ikev2 ipsec key management protocol
play

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: - PowerPoint PPT Presentation

Jan 13, 2024 •423 likes •702 views

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

  1. IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding

  2. IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key Exchange SAD: Security Association Database SPD: Security Policy Database 6/12/2020 Lecture 20 2

  3. Outline • Motivations of Key Management • Key Concepts • Diffie-Hellman Key Exchange Protocol • Perfect Forward Secrecy • Pseudo-Random Function (PRF) • IKEv2 • Authentication and Key Generation • Cryptographic Algorithm Negotiation • Re-keying • Some Comments on IKEv2 6/12/2020 Lecture 20 3

  4. Why Automated Key Management? • Have to configure keys used in AH & ESP. • Manual Techniques • Simplest • Practical in small and static environment • Human intervention, mis-configurations easily • Do not scale well • Static key not good for security 6/12/2020 Lecture 20 4

  5. Revision: Any problem about DH? 6/12/2020 Lecture 20 5

  6. Diffie-Hellman in Practice • Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) • 768-bit modulus and primitive root 2. • 1024-bit modulus and primitive root 2. • Two elliptic curve DH parameters (details omitted here) • 1536-bit MODP Group • 2048-bit MODP Group • 3072-bit MODP Group • 4096-bit MODP Group • 6144-bit MODP Group • 8192-bit MODP Group 6/12/2020 Lecture 20 6

  7. Perfect Forward Secrecy (PFS) • Refers to the notion that compromise of a single session key will not compromise other session keys. • Any key should not be derived from any predecessor key 6/12/2020 Lecture 20 7

  8. Pseudo-Random Function (PRF) • PRF function takes a variable length key, variable length data, and produces a fixed length output • e.g. slightly modified HMAC • For generating keying material and authentication of IKE • In RFC4307: Recommended PRF • PRF_HMAC_SHA1 MUST RFC2104 • PRF_HMAC_MD5 MAY RFC2104 • PRF_AES128_CBC SHOULD+ AES-PRF 6/12/2020 Lecture 20 8

  9. PRF+ prf+ (K,S) = T1 , T2 , T3 , T4 , ... where: T1 = prf (K, S | 0x01) T2 = prf (K, T1 | S | 0x02) T3 = prf (K, T2 | S | 0x03) T4 = prf (K, T3 | S | 0x04) . where | means concatenation 0x01 etc. are constants A number of Ti ’ s are computed iteratively as needed 6/12/2020 Lecture 20 9

  10. Outline • Motivations of Key Management • Key Concepts • Diffie-Hellman Key Exchange Protocol • Perfect Forward Secrecy • IKEv2 • Authentication and Key Generation • Cryptographic Algorithm Negotiation • Re-keying • Some Comments on IKEv2 6/12/2020 Lecture 20 10

  11. IKEv2 Outline Phase 1, Step 1: Create IKE SA and compute a master secret Phase 1, Step 2: Mutual authentication and negotiation of IPSec algorithms Phase 2: Create IPSec SA 6/12/2020 Lecture 20 11

  12. IKEv2 Protocol Phase 1, Step 1: IKE_SA_INIT Negotiate IKE algorithms • Compute secret keys for IKE • Compute master secret k_d for computing • IPSec keys in Phase 2. Phase 1, Step 2: IKE_AUTH Mutual authentications • Negotiation of IPsec algorithms (piggybacked • here) Phase 2: CREATE_CHILD_SA Setup AH or ESP security associations • 6/12/2020 Lecture 20 12

  13. Phase 1.1: IKE_SA_INIT (1) Responder Initiator HDR, SAi1, KEi Ei, Ni HDR, SAr1, KEr Er, Nr, [CER ERTREQ EQ] • HDR (IKE header) • Nx • Version number • Nonce of • SPIi: A value chosen by the Initiator/Responder initiator to identify this IKE security association. • SAr1 • …… • Expressed the choice • SAi1 based on SAi1 • Supported Crypto algms of initiator for the IKE_SA (DH • [CERTREQ] group, encrpt, authen algor for protecting the messages in • Optional request Phase 1.2 and Phase 2) preferred CA • KEx • Diffie-Hellman Values 6/12/2020 Lecture 20 13

