Cisco Presentation Guide · 2009-11-03 · •IPSec tunnel between routers connecting secure LANs to unsecure shared infrastructure (IPSec gateways) •no need for IPSec support in

© 2005 Petr Grygarek, Advanced Computer Networks Technologies 1

Virtual Private Networks Virtual Private Networks Petr GrygPetr Grygáárekrek

Agenda:Cryptography basicsVPN principles and usage IPSec

2© 2005 Petr Grygarek, Advanced Computer Networks Technologies

Basic terminology and mechanisms Basic terminology and mechanisms of network security and cryptographyof network security and cryptography


Authentication and encryptionAuthentication and encryption• CConfidentalityonfidentality

• unauthorized listener cannot understand data meaningunauthorized listener cannot understand data meaning• implemented by encryptionimplemented by encryption

• AAuthenticationuthentication • verification of data sender identityverification of data sender identity

• Data Data integrityintegrity• verification that data were not modified during transportverification that data were not modified during transport

• NNon-repudiationon-repudiation• data source cannot repudiate it sent particular piece of datadata source cannot repudiate it sent particular piece of data

• (i.e. it signed it)(i.e. it signed it)


Hashing functionHashing function• one-wayone-way fun function (algorithm)ction (algorithm)

• impossible to guess how to modify hash code such as it impossible to guess how to modify hash code such as it represents false data (i.e. data falsified by attacker)represents false data (i.e. data falsified by attacker)

• converts (long) block of data to (short) hash valueconverts (long) block of data to (short) hash value• often used as Hashed Message Authentication Code often used as Hashed Message Authentication Code

(HMAC)(HMAC)• the hash is computed from [data+secret] blockthe hash is computed from [data+secret] block

• algorithms commonly used as hash function algorithms commonly used as hash function • HMAC-MD5 –– Message Digest 5 HMAC-MD5 –– Message Digest 5

• (128b message digest)(128b message digest)• HMAC-SHA1 – Secure Hash Algorithm HMAC-SHA1 – Secure Hash Algorithm

• (stronger -160b message digest)(stronger -160b message digest)


Cryptographic systemCryptographic system

Implementation options• Conceal encryption/decryption algorithm

• If the algorithm is revealed, implementation is useless

• Conceal keys• Keys used to parametrize (known) algorithm• Enough number of possible keys has to be available

Encryption Decryption

Key

plaintext

plaintext

cypertext

Key


Symmetric cryptosystemSymmetric cryptosystem

• Shared secret keyShared secret key• Effective algorithm implementationsEffective algorithm implementations

• speed, relative simplicityspeed, relative simplicity• possible to implement in hardwarepossible to implement in hardware• DES, 3DES, AES, …DES, 3DES, AES, …

• Problem with secure secret key distributionProblem with secure secret key distribution


Authentication in symmetric Authentication in symmetric cryptosystemcryptosystem

• Sender encrypts uSender encrypts username sername using shared key, using shared key, receiver decrypts using the same key and tests receiver decrypts using the same key and tests username validityusername validity

• Possible validity check implementation:Possible validity check implementation:• Sender appends username hash behind username, Sender appends username hash behind username,

then encrypts whole block with shared keythen encrypts whole block with shared key• Receiver decrypts [username+hash] with shared key, Receiver decrypts [username+hash] with shared key,

computes username hash and compares with computes username hash and compares with received hashreceived hash

• Does not require to maintain username databaseDoes not require to maintain username database


Data integrity check implementationData integrity check implementation

• [[messagemessage++shared secret keyshared secret key]->hash]->hash• messagemessage+hash+hash is sent is sent• receiver appends shared secret key behind receiver appends shared secret key behind

received message, calculates hash by itself and received message, calculates hash by itself and compares with received hashcompares with received hash

Combines origin authentication and data integrity Combines origin authentication and data integrity checkcheck


Asymmetric cryptosystemAsymmetric cryptosystem

• Keys generated as pair – Keys generated as pair – publicpublic and and privateprivate key key• One key of pair used for encryption, second for decryptionOne key of pair used for encryption, second for decryption

• no matter which one for whatno matter which one for what• uses identical or complementary algorithms for encryption and decryptionuses identical or complementary algorithms for encryption and decryption

Encryption Decryption

publickey

KB_PUBLIC

ALICE BOB

privatekey

KB_PRIVATE

KB_PUBLICKB_PRIVATE

KA_PUBLICKA_PRIVATE

Certificationauthority

KA_PUBLICKB_PUBLIC


Features of asymmetric cryptosystemFeatures of asymmetric cryptosystem

• More calculations comparing to symmetric More calculations comparing to symmetric algorithm => sloweralgorithm => slower• RSA, El-GammalRSA, El-Gammal

