ipsec ah esp ike
play

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security - PowerPoint PPT Presentation

Nov 07, 2022 •1.07k likes •1.4k views

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing Networks Applications Layer Monitoring/Logging/Intrusion Detection Control/Management (configuration) telnet/ftp: ssh, http: https , mail: PGP Network

  1. IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu

  2. Securing Networks Applications Layer Monitoring/Logging/Intrusion Detection Control/Management (configuration) telnet/ftp: ssh, http: https , mail: PGP Network Security Tools: ( SSL/TLS ) Transport Layer (TCP) ( IPSec, IKE ) Network Layer (IP) Link Layer ( IEEE802.1x/IEEE802.10 ) Physical Layer ( spread-Spectrum, quantum crypto, etc. ) CSG254: Network Security IPsec - IKE

  3. SSL vs. IPsec � SSL: � Avoids modifying “TCP stack” and requires minimum changes to the application � Mostly used to authenticate servers � IPsec � Transparent to the application and requires modification of the network stack � Authenticates network nodes and establishes a secure channel between nodes � Application still needs to authenticate the users CSG254: Network Security IPsec - IKE

  4. IPsec Protocol Suite (IETF Standard) � Provides inter-operable crypto-based security services : � Services: confidentiality, authentication, integrity, and key management � Protocols: � Authentication Header (AH): RFC2402 � Encapsulated Security Payload (ESP): 2406 � Internet Key Exchange (IKE) � Environments: IPv4 and IPv6 � Modes: � Transport (between two hosts) � Tunnel (between hosts/firewalls) CSG254: Network Security IPsec - IKE

  5. IPsec � Assumption: � End nodes already established a shared session key: � Manually or IKE � Security Association: � Each secure connection is called a security association (SA) � For each SA: key, end-node, sequence number, services, algorithms � SA is unidirectional and identified by: � (destination-address, SPI = Security Parameter Index) � Protocols: � Authentication Header: integrity protection � Encapsulated Security Payload: encryption and/or integrity CSG254: Network Security IPsec - IKE

  6. IP Packets 0 4 8 16 19 31 Version HLen TOS Length Ident Flags Offset TTL Protocol Checksum SourceAddr DestinationAddr Pad Options (variable) (variable) Data CSG254: Network Security IPsec - IKE

  7. AH Formatting AH Protocol Number = 51 IP hdr TCP Data IP hdr AH TCP Data Transport mode IP hdr TCP Data new IP hdr AH IP hdr TCP Data Tunnel mode Next Header Length (8) Reserved (16) Security Parameters Index (32) SN: for replay detection Sequence Number Field (32) Authentication Data (N*32) CSG254: Network Security IPsec - IKE

  8. ESP Formatting ESP Protocol Number = 50 IP hdr TCP Data ESP Trailer ESP Auth IP hdr ESP TCP Data Encrypted Authenticated Transport mode IP hdr TCP Data new IP hdr ESP IP hdr TCP Data ESP Trailer ESP Auth Encrypted Authenticated Tunnel mode CSG254: Network Security IPsec - IKE

  9. ESP Header Security Parameters Index (32) Auth/Integrity Sequence Number Field (32) coverage Initialization Vector (variable) Payload Data (variable) confidentiality coverage Pad Length (8) Next Header Padding (0-255 bytes) Authentication Data CSG254: Network Security IPsec - IKE

  10. Issues NAT boxes: � IPsec tunnel mode doesn’t easily work � Firewalls � IPsec encrypts information used by firewalls to filter traffic (e.g., port � number) AH mutable/immutable/predictable fields: � Some fields get modified by the intermediate routers and can’t be protected � by the AH Mutable: type of service, flags, fragment offset, TTL, header checksum � Why is PAYLOAD-LENGTH considered immutable (even if packets can be � fragmented)? Why not fragment offset. Inconsistency! Mutable but predictable fields are included in the AH computation using their � expected value at the destination (e.g., destination address even when using source routing) CSG254: Network Security IPsec - IKE

