310 likes | 578 Views
IP Security. Yuan Xue. Where to Place Security. Application/Transport layer based solutions Secure network-based applications Web – SSL, transportation layer solution Email – PGP, application layer solution Network/Link layer based solutions (this class)
E N D
IP Security Yuan Xue
Where to Place Security • Application/Transport layer based solutions • Secure network-based applications • Web – SSL, transportation layer solution • Email – PGP, application layer solution • Network/Link layer based solutions (this class) • Secure network + support for application • IPsec • Internet Security • BGP security • Wireless Security • IEEE 802.11 security • IPSec • No need to change code (transparent to end user) Application PGP SSL Transport IPsec Network Link WEP, WPA, IEEE 802.11i
IPSec • Background • A collection of protocols and mechanisms • RFC 2401, RFC 2402, RFC 2406, RFC 2408 • IPsec is a mandatory part of IPv6 (mandatory to implement, not mandatory to use), and is optional for use with IPv4 • IPsec aims to provide a framework of open standards for secure communications over IP • Protect every protocol running on top of IPv4 and IPv6 • Data confidentiality • Data integrity • Authentication • Prevent IP spoofing • Guard against packet replay
Overview • Authentication and encapsulation can be used separately or together • Either provided in transport or tunnel mode • These services are transparent to applications above transport (TCP/UDP) layer
New IP header IP header data payload Transport Mode vs. Tunnel Mode • Transport mode • Encrypts the payload data from upper-layer protocol • IP header in clear text • Host-to-host communication • Tunnel-mode • Encrypts the entire IP packets including the IP header • Adding a new IP header • Network-to-network/host-to-network/host-to-host communication Encrypted IP header Encrypted data payload IPSec header
IPsec in Transport Mode • End-to-end security between two hosts • Typically, client to gateway (e.g., PC to remote host) • Requires IPsec support at each host
IPsec in Tunnel Mode • Gateway-to-gateway security • Internal traffic behind gateways not protected • Typical application: virtual private network (VPN) • Only requires IPsec support at gateways
Tunnel Mode Illustration Implements IPsec Implements IPsec IPsec protects communication on the insecure part of the network
SPI and SA • To decide the protection for an outgoing packet, • IPsec uses the security parameter index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. • For an incoming packet • IPsec gathers decryption and verification keys from the security association database. • Security Association • One-way relationship between a sender and a receiver • For two-way security exchange, two SA are required • SPI +IP Destination Address + Security Protocol Identifier (whether an AH or an ESP) • Security Parameters Index (SPI) • carried in AH/ESP headers to enable the receiving system to select the SA to process the packet SADB SPI SA
Version Header Length TOS Packet length Packet Id Flags Fragment offset TTL Protocol number Checksum Source IP address Destination IP address Options IP Headers Immutable Predictable Mutable AH sets mutable fields to zero and predictable fields to final value and then uses this header plus packet contents as input to HMAC
Authentication Header • Security Service • Data integrity • Source authentication -- Prevent IP spoofing • Guard against replay attack • Integrity check value • MAC -- HMAC-MD5-96/HMAC-SHA-1-96 • Calculated over • Immutable IP header field, set the mutable field to zero • AH header other than AD field • Upper-level protocol data IP v4 Identifies security association (shared keys and algorithms) Anti-replay Authenticates source, verifies integrity of payload
AH in Transport Mode Before AH is applied
AH in Tunnel Mode Before AH is applied
Prevention of Replay Attacks • When SA is established, sender initializes 32-bit counter to 0, increments by 1 for each packet • If wraps around 232-1, new SA must be established • Recipient maintains a sliding 64-bit window • If a packet with high sequence number is received, do not advance window until packet is authenticated
ESP: Encapsulating Security Payload • Security Service • Confidentiality • Authentication (optional) • Encryption Algorithm • 3DES, RC5, IDEA, CAST, Blowfish… +CBC mode • Authentication Algorithm • MAC -- HMAC-MD5-96/HMAC-SHA-1-96 • Packet format • Adds new header and trailer fields to packet • Transport mode • Confidentiality of packet between two hosts • Complete hole through firewalls • Tunnel mode • Confidentiality of packet between two gateways or a host and a gateway • Implements VPN tunnels
