & remote ports

Encapsulating Security Payload Encapsulating Security Payload (ESP)(ESP)

provides provides message content confidentiality, message content confidentiality, data data origin authentication, connectionless integrity, an origin authentication, connectionless integrity, an anti-replay serviceanti-replay service, limited traffic flow , limited traffic flow confidentialityconfidentiality

services depend on options selected when services depend on options selected when establish Security Association (SA), net locationestablish Security Association (SA), net location

can use a variety of encryption & authentication can use a variety of encryption & authentication algorithmsalgorithms

Encapsulating Security Encapsulating Security PayloadPayload

Encryption & Authentication Encryption & Authentication Algorithms & PaddingAlgorithms & Padding

ESP can encrypt payload data, padding, ESP can encrypt payload data, padding, pad length, and next header fieldspad length, and next header fields if needed have IV at start of payload dataif needed have IV at start of payload data

ESP can have optional ICV for integrityESP can have optional ICV for integrity is computed after encryption is performedis computed after encryption is performed

ESP uses paddingESP uses padding to expand plaintext to required lengthto expand plaintext to required length to align pad length and next header fieldsto align pad length and next header fields to provide partial traffic flow confidentialityto provide partial traffic flow confidentiality

Anti-Replay ServiceAnti-Replay Service replay is when attacker resends a copy of replay is when attacker resends a copy of

an authenticated packetan authenticated packet use sequence number to thwart this attackuse sequence number to thwart this attack sender initializes sequence number to 0 sender initializes sequence number to 0

when a new SA is establishedwhen a new SA is established increment for each packetincrement for each packet must not exceed limit of 2must not exceed limit of 23232 – 1 – 1

receiver then accepts packets with seq no receiver then accepts packets with seq no within window of (within window of (N –W+1N –W+1))

Combining Security Combining Security AssociationsAssociations

SA’s can implement either AH or ESPSA’s can implement either AH or ESP to implement both need to combine SA’sto implement both need to combine SA’s

form a security association bundleform a security association bundle may terminate at different or same endpointsmay terminate at different or same endpoints combined bycombined by

• transport adjacencytransport adjacency• iterated tunnelingiterated tunneling

combining authentication & encryptioncombining authentication & encryption ESP with authentication, bundled inner ESP & ESP with authentication, bundled inner ESP &

outer AH, bundled inner transport & outer ESPouter AH, bundled inner transport & outer ESP

Combining Security Combining Security AssociationsAssociations

IPSec Key ManagementIPSec Key Management

handles key generation & distributionhandles key generation & distribution typically need 2 pairs of keystypically need 2 pairs of keys

2 per direction for AH & ESP2 per direction for AH & ESP manual key managementmanual key management

sysadmin manually configures every systemsysadmin manually configures every system automated key managementautomated key management

automated system for on demand creation of automated system for on demand creation of keys for SA’s in large systemskeys for SA’s in large systems

has Oakley & ISAKMP elementshas Oakley & ISAKMP elements

OakleyOakley a key exchange protocola key exchange protocol based on Diffie-Hellman key exchangebased on Diffie-Hellman key exchange adds features to address weaknessesadds features to address weaknesses

no info on parties, man-in-middle attack, costno info on parties, man-in-middle attack, cost1.1. cookies, cookies,

2.2. groups (global params), groups (global params),

3.3. nonces, nonces,

4.4. DH key exchangeDH key exchange

5.5. authenticationauthentication

can use arithmetic in prime fields or elliptic curve can use arithmetic in prime fields or elliptic curve fieldsfields

ISAKMPISAKMP Internet Security Association and Key Internet Security Association and Key

Management ProtocolManagement Protocol provides framework for key managementprovides framework for key management defines procedures and packet formats to defines procedures and packet formats to

establish, negotiate, modify, & delete SAsestablish, negotiate, modify, & delete SAs independent of key exchange protocol, independent of key exchange protocol,

encryption alg, & authentication methodencryption alg, & authentication method IKEv2 no longer uses Oakley & ISAKMP IKEv2 no longer uses Oakley & ISAKMP

terms, but basic functionality is sameterms, but basic functionality is same

IKEV2 ExchangesIKEV2 Exchanges

ISAKMPISAKMP

IKE Payloads & ExchangesIKE Payloads & Exchanges

have a number of ISAKMP payload types:have a number of ISAKMP payload types: Security Association, Key Exchange, Security Association, Key Exchange,

Identification, Certificate, Certificate Request, Identification, Certificate, Certificate Request, Authentication, Nonce, Notify, Delete, Vendor Authentication, Nonce, Notify, Delete, Vendor ID, Traffic Selector, Encrypted, Configuration, ID, Traffic Selector, Encrypted, Configuration, Extensible Authentication ProtocolExtensible Authentication Protocol

payload has complex hierarchical structurepayload has complex hierarchical structure may contain multiple proposals, with may contain multiple proposals, with

multiple protocols & multiple transformsmultiple protocols & multiple transforms

Cryptographic SuitesCryptographic Suites variety of cryptographic algorithm typesvariety of cryptographic algorithm types to promote interoperability haveto promote interoperability have

RFC4308 defines VPN cryptographic suitesRFC4308 defines VPN cryptographic suites• VPN-A matches common corporate VPN security VPN-A matches common corporate VPN security

using 3DES & HMACusing 3DES & HMAC• VPN-B has stronger security for new VPNs VPN-B has stronger security for new VPNs

implementing IPsecv3 and IKEv2 using AESimplementing IPsecv3 and IKEv2 using AES RFC4869 defines four cryptographic suites RFC4869 defines four cryptographic suites

compatible with US NSA specscompatible with US NSA specs• provide choices for ESP & IKEprovide choices for ESP & IKE• AES-GCM, AES-CBC, HMAC-SHA, ECP, ECDSAAES-GCM, AES-CBC, HMAC-SHA, ECP, ECDSA

SummarySummary

have considered:have considered: IPSec security frameworkIPSec security framework IPSec security policyIPSec security policy ESPESP combining security associationscombining security associations internet key exchangeinternet key exchange cryptographic suites usedcryptographic suites used