Upload
jamal-stevens
View
46
Download
4
Tags:
Embed Size (px)
DESCRIPTION
Chapter 11 and 12. VPNs, IPsec, and TLS/SSL. Session 9 – Contents. VPNs Tunneling IPsec Layer 2 Tunneling Protocol (L2TP) TLS/SSL. TCP/IP Stack and Security Related Protocols. S/MIME S-HTTP PGP SET IPsec (ISAKMP). SMTP, Telnet, FTP, Gopher. Application Layer. SOCKS V5 TLS/SSL. - PowerPoint PPT Presentation
Citation preview
Cryptography and Security Services: Mechanisms and Applications
Manuel [email protected]
M. Mogollon – 1
Chapter 11 and 12Chapter 11 and 12VPNs, IPsec, and TLS/SSL
M. Mogollon – 2VPN IPsec IKE v2 TLS
Session 9 – Contents
• VPNs
• Tunneling— IPsec— Layer 2 Tunneling Protocol (L2TP)
• TLS/SSL
M. Mogollon – 3VPN IPsec IKE v2 TLS
TCP/IP Stack and Security Related Protocols
Application Layer
Transport Layer
Network Layer
Data Layer
SMTP, Telnet, FTP, Gopher
TCP UDP
IP
Ethernet, Token-Ring, FDDI, X.25, Wireless, Async, ATM, SNA...Data Layer
ARP RARP
• S/MIME• S-HTTP• PGP• SET
• IPsec (ISAKMP)
• SOCKS V5• TLS/SSL
• IPsec (AH, ESP)
• Packet Filtering• Tunneling Protocols
• PPP-EAP, IEEE 802.1X, CHAP, PAP, MS-CHAP
M. Mogollon – 4VPN IPsec IKE v2 TLS
What is a Virtual Private Network?
VPNs / Private data communication channels that use a public IP network, i.e., Internet, as the basic transport for connecting corporate data centers, remote offices, mobile employees, telecommuters, customers, suppliers, and business partners. The public network is used as a wide area communications network, and it offers the appearance, functionality, and usefulness of a dedicated private network.
M. Mogollon – 5VPN IPsec IKE v2 TLS
E-Commerce, E-Procurement, E-Care
Headquarters
Business Partners
Mobile Workforce
Suppliers Customers
TelecommutersContractors
Internet
But, the Internet is a public network and it doesn’t have any security!
M. Mogollon – 6VPN IPsec IKE v2 TLS
Secure VPNs
• Security is implemented in all products that offer VPNs.
• Secure VPNs are revolutionizing the way the Internet is used.
• IETF has standardized IPsec (IP Security) for secure VPN applications that have the following features:—are transparent to all TCP/IP applications—can be implemented in any LAN/WAN environment using TCP/IP—can secure any business communication over the Internet.
• IPsec is a mandatory part of the forthcoming IPv6 standard.
M. Mogollon – 7VPN IPsec IKE v2 TLS
Implementation of VPNs
• Located at the carrier’s network— In the first scenario, the service provider provides a service similar to
the public switched Frame Relay or ATM service, and the customer trusts that packets will not be misdirected, modified in transit, or subjected to traffic analysis by unauthorized parties.
• On the customer’s premises— In the second scenario, the customer does not trust the service
provider and implements a VPN using CPE equipment that provides firewall functionality and security.
• Any devices with microprocessors, such as routers, servers, firewalls or even PCs, can perform VPN functions, such as creating tunnels and encrypting packets.
M. Mogollon – 8VPN IPsec IKE v2 TLS
Secure VPN
Headquarters
Business Partners
Mobile Workforce
Suppliers Customers
Telecommuters VPNsContractors
Internet
With Secure VPNs,• I am sure to whom I am talking.• I know my message has not been modified.• I know that only authorized persons have seen my message.• I know that the message recipient can’t deny receiving my message.
M. Mogollon – 9VPN IPsec IKE v2 TLS
VPN Applications:Extranets and Remote Access
Internet
Tunnel Mode
Protected Subnet
Security Policy Server
Security Policy Server
Certificate Authority
Gateway
Mobile Workforce withIPsec Client Software
Transport Mode
Protected Subnet
• Tunnel ModeAuthentication is provided between a client and a corporate VPN device, or between two VPN devices.
• Transport ModeAuthentication is provided directly between a client and a server or between two work stations.
Server
M. Mogollon – 10VPN IPsec IKE v2 TLS
Virtual Private Networks (VPN)
• Network of virtual circuits for carrying private traffic.
• VPN Protocols
• PPP and L2TP are aimed at remote access use.
• IPsec is used for connecting LANs.