  14. Phase 1.1: IKE_SA_INIT (2) • After this two messages, each party can generate SKEYSEED based on the values in KEi and KEr by DH • SKEYSEED=prf(Ni | Nr, g^(s_is_r)) [Remark: s_i the secret of I] Nonces add the freshness to the key materials. • {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ) The prefix of output of the function prf+ is cut into pieces as different keys • SK_d is the master secret that will be used to compute IPSec SA keys later in Phase 2. • Following messages in Phase 1.2 will be encrypted and integrity protected by SK_ai, SK_ei, SK_ar, SK_er respect. • SK_pi and SK_pr are pre-shared secret keys for authentication in Phase 1.2 (technical details of this authentication method is given later). 6/12/2020 Lecture 20 14

  15. Phase 1.2: IKE_AUTH (1) Responder Initiator HDR, SK {IDi, [CER ERT,] [CER ERTREQ EQ,] [IDr,] AUTH, SAi AU Ai2, TSi, TSr} HDR, SK {IDr, [CER ERT,] AUTH, SAr2, TSi, TSr} • SAi2/SAr2 piggybacked here • {…} • For CREATE_CHILD_SA • indicated payloads are encrypted and integrity protected using that • They contain only algorithms direction ’ s SK_e & SK_a and the • TS IKE encryption and auth algorithms • Traffic Selector Info (IP Add + • IDi, IDr Port) • For auth based on preshared • It defines which traffic to be secrets SK_pi, SK_pr (details protected by SAi2, SAr2 omitted) • It contains protocol, port range, address range • Auth • TSi = (0, 0-65535,192.0.2.202-192.0.2.202) • Preshared secrets (SK_pi, SK_pr) + • TSr = (0, 0-65535,192.0.2.0-192.0.2.255) ID • Digital certificates 6/12/2020 Lecture 20 15

  16. The Whole Picture of Phase 1 Initiator Responder HDR, SAi1, KEi Ei, Ni HDR, SAr1, KEr Er, Nr, [C [CER ERTREQ EQ] HDR, SK {I {IDi, [C [CER ERT,] ] [C [CER ERTREQ EQ,] ] [I [IDr,] AUTH, AU , SAi Ai2, , TSi, , TSr} HDR, SK {I {IDr, [C [CER ERT,] ] AUTH, SAr2, TSi, TSr} Remark 1: [CERTREQ] means authentication with digital certificate. Remark 2: “ SK{} ” means encryption using the keys sk_{ei} and sk_{er} . Remark 2: SAi2 and SAr2 are negotiations of IPSec SA algorithms, piggybacked in this authentication step. 6/12/2020 Lecture 20 16

  17. Mutual Authent. by AUTH (2) • Two Authentication Methods • Digital Signature Based • Requires individual [CERT] exist in both messages • [CERTREQ] indicates to use certificate authentication • Initiator signs the 1 st message appended by Nr and prf(SK_pi, IDi) • responder signs the 2 nd message appended by Ni and prf(SK_pr, IDr) • Pre-shared Key (SK_pi, SK_pr) • HMAC using negotiated prf function • AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <msg octets>) • <msg octets> is the 1 st or 2 nd message in Phase 1.1. 6/12/2020 Lecture 20 17

  18. CHILD_SA Negotiations in IKE_AUTH • Establishment of CHILD_SA is piggybacked in IKE_AUTH • Initiator proposes SAi2 in message 3 • Responder answers SAr2 in message 4 • Traffic protected by the SA is also negotiated through traffic selectors (TSi, TSr) 6/12/2020 Lecture 20 18

  19. Phase 2: CREATE_CHILD_SA Responder Initiator HDR, SK {[ {[N], ], [S [SA], ], Ni, [K [KEi Ei], ], [T [TSi, TSr]} ]} HDR, SK {[S {[SA], ], Nr, [K [KEr Er], ], [T [TSi, TSr]} ]} • [N]: Indication negotiation of new IPSec SA • An established IKE SA may be used • [KEx] to create many IPSec SAs and may • Diffie-Hellman value, different from be used for a long time. those in Phase 1.1 • A set of IPSec algorithms was • Used only when PFS is required. In already negotiated in Phase 1.2. this case, they will be used in However, if a new IPSec SA should computing new IPSec keys be created, then [N] is used to • [TSx] indicate this. At the same time, new • Traffic Selector Negotiations for [KEi] and [TSi, TSr] (different new IPSec SA from those in Phase 1.2) may be • Used only when [N] is used negotiated. • If [N] is not used, this is the 1 st IPSec • The Ni and Nr here are different SA creation under this IKE SA from those in Phase 1.1, and will be • The protection SK{} here is by the IKE used to compute IPSec secret keys. SA negotiated before. • Ni and Nr should be different from those in Phase 1.1. 6/12/2020 Lecture 20 19

