IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network - TCP/IP Three Areas: 1.
Download ReportTranscript IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network - TCP/IP Three Areas: 1.
IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network - TCP/IP Three Areas: 1. Authentication – verifies source / no alteration 2. Confidentiality – no eavesdropper 3. Key Management – secure exchange ATTACKS - REQUIREMENTS 1. IP Spoofing - false IP address 2. eavesdropping / packet sniffing - logon data, database contents Secure Branch Office over Internet - Virtual Private Network Secure Remote Access over Internet - local call to ISP remote company extranet/internet – secure comms other orgs Secure Commerce – enhanced by IPSEC …because encrypt/decrypt all traffic at IP level (fig 16.1) IP SECURITY SCENARIO Secure IP Payload I He P ade r IP ea de IP He S e c ade Sec r u Pay r IeP loa d Public (I nternet) or Private Network r I PS H ea ec de r S e P a cur e lyo I P ad IP IPSec Header Header H User system with IPSec Networking device with IPSec IP Header IP Payload Figure 16.1 An IP Security Scenario Networking device with IPSec IP Header IP Payload BENEFITS of IPSEC • Traffic within company – ”no need for security” • Transparent applications and end users • Security for ”off-site” individuals IPSEC and ROUTING • Authorises Routing Advertisement • Authorises Neighbour Advertisement • Redirect • Routing Update - not forged EXTENSION HEADER - follows main IP header Authentication Header Encapsulating Security Payload (ESP) header (encrypted) Fig 16.2 AH - Authentication Header ESP – Encryption + Authentication Table 16.1 IPSec DOCUMENT OVERVIEW Ar chi tectur e ESP Pr otocol AH Pr otocol Encr yption Algor ithm Authentication Algor ithm DOI K ey M anagement Fi gur e 16.2 I PSec Document Over vi ew SECURITY ASSOCIATIONS (SAs) One-way relationship between sender and receiver -For two-way, need two SAs - Three Parameters 1. Security Parameter Index (SPI) 2. IP Destination Address 3. Security Protocol Identifier SECURITY ASSOCIATIONS (SAs) 1. Security Parameter Index (SPI) - bit string – carried in AH and ESP headers enables receiver to select SA for processing packet. 2. IP Destination Address - end user or network system (e.g. firewall, router) 3. Security Protocol Identifier indicates AH or ESP SA PARAMETERS • Sequence Number Counter • Sequence Counter Overflow - overflow auditable? • Anti-Replay Windows - is incoming AH or ESP a replay? • AH information - auth. alg., keys, key lifetimes • ESP information - encryp. alg., auth. alg., keys, init. values, key lifetimes • Lifetime of SA • IPSec Protocol Mode: - Tunnel/Transport/Wildcard (mask) • Path MTU – max packet size SECURITY POLICY DATABASE (SPD) Relates IP traffic to specific SAs [ Subset0 of IP Traffic] [ Subset1 of IP Traffic] SA and/or [Subset of IP Traffic] SA0 SA1 SPD : IP and UPPER LAYER SELECTORS - filters/maps traffic SA • Dest. IP Address: single/list/range/wildcard • Source IP Address: single/list/range/wildcard • User ID • Data Sensitivity Level:e.g.secret/unclassified • Transport Layer Protocol: (number) individual/list/range IPSEC Protocol: AH/ESP/AH and ESP • • Source and Dest. Ports: (TCP or UDP values) individual/list/wildcard SPD : IP and UPPER LAYER SELECTORS - filters/maps traffic SA • IPv6 Class: specific/wildcard • IPv6 Flowlabel: specific/wildcard • IPv4 Type of Service (TOS): specific/wildcard TRANSPORT MODE Transport Upper-layer protection End-to-end communication (e.g. client server, two workstations) ESP encrypts IP payload (not header) (optionally authenticates) AH authenticates IP payload + selected portions of header TUNNEL MODE Tunnel Protects entire IP packet entire packet + security fields treated as ”outer” payload with new IP header Original (inner) packet travels through