PPP L2TP IPsec
Mode Client-server Client-server Host-to-Host
Purpose Remote access Remote access Intranets, extranets,via tunneling via tunneling remote access via
tunnelingOSI layer Layer 2 Layer 2 Layer 3
TCP/IP Layer Data Data Network
Protocol IP, IPX, IP, IPX, IPAppleTalk, etc AppleTalk, etc
M. Mogollon – 11VPN IPsec IKE v2 TLS
VPN Benefits
• Ease of use – Facilitating electronic communications makes corporations more efficient and productive.
• Cost — Eliminating long-haul leased lines, 800 numbers or long distance fees,
modem banks, and multiple access connections results in significant savings.— Voice over IP reduces long distance phone call expenses.— Savings of up to 65% on monthly circuit costs by moving from a FR and ATM
environment to an IP VPN— Teleworker lower connection costs by 20%-25% per month over traditional
dial up & ISDN.
• Use of Standard Protocols – Internet Protocol IP and IPsec provide needed standardization.
• Simplification of Maintenance and Support – Reducing scalability issues and management complexity simplifies network operation.
M. Mogollon – 12VPN IPsec IKE v2 TLS
What is IPsec?
IPsec / (1) A suit of security protocols standardized by the Internet Engineering Task Force (IETF) that address data privacy, integrity, authentication, and key management, as well as, tunneling to TCP/IP networks. (2) A secure architecture that supports several applications that encrypt and/or authenticate all traffic at the IP level.
M. Mogollon – 13VPN IPsec IKE v2 TLS
Why IPsec
• IPsec-compliant products allow secure Virtual Private Networks in any existing IP-based network.
• IPsec is based on several strong encryption standards.
• IPsec provides security services such as: data origin authentication, access control, confidentiality (encryption), connectionless integrity, rejection of replayed packets (a form of partial sequence integrity), and limited traffic flow confidentiality.
• IPsec has government and industry support.
• IPsec allows corporations to select security services according to internal security policies.
M. Mogollon – 14VPN IPsec IKE v2 TLS
Internet Protocol (IP) – Security Threats
• The Internet protocol has no security.— Source/destination address &
port
Various IP Header Fields
Source IP Address
Destination IP Address
Upper Protocol Header (i.e., TCP,
UDP, ICMP)Data
DataIP Header TCP
IP Packet
• Attacks include:— IP Spoofing— Packet Sniffing— Session Hijacking— Man-in-the-Middle
IP Header Payload Data
M. Mogollon – 15VPN IPsec IKE v2 TLS
IPsec Interlocking Technologies
Cryptographic Security Mechanisms for IP• Authentication Header (AH)
— Provides integrity and authentication without confidentiality to IP datagrams.
— Available even in locations where the export, import or use of encryption to provide confidentiality is regulated.
• Encapsulation Security Payload (ESP)— Provides integrity, authentication, and confidentiality to IP datagrams.
Key Management• Internet Key Exchange IKEv2
— Allows users to agree on authentication methods, encryption methods, keys to use, and key duration.
— Key exchange could be manual or automated.
M. Mogollon – 16VPN IPsec IKE v2 TLS
IP Security Architecture
• IPsec Databases— Security Policy Database (SPD)— Security Association Database (SAD)— Peer Authorization Database (PAD)
• Security Associations— Information shared between two
Gateways on how to secure communications.
IP Packets
ESP/AH Engine
IPsec Databases (SPD, SAD, PAD)
Authentication Header Protocol
Encapsulation Security
Payload Protocol
EncryptionAlgorithm
Authentication& IntegrityAlgorithms
Key Management
• Security Protocols— AH is used to authenticate.— ESP is used to encrypt and to
authenticate.
• Algorithms for encryption and authentication
— Symmetric encryption algorithms.— Keyed hash algorithms.
• Key Management Protocols— Manual and Automated
M. Mogollon – 17VPN IPsec IKE v2 TLS
Security Protocols
• IPsec provides mechanisms to provide security services to IP and upper layer protocols (e.g., UDP or TCP).
• IPsec protect IP datagrams by defining a method in a SA.
• The SA associated with a connection could be Encapsulating Security Payload (ESP), or Authentication Header (AH), but not both.
• If both AH and ESP protection are applied to a connection, then two (or more) SAs are created to provide protection to the connection.
• To secure typical, bi-directional communication between two hosts, or between two security gateways, two Security Associations (one in each direction) are required.
• Both ESP and AH security protocols support two modes of operation: transport or tunnel mode.