  20. Finally, Keys for AH or ESP • After CREATE_CHILD_SA, the key(s) for AH or ESP will be generated! • KEYMAT = prf+(SK_d, Ni | Nr) • Ni and Nr are the new nonces in Phase 2 • They are independent of the two nonces in Phase 1 • For stronger PFS • KEYMAT = prf+(SK_d, g^(s_i s_r) (new) | Ni | Nr ) , • Where s_i and s_r are the new DH values in Phase 2, SK_d is the old one Phase 1, Ni and Nr are new ones in Phase 2. 6/12/2020 Lecture 20 20

  21. Outline • Motivations of Key Management • Key Concepts • Diffie-Hellman Key Exchange Protocol • Perfect Forward Secrecy • Pseudo-Random Function (PRF) • IKEv2 • Authentication and Key Generation • Cryptographic Algorithm Negotiation • Re-keying • Improvements over IKE (v1) • Some Comments on IKEv2 6/12/2020 Lecture 20 21

  22. Cryptographic Algorithm Negotiation • “ SA ” payload consists of one or more proposals: • IPSec protocols: IKE, ESP, AH • Cryptographic algorithms associated with each protocol • The responder answers this choice based on the proposals proposed by Initiator 6/12/2020 Lecture 20 22

  23. Re-keying • Secret keys of IKE, ESP and AH should be only used in a limited of time. • After SA lifetime expires, re-keying has to be done. • Either side thinks an SA has been enough time, it negotiates a new SA. • After the new SA is setup, delete the old one. 6/12/2020 Lecture 20 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

410 views • 19 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli (vijay.devarapalli@azairenet.com) Assumptions in RFC 3775, 3963 There is only one primary care-of address per mobile node The primary care-of

240 views • 7 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly aurelien.wailly@orange.com Maryline Laurent Maryline.Laurent@it-sudparis.eu 2011-10-25 ICSNA 2011 1 Outline IPsec IKEv2 CGA IKEv2 with CGA?

744 views • 36 slides
Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure applications: Applicaz. (SHTTP) PGP, SHTTP, SFTP, or SSL/TLS Security down in the TCP protocol stack -SSL between TCP IPSEC and applic. layer

723 views • 59 slides
IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec 1 IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials, extend without waiting for OS vendor, understand data; (-): design again and again; e.g., PGP, ssh, Kerberos Transport layer: (+):

420 views • 18 slides
Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01 What Problem Does This Document Solve Tries to educate implementors that IKEv2 is not complex and difficult to implement. Why Do People

363 views • 5 slides
Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
Traffic Flow Flow Confidentiality Confidentiality in in IPsec IPsec: : Traffic Protocol and

Traffic Flow Flow Confidentiality Confidentiality in in IPsec IPsec: : Traffic Protocol and

Universit di Roma di Roma Tor Tor Vergata Vergata Universit Traffic Flow Flow Confidentiality Confidentiality in in IPsec IPsec: : Traffic Protocol and and Implementation Implementation Protocol Giuseppe Bianchi,

514 views • 26 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at the internet layer. Handles addressing and routing TCP: at the transport layer. Setting up channels (between ports), with traffic control, error-

292 views • 17 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
IPsec, BGPsec, DNSSEC Lecture 18 And a bit of Zero-Knowledge Proofs Internet Protocol Suite

IPsec, BGPsec, DNSSEC Lecture 18 And a bit of Zero-Knowledge Proofs Internet Protocol Suite

IPsec, BGPsec, DNSSEC Lecture 18 And a bit of Zero-Knowledge Proofs Internet Protocol Suite TCP/IP: Developed in the 70 s IP: at the internet layer. Handles addressing and routing TCP: at the transport layer. Setting up channels (between

418 views • 21 slides
IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite Link layer: ethernet, wifi etc. Internet

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite Link layer: ethernet, wifi etc. Internet