• Problem of secure public key distributionProblem of secure public key distribution• no need to conceal them, but we need secure no need to conceal them, but we need secure

mechanism for public key transportmechanism for public key transport• certification authority digitally signs public keys certification authority digitally signs public keys

packed together with owner information packed together with owner information • (so called “certificates”)(so called “certificates”)


Usages ofUsages of asy asymmmetric sysmetric systemtem

• Digital signaturesDigital signatures• No problem with secret key distributionNo problem with secret key distribution

• Exchange of keys for symmetric systemExchange of keys for symmetric system• Often generated dynamically keys with limited Often generated dynamically keys with limited

lifetimelifetime


CertifiCertification authority (1)cation authority (1)• Trusted entityTrusted entity• Digitally signs public keys packed together with Digitally signs public keys packed together with

owner information - owner information - certificatescertificates• First contact with CA must be personalFirst contact with CA must be personal

• obtaining of private+public key pairobtaining of private+public key pair• there exist ways how to deliver encrypted private key + there exist ways how to deliver encrypted private key +

certificate (containing signed public key) without physical certificate (containing signed public key) without physical contactcontact• need for authenticate certificate requestneed for authenticate certificate request• uses password prenegotiated between user and CA to encrypt private uses password prenegotiated between user and CA to encrypt private

key + certificate before sending it to user key + certificate before sending it to user • usage of LDAP password etc.usage of LDAP password etc.

• private+public key generation may take place at client OSprivate+public key generation may take place at client OS• Client keeps private key and sends public key for signing to CA using Client keeps private key and sends public key for signing to CA using

HTTPSHTTPS


CertifiCertification authority (2)cation authority (2)• Public key of CA needed by Public key of CA needed by

communicating parties to verify certificates communicating parties to verify certificates of other communicating peersof other communicating peers

• Public key of CA has to be inserted into Public key of CA has to be inserted into every system by some trustworthy mannerevery system by some trustworthy manner• built-in into OS/WWW browser installation filesbuilt-in into OS/WWW browser installation files

Advantage: only one public key (CA certificate) Advantage: only one public key (CA certificate) has to be preconfigured manuallyhas to be preconfigured manually


AutAuthhentienticationcation and data integrity and data integrity check incheck in asym asymmmetricetric systsysteemm

Data

KB_PUBLIC

ALICE BOB

KA_PRIVATE

KB_PUBLICKB_PRIVATE

KA_PUBLICKA_PRIVATE

comparison

Hash Data

KB_PRIVATE KA_PUBLIC

Hash

Hash

© 2005 Petr Grygarek, Advanced Computer Networks Technologies 15

Virtual Private Networks Virtual Private Networks (VPN)(VPN)


What is VPN ?What is VPN ?

• VPN VPN allow to build private WANs using public shared allow to build private WANs using public shared infrastructure with the same level of security and configuration infrastructure with the same level of security and configuration options as with private infrastructureoptions as with private infrastructure

• Uses tunneling and encryption methodsUses tunneling and encryption methods• including authenticationincluding authentication


TunnelTunnel• Virtual point-to-point connection over shared Virtual point-to-point connection over shared

infrastructureinfrastructure• often authenticated and encryptedoften authenticated and encrypted

• Carries packets of some protocol encapsulated Carries packets of some protocol encapsulated in another protocol in another protocol • sometimes in the same protocol (sometimes in the same protocol (IP over IPIP over IP))• tunnel can carry layer 2 frames alsotunnel can carry layer 2 frames also• allows other protocols to be carried over IP network allows other protocols to be carried over IP network

• (even nonroutable protocols such as NetBEUI etc.)(even nonroutable protocols such as NetBEUI etc.)