M. Mogollon – 18VPN IPsec IKE v2 TLS
IPsec Negotiation
1
2
3
4
5
6
Applications
TCP/IP
NegotiatorEngine
Unprotect-Protect EngineSecurity Policy
Database
Outbound IPsec Packet
Applications
TCP/IP
Unprotect-Protect Engine
1
2
SPI
SA Attributes
Inbound IPsec Packet
IPsec Databases(SAD, PAD)
IPsec Databases (SAD, PAD)
NegotiatorEngine
Security Policy Database
M. Mogollon – 19VPN IPsec IKE v2 TLS
IP Security ArchitectureRFC 4301
AH ProtocolRFC 4302
Encryption AlgorithmsRPC 3602 (AES-CBC (128-Bit)RFC 3686 (AES-CTR)RFC 2451 (Triple DES-CBC)
Authentication AlgorithmsRFC 3566 (AES-XCBC-MAC-96)RFC 2404 (HMAC-SHA1-96)RFC 2403 (HMAC-MD5-96)
IKE v2RFC 4306
Key ManagementRFC 4120 (Kerberos)RFC 2093 (GKMP)RFC 2412 (OAKLEY)
ESP ProtocolRFC 4303
IPsec Document Roadmap
M. Mogollon – 20VPN IPsec IKE v2 TLS
AH and ESP Modes of Operation
TunnelMode
Authentication / Integrity
Confidentiality
New IPHeader
HeaderESP
OriginalIP Header
Authentication / Integrity
Confidentiality
OriginalIP Header
HeaderESP
Authentication / Integrity
New IPHeader
HeaderAH
OriginalIP Header
OriginalIP Header
HeaderAH
Authentication / Integrity
TransportMode
ESPAH
PayloadData
PayloadData
PayloadData
PayloadData
Outer IP Header
Inner IP Header
Inner IP Header
Inner IP Header
Outer IP Header
VPN Device VPN DeviceServer Client
TunnelTransport
M. Mogollon – 21VPN IPsec IKE v2 TLS
Authentication Header (AH)• Data Integrity: Undetected modification to a
packet’s content in transit is not possible• Authentication: Enables a network device to
authenticate a user.• Anti-replay service (optional)
Authentication Data Algorithms• HMAC-SHA-1-96 (Must be supported)• AES-XCBC-MAC-96 (Should be
supported)• HMAC-MD5-96 (May be supported)
Security Parameters Index (SPI)
Next Header ReservedAH Payload Length
Sequence Number
Payload DataIP Header
32 bits
AH
Authentication
Integrity Check Value –ICV (variable)
8 bits
Word 1
Word 2
Word 3
Word 4 -
16 bits8 bits
M. Mogollon – 22VPN IPsec IKE v2 TLS
Encapsulation Security Payload (ESP)• Data Integrity + Authentication (optional)• Anti-replay Service (optional)• Confidentiality (optional)
8 bits
Security Parameters Index (SPI)
Sequence Number
32 bits
Integrity Check Value –ICV (variable)
Original IP Header ESP Header
Authentication
Encryption
ESP ICVESP TrailerPayload Data
Payload Data (variable)
Next HeaderPad Length
Padding (0 – 255 bytes)
8 bits
M. Mogollon – 23VPN IPsec IKE v2 TLS
Internet Key Exchange (IKE v2)
• IPsec security services use symmetric encryption.— Source and destination need to agree to the mechanisms used to
share the secret keys and the keys that are used for authentication/integrity and encryption services.
• IPsec supports both manual and automatic distribution of keys.
• Public Key is used for automatic key management, but other automated key distribution techniques may be used.
• IKE v2 defines procedures and packet formats to establish, negotiate, modify, and delete Security Associations (SA).
M. Mogollon – 24VPN IPsec IKE v2 TLS
Negotiating a Security Association using IKE
IKE Security Association (IKE SA) proposes the following:
• Type of protection to use, either ESP or AH.
• Authentication algorithms and keys for signing data.
• Encryption algorithms and keys to protect data.
• Hash algorithms to reduce data for signing.
• Information about a group over which to do a Diffie-Hellman exchange.
• A pseudo-random function (prf) to hash certain values during the key exchange.
M. Mogollon – 25VPN IPsec IKE v2 TLS
Security Association
Security Parameters• Encryption and authentication
algorithms— Encapsulation Security Payload (ESP)— Authentication Header (AH)
• Crypto keys• Initialization values• Protocol mode• Source and destination IP addresses• Source and destination IDs• Key lifetimes
I would like to establish a secure IP communication, and since we haven’t talked before, let’s agree on all the security parameters we need by creating an
SA.
Source DestinationOnce we finish, let’s assign an index to the SA, (Security Parameter Index) and store the
information in our Security Policy Databases. By doing this, we will not have to create another SA
when we communicate again.
M. Mogollon – 26VPN IPsec IKE v2 TLS
Internet Key Exchange (IKE)
• First Message Exchange— IKE Security Association
– In IKE_SA_INIT, the initiator and responder negotiate the use of encryption algorithms by establishing an IKE_SA. The agreed keys are used to protect the IKE_AUTH exchange.
– In IKE_AUTH, the initiator and responder authenticate each other using authentication mechanisms such as digital signatures (exchanging certificates), Extensible Authentication Protocol (EAP), or pre-shared keys.