  11. IPsec: Internet Key Exchange � Goal: � Mutual authentication and establishment of a shared secret session key using: � Pre-shared secret key or public signature-only key, or public encryption key � Negotiation of features and cryptographic algorithms � Specification documents: � ISAKMP (Internet Security Association and Key Management Protocol): RFC 2408 � IKE: RFC 2409 � DOI (Domain Of Interpretation): RFC 2407 CSG254: Network Security IPsec - IKE

  12. Photuris Photuris goal: signed Diffie-Hellman exchange � A -> B : C A 1. B -> A : C A , C B , crypto offered 2. A -> B : C A , C B , g a mod p , crypto selected 3. B -> A : C A , C B , , g b mod p 4. A -> B : C A , C B , g ab mod p { A, signature on previous messages} 5. B -> A : C A , C B , , g ab mod p { B, signature on previous messages} 6. Role of C A , C B , and messages � Additional features: SPI selection � Why not sign messages 3 & 4…? � CSG254: Network Security IPsec - IKE

  13. Simple Key-Management for Internet Protocol (SKIP) � Uses long term Diffie-Hellman keys � Parties assumed to know each other public keys (i.e., g a mod p ) or exchange certificates � Session key X = g ab mod p is established in 0 messages � Each packet is encrypted using data key S and each packet contains: X { S} � Same S can be used for several packets � Later on PFS was added by periodically forgetting the keys and doing a new DH CSG254: Network Security IPsec - IKE

  14. ISAKMP (RFC2408) Proposed by NSA as a framework and accepted by IETF � Runs over UDP and allows to exchange fields to create a protocol � IKE (RFC2409) based on OAKLEY & SKEME using ISAKMP syntax � IKE phases: � Mutual authentication and session key establishment (also called ISAKMP 1. SA or IKE SA) AH/ESP SAs establishment 2. Each source/destination/port has its own SA/keys otherwise ESP – traffic not using integrity could be decrypted… CSG254: Network Security IPsec - IKE

  15. Phase 1 IKE � Two modes: � Aggressive mode: mutual authentication and session key establishment in three messages � A -> B : g a mod p , A , crypto proposal � B -> A : g b mod p , crypto choice, proof I’m B � A -> B : proof I’m A � Main: additional features such as hiding end-points identities and negotiating crypto DH algorithm � A -> B : crypto suite I support � B -> A : crypto suite I choose � A -> B : g a mod p � B -> A : g b mod p � A -> B : g ab mod p { A, proof I’m A} � B -> A : g ab mod p { B, proof I’m B} CSG254: Network Security IPsec - IKE

  16. Phase 1 IKE Key types: � Pre-shared secret key � Public encryption key: fields are separately encrypted using the public key � Optimized public encryption key: used to encrypt a random symmetric key, � and then data is encrypted using the symmetric key Public signature key: used only for signature purpose � 8 variants of IKE phase 1: 2 modes x 4 key types ⇒ Proof of Identity: � Required in messages 2-3 aggressive mode and 5-6 main mode � Proves the sender knows the key associated with the identity � Depends on the key type � Hash of identity key, DH values, nonces, crypto choices, cookies � Alternative: MAC of previous messages � CSG254: Network Security IPsec - IKE

  17. Phase 1 IKE Negotiating cryptographic parameters � A specifies suites of acceptable algorithms: � { (3DES, MD5, RSA public key encryption, DH), � (AES, SHA-1, pre-shared key, elliptic curve), …} The standard specifies a MUST be implemented set of algorithms: � Encryption= DES, hash= MD5/SHA-1, authentication= pre-shared key/DH � The lifetime of the SA can also be negotiated � Session keys: � Key seed: SKEYID � Signature public keys: SKEYID = prf(nonces, g xy mod p ) � Encryption public keys: prf(hash(nonces), cookies) � Pre-shared secret key: prf(pre-shared secret key, nonces) � Secret to generate other keys: SKEYID_d = prf(SKEYID, (g xy , cookies, 0)) � Integrity key: SKEYID_a = prf(SKEYID, (SKEYID_d, (g xy , cookies, 1))) � Encryption key: SKEYID_e = prf(SKEYID, (SKEYID_a, (g xy , cookies, 2)) � Message IDs: � Random 32-bits serves the purpose of a SN but in an inefficient manner because they have to � be remembered CSG254: Network Security IPsec - IKE