Advantages of VPNs over physical Advantages of VPNs over physical private WAN infrastructureprivate WAN infrastructure

• Lower costLower cost• Flexibility of (virtual) topologyFlexibility of (virtual) topology

• topology defined purely by configurationtopology defined purely by configuration• No WAN link maintenance and management neededNo WAN link maintenance and management needed

• provider (ISP) takes responsibility of infrastructureprovider (ISP) takes responsibility of infrastructure

No special contract with infrastructure provider is neededNo special contract with infrastructure provider is needed(we only need ISP does not filter tunneling protocols)(we only need ISP does not filter tunneling protocols)


Common VPN applications (1)Common VPN applications (1)• Site-to-site VPNsSite-to-site VPNs

• RRouterouter to to router router ((firewall to firewallfirewall to firewall))

• secure interconnection of (multiple) distant LANssecure interconnection of (multiple) distant LANs• analogy with classical WAN networksanalogy with classical WAN networks

Secure intranet (2)

Unsecure publicinfrastructure

(Internet)

Secure intranet (1)

Encryption,Decryption

Site-to-site tunnel

Encryption,Decryption


Common VPN applications (2/1)Common VPN applications (2/1)• Remote access VPNsRemote access VPNs

• Client-initiatedClient-initiated• Remote user to Remote user to VPN VPN cconcentroncentraatortor• user has special encryption software installed (user has special encryption software installed (VPN VPN cclientlient))

• NAS-initiatedNAS-initiated• Remote user dials-in to service provider’s NAS using Remote user dials-in to service provider’s NAS using

some connection-oriented telecommunication networksome connection-oriented telecommunication network• PSTN, ISDNPSTN, ISDN

• NAS initiates secure tunnel to secure corporate networkNAS initiates secure tunnel to secure corporate network


Common VPN applications (2/2)Common VPN applications (2/2)

Secure intranet

Unsecure publicinfrastructure

(Internet)

VPNconcentrator

PSTN

modem

User without any special

software

ISPNAS

Encryption

Encryption

Decryption

tunnels

User with VPNclient software

Client-initiatedVPN tunnel

NAS-initiated VPNtunnel


On which layer should VPNs On which layer should VPNs be implemented ?be implemented ?

Internetwork-wide VPNs => at or above layer 3Internetwork-wide VPNs => at or above layer 3

• Layer 3 VPN – IPSecLayer 3 VPN – IPSec• media independent (above hop-by-hop L2 security)media independent (above hop-by-hop L2 security)• application independentapplication independent• connectionless securityconnectionless security

• Layer 4 VPN – commonly uses SSLLayer 4 VPN – commonly uses SSL• but what to do with connectionless service (UDP) ?but what to do with connectionless service (UDP) ?

• Layer 7 VPN – application level (WWW)Layer 7 VPN – application level (WWW)


IPSec IPSec ((VPN VPN implementation using IP)implementation using IP)


IPSecIPSec (RFC 2401) (RFC 2401)IPSec IPSec = suite of protocols and algorithms used for data = suite of protocols and algorithms used for data

security implementation at network layersecurity implementation at network layer

• Open standards Open standards frameworkframework• GeneralGeneral, , independent to actual algorithms usedindependent to actual algorithms used

• flexible and stable – no need for change when particular algorithm is flexible and stable – no need for change when particular algorithm is compromisedcompromised

• ProvidesProvides aut authhentienticationcation, , data data integritintegrity and confidentalityy and confidentality• using particular preconfigured or negotiated algorithms, not by itselfusing particular preconfigured or negotiated algorithms, not by itself

• Only for unicast Only for unicast IPIP traffic traffic• but other protocols including IP broadcasts/multicasts can be but other protocols including IP broadcasts/multicasts can be

encapsulated into tunnel before transportation over IPSec mechanismencapsulated into tunnel before transportation over IPSec mechanism• Implemented as additional mechanism for IPv4, natively built-in Implemented as additional mechanism for IPv4, natively built-in

into IPv6into IPv6


Basic IPSec terminologyBasic IPSec terminology• Security AssociationSecurity Association

• Set of policies and keys for data protectionSet of policies and keys for data protection• Shared by (two) communicating partnersShared by (two) communicating partners

• Authentication HeaderAuthentication Header• Header appended to every packet to carry Header appended to every packet to carry

authentication system information (HMAC etc.)authentication system information (HMAC etc.)• Encapsulating Security Payload HeaderEncapsulating Security Payload Header

• Header appended to every packet to carry security Header appended to every packet to carry security system information (authentication, confidenitality)system information (authentication, confidenitality)


Security AssociationSecurity Association (1) (1)• Defines encryption and authentication Defines encryption and authentication

parameters used between two partners parameters used between two partners communicating over IPSec tunnel communicating over IPSec tunnel • encryption and authentication algorithm,encryption and authentication algorithm, key size, key size,

key lifetimekey lifetime• encryption and authentication key (symmetric)encryption and authentication key (symmetric)• IPSec mode (tunnel/transport)IPSec mode (tunnel/transport)• encapsulation protocol (AH/ESP)encapsulation protocol (AH/ESP)• specification of traffic to be encrypted (/decrypted)specification of traffic to be encrypted (/decrypted)