— Child Security Association– In IKE_AUTH, the first IKE_SA and associated IPsec SA, called child SA,
are created.
• Second Message Exchange— CREATE_CHILD_SA exchange is used to create new CHILD_SAs and to
rekey IKE_SAs and CHILD_SAs.— All messages are cryptographically protected using the encryption
algorithms and keys negotiated in IKE_SA_INIT and IKE_SA_AUTH.
M. Mogollon – 27VPN IPsec IKE v2 TLS
IKE First Message Exchange
AUTH – Authentication CERT – Certificate CERTREQ – Certificate RequestHDR – IKE Header i, r – Initiator, Responder IDi - Initiator IdentificationIDr – Responder Identification KEi – Initiator DH gi KEr – Responder DH gi Ni, Nr – Nonce SA - Security Association TSi, TSr – Traffic SelectorSAi1 , SAr1 – Used to create IKE_SASAi2, SAr2 – Used to create the first CHILD_SASK{….} – Payload is encrypted and integrity protected using SK_e and SK_a.
SAi1 HDR
SAr1HDR
1
2
3
4
I would like to establish an IKE security association and a child security association.
InitiatorNetworking Device with
IPsecEnd -system or Gateway
environment
Responder Networking Device with
IPsecEnd -system or Gateway
environment KEiNi
[CERTREQ]NrKEr
SK{IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
HDR
SK{IDr, [CERT], AUTH, SAr2, TSi, TSr}
HDR
M. Mogollon – 28VPN IPsec IKE v2 TLS
IKE Second Message Exchange
HDR – IKE Header i, r – Initiator, Responder[KE] – Optional Key Exchange [N+] – Optional Notify Ni, Nr – Nonce SA - Security AssociationTSi, TSr – Traffic SelectorSK{….} – Payload is encrypted and integrity protected using SK_e and SK_a.
5
6
I would like to generate a new Child_SA or rekey IKE SA and/or a previous Child_SA.
InitiatorNetworking Device with
IPsecEnd -system or Gateway
environment
Responder Networking Device with
IPsecEnd -system or Gateway
environment SK{ [N+], SA, Ni, [KEi], TSi, TSr} HDR
SK{ [N+], SA, Nr, [KEr], TSi, TSr} HDR
M. Mogollon – 29VPN IPsec IKE v2 TLS
IKE v2 Header
• Initiator’s SPI (8 Octets) – A value selected by the initiator to identify a unique IKE security association.• Responder’s SPI (8 Octets) – A value selected by the responder initiator to identify a unique IKE security
association. This value is zero in the first message of the IKE_INIT.• Next Payload (1 Octet) – the type of payload that follows the header.• Major Version (4 bits) – The major version of the IKE protocol used.• Minor Version (4 bits) – The minor version of the IKE protocol used.• Exchange Type (1 Octet) – The type of exchange being use, IKE_INIT, IKE_AUTH, CREATE_CHILD_SA, or
INFOTMATIONAL.• Flags (1 Octet) – Indicates specific options that are set for the message.• Message ID (4 Octets) – Message identifier used to control retransmision of lost packets. It is used to prevent
message replay attacks.• Length (4 Octets) – Length of total message (header and payload)
IKE_SA Initiator’s Security Parameters Index (SPI)
IKE_SA Responder’s Security Parameter Index (SPI)
Next Payload FlagsExchange TypeMjVer MjVer
Message ID
Length
M. Mogollon – 30VPN IPsec IKE v2 TLS
Generating Key Material in IKE_SA
• In IKEv2, Diffie-Hellman is the only key exchange algorithm used.
• Key material for all of the cryptographic algorithms used in both IKE_SA and CHILD_SA is always derived as the output of a prf algorithm.
• Diffie-Hellman exchange has the following three components: a generator g, the modulo p, and a secret that in IKEv2 terminology is called i or r.
• During IKE_INIT, in KEi and KEr, the Initiator and Responder exchange Diffie-Hellman information, gi and gr, as well as nonces Ni and Nr
• The shared key, SKEYSEED, is calculated by both the Initiator and Responder from the nonces exchanged and the Diffie-Hellman shared secret key generated, gi and gr, according to the following formula: ),|( irgNrNiprfSKEYSEED
M. Mogollon – 31VPN IPsec IKE v2 TLS
IKE v2 DH Key Agreement
g =12 p = 47I Secret = i = 3
Nonce = Ni = 11
g = 12 p = 47R Secret = r =5Nonce = Nr = 7
18 18
36, 11 14, 7
g and p do not need to be secret
Both ends use 11, 7, and 18, as the secret and seed to calculate SKEYSEED
In the security association, the initiator and responder agreed on the same group or pair of g and p.
