Internet Protocol Security IPSec

Integrated Communication Systems Group

Ilmenau University of Technology

Outline

•

Introduction

•

Authentication Header (AH)

•

Encapsulating Security Payload (ESP)

•

Payload Compression Protocol (PCP)

•

Key Management

•

Conclusions

•

Control Questions

•

References

Internet Protocol Security (IPSec)

•

Security framework for IPv4 and IPv6

– Provides security for transmission of sensitive information over

unprotected networks such as the Internet

– Provides network security services

• Data origin authentication

• Data integrity

• Data confidentiality

• Anti-Replay

Overview of IPSec Standardization

Authentication Header (AH)

&

Authentication Header (AH)

IPv4

IPv6

IPv4 Header

Upper Protocol (e. g. TCP, UDP)

IPv4 Header

AH

Upper Protocol

IPv6 Header

Hop-by-Hop/Routing

Dest. opt.

Upper Protocol

IPv6 Header

Hop-by-Hop/Routing

AH

Dest. opt.

Upper Protocol

Before applying AH

After applying AH

Before applying AH

Authentication Header (Details)

Upper Protocol …

… Data (variable)

Security Parameters Index (SPI)

Authentication …

Sequence Number Field

Reserved

Payload

Length

Next

Header

IPv4 header

Identifies Security

Association

Against Replay

Attack

32

protocol: 51

AH Authentication

•

Various authentication methods may be used

– Used method is negotiated

– Keyed MD5 (default)

•

Authentication includes IP header (no variable IP options

supported)

•

No intermediate authentication when fragmented

•

No encryption!

IPv4 Header

Upper Protocol

IPv4 Header

AH

Upper Protocol

HASH

Shared

secret

Encapsulating Security Payload (ESP)

IPv4

IPv6

IPv4 Header

Upper Protocol

(e.g. TCP, UDP)

IPv4 Header

ESP

Hdr

Upper Protocol

ESP

Trailer

ESP

Auth

Before applying ESP

After applying ESP

encrypted

authenticated

IPv6 Header

Hop-by-Hop

/Routing

Dest.

opt.

Upper

Protocol

Before applying ESP

After applying ESP

IPv6 Header

Hop-by-Hop

/Routing

ESP

Hdr

Dest.

opt.

Upper

Protocol

ESP

Trailer

ESP

Auth

encrypted

authenticated

•

Encryption and authentication

Encapsulating Security Payload (Detail)

Next

Header

Pad

Length

Padding(0-255 bytes)

Authentication Data

Sequence Number Field

Upper Protocol (variable)

Security Parameters Index (SPI)

IPv4 header

Identifies Security

Association

Against Replay Attack

32

bit

Tunnel Mode (IPv4)

IPv4

IPv4 Header

Upper Protocol

New IP Header

AH

IPv4 Header

Upper Protocol

Applying AH

(

authentication only

)

authenticated except for mutable fields

New IP Header

ESP

Hdr

IPv4 Header

Upper Protocol

ESP

Trailer

ESP

Auth

Applying ESP

(

authentication and encryption

)

encrypted

authenticated

Tunnel Mode (IPv6)

IPv6

IPv6

Header

Hop-by-Hop

/Routing

Dest.

opt.

Upper

Protocol

New IP

Header

New ext.

Headers

AH

IPv6

Header

Hop-by-Hop

/Routing

Dest.

opt.

Upper

Protocol

authenticated except for mutable fields

New IP

Header

New ext.

Headers

ESP

Hdr

IPv6

Header

Hop-by-Hop

/Routing

Dest.

opt.

Upper

Protocol

ESP

Trailer

ESP

Auth

encrypted

authenticated

After applying AH

(

authentication only

)

After applying ESP

(

authentication and

AH and ESP – Transport Mode

•

Transport mode (protection of payload only)

•

Application of ESP followed by AH

•

Transport mode is used when the “cryptographic endpoints” are

also the “communication endpoints” of the secured IP packets

– Cryptographic endpoints: the entities that generate/process an IPSec

header (AH or ESP)