• Pre-configured or negotiated between partners Pre-configured or negotiated between partners during IPSec tunnel establishmentduring IPSec tunnel establishment


Security AssociationSecurity Association (2) (2)• Independent for both traffic directionsIndependent for both traffic directions• Independent SAs for individual security protocolsIndependent SAs for individual security protocols

• i.e. AH, ESP, IKE i.e. AH, ESP, IKE • Internet Key Exchange (IKE) provides secure tunnel for Internet Key Exchange (IKE) provides secure tunnel for

dynamic SA negotiationdynamic SA negotiation

• Limited lifetimeLimited lifetime• time/bytes transferredtime/bytes transferred• new SA is negotiated before lifetime expirationnew SA is negotiated before lifetime expiration

• Stored in Security Association Database (SADB) Stored in Security Association Database (SADB) • Security Parameter Index (SPI) + SA valuesSecurity Parameter Index (SPI) + SA values


IPSec modes: Tunnel and TransportIPSec modes: Tunnel and Transport

Transport Mode

Tunnel modeTunnel mode


Transport ModeTransport Mode• End-to-end securityEnd-to-end security

• IPSec IPSec support in end-user station operating system neededsupport in end-user station operating system needed

• AH and ESP inserted between AH and ESP inserted between L3 aL3 andnd L4 L4 headers headers• Impossible to filter traffic according to Impossible to filter traffic according to L4 L4 header in the header in the

network (L4 header is encrypted)network (L4 header is encrypted)• Next-header field of AH/ESP header identifies L4 header Next-header field of AH/ESP header identifies L4 header

(protocol)(protocol)

• OriginalOriginal IP IP headerheader unencryptedunencrypted• But protected by But protected by autauthhentientication/data integrity => cation/data integrity =>

incompatible withincompatible with NAT NAT


Tunnel ModeTunnel Mode• IPSec tunnel between routers connecting secure LANs IPSec tunnel between routers connecting secure LANs

to unsecure shared infrastructure (IPSec gateways)to unsecure shared infrastructure (IPSec gateways)• no need for IPSec support in user’s station operating systemsno need for IPSec support in user’s station operating systems

• IP packets encapsulated by another IP packets (tunnel)IP packets encapsulated by another IP packets (tunnel) • AH and ESP inserted at the beginning of encapsulating AH and ESP inserted at the beginning of encapsulating

packet data field, original unchanged (tunneled) packet packet data field, original unchanged (tunneled) packet followsfollows

• Packets encrypted including their IP headers – spy in Packets encrypted including their IP headers – spy in insecure network cannot even determine which stations insecure network cannot even determine which stations of secure networks speak togetherof secure networks speak together


Transfer of control information forTransfer of control information for IPSecIPSec

• AuthentiAuthenticcation Headeration Header• Information for authentication and data integrityInformation for authentication and data integrity

• Encapsulating Security PayloadEncapsulating Security Payload• Information for encryption, authentication and data Information for encryption, authentication and data

integrityintegrity• and optionally anti-replayand optionally anti-replay

• May completely supersede authentication headerMay completely supersede authentication header• AH defined earlier, still maintained for compatibility with AH defined earlier, still maintained for compatibility with

older implementationsolder implementations


Authentication headerAuthentication header• Assures authentication and (connectionless) data Assures authentication and (connectionless) data

integrity integrity • Protects Protects IP hIP headereader ( (unchanging fieldsunchanging fields) ) andand IP IP packet packet

datdataa• carries authentication information (HMAC)carries authentication information (HMAC)• carries Security Parameters Index (SPI) to identify particular carries Security Parameters Index (SPI) to identify particular

security association security association used for current packetused for current packet• if multiple SAs used concurrentlyif multiple SAs used concurrently

• Optional support forOptional support for anti-replay anti-replay• Sender inserts sequence numbers into packets, receiver may Sender inserts sequence numbers into packets, receiver may

optionally verify themoptionally verify them• Protects IP header Protects IP header ==> incompatible with NAT> incompatible with NAT


AH – transport modeAH – transport mode


AH – tunnel modeAH – tunnel mode


Encapsulating Security Payload-ESPEncapsulating Security Payload-ESP

• Carries control information for data encryption Carries control information for data encryption (and authentication)(and authentication)• encapsulates protected dataencapsulates protected data

• Optional data authentication and integrity check Optional data authentication and integrity check (only user data)(only user data)