18)47(mod143 rig 18)47(mod365 rig
Initiator Responder
),|( irgNrNiprfSKEYSEED )( seed secret,prfSKEYSEED
36)47(mod123 ig 14)47(mod125 rg
M. Mogollon – 32VPN IPsec IKE v2 TLS
Diffie-Hellman Groups in IKE
• Three distinct group representations can be used with IKE. — Modular Exponentiation Groups (named MODP)— Elliptic Curve Groups over the field GF [2n] (named EC2N)— Elliptic Curve Groups over GF [P] (named ECP).
• Groups Identifiers supported in IKE— Group 0: No group (used as a placeholder and for non-DH
exchanges)— Group 1: A modular exponentiation group with a 768 bit modulus— Group 2: A modular exponentiation group with a 1024 bit modulus— Group 4: An elliptic curve group over GF [2^155]— Group 5: A modular exponentiation group with a 1536 bit modulus— Group 14: A modular exponentiation group with a 2048 bit modulus— Group 15 A modular exponentiation group with a 3072 bit modulus.— Group 16 A modular exponentiation group with a 4096 bit modulus.— Group 17 A modular exponentiation group with a 6144 bit modulus.— Group 18 A modular exponentiation group with a 8192 bit modulus.
M. Mogollon – 33VPN IPsec IKE v2 TLS
TCP/IP Stack and Security Related Protocols
Application Layer
Transport Layer
Network Layer
Data Layer
SMTP, Telnet, FTP, Gopher
TCP UDP
IP
Ethernet, Token-Ring, FDDI, X.25, Wireless, Async, ATM, SNA...Data Layer
ARP RARP
• S/MIME• S-HTTP• PGP• IPsec (ISAKMP)
• SOCKS V5• TLS/SSL
• IPsec (AH, ESP)• Packet Filtering• Tunneling Protocols
• PPP-EAP, IEEE 802.1X, CHAP, PAP, MS-CHAP
M. Mogollon – 34VPN IPsec IKE v2 TLS
TLS and SSL
• TLS and SSL protocols are used to secure the communication between a client (Web browser) and a server (Web Server) over the Internet.
• TLS versions 1.1, 1.0, and SSL 3.1 and 3.0 are very similar. TLS and SSL clients are built into all web browsers.
• TLS and SSL provide mutual authentication (digital signature), confidentiality (data encryption), and data integrity (hash algorithms).
• A secure client-server communication requires:— Which protocol and version (TLS 1.0, 1,1, SSL2 or SSL3) to use and which
cryptographic algorithm will be used.— Whether or not to authenticate each other. Server and client authentication.— The type of cryptographic key exchange where both parties agree on a pre-master
secret key — The creation of session keys to encipher the message. — The encryption technique to the enciphering of data using keys generated from the pre-
master key.
M. Mogollon – 35VPN IPsec IKE v2 TLS
TLS Architecture
• Session— A TLS session is an association between a client and a server.
Sessions are created by the handshake protocol.— Sessions define a set of cryptographic security parameters, which
can be shared among multiple connections.— Sessions are used to avoid the negotiation of new security
parameters for each connection.
• Connection— A connection is a transport (in the OSI layering model definition) that
provides a suitable type of service.— For TLS, such connections are peer-to-peer relationships.— A connections is transient. Every connection is associated with one
session.
M. Mogollon – 36VPN IPsec IKE v2 TLS
Session Parameters
• Session identifier— An arbitrary byte sequence chosen by the server to identify an active or resumable
session state.
• Peer certificate— An X509.v3 certificate of the peer. This element of the state may be null.
• Compression method— The algorithm used to compress data prior to encryption.
• Cipher spec— Specifies the data symmetric encryption algorithm (such as null, DES, etc.) and a MAC
algorithm (such as MD5 or SHA). It also defines cryptographic attributes such as the hash_size.
• Master secret— A 48-byte secret shared between the client and server.
• Is Resumable— A flag indicating whether the session can be used to initiate new connections.
M. Mogollon – 37VPN IPsec IKE v2 TLS
Connection Parameters
• Server and client random— Byte sequences that are chosen by the server and client for each connection.
• Server write MAC secret— The secret key used in MAC operations on data written by the server.
• Client write MAC secret— The secret key used in MAC operations on data written by the client.
• Server write key— The symmetric cipher key used by the server to encipher data and by the client to
decipher it.
• Client write key— The symmetric cipher key used by the client to encipher data and by the server to
decipher it.
• Initialization vectors— When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for
each key.
• Sequence numbers— Sequence numbers maintained by each party for transmitted and received messages.
M. Mogollon – 38VPN IPsec IKE v2 TLS
TLS Record Protocol
• The TLS Record Protocol provides connection security that has four basic properties: — The connection is private. Symmetric encryption (e.g., AES, DES, RC4, etc.)
is used for data encryption, after an initial handshake in which a pre-master secret key is defined.