– Communication endpoints: source and destination of an IP packet

IPv4 Header

AH

ESP

Hdr

Upper Protocol

ESP

Trailer

ESP

Auth

AH and ESP – Hierarchies

•

2 different sequences for authentication and encryption

– Authentication first, encryption second

– Encryption first, authentication second

Internet

Internet

AH and ESP – Scenarios

•

Tunnel mode

– Used

when

at

least

one

“cryptographic

endpoint”

is

not

a

“communication endpoint” of the secured IP packets

– Corporate user works outside corporate network

– Connecting two sites to a corporate network

Internet

AH and ESP – Discussion

•

AH causes smaller CPU overhead than bulk encryption

•

Non-reputation not provided

– Signing necessary

•

ESP not always necessary

– Sometimes only packet integrity is need

– Strong authentication mechanisms are export restricted

Payload Compression Protocol

(PCP)

Payload Compression Protocol (PCP)

•

Problem: encrypted data cannot be compressed efficiently

– Encryption introduces randomness

•

PCP reduces IP data size before encryption

– Hence must be a component of IPSec

Overview of Algorithms

AH

ESP

Encryption

ESP Auth.

PCP

MD5

NULL

MD5

PCP-LZS

SHA

DES

SHA

…

3DES

…

AES

Key Management

(credits to the Network Security Group @ Institute of

Telematics, Karlsruhe Institute of Technology)

Internet Key Exchange (IKE)

•

Secure negotiation of IPsec parameters

– IKEv1 was specified by three standard track RFCs

– IKEv2 is specified by RFC 4306 (Dec. 2005)

• Goal of Internet Key Exchange

– Establishing a secure channel

• ISAKMP (Internet Security Association and Key Management

Protocol)

– Protocol framework for parameter negotiation

– Defines packet formats

• Mutual authentication, Diffie-Hellman-Exchange

• Establishment of IKE-SA (or ISAKMP-SA)

(SA = Security Association)

– Negotiation of IPsec keys

• Selection of policies and algorithms

– e.g., “authenticate everything and if possible encrypt it, and if

possible also compress it”, multiple algorithms for each operation

• Key generation

IKEv2 Overview

• IKEv2 is a replacement for IKEv1

– IKEv1 very complex and has been discussed controversially

– IKEv1 provided authentication only based on public key or

pre-shared secret

• Result: (in-secure) extensions for password authentication

– E.g., Cisco VPN’s XAUTH

• Improvements in IKEv2

– Lower complexity

• Only one mode compared to 8 modes in IKEv1

– Low latency for connection establishment

(2x RTT)

– Modular Authentication

using

EAP

– Protection against Denial-of-Service (DoS) attacks by cookies

– Tunneling of configuration data (no DHCP necessary)

Definitions

• Security Association

(SA)

– A contract established between two (IPSec) endpoints

– Represents connection and state

– Cryptographic material

– Selection based on SPI

• SPI: Security Parameter Index

• Index into table with multiple entries

• Traffic Selector

(TS)

– New in IKEv2

– Describes which traffic should be protected

– Required to relate traffic to SA

• E.g.: TCP / IP1:Port1 Æ IP2:Port2

• E.g.: UDP / IP-Range:* Æ IP-Range:*

Initial Exchange

• IKE_SA_INIT

– Messages 1 and 2

– Selection of algorithms (

SA

)

– Diffie-Hellman-Exchange (

KEY

)

– Subsequently, “IKE-SA” is established

• Encryption and integrity protection now possible

• IKE_AUTH

– Messages 3 and 4

– Validation of identities (

ID

)

– Authentication of DH-Exchange (

AUTH

)

– Negotiation of “Child-SA” (

SA

/

SA

)

– Exchange of traffic selectors (

TS

,

TS

)

– Exchange of certificates (

CERTREQ

,

CERT

)

• ISAKMP payloads

contain

SA

:

Proposed / selected algorithms

KEY

:

Diffie-Hellmann Value (DH)

Nonce

:

Random number

ID

:

Identity of opposite side

CERT

:

Used certificate

CERTREQ

:

Request for client certificate

AUTH

:

Signed hash of authentication

messages

TS

:

Traffic selector

[…]

means optional payload …

Initiator

_Responder

SA

, KEY

, Nonce

SA

, KEY

, Nonce

SK{ID

, AUTH, [CERT],

[CERTREQ],SA

,TS

TS

}

SK{ID

, [CERT], AUTH,

SA

,TS

TS

}

Shared secret generated! Encryption &

integrity protection possible: SK{}

Negotiation of Child-SAs

• If

IKE-SA

has been already established, a

Child-SA

can be directly negotiated

– for Re-keying or further SAs

– Formerly known as “Phase 2” (“Quick

Mode”) in IKEv1

• CREATE_CHILD_SA – Messages 1 & 2

– Optional: additional DH-Exchange

– Negotiation of “Child-SA“ (

SA

_i2

/

SA

_r2

)

