Kerberos 4 (NS chapter 13) - PowerPoint PPT Presentation

5/7/2009 shankar

authentication slide 1: Computer and Network Security, CMSC414
  • STANDARDS
  • Udaya Shankar
  • shankar@cs.umd.edu

authentication slide 2: Kerberos 4 (NS chapter 13)
  • Realm has KDC and principals (users)
    • Users are humans and (distributed) applications (NFS, rsh, etc.)
    • Human users log in to workstations, use applications (apps)
    • Apps can interact with other apps (e.g., ftp with NFS)
    • KDC authenticates login sessions and apps
  • Based on Needham-Schroeder authentication protocol.
  • Assumes attacker can eavesdrop and modify messages in transit.
  • Assumes DES and IPv4
  • Uses timestamps, so nodes need to maintain synchronized clocks.
  • KDC holds a master key for each principal
    • Human user's master key obtained from password
    • Apps have (high-quality) key
  • KDC has secret key K_KDC (not shared with any other principal)
    • for encrypting master keys in local database
    • for encrypting TGTs
  • Read-only database (except when principal changes master key)

authentication slide 3: login session and TGT
  • KDC authenticates user based on user's master key.
  • KDC provides user with credentials (encrypted with master key) consisting of
    • session key for that login session (user master key is not used after login)
    • TGT (ticket-granting ticket), used to obtain further tickets from KDC; TGT is encrypted by K_KDC
  • To get a ticket for an application, user's workstation presents KDC with [request, TGT, timestamp] (timestamp encrypted with session key)
  • KDC returns (encrypted with session key) credentials consisting of
    • session key (to talk to application)
    • ticket for application (encrypted with application's master key)
  • User's workstation presents application with [request, ticket]

authentication slide 4: login
  Participants: user A (has pw); A's workstation; KDC (has A : K_A)
  1. Start login: A gives [A, passwd] to workstation.
  2. Workstation sends [A, KDC, AS_REQ] to KDC.  AS_REQ: "A needs TGT"
  3. KDC receives msg:
       retrieve K_A
       generate session key S_A
       tgt_A ← K_KDC{A, S_A}
       crd_A ← K_A{S_A, tgt_A}
       send [KDC, A, AS_REP, crd_A]
  4. Workstation receives msg:
       construct K_A from passwd
       extract S_A, tgt_A from crd_A
       forget passwd; shell uses S_A henceforth
     Finish login.

authentication slide 5: logged-in A accesses application B
  Participants: user A; A's workstation; KDC; B
  1. A: rlogin B
  2. Workstation sends [A, KDC, TGS_REQ, "A to talk to B", tgt_A, S_A{ts}] to KDC.  S_A{ts}: authenticator
  3. KDC receives msg:
       generate session key K_AB
       get S_A from tgt_A
       get ts and verify
       find B's master key K_B
       tkt_B ← K_B{A, K_AB}
       crd_B ← S_A{B, K_AB, tkt_B}   // credential
       send [TGS_REP, crd_B] to A
  4. Workstation receives msg from KDC; sends [A, B, AP_REQ, tkt_B, K_AB{ts}] to B.
  5. B receives msg; sends [B, A, AP_REP, K_AB{ts+1}] to A.
  6. Workstation receives msg. End.
authentication slide 6: replicated KDCs
  • One master KDC and several secondary KDCs
  • Each secondary KDC has read-only copy of KDC database
  • Additions/deletions/changes to master keys always done at master KDC
  • Secondary KDCs can generate session keys, TGTs, etc.
  • Master disseminates KDC database to secondary KDCs with integrity protection only (but master keys are encrypted with K_KDC)

authentication slide 7: authentication across realms
  • Possible if their KDCs share a key.
  • Principal name = [name, instance, realm], each string of 40 chars max
  • A in realm X talks to B in realm Y (KDC_X and KDC_Y share a key):
    1. A sends [A, KDC_X, TGS_REQ, A.X, KDC.Y] to KDC_X
    2. KDC_X receives msg; sends [KDC_X, A, TGS_REP, cred to KDC_Y]
    3. A receives msg; sends [A, KDC_Y, TGS_REQ, A.X, B.Y, cred] to KDC_Y
    4. KDC_Y receives msg; sends [KDC_Y, A, TGS_REP, cred to B]
    5. A receives msg; sends [A, B, AP_REQ, cred, …] to B
    6. B receives msg.
authentication slide 8: key versions and network addresses
  • If A has a ticket to B and B changes its password, then ticket is no longer valid. To handle this case (without A having to ask KDC for a new ticket):
    • Applications remember old master keys (up to expiry time (approx 21 hrs))
    • In tickets, the key is sent along with version number
    • Human users need not remember old passwords
  • Network addresses in tickets:
    • Every ticket has the IPv4 address of the principal given the ticket
    • Received ticket is not accepted if ticket sender's IP address does not match
    • So if B is to impersonate A, it must also spoof the IP address of A (easy to do)
    • Prevents delegation: A cannot ask B at another IP address to do work on behalf of A (unless B spoofs IP address of A!)

authentication slide 9: encryption in Kerberos V4
  • After authentication, data exchange can be in clear, or encrypted, or integrity-protected, or encrypted and integrity-protected
  • Choice is up to the application (performance vs security).
  • Kerberos V4 uses some ad hoc encryption techniques (not so safe).
  • Encryption with integrity: recall that the standard approach uses two keys and two crypto passes (expensive). Kerberos uses a modified CBC called Plaintext CBC (PCBC)
    • In CBC: c_{n+1} = E_K{m_{n+1} ⊕ c_n}. Modifying any c_i causes only m_i and m_{i+1} to be garbled.
    • In PCBC: c_{n+1} = E_K{m_{n+1} ⊕ c_n ⊕ m_n}. Modifying any c_i causes all m_j for j ≥ i to be garbled. Kerberos puts a recognizable last block, so tampering is detected.
    • However, swapping c_i and c_{i+1} makes PCBC get back in synch from m_{i+2}.
  • Integrity only: computes checksum on [session key, msg]. Probably not cryptographically strong
    • May allow attacker to modify msg and pass integrity test
    • May allow attacker to obtain session key
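The CBC/PCBC behaviour on this slide, as an added example that is not part of the original slides: a toy 8-byte Feistel block cipher (an assumption standing in for DES) run in CBC and PCBC mode, with the three tampering experiments the slide describes. Flipping a ciphertext block under CBC garbles only two plaintext blocks; flipping one under PCBC garbles every block after it, so the recognizable last block (here the assumed marker `KRB4-END`) catches it; swapping two adjacent PCBC ciphertext blocks garbles only those two, so the marker still checks out and the modification passes undetected.

```python
# Added example (not from the slides): CBC vs PCBC error propagation and the
# block-swap attack. The 8-byte Feistel cipher below is a toy stand-in for DES.
import hashlib

BLOCK = 8
MARKER = b"KRB4-END"  # assumed "recognizable last block" used to detect tampering


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy cipher (SHA-256 keyed by key and round number)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key: bytes, m: bytes) -> bytes:
    l, r = m[:4], m[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def decrypt_block(key: bytes, c: bytes) -> bytes:
    l, r = c[:4], c[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def _blocks(b: bytes):
    return [b[i:i + BLOCK] for i in range(0, len(b), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    out, prev = [], iv
    for blk in _blocks(m):                       # c_{n+1} = E_K{m_{n+1} xor c_n}
        prev = encrypt_block(key, _xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    out, prev = [], iv
    for blk in _blocks(c):
        out.append(_xor(decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


def pcbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    out, prev_c, prev_m = [], iv, bytes(BLOCK)
    for blk in _blocks(m):                       # c_{n+1} = E_K{m_{n+1} xor c_n xor m_n}
        prev_c = encrypt_block(key, _xor(_xor(blk, prev_c), prev_m))
        prev_m = blk
        out.append(prev_c)
    return b"".join(out)


def pcbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    out, prev_c, prev_m = [], iv, bytes(BLOCK)
    for blk in _blocks(c):
        m = _xor(_xor(decrypt_block(key, blk), prev_c), prev_m)
        prev_c, prev_m = blk, m
        out.append(m)
    return b"".join(out)


def garbled(plain: bytes, decrypted: bytes) -> list:
    """Indices of plaintext blocks that no longer match after tampering."""
    return [i for i, (a, b) in enumerate(zip(_blocks(plain), _blocks(decrypted))) if a != b]


def flip_bit(c: bytes, i: int) -> bytes:
    """Attacker modifies ciphertext block i (one bit)."""
    c = bytearray(c)
    c[i * BLOCK] ^= 0x01
    return bytes(c)


def swap_blocks(c: bytes, i: int) -> bytes:
    """Attacker swaps ciphertext blocks i and i+1."""
    bs = _blocks(c)
    bs[i], bs[i + 1] = bs[i + 1], bs[i]
    return b"".join(bs)


def tamper_detected(key: bytes, iv: bytes, c: bytes) -> bool:
    """Kerberos-style check: does the decrypted message still end with the marker?"""
    return not pcbc_decrypt(key, iv, c).endswith(MARKER)
```

The swap goes undetected for any block cipher, not just this toy one: after the swap, c_i ⊕ m_{i+1} is unchanged, so m_{i+2} onwards decrypt correctly and the marker survives. That is why a recognizable trailer is not a substitute for a MAC.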

authentication slide 10: Kerberos 5 (NS chapter 14), differences from V4
  • Message formats
    • Defined using ASN.1 and BER (Basic Encoding Rules)
    • Automatically allows for addresses of different formats, etc.
    • Occupies more octets
  • Names: [NAME, REALM]
    • Arbitrary strings of arbitrary length (allows ".", "@", "name@org", etc.)
    • Allows X.500 names (Country/Org/OrgUnit/LName/PName/…)
    • Kerberos 4 names have size/character limitations
  • Cryptographic algorithms
    • Allows choice of crypto algorithms (but DES is the only deployed version)
    • Uses proper integrity protection (rather than pseudo-Jueneman checksum)
authentication slide 11: Kerberos 5, delegation
  • A can ask KDC for a TGT with
    • network addresses different from A's network address (to be used by principals at other IP addresses on behalf of A)
    • no network address (can be used by any principal at any network address)
  • Policy decision whether KDC/network issues/accepts such TGTs
  • Having TGTs with explicit addresses:
    • KDC tracks delegation trail
    • A has to interact with KDC for each delegation
  • A can give a TGT/tickets to B with specific constraints
    • specific resources that can be accessed.
    • TGT/tkt has AUTHORIZATION-DATA field that is application specific. KDC copies this field from TGT into any derived ticket (used in OSF, Windows).
  • A's TGT can be forwardable: allows A to use TGT to get a TGT (for B) with different network address. A also says whether derived TGT is itself forwardable.
  • A's TGT can be proxiable: allows A to use TGT to get tickets (for B) with different network address.

authentication slide 12: Kerberos 5, ticket lifetime
  • Fields:
    • start-time: when ticket becomes valid
    • end-time: when ticket expires (but can be renewed (see renew-till))
    • authtime: when A first logged in (copied from initial login TGT)
    • renew-till: latest time for ticket to be renewed.
  • Allows unlimited duration (up to Dec 31, 9999) subject to renewing (e.g., daily)
    • exchange tgt/tkt at KDC for a new (renewed) tgt/tkt
    • tgt/tkt has to be renewed before expiry (o/w KDC will not renew)
  • Allows postdated tickets (e.g., for batch jobs).

authentication slide 13: Kerberos 5, KDC database
  • KDC remembers old master keys of human users (in addition to applications)
    • Needed because tgts/tickets are now renewable and can be postdated.
  • For each principal, KDC database stores [key, p_kvno, k_kvno]
    • key: principal's master key encrypted with K_KDC (current or past version).
    • p_kvno: version number of principal's master key.
    • k_kvno: version number of K_KDC used to encrypt
  • …
    • max_life: max lifetime for tickets issued to this principal
    • max_renewable_life: max total lifetime for tickets issued to this principal
    • expiration: when this entry expires
    • mod_date: when entry last modified
    • mod_name: principal that last modified this entry
    • flags: preauthentication?, forwardable?, proxiable?, etc.
    • password_expiration:
    • last_pwd_change:
    • last_success: time of last successful login
  • Human user master key derived from password and realm name.
    • So even if A uses the same password in several realms, compromising A's master key (but not password) in one realm does not compromise it in another realm.
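The lifetime fields of slide 12 and the per-principal max_life / max_renewable_life limits of slide 13 combine into a small issue-and-renew procedure. The following is an added example, not code from the slides or from any Kerberos implementation; the policy numbers, the function names and the rule that the renewed ticket's end-time is min(now + max_life, renew-till) are assumptions used to illustrate the slide's "renew before expiry" requirement.

```python
# Added example (not from the slides): issuing and renewing a Kerberos 5 ticket
# under the slide-12 lifetime fields and the slide-13 per-principal limits.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    start_time: int            # when ticket becomes valid
    end_time: int              # when it expires (renewal must happen before this)
    authtime: int              # when the user first logged in; copied, never refreshed
    renew_till: Optional[int]  # latest time it can be renewed; None = not renewable


@dataclass(frozen=True)
class PrincipalEntry:
    max_life: int              # max lifetime of one ticket
    max_renewable_life: int    # max total lifetime across renewals


def issue(now: int, requested_life: int, requested_renewable_life: int,
          entry: PrincipalEntry) -> Ticket:
    """KDC clamps the client's request to the principal's limits (assumed policy)."""
    end = now + min(requested_life, entry.max_life)
    renew_till = None
    if requested_renewable_life > 0:
        renew_till = now + min(requested_renewable_life, entry.max_renewable_life)
    return Ticket(now, end, now, renew_till)


def renew(tkt: Ticket, now: int, entry: PrincipalEntry) -> Ticket:
    """Exchange an unexpired renewable ticket for a fresh one; refuse otherwise."""
    if tkt.renew_till is None:
        raise PermissionError("ticket is not renewable")
    if now >= tkt.end_time:
        raise PermissionError("ticket already expired; KDC will not renew")
    if now >= tkt.renew_till:
        raise PermissionError("renew-till reached; a new login is required")
    new_end = min(now + entry.max_life, tkt.renew_till)
    return replace(tkt, start_time=now, end_time=new_end)  # authtime, renew_till kept


def renew_periodically(tkt: Ticket, entry: PrincipalEntry, step: int) -> int:
    """Renew every `step` seconds (e.g. daily, for a batch job) until the KDC refuses;
    returns the last end_time reached."""
    now = tkt.start_time
    while True:
        now += step
        try:
            tkt = renew(tkt, now, entry)
        except PermissionError:
            return tkt.end_time
```

With a 10-hour max_life and a 7-day max_renewable_life, a job that renews every 30000 s keeps its ticket alive right up to renew-till; a renewal attempted after end-time is refused, which is the failure mode the slide warns about.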

authentication slide 14: Kerberos 5, inter-realm chains and pre-authentication
  • Allows KDC chains of authentication (unlike V4)
    • Suppose KDCs A, B, C, where A, B share a key, B, C share a key, but A, C do not. Allows C to accept a ticket sent by A and generated by B.
    • Each ticket includes all the intermediate KDCs; receiving KDC can reject ticket if ticket has a suspect intermediary
  • Pre-authentication:
    • V4 allows off-line password guessing: KDC does not authenticate TGT_REQ before issuing TGT. So B can spoof A, get a TGT for A, do off-line dictionary attack on TGT
    • In V5, request for TGT for A must contain K_A{timestamp}; so above attack not possible.
    • KDC also does not honor requests for tickets to human users by others. Prevents logged-in B from asking KDC for a ticket (to delegate) for A, on which it can do off-line password guessing.
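The login and rlogin exchanges of slides 4 and 5, the realm-salted master key of slide 13 and the pre-authentication point of this slide, as one added example that is not part of the original slides or of any Kerberos implementation. A hash-based encrypt-then-MAC construction stands in for DES (an assumption; the slides' K{...} is written as `seal`), the 300 s clock-skew tolerance, the JSON message layout and the principal names are assumptions. `offline_guess` plays B from this slide: it asks the KDC for A's credentials and tries passwords against them, which works against the V4 KDC and fails once the KDC demands K_A{timestamp}.

```python
# Added example (not from the slides): the AS/TGS/AP exchanges of slides 4-5 plus
# the V5 pre-authentication of slide 14, with a toy cipher standing in for DES.
import hashlib
import hmac
import json
import os
from typing import Optional

MAX_SKEW = 300   # assumed clock-skew tolerance for timestamps (seconds)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream for the toy cipher: SHA-256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj) -> bytes:
    """K{obj} on the slides: encrypt-then-MAC of the JSON encoding of obj."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Inverse of seal(); raises ValueError on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def master_key(password: str, realm: str = "") -> bytes:
    """V4: key from the password alone; V5 mixes in the realm name (slide 13)."""
    return hashlib.sha256((realm + ":" + password).encode()).digest()


class KDC:
    def __init__(self, require_preauth: bool):
        self.k_kdc = os.urandom(32)      # K_KDC, shared with no other principal
        self.db = {}                     # principal name -> master key
        self.require_preauth = require_preauth   # False = V4 behaviour, True = V5

    def as_exchange(self, name: str, now: int, preauth: Optional[bytes] = None) -> bytes:
        """AS_REQ 'A needs TGT' -> AS_REP crd_A = K_A{S_A, tgt_A}."""
        ka = self.db[name]
        if self.require_preauth:         # V5: request must carry K_A{timestamp}
            if preauth is None or abs(unseal(ka, preauth)["ts"] - now) > MAX_SKEW:
                raise PermissionError("pre-authentication failed")
        sa = os.urandom(32)
        tgt = seal(self.k_kdc, {"user": name, "key": sa.hex()})
        return seal(ka, {"key": sa.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, server: str, tgt: bytes, authenticator: bytes, now: int) -> bytes:
        """TGS_REQ [tgt_A, S_A{ts}] -> TGS_REP crd_B = S_A{B, K_AB, tkt_B}."""
        t = unseal(self.k_kdc, tgt)                   # only the KDC can open a TGT
        sa = bytes.fromhex(t["key"])
        if abs(unseal(sa, authenticator)["ts"] - now) > MAX_SKEW:
            raise PermissionError("stale authenticator")
        kab = os.urandom(32)
        tkt = seal(self.db[server], {"client": t["user"], "key": kab.hex()})
        return seal(sa, {"server": server, "key": kab.hex(), "tkt": tkt.hex()})


def ap_exchange(server_key: bytes, tkt: bytes, authenticator: bytes, now: int) -> bytes:
    """B's side: AP_REQ [tkt_B, K_AB{ts}] -> AP_REP K_AB{ts+1}."""
    kab = bytes.fromhex(unseal(server_key, tkt)["key"])
    ts = unseal(kab, authenticator)["ts"]
    if abs(ts - now) > MAX_SKEW:
        raise PermissionError("stale authenticator")
    return seal(kab, {"ts": ts + 1})


def rlogin(kdc: KDC, user: str, password: str, server: str, server_key: bytes,
           now: int) -> bool:
    """Workstation side of login (AS) followed by 'rlogin server' (TGS + AP)."""
    ka = master_key(password)
    preauth = seal(ka, {"ts": now}) if kdc.require_preauth else None
    crd = unseal(ka, kdc.as_exchange(user, now, preauth))   # password forgotten after this
    sa, tgt = bytes.fromhex(crd["key"]), bytes.fromhex(crd["tgt"])
    crd_b = unseal(sa, kdc.tgs_exchange(server, tgt, seal(sa, {"ts": now}), now))
    kab, tkt = bytes.fromhex(crd_b["key"]), bytes.fromhex(crd_b["tkt"])
    rep = ap_exchange(server_key, tkt, seal(kab, {"ts": now}), now)
    return unseal(kab, rep)["ts"] == now + 1                 # mutual authentication


def offline_guess(kdc: KDC, victim: str, wordlist, now: int) -> Optional[str]:
    """Slide 14 attack: ask the KDC for A's TGT, then guess A's password offline."""
    try:
        crd = kdc.as_exchange(victim, now)     # no pre-auth: the KDC answers anyone
    except PermissionError:
        return None                            # V5 with pre-authentication
    for guess in wordlist:
        try:
            unseal(master_key(guess), crd)     # MAC check tells us when the guess is right
            return guess
        except ValueError:
            continue
    return None
```

The KDC stores master keys in the clear here for brevity; the slides have them encrypted under K_KDC. Note that the V4 weakness needs no network position at all: the attacker simply asks, and the AS_REP is a password-derived ciphertext that can be attacked offline at any speed.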

authentication slide 15: Kerberos 5, session keys
  • Suppose A and B share a session key K_AB generated by KDC.
    • A and B can have another (simultaneous) session using a different key.
    • This can be done without involving the KDC: A makes up a key for this second session and gives that to B encrypted by K_AB
  • Tickets encrypted under a session key:
    • Allows A to access server B that has session key, say S_B, but not master key K_B
    • Needed for X windows: human user runs remote app that can display locally.
      • X server manages display on workstation screen
      • X clients (e.g., xterm, browser) run on local or remote workstations
      • X client (A) needs tkt to X server (B) to display on screen.
    • No good for A to get from KDC a (regular) tkt encrypted with B's master key
    • Instead
      • A gets TGT_B from B, sends ["A to talk to B", TGT_A, TGT_B] to KDC
      • KDC extracts S_B from TGT_B (encrypted with K_KDC), creates session key K_AB, generates tkt_B encrypted with S_B [i.e., S_B{'A', K_AB}] and sends to A

authentication slide 16: X windows example
  Participants: B (human user); B's workstation, running the X server; C (may be B's workstation), running the X client
  • B logs in to X server: [B, passwd]
  • X server requests TGT_B from KDC; obtains [S_B, TGT_B] from KDC; forgets B's passwd; starts serving B (e.g., keyboard, mouse)
  • B requests X client at C (e.g., xterm)
  • X client starts; has info to display at B's screen
    • gets TGT_B from X server
    • asks KDC for tkt encrypted by S_B
    • presents tkt to X server, and info to display
  • X server displays client's info

authentication slide 17: PKI: Public-Key Infrastructure (NS chapter 15)
  • PKI: infrastructure for obtaining public keys of principals
    • examples: S/MIME, PGP, SSL, Lotus Notes, …
  • Components:
    • Principal namespace: usually hierarchical: usr@cs.umd.edu; www.cs.umd.edu/usr; …
    • Certification authorities (CAs): subset of the principals
    • Repository for certificates and CRLs (e.g., DNS, directory server): searched by principals, updated by CAs
    • Method for searching repository for a certificate chain, given the starting CA of the chain and the ending subject of the chain

authentication slide 18: recall certificates, CRLs, certificate chains
  • Certificate:
    • issuer C;                              // name of CA (principal) issuing the certificate
    • subject X;                             // name of principal whose public key is being certified
    • subject public key J;                  // certified public key of X
    • expiry time T;                         // date/time when this certificate expires
    • serial number;                         // used in CRL
    • principals that subject can certify;   // optional
    • signature;                             // C's signature on all the above
  • CRL:
    • issuer C;                              // name of CA issuing the CRL
    • list of serial numbers of revoked certificates;
    • issue time T;                          // date/time when this CRL was issued
    • signature;                             // C's signature on all the above
  • Certificate chain (below, 'cft' is short for 'certificate'):
    • sequence <(cft_1, crl_1), …, (cft_n, crl_n)> such that cft_i subject = cft_{i+1} issuer
    • cft_1 issuer: start of the chain
    • cft_n subject: end of the chain
    • chain is valid (my terminology) if for every i in 1, …, n: cft_i is unexpired, crl_i is recent enough and does not include cft_i

authentication slide 19: updates in PKI
  • Adding a public key [X, J]:
    • request every CA that can certify X to issue a certificate for [X, J] (online/offline?)
    • each such CA checks the request (online/offline?)
    • if the request passes the CA's checks, then generate a certificate for [X, J] and add to the repository
    • if X is also a trust anchor to a set of principals: inform every principal in the set of [X, J] (online/offline?). Is this necessary?
  • Revoking a public key [X, J]:
    • request every CA that has certified [X, J] to revoke it in the CA's next CRL
    • if request passes the CA's checks, it includes [X, J] in its next CRL
    • if X is also a trust anchor to a set of principals: inform every principal in the set that [X, J] is not to be used. Is this necessary?
  • Updates should preserve the following desired property: for every valid certificate chain CC in the repository, if X is the subject and J the public key of a cft in CC, then J is X's public key at issue time of the earliest CRL in the CC prefix up to cft.

authentication slide 20: revocation (cont)
  • Online revocation service (OLRS)
  • Delta CRLs
  • First valid certificate
  • Good-lists vs bad-lists
  • Boring…
  • X.509 certificates used in Internet PKIs

authentication slide 21: PKI trust model
  • Monopoly:
    • One CA, say R, trusted by organizations and countries.
    • Public key of R is the single trust anchor embedded in all software/hardware.
    • Every certificate is signed by R
    • Advantages: simplicity: verification involves checking one certificate
    • Disadvantages:
      • infeasible to change R's public key if it gets compromised
      • R can charge whatever it wants
      • security of entire world rests on R
      • bottleneck in obtaining certificates
      • bottleneck in issuing CRLs

authentication slide 22: PKI trust model (cont)
  • Monopoly plus registration authorities (RAs):
    • Like monopoly except CA chooses other organizations (RAs) to interact with world; CA interacts only with RAs
    • Has all the disadvantages of monopoly except CA is not a bottleneck.
    • May be less secure because RAs may not be as careful as CA.
  • Monopoly plus delegated CAs:
    • Tree of CAs with one root CA
    • Users can obtain certificates from a delegated CA rather than root CA.
    • Verification involves chain of certificates with root CA as trust anchor

authentication slide 23: PKI trust model (cont)
  • Multiple root CAs (trust anchors):
    • Advantage: monopoly pricing is not possible
    • Disadvantages:
      • more CAs to go wrong
      • choice/control over the CAs pre-installed in your program/hardware
      • adding new trust anchors possible, hence vulnerable to adding a malicious CA or modifying an existing trust anchor's public key
  • Each user independently chooses some trust anchors:
    • Advantage: not dependent on other organizations.
    • Disadvantages: unorganized certificate space; not easy to find certification chains that are acceptable to user.
authentication slide 24: PKI trust model (cont)
  • Name constraints:
    • Each CA is trusted for certifying only a subset of the principal namespace.
    • Usually hierarchical: i.e., CA x.y is trusted to certify x.y.*, but not x.z.
    • Subset can be a function of the user (see below)
  • Top-down with name constraints:
    • Monopoly with delegated CAs except each CA can only certify principals in its subtree (excluding itself).
  • Bottom-up with name constraints:
    • Hierarchical namespace
    • Down-links (as usual): x.y certifies x.y.z
    • Up-link (unusual!): x.y.z certifies x.y
      • Allows x.y.z.a to use x.y.z as trust anchor for users outside x.y.z: e.g., chain [x.y.z, x.y, x, x.p, x.p.q]
    • Cross-link: x.y certifies p.q, where x.y and p.q are CAs of two interacting organizations
      • Improves performance. Can also improve security...?
    • Allows PKI to be deployed incrementally in (real-world) situation
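Chain validation as defined on slide 18 (linking, expiry, a recent CRL that does not list the certificate), extended with the name constraint of this slide carried in the certificate's own "principals that subject can certify" field. This is an added example, not code from the slides; the signature scheme is a toy in which a principal's "public key" doubles as the key that checks its signatures (a real PKI separates the two), the `fnmatch`-style pattern for the constraint and the error strings are assumptions.

```python
# Added example (not from the slides): validating a certificate chain per the
# slide-18 rule (linking, expiry, fresh CRL, not revoked) plus the slide-24 name
# constraint carried in the "principals that subject can certify" field.
# Signatures are a toy: a principal's "public key" here doubles as the key that
# verifies its signatures, which a real signature scheme would separate.
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Cert:
    issuer: str
    subject: str
    pubkey: bytes
    expiry: int
    serial: int
    can_certify: Optional[str] = None   # name-constraint pattern, e.g. "x.y.*"
    signature: bytes = b""


@dataclass
class CRL:
    issuer: str
    revoked: List[int]                  # serial numbers
    issue_time: int
    signature: bytes = b""


def _toy_sign(key: bytes, payload: bytes) -> bytes:
    return hashlib.sha256(key + payload).digest()


def _cert_payload(c: Cert) -> bytes:
    return f"{c.issuer}|{c.subject}|{c.pubkey.hex()}|{c.expiry}|{c.serial}|{c.can_certify}".encode()


def _crl_payload(r: CRL) -> bytes:
    return f"{r.issuer}|{sorted(r.revoked)}|{r.issue_time}".encode()


def issue_cert(ca: str, ca_key: bytes, subject: str, subject_key: bytes,
               expiry: int, serial: int, can_certify: Optional[str] = None) -> Cert:
    c = Cert(ca, subject, subject_key, expiry, serial, can_certify)
    c.signature = _toy_sign(ca_key, _cert_payload(c))
    return c


def issue_crl(ca: str, ca_key: bytes, revoked: List[int], issue_time: int) -> CRL:
    r = CRL(ca, list(revoked), issue_time)
    r.signature = _toy_sign(ca_key, _crl_payload(r))
    return r


def chain_is_valid(chain: List[Tuple[Cert, CRL]], anchor: Tuple[str, bytes],
                   now: int, crl_max_age: int) -> Tuple[bool, str]:
    """chain = [(cft_1, crl_1), ..., (cft_n, crl_n)]; anchor = (name, key) of cft_1's issuer."""
    issuer, key = anchor
    constraint = None                 # what the current issuer is allowed to certify
    for i, (cert, crl) in enumerate(chain):
        if cert.issuer != issuer:
            return False, f"cert {i}: issuer is not the previous subject"
        if cert.signature != _toy_sign(key, _cert_payload(cert)):
            return False, f"cert {i}: bad signature"
        if cert.expiry <= now:
            return False, f"cert {i}: expired"
        if crl.issuer != issuer or crl.signature != _toy_sign(key, _crl_payload(crl)):
            return False, f"cert {i}: CRL not from its issuer"
        if now - crl.issue_time > crl_max_age:
            return False, f"cert {i}: CRL not recent enough"
        if cert.serial in crl.revoked:
            return False, f"cert {i}: revoked"
        if constraint is not None and not fnmatchcase(cert.subject, constraint):
            return False, f"cert {i}: subject outside issuer's name constraint"
        issuer, key, constraint = cert.subject, cert.pubkey, cert.can_certify
    return True, "ok"
```

Because the constraint travels in the issuing CA's certificate rather than being inferred from the namespace, the same check works for the up-links and cross-links of the bottom-up model: whoever certified x.y.z as a CA decides what x.y.z may in turn certify.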

authentication slide 25: PKI trust model (cont)
  • Policies: can of worms
    • Which CAs are acceptable as trust anchors
    • Which CAs are not acceptable in chains
    • etc.
authentication slide 26: Internet Security Architecture (NS 16.1)
  TCP/IP stack at each end: apps | TCP, UDP, … | IP; the two IP layers talk over the LRD channel.
  • TCP provides:
    • connection establishment
    • reliable data transfer
  • Attackers:
    • network attackers: passive/active
    • endpoint attackers: send messages with arbitrary fields
  • Security needs:
    • authentication (extends connection establishment)
    • secure data transfer (extends reliable data transfer)

authentication slide 27: natural solution to TCP/IP stack with security
  Stack at each end: apps | TCP, STCP, UDP, … | IP; the two IP layers talk over the LRD/attacker channel.
  • STCP (Secure TCP) like TCP except
    • client app's conn req includes client/server id, authentication secret (K)
    • server app's conn accept includes client/server id, authentication secret (K)
    • stcp conn est does tcp-like 3-way conn est using Internet ids, then auth handshake involving client/server ids, challenges/responses; the above two can overlap
    • stcp data transfer is tcp-like except ip header is in clear but stcp header and payload encrypted

authentication slide 28: STCP handshake
  Participants: client A, port x (app over stcp); server B, port y (app over stcp)
  • server app → stcp_B: [y, B, attach]
  • client app → stcp_A: [x, y, A, B, K, open]
  • stcp_A → stcp_B: open [x, y, A, B]
  • server app → stcp_B: [y, x, B, accept, K]
  • stcp_A ↔ stcp_B: auth handshake using K; establish session key(s) using K
  • stcp_A → client app: authenticated; stcp_B → server app: authenticated
  • stcp msgs with ip header in clear; apps exchange plaintext at both ends
  • disconnect

authentication slide 29: reality
  • Implementors did not want
    • modifications to TCP (which is implemented in OS kernel)
    • another protocol like TCP in OS kernel
    • another protocol like TCP in application space (e.g., above UDP)
  • Approach 1: SSL. Stack at each end: apps | SSL | TCP, UDP, … | IP; IP layers talk over the LRD/attacker channel.
  • Approach 2: IPsec. Stack at each end: apps | TCP, UDP, … | IPsec | IP; IP layers talk over the LRD/attacker channel.

authentication slide 30: Approach 1: SSL
  • tcp hdr in clear => easy denial-of-service attack (rogue packet attack)
    • option 1: restart user or ssl connection
    • option 2: have ssl do retransmissions and acks (i.e., implement tcp)
  • Flow (client A, port x; server B, port y; ssl over tcp at each end):
    • server app → ssl_B: [y, B, attach]; client app → ssl_A: [x, y, A, B, K]
    • tcp conn est handshake; ssl_A → ssl_B: open [x, y, A, B]; ssl_B → ssl_A: [y, x, B, A, K]
    • auth handshake using K; establish session key(s) using K
    • tcp msgs with tcp hdr in clear; plaintext at both ends; disconnect
authentication slide 31: SSL (NS chapter 19)
  Participants: client A (app, ssl_x, tcp_x); server B (tcp_y, ssl_y, app)
  • server app → ssl_y: [y, B, attach]; client app → ssl_x: [x, y, A, B, K]
  • tcp_x ↔ tcp_y: tcp conn est handshake for [x, y]
  • ssl_x → ssl_y: [x, y, B, ciphers supported, R_A]
  • ssl_y → ssl_x: [y, x, B, cipher chosen, cert_B, R_B]
  • ssl_x chooses S; both compute K = f(S, R_A, R_B)
  • ssl_x → ssl_y: [x, y, {S}_B, K{keyed hash of handshake}]
  • ssl_y → ssl_x: [y, x, K{another keyed hash of handshake}]   (A authenticates B)
  • password handshake, encrypted by K-derived keys   (B authenticates A)

authentication slide 32: SSL (cont)
  • A authenticates B using certificate of B
  • B authenticates A using password (usual case); can also use certificate of A for authenticating A
  • S: pre-master secret; K: master secret; K = f(S, R_A, R_B)
  • keys for data encryption/integrity obtained from K, R_A, R_B
    • A's write (transmit) key = B's read (receive) key
    • B's write (transmit) key = A's read (receive) key
  • A does two public-key crypto operations: verifying cert_B, calculating {S}_B
    • To minimize this, S can be reused across different sessions; motivated by http 1.0 (which opens many tcp sessions between same A, B); session id

authentication slide 33: SSL (cont), session reuse
  Initial session:
    ssl_A → ssl_B: [x, y, B, ciphers, R_A]
    ssl_B → ssl_A: [y, x, B, session-id = X, cert_B, cipher, R_B]
  New session later on:
    ssl_A → ssl_B: [x, y, B, session-id = X, ciphers, R_A]
    ssl_B → ssl_A: [y, x, B, session-id = X, cert_B, cipher, R_B, keyed hash of handshake]   (if ssl_B still has X: S, it can reuse it)
    ssl_A → ssl_B: [x, y, keyed hash of handshake]
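The key schedule of slide 32 and the session reuse of this slide, as an added example that is not part of the original slides or of any SSL implementation. The slides leave f unspecified; HMAC-SHA256 expansion is an assumption standing in for it (it is not SSL's MD5/SHA construction), and {S}_B is simulated: the example only counts public-key operations on each side, which is what session reuse is meant to save. Class and method names are assumptions.

```python
# Added example (not from the slides): SSL-style key schedule and session reuse.
# The PRF is an assumption (HMAC-SHA256) standing in for the slides' unspecified f,
# and {S}_B is simulated: only the count of public-key operations is modelled.
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """HMAC-SHA256 expansion of secret to n bytes (assumed stand-in for f)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:n]


def master_secret(s: bytes, r_a: bytes, r_b: bytes) -> bytes:
    """K = f(S, R_A, R_B)."""
    return prf(s, b"master secret", r_a + r_b, 48)


def session_keys(k: bytes, r_a: bytes, r_b: bytes) -> Dict[str, bytes]:
    """Directional keys from K, R_A, R_B: A's write key is B's read key and vice versa."""
    kb = prf(k, b"key expansion", r_b + r_a, 64)
    return {"a_write": kb[:32], "b_write": kb[32:]}


class Server:
    def __init__(self):
        self.cache: Dict[bytes, bytes] = {}   # session-id -> pre-master secret S
        self.private_key_ops = 0              # decryptions of {S}_B

    def hello(self, session_id: Optional[bytes]) -> Tuple[bytes, bytes, bool]:
        """Returns (session-id, R_B, resumed)."""
        r_b = os.urandom(32)
        if session_id is not None and session_id in self.cache:
            return session_id, r_b, True      # B still has X: S, so it reuses it
        return os.urandom(16), r_b, False

    def key_exchange(self, session_id: bytes, encrypted_s: bytes) -> None:
        self.private_key_ops += 1             # the expensive step (decrypt {S}_B)
        self.cache[session_id] = encrypted_s  # toy: "{S}_B" is S itself

    def keys(self, session_id: bytes, r_a: bytes, r_b: bytes) -> Dict[str, bytes]:
        return session_keys(master_secret(self.cache[session_id], r_a, r_b), r_a, r_b)


class Client:
    def __init__(self):
        self.cache: Dict[bytes, bytes] = {}
        self.public_key_ops = 0               # verify cert_B + compute {S}_B

    def connect(self, server: Server, session_id: Optional[bytes] = None):
        """Returns (session-id, R_A, R_B, keys, resumed) for one TCP connection."""
        r_a = os.urandom(32)
        sid, r_b, resumed = server.hello(session_id if session_id in self.cache else None)
        if resumed:
            s = self.cache[sid]               # reuse S: no public-key operations
        else:
            self.public_key_ops += 2          # verify cert_B, compute {S}_B
            s = os.urandom(48)
            server.key_exchange(sid, s)
            self.cache[sid] = s
        return sid, r_a, r_b, session_keys(master_secret(s, r_a, r_b), r_a, r_b), resumed
```

A resumed connection reuses S but mixes in fresh R_A and R_B, so every connection ends up with different traffic keys even though the expensive public-key work happened only once.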

authentication slide 34: IPsec: AH and ESP (NS chapter 17)
  • IPsec sits above IP and below TP (transport protocol: TCP, UDP, IP, …)
  • IP packet: [IP hdr, IPsec hdr, TP hdr, TP payload]; the IP payload is [IPsec hdr, TP hdr, TP payload] and the IPsec payload is [TP hdr, TP payload]
  • TP is IP: "tunnel" mode, because often used to tunnel IP traffic. TP is not IP: "transport" mode
  • IP hdr: sender ip addr, rcvr ip addr; hop count // mutable; next protocol id: TCP, UDP, IP, IPsec (AH or ESP), …
  • IPsec header fields:
    • SPI (security parameter index): identifies IPsec connection (SA)
    • sequence number: of IPsec packet (for replay attacks)
    • IV (for encryption/integrity)
    • authentication data (integrity check)
    • next protocol id: (TCP, UDP, IP, …)

authentication slide 35: IPsec: AH and ESP (cont)
  • IPsec connection referred to as IPsec SA (security association)
  • An SA is one-way, so need two SAs for bi-directional packet flow.
  • IPsec entity in a node has
    • policy database (control path): for <ip addr, port, etc>: crypto or not? type? integrity/encryption, …
    • SA database (data path): outgoing: for remote ip addr: SPI, crypto key/alg, sequence number; incoming: for SPI: crypto key/alg, expected seq number, …
  • IPsec headers are in two flavors:
    • AH hdr: SPI, sequence number, auth data, next protocol id. Integrity only, but on enclosing IP <payload + "immutable" header>; not compatible with NAT, firewalls
    • ESP hdr: SPI, seq number, IV, auth data, next protocol id. Integrity and/or encryption on enclosing IP payload; compatible with NAT, firewalls

authentication slide 36: IPsec: IKE (NS chapter 18)
  • In order for an IPsec SA to operate, its parameters (integrity/encryption, key, …) must be set in the (SA database of the) end-points of the SA
  • Can be done manually by end-point administrators or dynamically using IKE
  • IKE runs over UDP
  • IKE has two phases:
    • Phase 1: end-points do mutual authentication and establish phase-1 session keys
      • 3 ways to prove id: public signature key, public encryption key, or secret key
      • two kinds of handshakes, each involving Diffie-Hellman: aggressive mode (3 msgs, fewer options) and main mode (6 msgs, more options)
      • so total of 6 types of handshakes (actually 8)
    • Phase 2: establish one or more IPsec SAs
      • Each SA: 3 msgs, all encrypted with phase-1 keys; session keys generated using phase-1 session key as seed; public-key crypto (e.g., Diffie-Hellman) is optional

authentication slide 37: IPsec IKE: Phase 1, main mode
  • C_A, C_B (cookies): distinguish different phase 1 connections between A, B. Must be different for each connection attempt.
  • K = f(g^ab mod p, nonce_A, nonce_B)
  client A (at udp x)                                   server B (at udp y)
    [C_A (cookie), CP (crypto supported)] →
                                                        ← [C_A, C_B, CPA (crypto accepted)]
    [C_A, C_B, g^a mod p, nonce_A] →
                                                        ← [C_A, C_B, g^b mod p, nonce_B]
    [C_A, C_B, K{A, proof I'm A}] →
                                                        ← [C_A, C_B, K{B, proof I'm B}]

authentication slide 38: IPsec IKE: Phase 1 (cont), aggressive mode
  • If aggressive mode is rejected (perhaps because CP not acceptable to B), A should use main mode (rather than aggressive with different CP).
  client A (at udp x)                                   server B (at udp y)
    [C_A, g^a mod p, A, nonce_A, CP] →
                                                        ← [C_A, C_B, g^b mod p, nonce_B, CPA, proof I'm B]
    [C_A, C_B, A, proof I'm A] →

authentication slide 39: IPsec IKE: Phase 1 (cont), negotiated crypto parameters
  • Algorithms
    • encryption: DES, 3DES, ...
    • hash: MD5, SHA-1, ...
    • authentication method: pre-shared keys, RSA signature, DSS, RSA encryption (original), RSA encryption (improved), ...
  • Diffie-Hellman group: modular exponentiation, choice of g and p; elliptic curve, choice of parameters; ... (fixed in aggressive mode)
  • Lifetime of SA: duration and/or quantity of data transferred

authentication slide 40: IPsec IKE: Phase 1 (cont), keys
  • Integrity and encryption keys: used on last of phase-1 msgs and all phase-2 handshake msgs
  • Seed for phase-2 SA keys
  • Keys obtained from hashing various quantities of handshake, e.g., DES CBC residue, HMAC, …
  • SKEYID (key seed)
    = prf(nonces, g^ab mod p)              if public signature key used for auth
    = prf(hash(nonces), cookies)           if public encryption key used for auth
    = prf(pre-shared secret key, nonces)   if pre-shared secret used for auth
  • SKEYID_d (seed) = prf(SKEYID, g^ab mod p, cookies, 0)
  • SKEYID_a (integrity key) = prf(SKEYID, SKEYID_d, g^ab mod p, cookies, 1)
  • SKEYID_e (encryption key) = prf(SKEYID, SKEYID_a, g^ab mod p, cookies, 2)
  • Proof of id for A = prf(SKEYID, g^a, g^b, cookies, A's CP, A); accompanied by certificate (if used)
  • Proof of id for B = prf(SKEYID, g^b, g^a, cookies, A's CP, B); accompanied by certificate (if used)
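The SKEYID derivation and the two proofs of identity on this slide, run for both peers in the pre-shared-secret case, as an added example that is not part of the original slides or of any IKE implementation. prf is assumed to be HMAC-SHA256 (IKE uses the negotiated hash), the Diffie-Hellman group p = 2^127 - 1, g = 2 is a toy choice and not an IKE group, and the peer identities, cookies and CP string are constructed inputs. The wrong-secret run shows where a PSK mismatch surfaces: both sides derive keys, but neither can verify the other's proof.

```python
# Added example (not from the slides): IKE phase-1 key derivation with pre-shared
# key authentication, run for both peers. prf is assumed to be HMAC-SHA256, and the
# Diffie-Hellman group (p = 2^127 - 1, g = 2) is a toy choice, not an IKE group.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

P = 2 ** 127 - 1     # toy prime (a Mersenne prime), NOT an IKE group
G = 2


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def phase1_keys(psk: bytes, g_ab: int, nonce_a: bytes, nonce_b: bytes,
                c_a: bytes, c_b: bytes) -> Dict[str, bytes]:
    """SKEYID chain from slide 40 for the pre-shared-secret case."""
    cookies = c_a + c_b
    skeyid = prf(psk, nonce_a + nonce_b)                            # prf(pre-shared key, nonces)
    skeyid_d = prf(skeyid, _i2b(g_ab), cookies, b"\x00")            # seed for phase-2 keys
    skeyid_a = prf(skeyid, skeyid_d, _i2b(g_ab), cookies, b"\x01")  # integrity key
    skeyid_e = prf(skeyid, skeyid_a, _i2b(g_ab), cookies, b"\x02")  # encryption key
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def proof_of_id(skeyid: bytes, g_self: int, g_peer: int, c_a: bytes, c_b: bytes,
                cp_a: bytes, ident: bytes) -> bytes:
    """prf(SKEYID, own g^x, peer's g^y, cookies, A's CP, own identity)."""
    return prf(skeyid, _i2b(g_self), _i2b(g_peer), c_a + c_b, cp_a, ident)


@dataclass
class Peer:
    ident: bytes
    psk: bytes
    cookie: bytes = field(default_factory=lambda: secrets.token_bytes(8))
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    x: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)

    @property
    def g_x(self) -> int:
        return pow(G, self.x, P)


def run_phase1(a: Peer, b: Peer, cp_a: bytes) -> Dict[str, object]:
    """Main-mode exchange: each side derives keys and checks the other's proof."""
    g_ab_at_a = pow(b.g_x, a.x, P)               # A computes g^ab from g^b
    g_ab_at_b = pow(a.g_x, b.x, P)               # B computes g^ab from g^a
    keys_a = phase1_keys(a.psk, g_ab_at_a, a.nonce, b.nonce, a.cookie, b.cookie)
    keys_b = phase1_keys(b.psk, g_ab_at_b, a.nonce, b.nonce, a.cookie, b.cookie)
    proof_a = proof_of_id(keys_a["SKEYID"], a.g_x, b.g_x, a.cookie, b.cookie, cp_a, a.ident)
    proof_b = proof_of_id(keys_b["SKEYID"], b.g_x, a.g_x, a.cookie, b.cookie, cp_a, b.ident)
    # Each side recomputes the peer's proof with its own SKEYID; a PSK mismatch shows up here.
    a_accepts = hmac.compare_digest(
        proof_b, proof_of_id(keys_a["SKEYID"], b.g_x, a.g_x, a.cookie, b.cookie, cp_a, b.ident))
    b_accepts = hmac.compare_digest(
        proof_a, proof_of_id(keys_b["SKEYID"], a.g_x, b.g_x, a.cookie, b.cookie, cp_a, a.ident))
    return {"ok": a_accepts and b_accepts, "a_keys": keys_a, "b_keys": keys_b}
```

Binding A's CP into both proofs is what stops an attacker from downgrading the crypto proposal in transit: a modified CP makes the proofs fail even though the Diffie-Hellman values and nonces are untouched.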

authentication slide 41: IPsec IKE: Phase 2
  • Phase-2 initiator need not be same as phase-1 initiator
  • C_A, C_B: from phase 1
  • Y: 32-bit id of this phase-2 SA
  • msgs after "C_A, C_B, Y" under phase-1 keys (SKEYID_e, SKEYID_a)
  • IV for msg 1 is final ciphertext block of last phase-1 msg hashed with Y; IV for later msgs is final ciphertext block of previous msg hashed with Y
  • traffic descriptor [optional]
  • DH [optional]
  client A (at udp x)                                   server B (at udp y)
    (phase-1 handshake)
    [C_A, C_B, Y, CP, SPI_A, nonce_A, [g^a mod p], [traffic]] →
                                                        ← [C_A, C_B, Y, CPA, SPI_B, nonce_B, [g^b mod p], [traffic]]
    [C_A, C_B, Y, ack] →