tunnel. Routers cannot examine inner IP header e.g. tunneled through firewall Table 16.2 AUTHENTICATION HEADER - Detects modification - Prevents address spoofing, replay Uses MAC - Alice, Bob share secret key Fig 16.3 AUTHENTICATION HEADER Bit: 0 16 8 Next Header Payload Length 31 RESERVED Security Parameters Index (SPI) Sequence Number Authentication Data (variable) Figure 16.3 IPSec Authentication Header ANTI-REPLAY SERVICE Sequence Number Field (SNF) thwarts attack New SA: Sender initialises C=0 For every new packet on SA: C++ Anti-Replay operates up to max C = 232 – 1 If max reached, terminate SA ANTI-REPLAY SERVICE IP is, connectionless, unreliable protocol does NOT guarantee: packets delivered in order all packets delivered ANTI-REPLAY MECHANISM Advance window if valid packet to the right is r eceived Fixed window size W ¥¥¥ N N ÐW N+1 marked if valid packet r eceived unmarked if valid packet not yet r eceived Figure 16.4 Anti-Replay Mechanism ANTI-REPLAY MECHANISM (Fig 16.4) 1. if Rx packet falls in window and new then check MAC. if authentic then mark slot 2. if Rx packet to right of window and new then check MAC. if authentic advance window up to packet. 3. if Rx packet to left of window or authentication fails then, discard, audit INTEGRITY CHECK VALUE (ICV) - MAC HMAC–MD5-96, HMAC-SHA-1-96 (trunc to 96 bits) MAC over: IP Header Fields which are unchanged in transit (or are predictable at receiver), other fields set ot 0 for calculation purposes. AH Header except Authentication Data Field – AD 0 Upper-Level protocol data TRANSPORT / TUNNEL MODES Fig 16.5 Transport SA: workst. server Tunnel SA: (secret key) workst. intern. network firewall intern. server without auth. Fig 16.6 IP Payload is TCP or data for other protocol. End-to-End vs. End-to-intermediate Auth. Server End-to-end authentication Internal Network End-to-end authentication External Network Router/Firewall End-to-intermediate authentication Figure 16.5 End-to-end vs. End-to-intermediate Authentication SCOPE OF AH AUTHENTICATION or ig I P hdr T CP Data extension header s (i f present) T CP Data I Pv4 I Pv6 or ig I P hdr (a) Befor e Applying AH authenticated except for mutable fields I Pv4 or ig I P hdr AH T CP Data authenticated except for mutable fields I Pv6 or ig I P hdr hop-by-hop, dest, r outing, fragment AH dest T CP Data (b) T r anspor t M ode authenticated except for mutable fields in the new I P header I Pv4 New I P hdr AH or ig I P hdr T CP Data authenticated except for mutable fields in new I P header and i ts extension header s I Pv6 new I P hdr ext header s AH or ig I P hdr ext header s T CP (c) T unnel M ode Fi gur e 16.6 Scope of AH Authentication Data ENCAPSULATING SECURITY PAYLOAD (ESP) Message Confidentiality Limited Traffic flow Confidentiality Authentication (like AH) Fig 16.7 A u th e n tic a tio n C o v e r a g e C o n f id e n t ia lit y C o v e r a g e Bit: ENCAPSULATING SECURITY PAYLOAD (ESP) 0 16 24 Secur ity Par ameter s I ndex (SPI ) Sequence Number Payload Data (var iable) Padding (0 - 255 bytes) Pad L ength Authentication Data (var iable) Figur e 16.7 I PSec ESP For mat Next Header 31 ENCAPSULATING SECURITY PAYLOAD (ESP) • SPI – Security Association • Sequence Number • Payload – Transport/Tunnel – encrypt • Padding - 0 – 255 bytes • Pad Length • Next Header – Payload type by identifying first header in payload. • Auth. Data – ICV (MAC) ESP Encrypts payload, padding, pad length, next header Optimal init. vector (IV) for encryp. alg. at beginning of Payload Uses DES(CBC), 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish Uses HMAC-MD5-96, HMAC-SHA-1-96 PADDING Required, • if encryp. alg. requires plaintext to be certain multiple of bytes. • to make ciphertext a multiple of 32-bits • for Partial Traffic Flow Confidentiality TRANSPORT and TUNNEL MODES Fig 