ESP Security Guarantees • Confidentiality and integrity for packet payload • Symmetric cipher negotiated as part of SA • Authentication (Optional) • Transport mode • Tunnel mode encrypted Original IP header ESP header TCP/UDP segment ESP trailer ESP auth authenticated New IP header ESP header Original IP header TCP/UDP segment ESP trailer ESP auth
ESP Packet Identifies security association (shared keys and algorithms) Anti-replay TCP segment (transport mode) or entire IP packet (tunnel mode) Pad to block size for cipher, also hide actual payload length Type of payload HMAC-based Integrity Check Value (similar to AH)
Virtual Private Networks (VPN) • VPN tunnel • Secure communication between parts of the same organization over public untrusted Internet • ESP can be used to implement a VPN Packets go from internal network to a gateway with destination IP address Entire packet protected by ESP, including original headers so destination addresses are hidden Receiving gateway decrypts packet and forwards original IP packet to receiving address in the network that it protects
AH vs. ESP • AH protects some of the field in IP header • ESP only protects everything beyond the ESP header • Separation of authentication and encryption • Port information in clear text for firewall
Combination of SA • Authentication + confidentiality • ESP with authentication option • AH SA + ESP SA bundle • Transport + Tunnel Bundle
Key Management • Oakley Key Determination Protocol • Based on Diffie-Hellman algorithm • Internet Security Association and Key Management Protocol (ISAKMP) • A framework for Internet key management • Internet Key Exchange Protocol (IKE) • The first phase establishes an ISAKMP SA • based on pre-shared keys (PSK), RSA keys and X.509 certificates, even via Kerberos. • In the second phase the ISAKMP SA is used to negotiate and setup the IPsec SAs.
BGP • Overview • AS: Internet routers are grouped into management domains called Autonomous Systems (AS). • BGP: Routing information between AS is exchanged via BGP UPDATE messages.
BGP • Overview • AS: Internet routers are grouped into management domains called Autonomous Systems (AS). • BGP: Routing information between AS is exchanged via BGP UPDATE messages. • Threat • BGP does not have any security protection over routing information, for example: • Routing information source authentication • UPDATE message integrity protection • If malicious attacker injects or modifies routing information (UPDATE messages), BPG routing will be interrupted and packets will get dropped.
S-BGP • Three security mechanisms are employed • Public Key Infrastructure (PKI) is used to support the authentication of AS's identity, and BGP router's identity. • BGP transitive path attribute is employed to carry digital signatures covering the routing information in a BGP UPDATE message. • IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic. • Further reading • Stephen Kent, Charles Lynn, and Karen Seo, Secure Border Gateway Protocol (Secure-BGP), IEEE Journal on Selected Areas in Communications Vol. 18, No. 4, April 2000, pp. 582-592 • Stephen Kent, Charles Lynn, J. Mikkelson, and Karen Seo, Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues, in ISOC Symposium on Network and Distributed System Security, 2000.
Security in Wireless LAN • WEP (Wireless Equivalent Privacy) • a link-level security mechanism defined in IEEE 802.11 • Stream cipher RC4 used in a nonstandard way • A base key is concatenated with a 24-bit per-packet nonce, and is used as a per-packet RC4 key. • CRC checksum is used for integrity protection • Fluher, Mantin, and Shamir Attack • An eavesdropping can deduce the base RC4 key based on several millions encrypted packets whose first byte of plaintext is known. • Stubblefield, Ioannidis, and Rubin demonstrated its feasibility • Problems with WEP: A summary • 24-bit IVs are too short to provide confidentiality • CRC checksum is insecure, and can not protect packet integrity • The way that IV is combined with the key is subject to cryptanalysis. Passive eavesdroppers can learn the key after observing a few million encrypted packets • Lack of source and destination address authentication
Countermeasures • Countermeasures • Use higher-level security mechanism such as IPSec, VPN, SSL, and SSH for security • WPA (Wi-Fi protected access) – an intermediate soution. • IEEE 802.11i • IEEE 802.11X for authentication • CCMP for confidentiality integrity and source authentication • Further readings • Security flaws in 802.11 data link protocols, Nancy Cam-Winget, Russ Housley, David Wagner, and Jesse Walker. Communications of the ACM, 46(5), May 2003, Special Issue on Wireless networking security, pp.35-39. • Intercepting Mobile Communications: The Insecurity of 802.11 Nikita Borisov, Ian Goldberg, David Wagner, INFOCOM 2001. • Using the Fluhrer, Mantin, and Shamir Attack to Break WEP , Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, NDSS 2002.