— The negotiation of a shared secret is secure.– No attacker can modify the negotiation communication without being
detected by the parties to the communication.— The peer's identity can be authenticated using asymmetric or public key
cryptography (e.g., RSA, DSS, etc.).— The connection is reliable.
– Message transport includes a message integrity check using a keyed MAC (HMAC).
– HMAC can be used with a variety of different hash algorithms, but TLS uses MD5 and SHA-1, denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret, data).
M. Mogollon – 39VPN IPsec IKE v2 TLS
TLS Record Protocol
Compression (Optional)
HMAC
HMAC
Compressed Cleartext Message
Stream Cipher
Enciphered [Compressed
Cleartex Message ║
HMAC]Block CipherPadding
SSL Header
Message Block Mn
Blocks of equal size such that the final SSL Record is not bigger
than 214 bytes.
M1M2 … Mn .. Key
Key
Key Exchange
Key Exchange
HMAC-SHA-1HMAC-RSA
Data Encryption
Stream Ciphers: RC4 40-bit or 128-bit key.Block Ciphers: DES 56-bit, 3DES 168-bit, or AES-128
The Record Protocol is responsible for coordinating the client and server sessions.
M. Mogollon – 40VPN IPsec IKE v2 TLS
Handshake Protocol (Session State)
Client Web Server
Exchange client and server security capabilities:secure ID, compression method, and initial random number.
Client_Hello
Server_hello
Phase 1 Establishing Security Capabilities
Phase 2 and 3 Server & Client Authentication and Key Exchange
Server_Key_Exchange
Server and client exchange authentication, type of key exchange,
and public-key parameters.
Client_Key_Exchange
Server-Shared Master Key
Server and client create the shared master key and the cryptographic parameters.
Client-Shared Master Key
Generating the Master Secret Keys
Server Finish
Client and server exchange Finish Message and a hash of the
Finish Message
Client FinishPhase 4 Finish Message
M. Mogollon – 41VPN IPsec IKE v2 TLS
Phase 1 Handshake Protocol
ClientWeb Server
Client_Hello
Server_hello
Phase 1 Establishing Security Capabilities
1. A ClientHello.random number (28 bytes), which is used later in the protocol;
2. A CipherSuite list containing the combinations of cryptographic algorithms supported by the client (in order of the client's preference, first choice first);
3. A list of the compression methods supported by the client, sorted by client preference.
When the client sends a client_hello message, the server must respond with a server_hello message, or else a fatal error will occur
and the connection will fail.
When the client sends a client_hello message, the server must respond with a server_hello message, or else a fatal error will occur
and the connection will fail.
1. A ServerHello.random number (28 bytes), different from the one sent by the client;
2. A CipherSuite list containing the combinations of cryptographic algorithms supported by the server (in order of the server's preference, first choice first);
3. A list of the compression methods supported by the server, sorted by the server.
M. Mogollon – 42VPN IPsec IKE v2 TLS
Phase 2 Handshake Protocol
ClientWeb ServerServer Authentication and Key Exchange
1. Server sends its authentication certificate, using a X.509.v3 certificate.
2. Information about the type of key exchange the server is proposing. — RSA: The secret key is encrypted with the server’s private key.— Fixed Diffie-Hellman: The server’s certificate has the Diffie-Hellman
parameters, signed by a Certificate Authority (CA).— Ephemeral Diffie-Hellman: The Diffie-Hellman parameters are signed using the
server’s RSA or DSA.— Anonymous Diffie-Hellman: The Diffie-Hellman parameters are not signed.
Key Exchange Parameters for RSA or Diffie-Hellman— RSA: The modulo of the server's temporary RSA key and the public exponent
of the server's temporary RSA key.— Diffie-Helman:
– The prime modulus p used for the Diffie-Hellman operation.– The generator g used for the Diffie-Hellman operation.– The server's Diffie-Hellman public value y (y = gx mod p).
3. A message requesting a client certification (optional);
4. A message indicating that the handshake of phase 2 is complete.
Key Exchange Parameters Signing =ESPriv
[Hash(ClientHello.random ║ ServerHello.random ║ ServerParams)]
M. Mogollon – 43VPN IPsec IKE v2 TLS
Phase 3 Handshake Protocol
ClientWeb Server
Client Authentication and Key Exchange
1. Client verifies whether or not the server’s certificate is valid.
2. Client sends certificate, if the server has requested it. — Client must send either the certificate message or a no_certificate alert; this
alert is only a warning. If client authentication is required, the server may respond with a fatal handshake failure alert.
3. Pre-master key exchange— RSA: A 48-byte pre-master secret key, encrypted with the server’s RSA public
key.— Diffie-Helman: Both client and server perform the Diffie-Hellman calculation to
create a pre-master key.