16.8 Transport - confidentiality for all appl. - drawback : traffic analysis Tunnel – hosts avoid security (VPN) Fig 16.9 Transport vs. Tunnel Encryp. Encr ypted TCP Session Exter nal Networ k I nter nal Networ k (a) Tr anspor t-level secur ity Cor por ate Networ k Encr ypted tunnels car r ying I P tr affic Cor por ate Networ k Cor por ate Networ k I nter net Cor por ate Networ k (b) A virtual pr ivate networ k via Tunnel M ode Fi gur e 16.8 Tr anspor t-M ode vs. Tunnel -M ode Encr yption Scope of ESP Encryp. and Auth. authenticated encr ypted I Pv4 or ig I P hdr ESP hdr T CP Data ESP ESP trlr auth Data ESP ESP trlr auth Data ESP ESP trlr auth Data ESP ESP trlr auth authenticated encr ypted I Pv6 or ig I P hdr hop-by-hop, dest, r outing, fragment ESP hdr dest T CP (a) T r anspor t M ode authenticated encr ypted I Pv4 New I P hdr ESP hdr or ig I P hdr T CP authenticated encr ypted I Pv6 new I P hdr ext header s ESP hdr or ig I P hdr ext header s T CP (b) T unnel M ode Fi gur e 16.9 Scope of ESP Encr yption and Authentication COMBINING SAs Each SA implements AH or ESP, but, Some traffic flow may require both. multiple SAs Security Association Bundle Sequence of SAs SAs may terminate at different endpoints TWO BUNDLE TYPES Transport Adjacency: more than one security protocol to same IP packet, no tunneling, one endpoint. Iterated Tunneling: multiple (nested) security layers using tunnelling, possible different end points. TWO BUNDLE TYPES Two approaches can be Combined e.g. Transport SA between hosts travels partway through a Tunnel SA between security gateways. AUTHENTICATION + CONFIDENTIALITY 1. ESP with Auth. Option - Fig 16.9 Transport mode ESP: IP header not protected Tunnel mode ESP: Auth. entire outer IP packet Encryp. entire inner IP packet For both cases, ciphertext authenticated Scope of ESP Encryp. and Auth. authenticated encr ypted I Pv4 or ig I P hdr ESP hdr T CP Data ESP ESP trlr auth Data ESP ESP trlr auth Data ESP ESP trlr auth Data ESP ESP trlr auth authenticated encr ypted I Pv6 or ig I P hdr hop-by-hop, dest, r outing, fragment ESP hdr dest T CP (a) T r anspor t M ode authenticated encr ypted I Pv4 New I P hdr ESP hdr or ig I P hdr T CP authenticated encr ypted I Pv6 new I P hdr ext header s ESP hdr or ig I P hdr ext header s T CP (b) T unnel M ode Fi gur e 16.9 Scope of ESP Encr yption and Authentication AUTHENTICATION + CONFIDENTIALITY 2. Transport Adjacency Two Bundled SAs: - inner being ESP (no auth.) outer being AH - advantage: auth. covers more fields - disadvantage: two SAs versus one AUTHENTICATION + CONFIDENTIALITY 3. Transport-Tunnel Bundle Auth. Prior to encryp.: - advantages: Impossible to intercept and alter without detection. Store MAC with message at destination for later. Use Bundle: Inner AH: Transport SA Outer ESP: Tunnel SA entire auth. inner packet encrypted. new outer IP header added BASIC COMBINATION OF SAs CASE 1 End systems implement IPSec - share keys CASE 2 Security between gateways (routers,firewalls) No hosts implement IPSec Simple VPN Nested tunnels not required because IPSec applied to entire packet. CASE 3 Case 2 + end-to-end security. Gateway-to-gateway ESP provides traffic confidentiality. CASE 4 Support for remote host to reach firewall. Only tunnel mode required. Key Management - Read BASIC COMBINATION OF SAs Tunnel SA One or M or e SAs Router Secur ity Gateway* Router Host* Host* L ocal I ntranet Internet L ocal I ntranet Host* L ocal I ntranet Internet Tunnel SA Secur ity Gateway* Host (b) Case 2 L ocal I ntranet One or Two SAs Secur ity Gateway* H ost Internet L ocal I ntranet (c) Case 3 Tunnel SA L ocal I ntranet Secur ity Gateway* Host* (a) Case 1 Secur ity Gateway* One or Two SAs Host* Host* Internet (d) Case 4 * = implements IPSec Figur e 16.10 Basic Combinations of Secur ity Associations L ocal I ntranet