  18. IKE Phase 1: Public Signature Keys, Main Mode Description: � Both parties have public keys for signatures � Hidden endpoint identity (except for …?) � Protocol: � A -> B : CP � B -> A : CPA � A -> B : g a mod p , nonce A � B -> A : g b mod p , nonce B � K = f ( g ab mod p , nonce A , nonce B ) A -> B : K { A , proof I’m A , [certificate]} � B -> A : K{ B , proof I’m B , [certificate]} � Questions: � What is the purpose of the nonces? � Can we make to protocol shorter (5 messages)? At what expense? � CSG254: Network Security IPsec - IKE

  19. IKE Phase 1: Public Signature Keys, Aggressive Mode � Protocol: � A -> B : CP, g a mod p , nonce A , A � B -> A : CPA, g b mod p , nonce B , B , proof I’m B , [certificate] � A -> B : proof I’m A , [certificate] CSG254: Network Security IPsec - IKE

  20. IKE Phase 1: Public Encryption Keys, Main Mode, Original � Protocol: � A -> B : CP � B -> A : CPA � A -> B : g a mod p , { nonce A } B , { A } B � B -> A : g b mod p , { nonce B } A , { B } A K = f ( g ab mod p , nonce A , nonce B ) � A -> B : K { proof I’m A } � B -> A : K { proof I’m B } CSG254: Network Security IPsec - IKE

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of course IKE/IPsec can be configured on routers to provide transport security for BGP and other similar control plane protocols. And certainly

480 views • 16 slides
for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

Compression of IPsec AH and ESP Headers for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se goran.selandaer@ericsson.com 1 Status of the Document First submi<ed as a posi=on paper to the Smart

209 views • 18 slides
Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke

Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke

Tokyo Institute of Technology Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke Nagayama, Ryohei Banno, Kazuyuki Shudo Tokyo Tech Blockchain A distributed ledger on P2P network A node generates a

439 views • 19 slides
ZKPs as a Solution 2nd ZKProof Workshop, 2019 Andrew Poelstra Director of Research, Blockstream

ZKPs as a Solution 2nd ZKProof Workshop, 2019 Andrew Poelstra Director of Research, Blockstream

Fragile Nonce Selection and ZKPs as a Solution 2nd ZKProof Workshop, 2019 Andrew Poelstra Director of Research, Blockstream 1 / 11 Schnorr Signatures P = xG k $ R = kG e = H ( P , R , m ) s = k + ex In practice $ is by far the most

378 views • 11 slides
T1 T in: (T1,1); (T2,3) wit: sig 1 ; sig 2 out: 1 BTC: fun(x) . e1 2 BTC: fun(y) . e2

T1 T in: (T1,1); (T2,3) wit: sig 1 ; sig 2 out: 1 BTC: fun(x) . e1 2 BTC: fun(y) . e2

T1 T in: (T1,1); (T2,3) wit: sig 1 ; sig 2 out: 1 BTC: fun(x) . e1 2 BTC: fun(y) . e2 absLock: after 2018.12.17 T2 relLock: 2 days after T1 Block n-2 Block n-1 Block n Transactions: T1 Transactions: Transactions: T2

764 views • 47 slides
Expressing Type-Flaw Attacks in a Strongly Typed Language Iliano Cervesato

Expressing Type-Flaw Attacks in a Strongly Typed Language Iliano Cervesato

Expressing Type-Flaw Attacks in a Strongly Typed Language Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ 2 nd International Workshop on Foundations for

891 views • 45 slides
the Blockchain Krishnendu Chatterjee*, Amir Goharshady *, Arash Pourdamghani** *IST Austria,

the Blockchain Krishnendu Chatterjee*, Amir Goharshady *, Arash Pourdamghani** *IST Austria,

Probabilistic Smart Contracts: Secure Randomness on the Blockchain Krishnendu Chatterjee*, Amir Goharshady *, Arash Pourdamghani** *IST Austria, **Sharif University of Technology Random Numbers on the Blockchain Current programmable

502 views • 18 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with Tetsu Iwata (Nagoya University) To appear at FSE 2017 Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 NonceBased AE

617 views • 44 slides
Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All Together The Bitcoin System The First Primitive Data Structure Reference Reference Header Header Header Transactions Transactions

1k views • 57 slides

More recommend