• Optional Optional anti-replayanti-replay check check• May provide all functions of authentication May provide all functions of authentication

headerheader


ESP – transport modeESP – transport mode


ESP – tunnel modeESP – tunnel mode


Dynamic SA negotiationDynamic SA negotiation

• Manual configuration of SAs at multiple stations is Manual configuration of SAs at multiple stations is tedious and error-prone tasktedious and error-prone task

• Need for reoccurring reconfiguration - periodic change Need for reoccurring reconfiguration - periodic change of authentication/encryption keysof authentication/encryption keys


Dynamic SA negotiation frameworksDynamic SA negotiation frameworks• Internet Security Association and Key Management Protocol Internet Security Association and Key Management Protocol

(ISAKMP)(ISAKMP)• framework for secure (dynamic) key exchange and security association framework for secure (dynamic) key exchange and security association

negotiationnegotiation• does not define any particular algorithms, provides only mechanics of does not define any particular algorithms, provides only mechanics of

parameter negotiation and key exchange protocolsparameter negotiation and key exchange protocols• payload formats etc.payload formats etc.

• Internet Key Interchange (IKE)Internet Key Interchange (IKE)• operates within ISAKMP frameworkoperates within ISAKMP framework• key exchange protocol (Oakley Key Exchange + Skeme Key Exchange)key exchange protocol (Oakley Key Exchange + Skeme Key Exchange)

• used to negotiate IPSec SAsused to negotiate IPSec SAs• SA negotiation protected by tunnel encrypted with dynamically negotiated SA negotiation protected by tunnel encrypted with dynamically negotiated

keys (keys (Diffie-HellmaDiffie-Hellmall algorit algorithhmm))


Diffie-Hellman algorithmDiffie-Hellman algorithm• Used to negotiate shared secret key between Used to negotiate shared secret key between

two parties over unsecure channeltwo parties over unsecure channel• Key value never sent over unsecure channelKey value never sent over unsecure channel• Based on public/private key pair generation on Based on public/private key pair generation on

both sides, public key interchange and calculations both sides, public key interchange and calculations with big prime numberswith big prime numbers

• communicating parties have to be communicating parties have to be authenticated by some external mechanism authenticated by some external mechanism

• prevents man-in-the-middle attackprevents man-in-the-middle attack• (pre-shared key, certificates + CA)(pre-shared key, certificates + CA)


IPSec operation on routersIPSec operation on routers1.1. Interesting traffic detectedInteresting traffic detected

• i.e. traffic whose encrytion is requiredi.e. traffic whose encrytion is required

2.2. IKE Phase 1IKE Phase 1• IPSec peer authentication (pre-shared keys, RSA signatures (X.509))IPSec peer authentication (pre-shared keys, RSA signatures (X.509))• Negotiation of IKE SAs (Diffie-Hellman)Negotiation of IKE SAs (Diffie-Hellman)

• Encryption algorithm, hash algorithm, keys, key lifetime, …Encryption algorithm, hash algorithm, keys, key lifetime, …• Establishes secure channel for IPSec SA negotiationEstablishes secure channel for IPSec SA negotiation

3.3. IKE Phase 2IKE Phase 2• Negotiation of IPSec SAs (for both directions)Negotiation of IPSec SAs (for both directions)• According to policies supported by peersAccording to policies supported by peers

• Multiple priorized policies may be definedMultiple priorized policies may be defined

4.4. Secure data exchange using IPSecSecure data exchange using IPSec• SAs renegotiated by IKE if lifetime expiresSAs renegotiated by IKE if lifetime expires

5.5. After inactivity timeout, IPSec tunnel closed (SAs discarded) After inactivity timeout, IPSec tunnel closed (SAs discarded)


Which traffic to encrypt ?Which traffic to encrypt ?

Crypto Access ListsCrypto Access Lists

• OutboundOutbound - - indicate which data have to be protected by indicate which data have to be protected by IPSecIPSec

• InboundInbound - - filter out and discard traffic that should have filter out and discard traffic that should have been protected by IPSec (but is not)been protected by IPSec (but is not)


Needed ACL modification for IPSec Needed ACL modification for IPSec operationoperation

• ISAKMP – UDP port 500ISAKMP – UDP port 500• ESP – IP protocol 50ESP – IP protocol 50• AH – IP protocol 51AH – IP protocol 51

Documents

Cisco Presentation Guide · 2009-11-03 · •IPSec tunnel between routers connecting secure LANs to unsecure shared infrastructure (IPSec gateways) •no need for IPSec support in