EE579S Computer Security



ECE579S Computer Security 6: Access Control Revisited, IPSec

Professor Richard A. Stanley, P.E.

Spring 2011 © 2000-2011, Richard A. Stanley ECE579S/6 #1

Summary of Access Control

• It’s all about protection
• Identification ties a physical entity to an abstract identity
• Authentication verifies the identity of both entities: the user and the computer
• Policy and audit trails are critical
• No shortage of folks trying to break in

Perspective

• Computer security field is relatively new
– Most of the key contributors to the theory are still practicing professionals
• LaPadula at MITRE in MA
• Bell consulting in VA
• Lipner at Microsoft in Redmond, WA
• Ken Biba is co-founder of Novarum in CA
• …etc.
– This field is still developing, and all of us can have a major part in that.
• What other area today can make that claim?

Access Control

• The basic method of providing any kind of security
• Much easier to describe than to implement
• Must operate within bounds
– Theoretical
– Legal
– Sociologically acceptable
– …etc.

Discretionary and Mandatory Access Control

• Who decides the access rights?
• Discretionary access control (DAC): the owner of a resource decides
• Mandatory access control (MAC): the administration decides (based on the policy in use)
• Most widely-used operating systems have discretionary access control

Other Problems

• Disclosure
– Some would argue that in a military setting this is a non-problem, whereas it might be a significant issue in a commercial system. What say you?
• Aggregation
– Obtaining sensitive information by collecting lots of “unsensitive” information
– How can this be a problem?

Different Types of Access Control

• Originator-controlled
• Role-based
• Issues:
– Who should access data vs. who will access it?
– Implementation of MAC and DAC
• Detailed analysis left for student based on readings

Bell & LaPadula: What’s the Big Fuss?

• The BLP model was the first formal computer security model, and led the way for developments by others
• The BLP model captures many of the critical issues that must be instantiated in a security policy if it is to be meaningful
• This model is fairly easily transformed into actual security policies aimed at people

Computer Security Models

• Deal with computers (doh!)
– Which have no memory unless we give it to them
– Which have no social organization that makes them vulnerable to risks that plague humans
• Don’t necessarily capture or map well to human behavior

Lipner’s Security Requirements

• Users will not write their own programs
• Program development will not be done on production systems
• Special process required to install program from development to production system
• The above special process must be both controlled and audited
• Managers and auditors must have access to both system state and system logs

Principles of Operation

• These follow from Lipner’s Rules
• Separation of duties
– Critical functions broken into steps, where no single individual can perform all needed steps
• Separation of functions
– Development and production systems separated to prevent info leakage from one to the other
• Audit
– Analyze what actually was done, compare to policies, identify inappropriate actions (if any)
– Done by still another group of individuals from above

Lipner Again

• Merged Bell-LaPadula and Biba models to obtain an integrity matrix model
• Focused on Lipner’s impression of commercial needs
• Requires implementation of a lattice of security and integrity labels

Lattice Models

• Labels consist of both a security label and some other label(s), the second one typically called a compartment or category
• Managing a lattice security model can be a challenge, especially as the number of entries in the lattice grows

What’s a Lattice?

• A lattice is a mathematical structure whose elements:
– Are under a relational operator
– Are ordered under a partial ordering
• For all a, b, c ∈ L, if a ≤ b and b ≤ c, then a ≤ c (transitive)
• For all a, b ∈ L, if a ≤ b and b ≤ a, then a = b (antisymmetric)

Lattice Example

[Figure: lattice diagram; one node is labelled “confidential, {a}”]

These are NOT the same point in the lattice!

Comparability

• Not every pair in the lattice needs to be comparable
• Largest element:
• Smallest element:
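The lattice slides above define the ordering abstractly; the following is an added example (not from the lecture) that builds the (security level, compartment set) lattice as Python code. The level names, compartments and the dominance rule (higher-or-equal level and a superset of compartments) are the usual textbook ones and are my assumptions, not something the slides state. It shows that “confidential, {a}” and “confidential, {b}” are distinct, incomparable points with a common join and meet, checks the transitive and antisymmetric properties over every label, and applies the Bell-LaPadula read-down / write-up rules on top of the ordering.

```python
from itertools import chain, combinations

# Assumed linear order of sensitivity levels (constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def label(level, compartments=()):
    """A lattice point: (level name, frozenset of compartments)."""
    return (level, frozenset(compartments))


def dominates(a, b):
    """a >= b in the lattice: a's level is at least b's AND a's compartments include b's."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and ca >= cb


def comparable(a, b):
    return dominates(a, b) or dominates(b, a)


def join(a, b):
    """Least upper bound: the higher level, union of compartments."""
    (la, ca), (lb, cb) = a, b
    return (la if LEVELS[la] >= LEVELS[lb] else lb, ca | cb)


def meet(a, b):
    """Greatest lower bound: the lower level, intersection of compartments."""
    (la, ca), (lb, cb) = a, b
    return (la if LEVELS[la] <= LEVELS[lb] else lb, ca & cb)


def can_read(subject, obj):
    """BLP simple security property: read down (subject dominates object)."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """BLP *-property: write up (object dominates subject)."""
    return dominates(obj, subject)


def all_labels(compartments):
    """Every point of the lattice over the given compartment names."""
    subsets = list(chain.from_iterable(
        combinations(compartments, k) for k in range(len(compartments) + 1)))
    return [label(lv, s) for lv in LEVELS for s in subsets]


def is_partial_order(labels):
    """Brute-force check of the reflexive, antisymmetric and transitive properties."""
    for a in labels:
        if not dominates(a, a):
            return False
        for b in labels:
            if dominates(a, b) and dominates(b, a) and a != b:
                return False
            for c in labels:
                if dominates(a, b) and dominates(b, c) and not dominates(a, c):
                    return False
    return True


if __name__ == "__main__":
    ca, cb = label("confidential", {"a"}), label("confidential", {"b"})
    print("comparable:", comparable(ca, cb), "join:", join(ca, cb), "meet:", meet(ca, cb))
    print("partial order over 2 compartments:", is_partial_order(all_labels(("a", "b"))))
```

The two “confidential” labels are exactly the case the slide warns about: same level, different compartments, so neither dominates the other and a subject cleared for one cannot read the other. The largest element is (top secret, all compartments) and the smallest is (unclassified, ∅), which `all_labels` produces as the two extremes.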

Combining Different Models

• Combinations of models can be useful, but they must be made carefully
• For example, when combining BLP and Biba there is a decision: use the same security labels for both model rules or not?
– If yes, then special care has to be paid to avoid a system where access is allowed only to same-level objects (unless you really know that that is what you want)

The Objectives

• Secure computing systems
– Software
– Hardware
• Security policies that can be tracked to the underlying, proven security model
• This is not easy to do
• Important not to let the model become the objective; it is a tool to get you there

Operating System Security

If the goal is to do security at the lowest level, what are we doing here?

[Figure: layer stack, top to bottom: Applications, Services, Operating System, OS Kernel, Hardware; annotation “We have been here”]

It falls to the O/S to implement many, if not most, of the tasks needed to implement computer security.

YASM: Yet Another Security Model

[Figure: block diagram of OS security components: Users, Privileges, Accounts, ID & Auth., Configuration, Permissions, OS Security, Authorization, Audit Log]

Operating Systems of Interest

• Unix
– Many versions, discussion is generic
– Basis for Mac OS X
• Windows NT
– Also many versions, much in common
– Security model for Win 2K, XP, Vista, etc.

Unix Security Architecture

• Utilizes hardware security levels
• Users and passwords
• Groups and passwords
• Superuser -- kernel executes in Level 0
• Controlled invocation
• Permissions attached to files -- ACL

Unix Permissions

• Only three:
– r: read
– w: write
– x: execute
• Others
– s: SUID program (in user permissions)
– s: SGID program (in group permissions)
• Permissions are called modes

Unix Users

• All users have a user ID
• UID is a 16-bit number
• Linked to passwords in /etc/passwd
• Unix does not distinguish among users who have the same UID; there is a many-to-one correlation of actual users to UID
• UID 0 is the superuser

Unix Groups

• All Unix users belong to a group
• Association of users to groups is found in /etc/group, which looks like group name:group password:GID:users
• All members of the group enjoy the group permissions

Unix File Structure

• Directory entry is pointer to the inode
• Inode listing looks like: -rw-r--r-- 2 rstanley ece 153 Feb 28 04:55 sample
• Permissions are checked from left to right
• Unix files all look like text files

Files and Other Things

• Unix regards everything as a file, and a text file at that
• Devices look like files, so they are accessed by the path specified
• Placing a “ringer” in the path can lead to security compromises

Sequence is Everything

• The order in which things are checked is critical to security
• You must know in intimate detail how things are checked to know if your security measures are adequate
• If privileges are checked in the order user>group>others, will you get a different result than checking others>group>users?

Unix Passwords

• Often 8 characters long
• Encrypted using modified DES algorithm
• Stored in /etc/passwd
• Format: user name:encrypted password:user ID:group ID:ID string:home directory:login shell

Password File Example


Password Crackers

• Crack
– Original Unix password cracker
• John the Ripper
– Command-line tool, dictionary-based
• Star Cracker
– Command-line, brute force
– Runs on DOS
• Cracker Jack
– Cracks Unix passwords, runs on DOS

Password Shadowing

• Actual encrypted passwords kept in shadow password file
• /etc/passwd entries for passwords are *
• /etc/passwd is world readable, but shadow file is not
• Makes getting the password file harder, but not impossible

SET Mischief

• Must find a way to allow users to execute certain OS functions w/o being superuser
• Solution: SUID and SGID
– Run with permissions of the owner
– Provide temporary access not normally available
• Root often owns SUID and SGID
• Is there a problem here?

Changing Permissions

• Modes can be changed by file owner or SU
• In absolute mode, permissions are granted by octal number codes
• Real people prefer literal mode: chmod u+wx,g-rwx,o-rwx sample
• If mode is changed improperly, problems!

Changing Owners

• Since the file owner gets to decide about permissions, can the owner be changed?
• Yes! And so can the group.
• chown and chgrp permit exactly those changes to be accomplished, normally only by the superuser (UID 0)
• Lots of opportunity for mischief here

Stacks of Trouble

• Stack/buffer overflow: what does this mean?
• What is the stack or buffer, anyway?
• If you know how the OS allocates memory, can you think of a way to exploit this?
• Is it difficult to find out how Unix allocates memory?

Exploiting OS Syntax

• In Unix commands, - precedes a flag
• -f is the “force” flag
• So...
– What if we create lots of copies of a file named -foobar.doc?
– How do we delete it?
• rm -foobar.doc: what does this do?

Caveats

• Common security tools are usually indicative of where the worst problems can be found
• We have not addressed network security problems; those come next semester
• Be careful of tools and utilities
– You don’t know where they have been!
– Here there may be Trojan Horses

Unix Security Summary

• Reasonable security features in the OS
• Superuser can do anything, so anyone who can become superuser can subvert security
• There are a lot of ways to use “holes” in the system to compromise security
• As anywhere else, achieving good security takes effort and time -- two things that are usually in short supply

Windows Taxonomy

• The security features of Windows NT, 2000, and XP have their basis in NT
– We’ll refer to all of them as “NT” in the course, but bear in mind that they are quite different
• NT began it all by integrating network and computer operating systems, introducing real security features
• 2000 is essentially NT v5.0
• XP is a re-write; although there is much functional equivalence, the implementing code is very different

Windows NT Security Architecture

• Users and kernel in separate rings (3 & 0)
• Object locking
• Data in proprietary formats
• Object oriented -- access can vary by object
• Security subsystem
– Security Reference Monitor (SRM, in kernel)
– Local Security Authority (creates SAT in user mode)
– Security Account Manager (user mode)
– Login Process (authenticates user)

Registry

• Central configuration database
• Hives contain keys
– HKEY_LOCAL_MACHINE
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_USER
– HKEY_USERS
• Stored in proprietary format

Not Only Massachusetts Has Registry Problems

• Default settings allow nearly everyone to change nearly everything
• If a key doesn’t exist when it is checked, no exception is raised
• Proprietary format is no barrier to modification of the registry
• Registry is the key to the system operation

Login

• Users login to a user account on a domain
– Domain is a set of machines sharing a common user database and security policy
– Login begins with the secure attention sequence
– User name and password matched by LSA with database
– LSA creates a System Access Token containing the SID, attached to the access control process

NT Password System

• Passwords stored in encrypted form, à la Unix
• Password filtering can be activated by registry key (>5 char., mixed mode, etc.)
• Encrypted passwords stored in SAM database, which is part of the registry
• There is a backup copy of the password file

Windows NT Password

• Hashed using a one-way function
– Same approach as Unix, different algorithms
• Stored in SAM database
• SAM database is proprietary format, but tools exist to permit reading it
• Encrypted passwords can be obtained from the database by subterfuge

NT Password Crackers

• L0phtcrack
– GUI, fast
• John the Ripper
– Command-line tool, dictionary-based
– Unix, but cracks LanMan hashes
• Crack 5 with NT extensions
– Many permutations used to crack
– Not easy to use, but powerful

Anti-Cracking Countermeasures

• Choose good NT passwords
– Above discussion on length pertains
– Include non-printable ASCII characters for key accounts (like Admin)
• ALT-255 = NUM LOCK
– Protect the SAM
• Physical security for the server
• Keep track of the Admin group
– Implement SYSKEY (NT SP2)

SAM’s the Man -- And the Target!

• SAM = Security Accounts Manager
• NT equivalent to Unix /etc/passwd
• Once you have Admin privileges, this is where the user names and PWs are found
– Backwards compatibility hinders crypto
– LanManager crypto has been broken
– Relatively easy to crack PWs with tools (L0phtcrack can crack all alphanumeric PWs in <24 hrs with a Pentium II @ 450 MHz)

Getting the SAM

• Boot to another OS and copy the file
• Get the backup SAM from the repair directory
• Extract PW hashes from the SAM (e.g. with pwdump or pwdump2)
– Newer version bypasses SYSKEY
• Network eavesdropping

Exploiting Trust

• Good account administration
– User accounts don’t have Admin privileges
– Local Admin, Domain Admin not mirrored
• Exploit data in Local Security Authority
– passwords, hashes, dialup info, etc.
• Autologon
• Keystroke logging
– Many loggers around, often as spyware

TOCTTOU

• It’s not a tropical bird
• Time Of Check To Time Of Use
• Critical security parameter in many instances
• Important in Windows NT vis-à-vis the login cache

User Account Entries

• User name (login name)
• Full name (real name)
• Password (up to 14 characters)
• Login hours and workstations
• Profile path and login script
• Home directory
• Account type (global or local)
• Expiration date (default is never -- is this good?)

Windows NT Permissions

• Read: R
• Write: W
• Execute: X
• Delete: D
• Change Access Permissions: P
• Take Ownership: O

File Access Permissions

• No Access
• Read (RX)
• Change (RWXD)
• Full Control (all)
• Special Access (any combination)

Directory Access Permissions

• Directories have a different permission set from files
• New files inherit permissions from the directory, if it has a permissions set
• Otherwise, everyone has full control for newly created files!
• Another opportunity for mischief

Object Access

• Discretionary access based on object type
• Security descriptor stored with object
– Security ID
– Access Control List
• AccessDenied
• AccessAllowed
• SystemAudit
– System Access Control List
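The permission and object-access slides above list the NT permission letters (R W X D P O), the file permission sets, and the AccessDenied / AccessAllowed entries of an object's ACL. This added example (mine, not the lecture's or Windows' own code) models how a DACL is evaluated against a token: entries are walked in stored order, an AccessDenied entry that covers any still-unsatisfied right ends the check, and AccessAllowed entries accumulate rights until the request is satisfied; a NULL DACL grants everything and an empty DACL grants nothing. Owner-implied rights and privileges are left out (an assumption of the model). The well-known SIDs for Administrators, Users and Guests are real values; the ACLs and tokens are constructed.

```python
# Well-known group SIDs (real values): Administrators, Users, Guests.
ADMINS, USERS, GUESTS = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-546"

# The six NT permission letters from the slides, as access-mask bits (bit layout assumed).
R, W, X, D, P, O = 1, 2, 4, 8, 16, 32
READ_SET, CHANGE, FULL = R | X, R | W | X | D, R | W | X | D | P | O


def access_check(dacl, token_sids, requested):
    """dacl: list of (ace_type, sid, mask) in stored order, or None for a NULL DACL.
    token_sids: the SIDs carried in the caller's access token.
    Returns True when every requested bit is granted before a matching deny is met."""
    if dacl is None:                 # NULL DACL: the object is unprotected, everyone gets everything
        return True
    remaining = requested
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:    # ACE is for someone else; skip it
            continue
        if ace_type == "deny" and mask & remaining:
            return False             # a still-wanted right is explicitly denied: stop here
        if ace_type == "allow":
            remaining &= ~mask       # these rights are now granted
            if remaining == 0:
                return True          # nothing left to grant; later denies are never reached
    return False                     # empty DACL, or some requested right was never granted


def describe(mask):
    return "".join(letter for bit, letter in zip((R, W, X, D, P, O), "RWXDPO") if mask & bit)


if __name__ == "__main__":
    # Canonical order: deny entries first, then allow entries.
    canonical = [("deny", GUESTS, W | D), ("allow", USERS, CHANGE)]
    token = {USERS, GUESTS}
    print("Users+Guests asking", describe(R | X), "->", access_check(canonical, token, R | X))
    print("Users+Guests asking", describe(W), "->", access_check(canonical, token, W))
    # Same entries, wrong order: the allow satisfies the request before the deny is seen.
    print("non-canonical, asking W ->", access_check(list(reversed(canonical)), token, W))
```

The reversed-order run is the "Sequence is Everything" point from the Unix slides in NT clothing: the entries are identical, only their order differs, and the deny that was supposed to protect the object is never consulted. It is also why tools that write ACLs keep them in canonical (deny-before-allow) order.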

Access Control

• Local and global groups
• User rights
• Built-in groups
• Trust relationships
– Set up by system administrator
– Trust is NOT transitive
– Trust is NOT reflexive
• Mandatory profiles

Audit Log

• Windows NT keeps an audit log
– Events generated by SRM
• Maximum log size is settable
• Options when full
– Overwrite, beginning with oldest entries
– Overwrite events older than specified interval
– Halt (i.e., do not overwrite)

DLLs

• Dynamic Link Libraries are software modules linked to executing programs at run time
• DLLs run with rights of the host program
• DLLs are found by searching the path
• Can be spoofed by putting a Trojan Horse earlier in the search sequence, for example, or by replacing with a bogus DLL

Windows NT Security Summary

• Comprehensive set of security tools, arguably better than Unix
• Complexity is also an opportunity to subvert
• Windows NT not markedly more secure than Unix

Machine Logon Security

• This is beneath the OS
• BIOS-level user identity check
– What happens if you forget your ID?
– Is this a foolproof approach?
• Consider the machine as an assemblage of parts rather than a unified and inseparable whole

O/S Summary

• We depend on the OS to implement low-level security features
• OS security varies widely with the OS
• Security features are valuable, but not bulletproof
• The OS is an adjunct level for security implementation, but not the root level
• Security measures must be designed into an OS; they cannot be bolted on later.

ISO Protocol Model (again)

[Figure: ISO protocol model layer stack; labels shown: Protocols, IP, Ethernet, token ring, Electrical standards]

Protocol Layering & Internetworking


Consider DECNET


DECNET

• Supports many Layer 2 protocols
• Address is of form 10.1, where 10 = area number and 1 = node number
• Addresses NOT associated with physical networks to which nodes are connected

Compare Appletalk

Source: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/applet.htm


Appletalk

• Like DECNET, supports several Layer 2 protocols
• Network addressing schema:

How Could We Connect These Two?

• Addressing completely different
• Routing structure different
• Electrical standards different
• …etc.
• In fact, not much similar except that they are both digital networks
• This is why IP came in, and why it remains!

IP Overview

• Layer 3 protocol
• Provides packet routing
• Does not ensure reliable delivery -- that is left to higher-level protocols, like TCP & UDP
• Facilitates interconnection of dissimilar computers, which is why it is important

IP Versions

• Most commonly used version is IP v4, which is widely used worldwide
• Next version is IP v6 (there is no v5)
– Adds address space
– Adds security, QoS
– Provides for additional routing capabilities
– Improves housekeeping
– Ability to add features in the future
– Being implemented by US DoD

IP Version 4 Structure

[Figure: IPv4 header layout]

Source: http://www.freesoft.org/CIE/Course/Section3/7.htm

IP Version 6 Structure

[Figure: IPv6 header layout]

Source: http://courseptr.com/downloads/chapterpreview/MUDGameProgch1.pdf

IP in Short

• “Democracy is the worst form of government except for all those others that have been tried.” -Winston Churchill
• This kind of describes IP
– Not the best protocol ever established
– But one of the most ubiquitous
– It isn’t going away -- huge investment in it

The Future: One Version

• Every outlet, light, and appliance in a home or office will have its own IP address
• IP-enabled appliances are already available
• Security issues here?

[Figure: LG GR-D267DTU Internet Refrigerator]

IP Security

• Using the original IP standards, this is an oxymoron
• Needs
– Protection from eavesdropping
– Protection from spoofing
– Provision for secure user-to-user traffic
• Problems
– IP not designed for this

Enter IPSec

• IPSec intended to meet the security needs of IP networks, especially the Internet
– Originally intended to come in as part of IP v6
– IP v6 may never come for many folks, and most of the IPSec functionality has become available in IP v4
– Widely available in products such as virtual private networks, etc.
– More info at http://unixwiz.net/techtips/iguide-ipsec.html

What Does IPSec Do?

• Enables secure VPNs over public networks
• Allows secure remote access over public networks
• Facilitates secure connectivity with business partners, especially temporarily
• Improves eCommerce security
• It does all this using the cryptographic tools we have studied. Now we’ll see how.

IPSec Features

• Can be applied at the perimeter
– In-house traffic avoids security overhead that may not actually be needed
• Lies below the transport layer, so is transparent to applications
• Can be made transparent to end users, which keeps training and support costs low
• Can support individual user security

Services

• Access control
• Datagram integrity
• Sender authenticity
• Replay protection
• Message body confidentiality
• Traffic flow security (very limited, though)

Security Association

• IPSec concept that defines the relationship between one party and another for security
– ONE-WAY! (i.e., not reflexive)
– If A & B have bilateral security needs, two security associations are required
• Defined by
– Security parameters index (SPI)
– Destination IP address
– Security protocol identifier

So...

• Security association (SA) is uniquely defined by
– Destination address in the IP header, and
– SPI in the enclosed extension header (AH or ESP)
• What’s an extension header?
• What are AH and ESP?
• Stick around!

Security Parameters

• Encapsulating Security Payload (ESP)
– Deals with packet encryption
• Authentication Header (AH)
– Deals with packet authentication
• Encryption algorithm (several available)
• Authentication algorithm (ditto)
• Key management scheme

SA Parameters

• Sequence number counter
• Sequence counter overflow flag
• Anti-replay window
• AH information
• ESP information
• SA lifetime
• IPSec protocol mode (tunnel, transport, wildcard)
• Path MTU

Policy

• Association of traffic with SAs is done by the Security Policy Database (SPD)
• Each SPD entry is defined by a selector
– Selectors filter outbound traffic
• Compare packet selector fields with SPD to find matching SPD entry; points to zero or more SAs
• Determine SA for this packet and its SPI (Security Parameters Index)
• Perform the required processing (AH or ESP)

Authentication Header (AH)

• Supports data integrity and authentication
– Assures data modification will be detected
– Also guards against replay
• Based on Message Authentication Code (MAC)
– Requires shared secret key

AH Fields

• Next header
– Identifies type of header that follows
• Payload length
• Reserved for future use
• SPI (defines an SA)
• Sequence number
• Authentication data

AH Overview

[Figure: AH header layout, bit offsets 0, 8, 16, 31]
Next header | Payload Length | (reserved)
SPI
Sequence number
Authentication data (variable length)

Overview of Headers (IP v4)

Standard: Original IP header | TCP | Payload (data)
Transport mode: Original IP header | AH | TCP | Payload (data)
Tunneling mode: New IP header | AH | Original IP header | TCP | Payload (data)

Integrity Check Value (ICV)

• Included in the Authentication Data field
– Based on HMAC (keyed hash)
• HMAC MD5
• HMAC SHA-1
– 96 MSB of HMAC result used for ICV
– HMAC calculated over
• Immutable or predictable IP header fields
• The AH header except the Authentication Data field
• The entire upper-level protocol data

Anti-Replay Service

• Replay: retransmission of an already authenticated packet at a later time
– A favorite way to break into or disrupt services
• IPSec implements anti-replay using the Sequence Number field (32 bits), so the maximum Sequence Number is 2^32
• If the Sequence Number would wrap around, a new SA, with new key, is needed

Anti-Replay in Action

• Sender initializes sequence counter to 0, increments counter by 1 for every packet sent
• Counter value is placed in SN field
• Receiver has a problem:
– IP is connectionless, so packets can arrive in any order
– IP doesn’t guarantee delivery (that is done by TCP), so packets can -- and do -- go missing

Anti-Replay at the Receiver

• Receiver maintains a sliding window over received packets, default width = 64 = W
• Right edge of window holds the highest-SN packet so far received that is valid
• All slots from (N-W+1) to N that have been authenticated are marked

Window Management

• If new packet is within the window and is new, the corresponding slot is marked
• If new packet is outside window to the right, and is authenticated, window is moved to the right and slot is marked
• If new packet is outside the window to the left, or if not authenticated, packet discarded and audit event raised

The Window in Action

[Figure: sliding window from N-W to N; legend: “Space for valid packet not yet received”, “Received, valid, marked”]

The window makes replay attacks much more difficult, as they would have to occur within the width of the window: possible, but unlikely (most of the time)

IPSec Authentication: Transport Mode

• Transport Mode uses the Authentication Header (AH)
– IP v4: AH inserted after original IP header, but before the IP payload
– IP v6: AH is an end-to-end payload, not examined by intermediate routers. So, AH comes after the other IP v6 header routing fields (base, hop-to-hop, etc.)
• Clearly, AH does not provide data confidentiality

IPSec Authentication: Tunnel Mode

• Entire original IP packet authenticated
– AH inserted before original IP header and after new “outer” IP header
– Allows placing original routing info within the authentication envelope, but more importantly
– Allows a new set of IP addresses to be used as a wrapper for the original packet
• As we shall see, this forms the basis for IPSec-based virtual private networks.

Encapsulating Security Payload (ESP)

• Provides confidentiality services
– Optionally, can also provide authenticity
• Fields
– SPI
– Sequence number
– Payload data
– Padding
– Pad length
– Next header

ESP

[Figure: ESP packet layout, top to bottom, with two brackets labelled “Confidentiality Coverage” and “Authentication Coverage”]
SPI
Sequence number
Payload data (variable length)
Padding (0-255 bytes) | Pad length | Next header
Authentication data (variable)

Encryption Algorithms

• Confidentiality services provided by symmetric cryptography
• Algorithms supported:
– DES (CBC)
– IDEA
– CAST
– TDEA (three key)
– Three key triple IDEA
– Blowfish
– AES
– RC5
• MAC same as AH (96-bit HMAC)

Padding?

• Extends the plaintext to a multiple of some number of bytes to accommodate those encryption algorithms that require fixed block sizes (e.g. DES, AES)
• Ensures that the end of the Next Header field is right-aligned with the 32-bit word
• Can be used to provide partial traffic flow security, by concealing payload length
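The padding slide above gives three requirements: the plaintext plus padding plus the Pad Length and Next Header bytes must fill whole cipher blocks, the Next Header byte must end on a 32-bit boundary, and extra padding may hide the true payload length. This added example (mine, not from the lecture) computes the pad length that satisfies all three for any block size, builds the ESP trailer with the default 1, 2, 3, … pad byte pattern, and strips and checks it on the receiving side; the optional `conceal_to` rounding target for traffic-flow confidentiality is my own parameter name. Encryption itself is out of scope here: the function returns the plaintext that would be handed to the cipher.

```python
import math


def esp_pad_length(payload_len, block_size, conceal_to=None):
    """Bytes of padding needed so that payload + padding + 2 trailer bytes is a multiple of
    both the cipher block size and 4 (32-bit alignment), optionally rounded further up."""
    unit = block_size * 4 // math.gcd(block_size, 4)          # lcm(block_size, 4)
    if conceal_to:                                            # traffic-flow padding target
        unit = unit * conceal_to // math.gcd(unit, conceal_to)
    pad = (-(payload_len + 2)) % unit                         # +2: Pad Length and Next Header
    if pad > 255:
        raise ValueError("ESP Pad Length is a single byte: at most 255 bytes of padding")
    return pad


def add_esp_trailer(payload, block_size, next_header, conceal_to=None):
    """Plaintext as it would be given to the cipher: payload | padding | pad length | next header."""
    pad = esp_pad_length(len(payload), block_size, conceal_to)
    padding = bytes(range(1, pad + 1))                        # default pattern: 1, 2, 3, ...
    return payload + padding + bytes([pad, next_header])


def strip_esp_trailer(plaintext):
    """Receiver side: read the two trailer bytes, remove the padding, check its pattern."""
    if len(plaintext) < 2:
        raise ValueError("truncated ESP plaintext")
    pad, next_header = plaintext[-2], plaintext[-1]
    if len(plaintext) < pad + 2:
        raise ValueError("pad length exceeds plaintext")
    body, padding = plaintext[:-2 - pad], plaintext[-2 - pad:-2]
    if padding != bytes(range(1, pad + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return body, next_header


if __name__ == "__main__":
    for n, bs in ((13, 16), (14, 16), (15, 8), (32, 16)):
        print("payload", n, "block", bs, "-> pad", esp_pad_length(n, bs))
    print("13-byte payload hidden in a 64-byte block ->", esp_pad_length(13, 16, conceal_to=64))
```

The receiver's pattern check is cheap and worth keeping: a trailer whose padding does not match the expected sequence indicates either a corrupted or a crafted packet, and rejecting it before the payload is handed up avoids processing data the sender never produced.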

Transport mode ESP Service

• Encrypts data carried by IP
– Optionally, also authenticates the data

Standard: Original IP header | TCP | Payload (data)
Transport mode: Original IP header | ESP header | TCP | Payload (data) | ESP trlr | ESP auth
(Encrypted: TCP through ESP trlr; Authenticated: ESP header through ESP trlr)

Transport Mode

• Provides end-to-end confidentiality
• Is transparent to applications
• Is efficient, adds little extra to IP overhead
• Does not provide traffic flow security
– Possible to analyze source-destination traffic flows and volumes
– Useful for drawing conclusions about associations, workload, etc.

Tunneling Mode ESP

• Encrypts the entire IP packet
– Including the original source, destination

Standard: Original IP header | TCP | Payload (data)
Tunneling mode: New IP header | ESP header | Original IP header | TCP | Payload (data) | ESP trlr | ESP auth
(Encrypted: Original IP header through ESP trlr; Authenticated: ESP header through ESP trlr)

Tunneling Mode

• Encrypts entire original IP packet, including source and destination addresses
– Can help to counter traffic analysis
• Allows construction of secure virtual private networks (VPNs) over unsecured networks
• Useful when firewalls are in the path -- security can be done only at the network edge

VPN Example

(Figure: two sites joined across an unsecured network by edge routers; IPSec starts/ends at the edge routers)
• Edge routers need info about the other end of the network

SA Limits

• An individual SA can implement either AH or ESP, but not both
• But, sometimes both services are needed
– This requires multiple SA’s in the same traffic flow
– Just as with Feistel encryption/decryption key scheduling, we must “unwrap” the SA’s in inverse order to their application
– Referred to as an SA bundle

Key Management

• IPSec has many good features. Performing key distribution manually is not one of them
• Protocol has been developed to provide for session key distribution
– Internet Key Exchange (IKE) [RFC 4306]
– IKE incorporates
• ISAKMP [RFC 2408]
• Oakley
• A few other things
– Current version referenced above (Dec 2005) is v2

Diffie-Hellman Revisited

• Advantages
– Generates keys only when required
– Requires no preexisting infrastructure
• Disadvantages
– No authentication of communicating parties
– Vulnerable to man-in-the-middle attack
– Computationally intensive
• Slow
• Vulnerable to denial of service attack

Oakley Key Determination

• Based on D-H, but improved (RFC 2412)
• Advantages over Diffie-Hellman
– Uses cookies to avoid denial of service attacks
– Enables prior negotiation of global parameters
– Uses nonces to guard against replay
– Allows exchange of D-H public key values
– Authenticates D-H exchange (defeats man-in-the-middle attacks)

Nonce

nonce (nŏns) noun
– The present or particular occasion: “Her tendency to discover a touch of sadness had for the nonce disappeared” (Theodore Dreiser).
– [From Middle English for the nones, for the occasion]
• The American Heritage® Dictionary of the English Language, Third Edition, 1992, Houghton Mifflin Company
• Say what?
• In cryptography, a nonce is a pseudorandom number bearing a timestamp

Oakley Authentication

• Three types available
– Digital Signature
– Asymmetric-key cryptography
– Symmetric-key cryptography
• This guards against man-in-the-middle attacks

We Like IKE

• IKE is an IPSec protocol that defines the procedures and formats needed to establish, negotiate, modify, or delete Security Associations within IPSec
• Built on the ISAKMP protocol, which is sometimes viewed as IKE v0.1
• ISAKMP notation still in wide use, but officially, it is now IKE

IPSec Summary

• IPSec is a complex security protocol, originally developed for roll-out with IP v6
• Provides authentication, integrity, and confidentiality services to IP transmission
• IKE improves on basic protocols like D-H
• Many implementations available for IP v4, so it is usable today
• Authentication and encapsulation services provide a basis for VPNs

Homework

• Read Chapters 6 & 32 in the text
• Examine the structure of the IPSec protocol and how it is applied. Write a critique of the benefits and possible pitfalls of using this protocol to secure a network. How does IPSec relate to HAIPE (High Assurance IP Encryption)?