4. Master Key generation— Once the pre-master key has been created, either from RSA or from Diffie-
Hellman, the master key is computed as follows:
Master_Key = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)Master_Key = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)
PRF = Pseudo Random Function. See slide 20
M. Mogollon – 44VPN IPsec IKE v2 TLS
Phase 4 Handshake Protocol
ClientWeb Server
Finish
1. Client and server update the cipher_spec with the new, agreed-upon encryption algorithms, keys, and hash functions.
2. Client sends a “finished message” using the just negotiated encryption algorithms, hash functions, and symmetric encrypting keys to verify that the key exchange and authentication processes were successful.
3. The finished message is hashed as follows:— MD5[master_secret ║ pad2 ║ MD5(handshake_messages
║ Sender ║ master_secret ║ pad1)]— SHA[master_secret ║ pad2 ║ SHA(handshake_messages
║ Sender ║ master_secret ║ pad1)] Pad1 and pad 2 are the values defined in the MAC Handshake refers to all handshake messages exchanged Sender is a code that identifies that the sender is a client
(0x434C4E54) or a server (0x53525652).
Client and server may begin sending confidential data immediately after sending the Finish message. The master secret is used as an entropy
source to generate random values for the export and non-export MACS, secret keys, and initialization values (IV) required to encipher the data.
Client and server may begin sending confidential data immediately after sending the Finish message. The master secret is used as an entropy
source to generate random values for the export and non-export MACS, secret keys, and initialization values (IV) required to encipher the data.
M. Mogollon – 45VPN IPsec IKE v2 TLS
TLS Alert Protocol
• Alert messages convey information about the status of the connection.• There are two types of alerts: Fatal and Warning.
Fatal Alert: Indicates that the connection is so bad that it needs to be terminated immediately.
Warning Alert: Indicates that there are some problems in the connection.
• Error Alerts unexpected_message: An inappropriate message was received. Fatal. bad_record_mac: This alert is returned if a record is received with an incorrect MAC. Fatal. decompression_failure: The decompression function received improper input. Fatal. handshake_failure: Reception of a handshake_failure alert message indicates that the sender
was unable to negotiate an acceptable set of security parameters given the options available. Fatal. illegal_parameter: A field in the handshake was out of range or inconsistent with other fields.
Fatal. no_certificate: A no_certificate alert message may be sent in response to a certification request if
no appropriate certificate is available. bad_certificate: A certificate was corrupt, contained signatures were not verifiable. unsupported_certificate: A certificate was of an unsupported type. certificate_revoked: A certificate was revoked by its signer. certificate_expired: A certificate has expired or is not currently valid. certificate_unknown: Some other (unspecified) issue arose in processing the certificate,
rendering it unacceptable.
M. Mogollon – 46VPN IPsec IKE v2 TLS
Key Calculation - Pre Master Key Generation
Method 1 RSA – 48-byte Generated by the Client
Encipher RSA
Decipher RSA
Server’sSecret Key
Method 2: Diffe-Hellman
Diffie-Hellman Key Exchange
Server’s Certificate
Server’s Public Key
PreMaster Key
PreMaster Key
Diffie-Hellman Key Exchange
PreMaster Key
PreMaster Key
Web ServerClient
M. Mogollon – 47VPN IPsec IKE v2 TLS
Key Calculation – Key and MAC Secrets
Exchange (wrap / transport ) or agree on (Diffie-Hellman) a pre-master key.
Encipher Decipher
Client Web Server
Master_Key Generation
Pre_Master_Key
Pre_Master_Key
Client MACServer MAC
Key_Block prf Expansion
Client Key, IVServer Key, IV
Symmetric Block
Encryption
Master_Key Generation
Client MACServer MAC
Client Key, IVServer Key, IV
Symmetric Block
Encryption
Integrity
Confidentiality
Key_Block prf Expansion
M. Mogollon – 48VPN IPsec IKE v2 TLS
TLS – Pseudo Random Function
The PRF is created by splitting the secret key into two and using one half to generate data with P_MD5 and the other half to generate data with P_SHA-1. Then, the outputs of these two expansion functions together are XORed.
• The label is an ASCII string. For example, the label "plano tx" would be processed by hashing the following bytes (hex): 70 6C 61 6E 6F 20 74 78.
• The P_Hash data expansion function is used to create a pseudo random function (PRF).
Secret Label (Password)
S1 S2
PRF(secret, label, seed) = P_MD5 (S1, label ║ seed) XOR P_SHA-1 (S2, label ║ seed)
M. Mogollon – 49VPN IPsec IKE v2 TLS
TLS – P_hash (secret, seed)
P_hash(secret, seed) = HMAC_hash (secret, A(1) ║ seed) ║
HMAC_hash (secret, A(2) ║ seed) ║
HMAC_hash (secret, A(3) ║ seed) ║ ...