IPsec, BGPsec, DNSSEC Lecture 20 Internet Protocol Suite Link layer: ethernet, wifi etc. Internet layer: addressing and routing Transport layer: Setting up channels (between ports), with traffic control, error-correction etc. TCP/IP for

676 views • 16 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
Directional morphology and person marking Felix Rau Leiden University / University of Cologne

Directional morphology and person marking Felix Rau Leiden University / University of Cologne

Directional morphology and person marking Felix Rau Leiden University / University of Cologne Universitt zu Kln Talk map General Idea Patterns Typology I (coarse) Closer Look Typology II (fine / preliminary) 2 General

707 views • 49 slides
Fe P - Ei Iq . &gt; o } - Eitan .co } N' : Eai 's } F={LInPlu( N' I &gt; II Sterner

Fe P - Ei Iq . &gt; o } - Eitan .co } N' : Eai 's } F={LInPlu( N' I &gt; II Sterner

b - an ai FO - b ) h A , - - IE Cn ] P a - . LITTLEWOOD - OFFORD PROBLEM r I rn . P 4936 &lt; s A ERDE 's PAUL : special Case All ai &gt; O : F - { I l za : - b ) En ) c' EI Spenner Fe P - Ei Iq . &gt; o } - Eitan .co } N' :

425 views • 8 slides
P2S2-2010 Panel Is Hybrid Programming a Bad Idea Whose Time Has Come ? Taisuke Boku Center for

P2S2-2010 Panel Is Hybrid Programming a Bad Idea Whose Time Has Come ? Taisuke Boku Center for

P2S2-2010 Panel Is Hybrid Programming a Bad Idea Whose Time Has Come ? Taisuke Boku Center for Computational Sciences University of Tsukuba 2010/09/13 P2S2-2010 Panel 1 Definition Term of Hybrid Programming sometime means

111 views • 10 slides
Boolean networks, local models, and finite polynomial dynamical systems Matthew Macauley

Boolean networks, local models, and finite polynomial dynamical systems Matthew Macauley

Boolean networks, local models, and finite polynomial dynamical systems Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4500, Spring 2017 M. Macauley (Clemson) Boolean

618 views • 15 slides
MTLE-6120: Advanced Electronic Properties of Materials Quantum kinetics Reading: Kasap: 3.7

MTLE-6120: Advanced Electronic Properties of Materials Quantum kinetics Reading: Kasap: 3.7

1 MTLE-6120: Advanced Electronic Properties of Materials Quantum kinetics Reading: Kasap: 3.7 Griffiths QM: 9.1 - 9.2 2 Operators and expectation values r ) | 2 probability distribution of | ( r Average value of

569 views • 12 slides
Te Mana o te Wai Ko Hikur urang ngi t te M Maung nga, Ko Waiapu t pu te A Awa Ko o Ngati

Te Mana o te Wai Ko Hikur urang ngi t te M Maung nga, Ko Waiapu t pu te A Awa Ko o Ngati

Te Mana o te Wai Ko Hikur urang ngi t te M Maung nga, Ko Waiapu t pu te A Awa Ko o Ngati P Por orou t te Iwi IAG/ILG/ICF IAG: Group of Iwi technicians ILG: Key Leaders who support the Freshwater kaupapa ICF 58 Iwi Chairs

1.39k views • 27 slides
Derived equivalence induced by infinitely generated n -tilting modules Silvana Bazzoni (Joint

Derived equivalence induced by infinitely generated n -tilting modules Silvana Bazzoni (Joint

Derived equivalence induced by infinitely generated n -tilting modules Silvana Bazzoni (Joint work with Francesca Mantese and Alberto Tonolo) Universit` a di Padova Trieste, February 1-5, 2010 Silvana Bazzoni Derived equivalence induced by n

380 views • 17 slides
Tomoya Takiwaki (RIKEN Kei Kotake(Fukuoka) Yudai Suwa(Kyoto/MPA) 1 Supernovae: the death of

Tomoya Takiwaki (RIKEN Kei Kotake(Fukuoka) Yudai Suwa(Kyoto/MPA) 1 Supernovae: the death of

2015/08/18 MICRA2015 How supernova simulations are affected by input physics Tomoya Takiwaki (RIKEN Kei Kotake(Fukuoka) Yudai Suwa(Kyoto/MPA) 1 Supernovae: the death of the star ? Q:How does the explosion occur? 2 Important gradients

740 views • 44 slides

More recommend