• Again proposal & selection

– Traffic selectors if new SA

• Not necessary for re-keying

• ISAKMP-Payloads

contain

SA

:

Proposed / selected algorithms

KEY

:

Diffie-Hellmann value (DH)

Nonce

: Random number

N

:

Notify payload

TS

:

Traffic selector

Initiator

Responder

These messages are

always secured by

IKE-SA channel

SK{[N], SA

, Nonce

,

[KEY

], [TS

, TS

]}

SK{SA

, Nonce

,

[KEY

], [TS

,TS

]}

Initial Exchange and EAP

• Messages 1-3 as described above

– Different starting from message 4

• Messages 4-7 comprise modular

EAP authentication

• Message 8 finalizes negotiation of

client SA

• Motivation

– Extensible Authentication Protocol

(EAP)

allows for (almost) arbitrary

protocols

Æ “Plug-and-Play“ authentication

Initiator

Responder

SA

, KEY

, Nonce

SA

, KEY

, Nonce

SK{ID

, AUTH, [CERT],

[CERTREQ], SA

,TS

TS

}

SK{AUTH, SA

,TS

TS

}

SK{ID

,[CERT],AUTH,EAP}

SK{EAP (success)}

SK{EAP}

SK{AUTH}

Shared secret generated! Encryption &

integrity protection possible: SK{}

IKE Summary

•

Summary of phases

–

IKE-SA secures negotiation of additional keys

–

Child-SA provides keys for application (e.g., IPsec)

–

Application (e.g., IPsec) secures data exchange

Secure channel 2

Sets keys

for…

Sets keys

for…

Secure channel 1

Negotiation for channel 2

Negotiation for channel 1

IKE

IKE

IPsec

IPsec

Conclusions

•

Security architecture for the Internet Protocol

•

Provides the following security services to IP packets:

– Data origin authentication

– Confidentiality

– Replay protection

•

Can be implemented in end systems or intermediate systems

•

Two fundamental security protocols have been defined:

– Authentication header (AH)

– Encapsulating security payload (ESP)

•

SA negotiation and key management is realized by

– Internet security association key management protocol (ISAKMP)

– Internet key exchange (IKE)

Control Questions

•

What does IPSec provide?

•

Compare between AH and ESP? Propose applications suitable for each?

•

How can AH and ESP be used in tunnel mode? What are main differences

between using each of them in this mode?

•

When should transport mode and tunnel mode be used?

•

Explain briefly the operation of ISAKMP? What are the main advantages when

using public key cryptographic with ISAKMP?

•

What are the tasks achieved in phase one of IKE? What is the purpose of phase

two?

References

Books (related to RFC240x-IPsec from 1998)

•

S. Frankel; Demystifying the IPsec Puzzle; Artech House, 2001

– good IPsec-Book (still IKEv1)

•

C. Kaufmann, R. Perlman, M. Speciner; Network Security – Private

Communication in a public world; Prentice Hall; 2003

– more general book

Standards und Papers

•

RFC4301 – RFC4308 Dez. 2005 IPsec Standards, IETF

– recent standards

•

Ferguson, N und Scheier, B.; A Cryptographic Evaluation of IPsec,

http://www.counterpane.com/ipsec.html

, Feb. 1999

•

Simpson, W.; IKE/ISAKMP Considered Dangerous; Draft; Jun. 1999

•

RFC 2401 – RFC 2409 1998 IPsec Standards, IETF

Integrated Communication Systems Group

Ilmenau University of Technology

Visitors address:

Technische Universität Ilmenau

Gustav-Kirchhoff-Str. 1

(Informatikgebäude, Room 210)

D-98693 Ilmenau

fon: +49

(0)3677

69

2819

(2788)

fax: +49

(0)3677

69

1226

e-mail: [email protected]

[email protected]

www.tu-ilmenau.de/ics

Integrated Communication Systems Group

Ilmenau University of Technology

Univ.-Prof. Dr.-Ing. Andreas Mitschele-Thiel

Dr. rer. nat. habil. Oliver Waldhorst