HMAC
HMAC
HMAC
║
║
HMAC
║
Seed
Secret
Secret
Secret
Secret
A1
A2
A3
HMAC(secret, A(1) ║ seed) HMAC(secret, A(2) ║ seed) HMAC(secret, A(3) ║ seed)
M. Mogollon – 50VPN IPsec IKE v2 TLS
SSL VPN
• Provides secure remote access to corporate applications. • Uses SSL & TTL as the underlying transport to establish a secure session
between any web browser and the proxy server in the SSL VPN Gateway.• Presents users with a web portal containing links to applications.• Functions as a proxy for both client (web browser) and server (web server) –
there is never a direct connection to the private network.• Ensures that authorized users have access only to specific resources as
allowed by the company security policy implemented by the proxy server and integrated traffic management.
ProxySocks
Address Translation
Applications
Internet
Kiosk
• Web Applications
• Client/Server• Telnet• SSH• Email• File Transfer
SSL (TLS) Secure ConnectionSSL
SSL VPN Gateway
M. Mogollon – 51VPN IPsec IKE v2 TLS
SSL VPN Threats
• User passwords may remain on public-computers after users log off.—User passwords are stored by the browser.
• Sensitive data, such as browser cache entries, URL entries, cookies, and any historical information created during the session, may remain on public computers after users complete their SSL VPN sessions.
• Downloaded files are stored in the public computer’s “Temporary Folder.”
• Users forget to logout.—Next public computer user may have access to applications.
• Worms and viruses may be transferred from the public computers to the corporate internal network.
M. Mogollon – 52VPN IPsec IKE v2 TLS
IPsec and TLS: Complementary Solutions
Solutions SSL IP Sec Comments
TelecommuterEg. Employee working from Home Office
IPsec provides secure access to all network resources and applications.SSL requires legacy applications to be first ‘translated’ into HTTP or will give access to SSL-enabled apps only.
Site-to-Site VPNEg. Remote branch office requires connectivity to corporate WAN
IPsec provides a secure tunnel between permanent locations
Remote Webmail Eg. Outlook Web Access, Lotus iNotes
SSL allows secure access from any web browser.
Internal Application SecurityEg. HR Self-service
SSL provides application layer security within VPNs
Partner ExtranetEg. Supplier access to inventory system
SSL doesn’t require installation of software on partner’s equipment but no control on workstation securityIPsec might require firewall reconfiguration – need to police access but closer control on workstation security
Web Application PortalsEg. iPlanet, web-enabled enterprise apps, custom web apps.
SSL is simplest choice for native web apps.IPsec is overkill
VOIP securityEg. Either site-to-site or telecommuter VOIP security.
VOIP can’t be carried by SSLIPsec is the solution for VOIP encryption
Wireless LAN securityEg. Securing WLAN access to the network by using stronger authentication and encryption.
IPsec provides secure access to all network resources and applications.SSL requires legacy applications to be first ‘translated’ into HTTP or will give access to web apps only
Ideal InappropriateOverkill / ComplexAppropriate
M. Mogollon – 53VPN IPsec IKE v2 TLS
To Probe Further
• Atkinson, R. (1995). IP Encapsulating Security Payload (ESP). RFC 1827.
• Gleeson B., Lin A., Heinanen J, Armitage G., Malis A. (2000). A Framework for IP Based Virtual Private Networks. RFC 2764.
• C. Kaufman, Ed. (2005). The Internet Key Exchange (IKEv2). RFC 4306.
• Kent, S., Seo K. (2005). Security Architecture for the Internet Protocol. RFC 4301.
• Kent, S. (2005). IP Authentication Header. RFC 4302.• Kent, S. (2005). IP Encapsulating Security Payload (ESP). RFC 4303.• Madson, C., Glenn, R. (1998). The Use of HMAC-SHA-1-96 within
ESP and AH. RFC 2404.• Orman, H. (1998). The OAKLEY Key Determination Protocol. RFC
2412.
M. Mogollon – 54VPN IPsec IKE v2 TLS
To Probe Further
• Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., & Wright, T. (2006). Transport Layer Security (TLS) Extensions. RFC 4366, IETF. http://www.ietf.org/rfc/rfc4366.txt?number=4366
• Dierks, T., Rescorla, E. (2006). 4346 The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, IETF. http://www.ietf.org/rfc/rfc4346.txt?number=4346
• Freier, A., Karlton, P., & Kocher, P. The SSL Protocol Version 3.0. Internet-Draft, November 1996.
• Santesson, S. (2006). TLS Handshake Message for Supplemental Data. RFC 4680, IETF. http://www.ietf.org/rfc/rfc4680.txt?number=4680
• Santesson, S., Medvinsky, A., & Ball, J. (2006). TLS User Mapping Extension. RFC 4681, IETF. http://www.ietf.org/rfc/rfc4681.txt?number=4681