Cryptography and Network Security


Cryptography and Security Services:
Mechanisms and Applications
Chapter 11 and 12
VPNs, IPsec, and TLS/SSL
Manuel Mogollon
[email protected]
M. Mogollon – 0
Session 9 – Contents
• VPNs
• Tunneling
— IPsec
— Layer 2 Tunneling Protocol (L2TP)
• TLS/SSL
VPN
IPsec
IKE v2
TLS
M. Mogollon – 1
TCP/IP Stack and Security Related Protocols
• Application Layer – SMTP, Telnet, FTP, Gopher
— Security: S/MIME, S-HTTP, PGP, SET
• Transport Layer – TCP, UDP
— Security: IPsec (ISAKMP), SOCKS V5, TLS/SSL
• Network Layer – IP, ARP, RARP
— Security: IPsec (AH, ESP), Packet Filtering, Tunneling Protocols
• Data Layer – Ethernet, Token-Ring, FDDI, X.25, Wireless, Async, ATM, SNA...
— Security: PPP-EAP, IEEE 802.1X, CHAP, PAP, MS-CHAP
What is a Virtual Private Network?
VPNs: Private data communication channels that use a public IP network, i.e., the Internet, as the basic transport for connecting corporate data centers, remote offices, mobile employees, telecommuters, customers, suppliers, and business partners. The public network is used as a wide area communications network, and it offers the appearance, functionality, and usefulness of a dedicated private network.
E-Commerce, E-Procurement, E-Care
[Diagram: Headquarters connected over the Internet to Business Partners, Mobile Workforce, Suppliers, Customers, Telecommuters, and Contractors]
But, the Internet is a public network and it doesn’t have any security!
Secure VPNs
• Security is implemented in all products that offer VPNs.
• Secure VPNs are revolutionizing the way the Internet is
used.
• IETF has standardized IPsec (IP Security) for secure VPN
applications that have the following features:
— are transparent to all TCP/IP applications
— can be implemented in any LAN/WAN environment using TCP/IP
— can secure any business communication over the Internet.
• IPsec is a mandatory part of the forthcoming IPv6
standard.
Implementation of VPNs
• Located at the carrier’s network
— In the first scenario, the service provider provides a service similar to
the public switched Frame Relay or ATM service, and the customer
trusts that packets will not be misdirected, modified in transit, or
subjected to traffic analysis by unauthorized parties.
• On the customer’s premises
— In the second scenario, the customer does not trust the service
provider and implements a VPN using CPE equipment that provides
firewall functionality and security.
• Any devices with microprocessors, such as routers,
servers, firewalls or even PCs, can perform VPN
functions, such as creating tunnels and encrypting
packets.
Secure VPN
[Diagram: Headquarters, Business Partners, Mobile Workforce, Suppliers, Customers, Telecommuters, and Contractors connected over the Internet through VPNs]
With Secure VPNs,
• I am sure to whom I am talking.
• I know my message has not been modified.
• I know that only authorized persons have seen my message.
• I know that the message recipient can’t deny receiving my message.
VPN Applications: Extranets and Remote Access
[Diagram: two Protected Subnets, each behind a Gateway with a Security Policy Server, connected across the Internet; a Certificate Authority and a Mobile Workforce with IPsec Client Software also reach the Gateway and a Server across the Internet]
• Tunnel Mode
— Authentication is provided between a client and a corporate VPN device, or between two VPN devices.
• Transport Mode
— Authentication is provided directly between a client and a server or between two workstations.
Virtual Private Networks (VPN)
• Network of virtual circuits for carrying private traffic.
• VPN Protocols
                 PPP                          L2TP                         IPsec
Mode             Client-server                Client-server                Host-to-Host
Purpose          Remote access via tunneling  Remote access via tunneling  Intranets, extranets, remote access via tunneling
OSI layer        Layer 2                      Layer 2                      Layer 3
TCP/IP Layer     Data                         Data                         Network
Protocol         IP, IPX, AppleTalk, etc.     IP, IPX, AppleTalk, etc.     IP
• PPP and L2TP are aimed at remote access use.
• IPsec is used for connecting LANs.
VPN Benefits
• Ease of use – Facilitating electronic communications makes
corporations more efficient and productive.
• Cost
— Eliminating long-haul leased lines, 800 numbers or long distance fees,
modem banks, and multiple access connections results in significant savings.
— Voice over IP reduces long distance phone call expenses.
— Savings of up to 65% on monthly circuit costs by moving from FR and ATM
environments to an IP VPN.
— Teleworkers lower connection costs by 20%-25% per month compared with traditional
dial-up and ISDN.
• Use of Standard Protocols – Internet Protocol IP and IPsec provide
needed standardization.
• Simplification of Maintenance and Support – Reducing scalability
issues and management complexity simplifies network operation.
What is IPsec?
IPsec: (1) A suite of security protocols standardized by the Internet Engineering Task Force (IETF) that address data privacy, integrity, authentication, and key management, as well as tunneling, for TCP/IP networks. (2) A security architecture that supports several applications that encrypt and/or authenticate all traffic at the IP level.
Why IPsec
• IPsec-compliant products allow secure Virtual Private
Networks in any existing IP-based network.
• IPsec is based on several strong encryption standards.
• IPsec provides security services such as: data origin
authentication, access control, confidentiality
(encryption), connectionless integrity, rejection of
replayed packets (a form of partial sequence integrity),
and limited traffic flow confidentiality.
• IPsec has government and industry support.
• IPsec allows corporations to select security services
according to internal security policies.
Internet Protocol (IP) – Security Threats
• The Internet protocol has no security.
— Source/destination address & port
• Attacks include:
— IP Spoofing
— Packet Sniffing
— Session Hijacking
— Man-in-the-Middle
[Diagram: IP Packet = IP Header (various IP header fields, Source IP Address, Destination IP Address) | Upper Protocol Header (i.e., TCP, UDP, ICMP) | Data; the TCP header and data together form the Payload Data of the IP packet]
IPsec Interlocking Technologies
Cryptographic Security Mechanisms for IP
• Authentication Header (AH)
— Provides integrity and authentication without confidentiality to IP
datagrams.
— Available even in locations where the export, import or use of
encryption to provide confidentiality is regulated.
• Encapsulation Security Payload (ESP)
— Provides integrity, authentication, and confidentiality to IP datagrams.
Key Management
• Internet Key Exchange IKEv2
— Allows users to agree on authentication methods, encryption
methods, keys to use, and key duration.
— Key exchange could be manual or automated.
IP Security Architecture
• Security Associations
— Information shared between two Gateways on how to secure communications.
• Security Protocols
— Authentication Header Protocol: AH is used to authenticate.
— Encapsulation Security Payload Protocol: ESP is used to encrypt and to authenticate.
• Algorithms for encryption and authentication
— Encryption Algorithm: Symmetric encryption algorithms.
— Authentication & Integrity Algorithms: Keyed hash algorithms.
• Key Management Protocols
— Manual and Automated
• IPsec Databases
— Security Policy Database (SPD)
— Security Association Database (SAD)
— Peer Authorization Database (PAD)
[Diagram: IP Packets enter the ESP/AH Engine, which consults the IPsec Databases (SPD, SAD, PAD); Key Management supplies the keys used by the encryption and authentication algorithms]
Security Protocols
• IPsec provides mechanisms to provide security services to IP and
upper layer protocols (e.g., UDP or TCP).
• IPsec protects IP datagrams by defining the protection method in an SA.
• The SA associated with a connection could be Encapsulating
Security Payload (ESP), or Authentication Header (AH), but not
both.
• If both AH and ESP protection are applied to a connection, then two
(or more) SAs are created to provide protection to the connection.
• To secure typical, bi-directional communication between two hosts,
or between two security gateways, two Security Associations (one
in each direction) are required.
• Both ESP and AH security protocols support two modes of
operation: transport mode or tunnel mode.
IPsec Negotiation
[Diagram: outbound and inbound IPsec packet processing. Each host has Applications, TCP/IP, a Security Policy Database, a Negotiator Engine, IPsec Databases (SAD, PAD) and a Protect/Unprotect Engine; the Negotiator Engines exchange SA Attributes, and the SPI carried in the outbound IPsec packet lets the receiver locate the matching SA; the steps are numbered 1–6]
IPsec Document Roadmap
• IP Security Architecture – RFC 4301
• AH Protocol – RFC 4302
• ESP Protocol – RFC 4303
• Encryption Algorithms
— RFC 3602 (AES-CBC, 128-bit)
— RFC 3686 (AES-CTR)
— RFC 2451 (Triple DES-CBC)
• Authentication Algorithms
— RFC 3566 (AES-XCBC-MAC-96)
— RFC 2404 (HMAC-SHA1-96)
— RFC 2403 (HMAC-MD5-96)
• IKE v2 – RFC 4306
• Key Management
— RFC 4120 (Kerberos)
— RFC 2093 (GKMP)
— RFC 2412 (OAKLEY)
AH and ESP Modes of Operation
[Diagram: Transport mode is shown between a Client and a Server; Tunnel mode is shown between two VPN Devices]
• Transport Mode
— AH: Original IP Header | AH Header | Payload Data (Authentication / Integrity)
— ESP: Original IP Header | ESP Header | Payload Data (Confidentiality; Authentication / Integrity)
• Tunnel Mode
— AH: New (Outer) IP Header | AH Header | Inner (Original) IP Header | Payload Data (Authentication / Integrity)
— ESP: New (Outer) IP Header | ESP Header | Inner (Original) IP Header | Payload Data (Confidentiality; Authentication / Integrity)
Authentication Header (AH)
• Data Integrity: Undetected modification to a packet’s content in transit is not possible.
• Authentication: Enables a network device to authenticate a user.
• Anti-replay service (optional)
Authentication Data Algorithms
• HMAC-SHA-1-96 (Must be supported)
• AES-XCBC-MAC-96 (Should be supported)
• HMAC-MD5-96 (May be supported)
[Diagram: IP Header | AH | Payload Data, with Authentication covering the packet]
AH Header (32-bit words):
Word 1: Next Header (8 bits) | AH Payload Length (8 bits) | Reserved (16 bits)
Word 2: Security Parameters Index (SPI)
Word 3: Sequence Number
Word 4 – : Integrity Check Value – ICV (variable)
Encapsulation Security Payload (ESP)
• Data Integrity + Authentication (optional)
• Anti-replay Service (optional)
• Confidentiality (optional)
[Diagram: Original IP Header | ESP Header | Payload Data | ESP Trailer | ESP ICV; Encryption covers the Payload Data and ESP Trailer, Authentication covers the ESP Header, Payload Data and ESP Trailer]
ESP Header: Security Parameters Index (SPI) (32 bits) | Sequence Number (32 bits)
Payload Data (variable)
ESP Trailer: Padding (0 – 255 bytes) | Pad Length (8 bits) | Next Header (8 bits)
ESP ICV: Integrity Check Value – ICV (variable)
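The SPI and Sequence Number are the only ESP fields a receiver can read before decryption, and together they drive SA lookup and the optional anti-replay service described for both AH and ESP above. The following is an added example (not from the slides): it parses the cleartext ESP header and runs an RFC 4303-style sliding replay window; the SAD contents, the 64-packet window size and the packet bytes are constructed for illustration.

```python
import struct

ESP_HEADER_LEN = 8  # SPI (32 bits) + Sequence Number (32 bits), both sent in the clear


def build_esp(spi: int, seq: int, protected: bytes) -> bytes:
    """Constructed test packet: cleartext ESP header followed by whatever the sender
    produced as enciphered Payload Data, ESP Trailer and ICV (opaque bytes here)."""
    return struct.pack("!II", spi, seq) + protected


def parse_esp_header(packet: bytes):
    """Return (spi, seq). Only these 8 octets are readable without the SA's keys;
    Payload Data, Padding, Pad Length, Next Header and the ICV lie behind them."""
    if len(packet) < ESP_HEADER_LEN:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:ESP_HEADER_LEN])


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303: remember the highest
    sequence number accepted and a bitmap of which of the `window` numbers at or
    below it have already been seen. Bit k of the bitmap stands for highest - k."""

    def __init__(self, window: int = 64):
        self.window = window
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> str:
        if seq == 0:
            return "stale"  # assumption: the first packet on an SA carries sequence number 1
        if seq > self.highest:
            # new high-water mark: slide the window right by the gap and mark this seq
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= self.window:
            return "stale"  # older than the window can track: reject
        if self.bitmap & (1 << diff):
            return "replay"  # already accepted once: a duplicate or replayed packet
        self.bitmap |= 1 << diff
        return "accept"


def inbound_filter(sad: dict, packet: bytes) -> str:
    """Look the SPI up in a (constructed) Security Association Database and run the
    anti-replay check for that SA. In a real stack the ICV is verified before the
    window is updated, so a forged sequence number cannot advance it."""
    spi, seq = parse_esp_header(packet)
    window = sad.get(spi)
    if window is None:
        return "unknown-spi"  # no SA for this SPI: the packet is discarded
    return window.check_and_update(seq)
```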
Internet Key Exchange (IKE v2)
• IPsec security services use symmetric encryption.
— Source and destination need to agree to the mechanisms used to
share the secret keys and the keys that are used for
authentication/integrity and encryption services.
• IPsec supports both manual and automatic distribution
of keys.
• Public Key is used for automatic key management, but
other automated key distribution techniques may be
used.
• IKE v2 defines procedures and packet formats to
establish, negotiate, modify, and delete Security
Associations (SA).
Negotiating a Security Association using IKE
IKE Security Association (IKE SA) proposes the following:
• Type of protection to use, either ESP or AH.
• Authentication algorithms and keys for signing data.
• Encryption algorithms and keys to protect data.
• Hash algorithms to reduce data for signing.
• Information about a group over which to do a Diffie-Hellman exchange.
• A pseudo-random function (prf) to hash certain values
during the key exchange.
Security Association
Source to Destination: I would like to establish a secure IP communication, and since we haven’t talked before, let’s agree on all the security parameters we need by creating an SA. Once we finish, let’s assign an index to the SA (Security Parameter Index) and store the information in our Security Policy Databases. By doing this, we will not have to create another SA when we communicate again.
Security Parameters
• Encryption and authentication algorithms
— Encapsulation Security Payload (ESP)
— Authentication Header (AH)
• Crypto keys
• Initialization values
• Protocol mode
• Source and destination IP addresses
• Source and destination IDs
• Key lifetimes
Internet Key Exchange (IKE)
• First Message Exchange
— IKE Security Association
– In IKE_SA_INIT, the initiator and responder negotiate the use of
encryption algorithms by establishing an IKE_SA. The agreed keys are
used to protect the IKE_AUTH exchange.
– In IKE_AUTH, the initiator and responder authenticate each other using
authentication mechanisms such as digital signatures (exchanging
certificates), Extensible Authentication Protocol (EAP), or pre-shared
keys.
— Child Security Association
– In IKE_AUTH, the first IKE_SA and associated IPsec SA, called child SA,
are created.
• Second Message Exchange
— CREATE_CHILD_SA exchange is used to create new CHILD_SAs and to
rekey IKE_SAs and CHILD_SAs.
— All messages are cryptographically protected using the encryption
algorithms and keys negotiated in IKE_SA_INIT and IKE_AUTH.
IKE First Message Exchange
Initiator to Responder: I would like to establish an IKE security association and a child security association.
[Diagram: Initiator and Responder are networking devices with IPsec, each in an end-system or gateway environment]
1. Initiator → Responder: HDR, SAi1, KEi, Ni
2. Responder → Initiator: HDR, SAr1, KEr, Nr, [CERTREQ]
3. Initiator → Responder: HDR, SK{IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
4. Responder → Initiator: HDR, SK{IDr, [CERT], AUTH, SAr2, TSi, TSr}
AUTH – Authentication
CERT – Certificate
CERTREQ – Certificate Request
HDR – IKE Header
i, r – Initiator, Responder
IDi – Initiator Identification
IDr – Responder Identification
KEi – Initiator DH g^i
KEr – Responder DH g^r
Ni, Nr – Nonce
SA – Security Association
TSi, TSr – Traffic Selector
SAi1, SAr1 – Used to create IKE_SA
SAi2, SAr2 – Used to create the first CHILD_SA
SK{…} – Payload is encrypted and integrity protected using SK_e and SK_a.
IKE Second Message Exchange
Initiator to Responder: I would like to generate a new Child_SA or rekey the IKE SA and/or a previous Child_SA.
[Diagram: Initiator and Responder are networking devices with IPsec, each in an end-system or gateway environment]
5. Initiator → Responder: HDR, SK{[N+], SA, Ni, [KEi], TSi, TSr}
6. Responder → Initiator: HDR, SK{[N+], SA, Nr, [KEr], TSi, TSr}
HDR – IKE Header
i, r – Initiator, Responder
[KE] – Optional Key Exchange
[N+] – Optional Notify
Ni, Nr – Nonce
SA – Security Association
TSi, TSr – Traffic Selector
SK{…} – Payload is encrypted and integrity protected using SK_e and SK_a.
IKE v2 Header
[Header layout, 32-bit rows]
IKE_SA Initiator’s Security Parameters Index (SPI) (8 octets)
IKE_SA Responder’s Security Parameters Index (SPI) (8 octets)
Next Payload | MjVer | MnVer | Exchange Type | Flags
Message ID
Length
• Initiator’s SPI (8 Octets) – A value selected by the initiator to identify a unique IKE security association.
• Responder’s SPI (8 Octets) – A value selected by the responder to identify a unique IKE security association. This value is zero in the first message of the IKE_INIT.
• Next Payload (1 Octet) – The type of payload that follows the header.
• Major Version (4 bits) – The major version of the IKE protocol used.
• Minor Version (4 bits) – The minor version of the IKE protocol used.
• Exchange Type (1 Octet) – The type of exchange being used: IKE_INIT, IKE_AUTH, CREATE_CHILD_SA, or INFORMATIONAL.
• Flags (1 Octet) – Indicates specific options that are set for the message.
• Message ID (4 Octets) – Message identifier used to control retransmission of lost packets. It is also used to prevent message replay attacks.
• Length (4 Octets) – Length of the total message (header and payloads).
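As an added example (not from the slides), the parser below unpacks the 28-octet header laid out above and applies the receiver-side checks the field descriptions imply: version 2, a known exchange type, a Length that matches the bytes received, and a zero responder SPI with Message ID 0 in an IKE_SA_INIT request. The exchange type, flag and SA payload numbers are those of RFC 4306 (cited on the roadmap slide); the message body is an opaque constructed placeholder.

```python
import struct

IKE_HEADER_LEN = 28
# SPIi (8) | SPIr (8) | Next Payload (1) | MjVer/MnVer (1) | Exchange Type (1) | Flags (1) | Message ID (4) | Length (4)
IKE_HEADER_FMT = "!QQBBBBII"

# Exchange Type, Flag and payload type values from RFC 4306, section 3.1 / 3.2
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08  # I bit: message was sent by the original initiator
FLAG_RESPONSE = 0x20   # R bit: message is a response
PAYLOAD_SA = 33        # Next Payload value for a Security Association payload


def parse_ike_header(msg: bytes) -> dict:
    """Parse the IKEv2 header and apply the checks a receiver makes before
    decrypting or parsing any payload. Raises ValueError on a bad header."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("message shorter than the IKE header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        IKE_HEADER_FMT, msg[:IKE_HEADER_LEN])
    hdr = {
        "spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
        "major": version >> 4, "minor": version & 0x0F,
        "exchange": EXCHANGE_TYPES.get(exch), "flags": flags,
        "message_id": msg_id, "length": length,
        "is_response": bool(flags & FLAG_RESPONSE),
        "from_initiator": bool(flags & FLAG_INITIATOR),
    }
    if hdr["major"] != 2:
        raise ValueError(f"unsupported IKE major version {hdr['major']}")
    if hdr["exchange"] is None:
        raise ValueError(f"unknown exchange type {exch}")
    # Length covers header and payloads; a mismatch means truncation or garbage.
    if length != len(msg):
        raise ValueError(f"length field {length} != {len(msg)} octets received")
    if hdr["exchange"] == "IKE_SA_INIT":
        # The initiator cannot know the responder's SPI yet, so the request carries 0,
        # and the initial exchange always uses Message ID 0.
        if not hdr["is_response"] and spi_r != 0:
            raise ValueError("IKE_SA_INIT request with non-zero responder SPI")
        if msg_id != 0:
            raise ValueError("IKE_SA_INIT must use Message ID 0")
    return hdr


def header_is_valid(msg: bytes) -> bool:
    """True when the header passes every check above, False otherwise."""
    try:
        parse_ike_header(msg)
        return True
    except ValueError:
        return False


def build_ike_message(spi_i, spi_r, next_payload, exch, flags, msg_id, body: bytes) -> bytes:
    """Constructed message: header with MjVer 2 / MnVer 0 followed by an opaque body."""
    hdr = struct.pack(IKE_HEADER_FMT, spi_i, spi_r, next_payload, 0x20, exch, flags,
                      msg_id, IKE_HEADER_LEN + len(body))
    return hdr + body
```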
Generating Key Material in IKE_SA
• In IKEv2, Diffie-Hellman is the only key exchange algorithm used.
• Key material for all of the cryptographic algorithms used in both
IKE_SA and CHILD_SA is always derived as the output of a prf
algorithm.
• A Diffie-Hellman exchange has the following three components: a
generator g, the modulus p, and a secret that in IKEv2 terminology is
called i or r.
• During IKE_INIT, in KEi and KEr, the Initiator and Responder
exchange Diffie-Hellman information, g^i and g^r, as well as nonces Ni
and Nr.
• The shared key, SKEYSEED, is calculated by both the Initiator and
Responder from the nonces exchanged and the Diffie-Hellman
shared secret, g^ir, according to the following
formula: SKEYSEED = prf(Ni | Nr, g^ir)
IKE v2 DH Key Agreement
In the security association, the initiator and responder agreed on the same group, i.e., the same pair of g and p. g and p do not need to be secret.
Initiator: g = 12, p = 47, secret i = 3, nonce Ni = 11
g^i = 12^3 (mod 47) = 36
Initiator → Responder: 36, 11
Responder: g = 12, p = 47, secret r = 5, nonce Nr = 7
g^r = 12^5 (mod 47) = 14
Responder → Initiator: 14, 7
Initiator: g^ir = (g^r)^i = 14^3 (mod 47) = 18
Responder: g^ir = (g^i)^r = 36^5 (mod 47) = 18
Both ends use 11, 7, and 18 as the secret and seed to calculate SKEYSEED:
SKEYSEED = prf(Ni | Nr, g^ir)
SKEYSEED = prf(secret, seed)
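Added example (not from the slides): both sides of the toy exchange above are run in code, and the resulting g^ir = 18 is fed with Ni = 11 and Nr = 7 into SKEYSEED = prf(Ni | Nr, g^ir). It also goes one step further than the slide and expands SKEYSEED into the SK_* keys with the prf+ construction of RFC 4306 (the SK_e and SK_a keys named on the message-exchange slides). Assumptions: PRF_HMAC_SHA1 as the negotiated prf, big-endian encoding of the integers, and constructed SPI values.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, one of the negotiable IKEv2 PRFs: prf(K, S) = HMAC-SHA1(K, S)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer (assumed convention)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def dh_public(g: int, secret: int, p: int) -> int:
    """KEi or KEr: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """g^ir mod p, computed from the peer's public value and our own secret."""
    return pow(peer_public, secret, p)


def skeyseed(ni: int, nr: int, g_ir: int) -> bytes:
    """SKEYSEED = prf(Ni | Nr, g^ir): the nonces are the PRF key, the DH secret the data."""
    return prf(to_bytes(ni) + to_bytes(nr), to_bytes(g_ir))


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """prf+ from RFC 4306 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + s + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(seed: bytes, ni: int, nr: int, spi_i: int, spi_r: int,
                    enc_len: int = 16, mac_len: int = 20) -> dict:
    """{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
    SK_e* encrypt the SK{...} payloads, SK_a* integrity-protect them; lengths here assume
    a 128-bit cipher key and SHA-1 sized integrity/prf keys."""
    s = to_bytes(ni) + to_bytes(nr) + spi_i.to_bytes(8, "big") + spi_r.to_bytes(8, "big")
    names = [("SK_d", mac_len), ("SK_ai", mac_len), ("SK_ar", mac_len),
             ("SK_ei", enc_len), ("SK_er", enc_len), ("SK_pi", mac_len), ("SK_pr", mac_len)]
    stream = prf_plus(seed, s, sum(n for _, n in names))
    keys, pos = {}, 0
    for name, n in names:
        keys[name] = stream[pos:pos + n]
        pos += n
    return keys


def slide_example():
    """The toy group from the slide (g = 12, p = 47): both sides reach g^ir = 18 and,
    with Ni = 11 and Nr = 7, the same SKEYSEED. Real groups use 2048-bit or larger moduli."""
    g, p = 12, 47
    i, ni = 3, 11   # initiator secret and nonce
    r, nr = 5, 7    # responder secret and nonce
    kei = dh_public(g, i, p)          # 12^3 mod 47 = 36, sent in KEi
    ker = dh_public(g, r, p)          # 12^5 mod 47 = 14, sent in KEr
    shared_i = dh_shared(ker, i, p)   # initiator computes 14^3 mod 47 = 18
    shared_r = dh_shared(kei, r, p)   # responder computes 36^5 mod 47 = 18
    return kei, ker, shared_i, shared_r, skeyseed(ni, nr, shared_i), skeyseed(ni, nr, shared_r)
```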
Diffie-Hellman Groups in IKE
• Three distinct group representations can be used with IKE.
— Modular Exponentiation Groups (named MODP)
— Elliptic Curve Groups over the field GF[2^n] (named EC2N)
— Elliptic Curve Groups over GF[P] (named ECP).
• Group Identifiers supported in IKE
— Group 0: No group (used as a placeholder and for non-DH exchanges)
— Group 1: A modular exponentiation group with a 768-bit modulus
— Group 2: A modular exponentiation group with a 1024-bit modulus
— Group 4: An elliptic curve group over GF[2^155]
— Group 5: A modular exponentiation group with a 1536-bit modulus
— Group 14: A modular exponentiation group with a 2048-bit modulus
— Group 15: A modular exponentiation group with a 3072-bit modulus
— Group 16: A modular exponentiation group with a 4096-bit modulus
— Group 17: A modular exponentiation group with a 6144-bit modulus
— Group 18: A modular exponentiation group with an 8192-bit modulus
TLS and SSL
• TLS and SSL protocols are used to secure the communication between a client (Web browser) and a server (Web server) over the Internet.
• TLS versions 1.1 and 1.0 and SSL 3.1 and 3.0 are very similar. TLS and SSL clients are built into all web browsers.
• TLS and SSL provide mutual authentication (digital signatures), confidentiality (data encryption), and data integrity (hash algorithms).
• A secure client-server communication requires agreement on:
— Which protocol and version (TLS 1.0, 1.1, SSL2 or SSL3) to use and which cryptographic algorithms will be used.
— Whether or not to authenticate each other (server and client authentication).
— The type of cryptographic key exchange by which both parties agree on a pre-master secret key.
— The creation of session keys to encipher the message.
— The encryption technique for enciphering data using keys generated from the pre-master key.
TLS Architecture
• Session
— A TLS session is an association between a client and a server.
Sessions are created by the handshake protocol.
— Sessions define a set of cryptographic security parameters, which
can be shared among multiple connections.
— Sessions are used to avoid the negotiation of new security
parameters for each connection.
• Connection
— A connection is a transport (in the OSI layering model definition) that
provides a suitable type of service.
— For TLS, such connections are peer-to-peer relationships.
— A connection is transient. Every connection is associated with one
session.
Session Parameters
• Session identifier
— An arbitrary byte sequence chosen by the server to identify an active or resumable session state.
• Peer certificate
— An X.509v3 certificate of the peer. This element of the state may be null.
• Compression method
— The algorithm used to compress data prior to encryption.
• Cipher spec
— Specifies the symmetric data encryption algorithm (such as null, DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also defines cryptographic attributes such as the hash_size.
• Master secret
— A 48-byte secret shared between the client and server.
• Is resumable
— A flag indicating whether the session can be used to initiate new connections.
Connection Parameters
• Server and client random
— Byte sequences that are chosen by the server and client for each connection.
• Server write MAC secret
— The secret key used in MAC operations on data written by the server.
• Client write MAC secret
— The secret key used in MAC operations on data written by the client.
• Server write key
— The symmetric cipher key used by the server to encipher data and by the client to decipher it.
• Client write key
— The symmetric cipher key used by the client to encipher data and by the server to decipher it.
• Initialization vectors
— When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key.
• Sequence numbers
— Sequence numbers maintained by each party for transmitted and received messages.
TLS Record Protocol
• The TLS Record Protocol provides connection security that has four
basic properties:
— The connection is private. Symmetric encryption (e.g., AES, DES, RC4, etc.)
is used for data encryption, after an initial handshake in which a pre-master
secret key is defined.
— The negotiation of a shared secret is secure.
– No attacker can modify the negotiation communication without being
detected by the parties to the communication.
— The peer's identity can be authenticated using asymmetric or public key
cryptography (e.g., RSA, DSS, etc.).
— The connection is reliable.
– Message transport includes a message integrity check using a keyed
MAC (HMAC).
– HMAC can be used with a variety of different hash algorithms, but TLS
uses MD5 and SHA-1, denoting these as HMAC_MD5(secret, data) and
HMAC_SHA(secret, data).
TLS Record Protocol
The Record Protocol is responsible for coordinating the client and server sessions.
[Diagram: the cleartext message is split into blocks M1, M2, …, Mn of equal size such that the final SSL Record is not bigger than 2^14 bytes. Each block is optionally compressed, an HMAC keyed with the HMAC key from the Key Exchange is appended, padding is added when a Block Cipher is used, and the result is enciphered with a Stream Cipher or a Block Cipher. The record sent is: SSL Header ║ Enciphered[Compressed Cleartext Message ║ HMAC]]
HMAC: HMAC-SHA-1, HMAC-RSA
Data Encryption
• Stream Ciphers: RC4 40-bit or 128-bit key.
• Block Ciphers: DES 56-bit, 3DES 168-bit, or AES-128
Handshake Protocol (Session State)
[Diagram: message flow between Client and Web Server]
Phase 1 Establishing Security Capabilities
• Client_Hello / Server_Hello – Exchange client and server security capabilities: session ID, compression method, and initial random number.
Phase 2 and 3 Server & Client Authentication and Key Exchange
• Server_Key_Exchange / Client_Key_Exchange – Server and client exchange authentication, type of key exchange, and public-key parameters.
Generating the Master Secret Keys
• Client-Shared Master Key / Server-Shared Master Key – Server and client create the shared master key and the cryptographic parameters.
Phase 4 Finish Message
• Client Finish / Server Finish – Client and server exchange the Finish Message and a hash of the Finish Message.
Phase 1 Handshake Protocol
Phase 1 Establishing Security Capabilities
Client → Web Server: Client_Hello
1. A ClientHello.random number (28 bytes), which is used later in the protocol;
2. A CipherSuite list containing the combinations of cryptographic algorithms supported by the client (in order of the client's preference, first choice first);
3. A list of the compression methods supported by the client, sorted by client preference.
Web Server → Client: Server_Hello
1. A ServerHello.random number (28 bytes), different from the one sent by the client;
2. A CipherSuite list containing the combinations of cryptographic algorithms supported by the server (in order of the server's preference, first choice first);
3. A list of the compression methods supported by the server, sorted by the server.
When the client sends a client_hello message, the server must respond with a server_hello message, or else a fatal error will occur and the connection will fail.
Phase 2 Handshake Protocol
Server Authentication and Key Exchange (Web Server → Client)
1. Server sends its authentication certificate, using an X.509v3 certificate.
2. Information about the type of key exchange the server is proposing.
— RSA: The secret key is encrypted with the server’s private key.
— Fixed Diffie-Hellman: The server’s certificate has the Diffie-Hellman parameters, signed by a Certificate Authority (CA).
— Ephemeral Diffie-Hellman: The Diffie-Hellman parameters are signed using the server’s RSA or DSA key.
— Anonymous Diffie-Hellman: The Diffie-Hellman parameters are not signed.
Key Exchange Parameters for RSA or Diffie-Hellman
— RSA: The modulus of the server's temporary RSA key and the public exponent of the server's temporary RSA key.
— Diffie-Hellman:
– The prime modulus p used for the Diffie-Hellman operation.
– The generator g used for the Diffie-Hellman operation.
– The server's Diffie-Hellman public value y (y = g^x mod p).
3. A message requesting a client certificate (optional);
4. A message indicating that the handshake of phase 2 is complete.
Key Exchange Parameters Signing = E_SPriv[Hash(ClientHello.random ║ ServerHello.random ║ ServerParams)]
Phase 3 Handshake Protocol
Client Authentication and Key Exchange (Client → Web Server)
1. Client verifies whether or not the server’s certificate is valid.
2. Client sends its certificate, if the server has requested it.
— Client must send either the certificate message or a no_certificate alert; this alert is only a warning. If client authentication is required, the server may respond with a fatal handshake failure alert.
3. Pre-master key exchange
— RSA: A 48-byte pre-master secret key, encrypted with the server’s RSA public key.
— Diffie-Hellman: Both client and server perform the Diffie-Hellman calculation to create a pre-master key.
4. Master Key generation
— Once the pre-master key has been created, either from RSA or from Diffie-Hellman, the master key is computed as follows:
Master_Key = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)
PRF = Pseudo Random Function. See slide 20
Phase 4 Handshake Protocol
Finish (Client ↔ Web Server)
1. Client and server update the cipher_spec with the new, agreed-upon encryption algorithms, keys, and hash functions.
2. Client sends a “finished message” using the just negotiated encryption algorithms, hash functions, and symmetric encrypting keys to verify that the key exchange and authentication processes were successful.
3. The finished message is hashed as follows:
— MD5[master_secret ║ pad2 ║ MD5(handshake_messages ║ Sender ║ master_secret ║ pad1)]
— SHA[master_secret ║ pad2 ║ SHA(handshake_messages ║ Sender ║ master_secret ║ pad1)]
– Pad1 and pad2 are the values defined in the MAC.
– Handshake refers to all handshake messages exchanged.
– Sender is a code that identifies that the sender is a client (0x434C4E54) or a server (0x53525652).
Client and server may begin sending confidential data immediately after sending the Finish message. The master secret is used as an entropy source to generate random values for the export and non-export MACs, secret keys, and initialization values (IV) required to encipher the data.
TLS Alert Protocol
• Alert messages convey information about the status of the connection.
• There are two types of alerts: Fatal and Warning.
— Fatal Alert: Indicates that the connection is so bad that it needs to be terminated immediately.
— Warning Alert: Indicates that there are some problems in the connection.
• Error Alerts
— unexpected_message: An inappropriate message was received. Fatal.
— bad_record_mac: This alert is returned if a record is received with an incorrect MAC. Fatal.
— decompression_failure: The decompression function received improper input. Fatal.
— handshake_failure: Reception of a handshake_failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. Fatal.
— illegal_parameter: A field in the handshake was out of range or inconsistent with other fields. Fatal.
— no_certificate: A no_certificate alert message may be sent in response to a certification request if no appropriate certificate is available.
— bad_certificate: A certificate was corrupt, or the signatures it contained could not be verified.
— unsupported_certificate: A certificate was of an unsupported type.
— certificate_revoked: A certificate was revoked by its signer.
— certificate_expired: A certificate has expired or is not currently valid.
— certificate_unknown: Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
Key Calculation – Pre-Master Key Generation
Method 1: RSA – 48-byte pre-master key generated by the Client
[Diagram: the Client takes the Server’s Public Key from the Server’s Certificate and enciphers the Pre-Master Key with RSA; the Web Server deciphers it with RSA using the Server’s Secret Key and recovers the same Pre-Master Key]
Method 2: Diffie-Hellman
[Diagram: Client and Web Server run a Diffie-Hellman Key Exchange and each computes the same Pre-Master Key]
Key Calculation – Key and MAC Secrets
[Diagram: Client and Web Server exchange (wrap / transport) or agree on (Diffie-Hellman) a Pre_Master_Key. Each side runs Master_Key Generation, then Key_Block prf Expansion, producing the Client MAC, Server MAC, Client Key and IV, and Server Key and IV. The Client Key/IV and Server Key/IV drive Symmetric Block Encryption (encipher on one side, decipher on the other) for Confidentiality; the Client MAC and Server MAC secrets provide Integrity]
TLS – Pseudo Random Function
[Diagram: the Secret (Password) is split into two halves, S1 and S2; the Label and seed feed both expansion functions]
PRF(secret, label, seed) = P_MD5(S1, label ║ seed) XOR P_SHA-1(S2, label ║ seed)
• The PRF is created by splitting the secret key into two and using one half to generate data with P_MD5 and the other half to generate data with P_SHA-1. Then, the outputs of these two expansion functions are XORed together.
• The label is an ASCII string. For example, the label "plano tx" would be processed by hashing the following bytes (hex): 70 6C 61 6E 6F 20 74 78.
• The P_hash data expansion function is used to create a pseudo random function (PRF).
TLS – P_hash (secret, seed)
[Diagram: A(1) = HMAC(secret, seed), A(2) = HMAC(secret, A(1)), A(3) = HMAC(secret, A(2)), …; each A(i) is concatenated with the seed and fed to HMAC(secret, A(i) ║ seed)]
P_hash(secret, seed) = HMAC_hash(secret, A(1) ║ seed) ║
HMAC_hash(secret, A(2) ║ seed) ║
HMAC_hash(secret, A(3) ║ seed) ║ ...
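Added example (not from the slides): the P_hash expansion above and the PRF from the previous slide in working code, used to derive the 48-byte master secret from the Phase 3 formula and to expand it into the connection parameters listed earlier (client/server write MAC secrets, write keys and IVs). The pre-master secret and the two hello randoms are constructed values, not from a real handshake; the secret-splitting and key_block layout follow RFC 2246 (TLS 1.0).

```python
import hashlib
import hmac


def p_hash(hash_fn, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) = HMAC_hash(secret, A(1) | seed) | HMAC_hash(secret, A(2) | seed) | ...
    with A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)); the output is cut to `length`."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()              # A(i)
        out += hmac.new(secret, a + seed, hash_fn).digest()    # HMAC_hash(secret, A(i) | seed)
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label | seed) XOR P_SHA-1(S2, label | seed).
    S1 is the first half of the secret and S2 the second; for an odd length both halves
    are ceil(len/2) bytes long and share the middle byte (RFC 2246 rule)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash(hashlib.md5, s1, label + seed, length)
    sha_stream = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random),
    carved into the six connection secrets in the order RFC 2246 specifies. Note the randoms
    are concatenated server-first here but client-first for the master secret."""
    stream = tls_prf(master, b"key expansion", server_random + client_random,
                     2 * (mac_len + key_len + iv_len))
    names = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    out, pos = {}, 0
    for name, n in names:
        out[name] = stream[pos:pos + n]
        pos += n
    return out


def label_bytes(label: str) -> bytes:
    """Labels are hashed as their ASCII bytes: "plano tx" -> 70 6C 61 6E 6F 20 74 78."""
    return label.encode("ascii")


# Constructed sample values (not from a real handshake): a 48-byte pre-master secret
# and the two 32-byte hello randoms (28 random bytes plus a 4-byte timestamp in TLS).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = bytes([0xC1] * 32)
SERVER_RANDOM = bytes([0x5E] * 32)
```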
SSL VPN
[Figure: a browser reaching corporate applications through an SSL VPN Gateway across the Internet]
• An SSL (TLS) secure connection runs from the browser across the Internet to the
  SSL VPN Gateway, which contains the applications proxy, SOCKS, address
  translation and kiosk functions.
• Applications reached through the gateway: web applications, client/server,
  Telnet, SSH, email, file transfer.
• Provides secure remote access to corporate applications.
• Uses SSL/TLS as the underlying transport to establish a secure session
  between any web browser and the proxy server in the SSL VPN Gateway.
• Presents users with a web portal containing links to applications.
• Functions as a proxy for both client (web browser) and server (web server);
  there is never a direct connection to the private network.
• Ensures that authorized users have access only to specific resources as
  allowed by the company security policy implemented by the proxy server and
  integrated traffic management.
SSL VPN Threats
• User passwords may remain on public computers after users log off.
  — The browser may store user passwords.
• Sensitive data, such as browser cache entries, URL history entries, cookies,
  and any other historical information created during the session, may remain
  on public computers after users complete their SSL VPN sessions.
• Downloaded files are stored in the public computer's temporary folder.
• Users forget to log out.
  — The next user of the public computer may have access to the applications
    under the still-valid session.
• Worms and viruses may be transferred from the public computers to the
  corporate internal network, since the gateway has no control over the state of
  the client workstation.
IPsec and TLS: Complementary Solutions
[Table: for each use case the original slide rates SSL and IPsec on the scale
Ideal / Appropriate / Overkill, Complex / Inappropriate; the rating icons did not
survive extraction, so only the use cases, examples and comments are kept.]
• Telecommuter (e.g. employee working from a home office)
  IPsec provides secure access to all network resources and applications.
  SSL requires legacy applications to be first 'translated' into HTTP, or it
  gives access to SSL-enabled apps only.
• Site-to-Site VPN (e.g. remote branch office requires connectivity to the
  corporate WAN)
  IPsec provides a secure tunnel between permanent locations.
• Remote Webmail (e.g. Outlook Web Access, Lotus iNotes)
  SSL allows secure access from any web browser.
• Internal Application Security (e.g. HR self-service)
  SSL provides application layer security within VPNs.
• Partner Extranet (e.g. supplier access to an inventory system)
  SSL doesn't require installation of software on the partner's equipment, but
  gives no control over workstation security.
  IPsec might require firewall reconfiguration and access must be policed, but it
  gives closer control over workstation security.
• Web Application Portals (e.g. iPlanet, web-enabled enterprise apps, custom
  web apps)
  SSL is the simplest choice for native web apps. IPsec is overkill.
• VOIP security (e.g. either site-to-site or telecommuter VOIP security)
  VOIP can't be carried by SSL, which runs over TCP while voice traffic is RTP
  over UDP. IPsec is the solution for VOIP encryption.
• Wireless LAN security (e.g. securing WLAN access to the network by using
  stronger authentication and encryption)
  IPsec provides secure access to all network resources and applications.
  SSL requires legacy applications to be first 'translated' into HTTP, or it
  gives access to web apps only.
To Probe Further
• Atkinson, R. (1995). IP Encapsulating Security Payload (ESP). RFC 1827
  (obsolete; the current ESP specification is RFC 4303 below).
• Gleeson, B., Lin, A., Heinanen, J., Armitage, G., & Malis, A. (2000). A
  Framework for IP Based Virtual Private Networks. RFC 2764.
• Kaufman, C. (Ed.) (2005). Internet Key Exchange (IKEv2) Protocol. RFC 4306.
• Kent, S., & Seo, K. (2005). Security Architecture for the Internet Protocol.
  RFC 4301.
• Kent, S. (2005). IP Authentication Header. RFC 4302.
• Kent, S. (2005). IP Encapsulating Security Payload (ESP). RFC 4303.
• Madson, C., & Glenn, R. (1998). The Use of HMAC-SHA-1-96 within ESP and AH.
  RFC 2404.
• Orman, H. (1998). The OAKLEY Key Determination Protocol. RFC 2412.
To Probe Further
• Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., & Wright, T.
  (2006). Transport Layer Security (TLS) Extensions. RFC 4366, IETF.
  http://www.ietf.org/rfc/rfc4366.txt?number=4366
• Dierks, T., & Rescorla, E. (2006). The Transport Layer Security (TLS)
  Protocol Version 1.1. RFC 4346, IETF.
  http://www.ietf.org/rfc/rfc4346.txt?number=4346
• Freier, A., Karlton, P., & Kocher, P. (1996). The SSL Protocol Version 3.0.
  Internet-Draft, November 1996.
• Santesson, S. (2006). TLS Handshake Message for Supplemental Data. RFC 4680,
  IETF. http://www.ietf.org/rfc/rfc4680.txt?number=4680
• Santesson, S., Medvinsky, A., & Ball, J. (2006). TLS User Mapping Extension.
  RFC 4681, IETF. http://www.ietf.org/rfc/rfc4681.txt?number=4681