© 2005 Petr Grygarek, Advanced Computer Networks Technologies 1
Virtual Private Networks
Petr Grygárek
Agenda:
• Cryptography basics
• VPN principles and usage
• IPSec
Basic terminology and mechanisms of network security and cryptography
Authentication and encryption
• Confidentiality
  • an unauthorized listener cannot understand the meaning of the data
  • implemented by encryption
• Authentication
  • verification of the data sender's identity
• Data integrity
  • verification that the data were not modified during transport
• Non-repudiation
  • the data source cannot repudiate that it sent a particular piece of data (i.e. that it signed it)
Hashing function
• one-way function (algorithm)
  • impossible to guess how to modify the data so that the hash code represents false data (i.e. data falsified by an attacker)
• converts a (long) block of data to a (short) hash value
• often used as a Hashed Message Authentication Code (HMAC)
  • the hash is computed from the [data+secret] block
• algorithms commonly used as hash functions
  • HMAC-MD5 – Message Digest 5 (128b message digest)
  • HMAC-SHA1 – Secure Hash Algorithm (stronger – 160b message digest)
Cryptographic system
Implementation options
• Conceal the encryption/decryption algorithm
  • if the algorithm is revealed, the implementation is useless
• Conceal keys
  • keys are used to parametrize a (known) algorithm
  • a sufficient number of possible keys has to be available
[Figure: plaintext → Encryption (Key) → ciphertext → Decryption (Key) → plaintext]
Symmetric cryptosystem
• Shared secret key
• Efficient algorithm implementations
  • speed, relative simplicity
  • possible to implement in hardware
  • DES, 3DES, AES, …
• Problem with secure secret key distribution
Authentication in symmetric cryptosystem
• Sender encrypts the username using the shared key, receiver decrypts it using the same key and tests the username's validity
• Possible validity check implementation:
  • Sender appends the username hash behind the username, then encrypts the whole block with the shared key
  • Receiver decrypts [username+hash] with the shared key, computes the username hash and compares it with the received hash
• Does not require maintaining a username database
Data integrity check implementation
• [message+shared secret key] -> hash
• message+hash is sent
• receiver appends the shared secret key behind the received message, calculates the hash by itself and compares it with the received hash
Combines origin authentication and data integrity check
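A worked version of this check, added here as an example (not from the slides): the [message+shared secret] hash exactly as described, beside the standard HMAC construction (RFC 2104) that the HMAC-MD5/HMAC-SHA1 names on the earlier slide refer to, which keys the hash in a nested way rather than by plain concatenation. The secret and the message are constructed values.

```python
import hashlib
import hmac

# Constructed demo values; real shared secrets come from the key distribution mechanism.
SHARED_SECRET = b"constructed-shared-secret"
MESSAGE = b"transfer 100 to account 42"
BLOCK = 64  # SHA-1 block size in bytes


def suffix_mac(message: bytes, secret: bytes) -> bytes:
    """Literally what the slide describes: hash([message+shared secret key])."""
    return hashlib.sha1(message + secret).digest()


def hmac_sha1(message: bytes, secret: bytes) -> bytes:
    """HMAC-SHA1 as standardised in RFC 2104: the secret is mixed in twice,
    H((K xor opad) || H((K xor ipad) || message)), not simply appended."""
    key = hashlib.sha1(secret).digest() if len(secret) > BLOCK else secret
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def send(message: bytes, secret: bytes, mac=hmac_sha1):
    """Sender: what goes on the wire is message+hash."""
    return message, mac(message, secret)


def receive(message: bytes, received_hash: bytes, secret: bytes, mac=hmac_sha1) -> bool:
    """Receiver: recompute the hash over the received message with the shared secret and
    compare; compare_digest keeps the comparison time independent of where a mismatch is."""
    return hmac.compare_digest(mac(message, secret), received_hash)


def demo() -> dict:
    """Exercise the check with an intact, a modified and a wrongly keyed message."""
    msg, tag = send(MESSAGE, SHARED_SECRET)
    results = {"intact": receive(msg, tag, SHARED_SECRET)}
    # In-transit modification of the message changes the recomputed hash...
    results["modified"] = receive(b"transfer 900 to account 42", tag, SHARED_SECRET)
    # ...and a hash produced without the shared secret fails too (origin authentication).
    results["wrong_secret"] = receive(MESSAGE, hmac_sha1(MESSAGE, b"wrong-secret"), SHARED_SECRET)
    # The plain [message+secret] variant from the slide is verified the same way.
    msg2, tag2 = send(MESSAGE, SHARED_SECRET, mac=suffix_mac)
    results["suffix_intact"] = receive(msg2, tag2, SHARED_SECRET, mac=suffix_mac)
    # The hand-written HMAC matches Python's standard implementation.
    results["matches_stdlib"] = hmac_sha1(MESSAGE, SHARED_SECRET) == hmac.new(
        SHARED_SECRET, MESSAGE, hashlib.sha1).digest()
    return results
```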
Asymmetric cryptosystem
• Keys generated as a pair – public and private key
• One key of the pair is used for encryption, the second for decryption
  • no matter which one for what
  • uses identical or complementary algorithms for encryption and decryption
[Figure: Alice encrypts with Bob's public key KB_PUBLIC, Bob decrypts with his private key KB_PRIVATE; Alice holds KA_PUBLIC/KA_PRIVATE, Bob holds KB_PUBLIC/KB_PRIVATE; a certification authority publishes KA_PUBLIC and KB_PUBLIC]
Features of asymmetric cryptosystem
• More calculations compared to a symmetric algorithm => slower
  • RSA, ElGamal
• Problem of secure public key distribution
  • no need to conceal them, but we need a secure mechanism for public key transport
  • a certification authority digitally signs public keys packed together with owner information (so called "certificates")
Usages of asymmetric system
• Digital signatures
  • no problem with secret key distribution
• Exchange of keys for a symmetric system
  • often dynamically generated keys with limited lifetime
Certification authority (1)
• Trusted entity
• Digitally signs public keys packed together with owner information – certificates
• First contact with the CA must be personal
  • obtaining of the private+public key pair
  • there exist ways to deliver the encrypted private key + certificate (containing the signed public key) without physical contact
    • need to authenticate the certificate request
    • uses a password pre-negotiated between user and CA to encrypt the private key + certificate before sending it to the user
      • usage of LDAP password etc.
  • private+public key generation may take place at the client OS
    • the client keeps the private key and sends the public key to the CA for signing over HTTPS
Certification authority (2)
• Public key of the CA is needed by communicating parties to verify the certificates of other communicating peers
• Public key of the CA has to be inserted into every system in some trustworthy manner
  • built into OS/WWW browser installation files
Advantage: only one public key (the CA certificate) has to be preconfigured manually
Authentication and data integrity check in asymmetric system
[Figure: Alice → Bob. Alice side: Data, Hash, KA_PRIVATE, KB_PUBLIC. Bob side: KB_PRIVATE, KA_PUBLIC, Hash, Data, comparison of the received hash with the recomputed hash]
Virtual Private Networks (VPN)
What is VPN?
• VPNs allow building private WANs over a public shared infrastructure with the same level of security and configuration options as with a private infrastructure
• Uses tunneling and encryption methods
  • including authentication
Tunnel
• Virtual point-to-point connection over a shared infrastructure
  • often authenticated and encrypted
• Carries packets of some protocol encapsulated in another protocol
  • sometimes in the same protocol (IP over IP)
  • a tunnel can carry layer 2 frames also
  • allows other protocols to be carried over an IP network (even non-routable protocols such as NetBEUI etc.)
Advantages of VPNs over physical private WAN infrastructure
• Lower cost
• Flexibility of (virtual) topology
  • topology defined purely by configuration
• No WAN link maintenance and management needed
  • the provider (ISP) takes responsibility for the infrastructure
No special contract with the infrastructure provider is needed (we only need the ISP not to filter tunneling protocols)
Common VPN applications (1)
• Site-to-site VPNs
  • router to router (firewall to firewall)
  • secure interconnection of (multiple) distant LANs
  • analogy with classical WAN networks
[Figure: Secure intranet (1) – Encryption/Decryption – site-to-site tunnel across the unsecure public infrastructure (Internet) – Encryption/Decryption – Secure intranet (2)]
Common VPN applications (2/1)
• Remote access VPNs
  • Client-initiated
    • remote user to VPN concentrator
    • the user has special encryption software installed (VPN client)
  • NAS-initiated
    • remote user dials in to the service provider's NAS using some connection-oriented telecommunication network
      • PSTN, ISDN
    • the NAS initiates a secure tunnel to the secure corporate network
Common VPN applications (2/2)
[Figure: remote access VPN topologies. A user with VPN client software builds a client-initiated VPN tunnel (encryption at the client, decryption at the VPN concentrator) across the unsecure public infrastructure (Internet) into the secure intranet. A user without any special software dials over the PSTN (modem) into the ISP NAS, which builds a NAS-initiated VPN tunnel to the VPN concentrator.]
On which layer should VPNs be implemented?
Internetwork-wide VPNs => at or above layer 3
• Layer 3 VPN – IPSec
  • media independent (above hop-by-hop L2 security)
  • application independent
  • connectionless security
• Layer 4 VPN – commonly uses SSL
  • but what to do with a connectionless service (UDP)?
• Layer 7 VPN – application level (WWW)
IPSec (VPN implementation using IP)
IPSec (RFC 2401)
IPSec = suite of protocols and algorithms used for data security implementation at the network layer
• Open standards framework
• General, independent of the actual algorithms used
  • flexible and stable – no need for change when a particular algorithm is compromised
• Provides authentication, data integrity and confidentiality
  • using particular preconfigured or negotiated algorithms, not by itself
• Only for unicast IP traffic
  • but other protocols including IP broadcasts/multicasts can be encapsulated into a tunnel before transportation over the IPSec mechanism
• Implemented as an additional mechanism for IPv4, natively built into IPv6
Basic IPSec terminology
• Security Association
  • set of policies and keys for data protection
  • shared by (two) communicating partners
• Authentication Header
  • header appended to every packet to carry authentication system information (HMAC etc.)
• Encapsulating Security Payload Header
  • header appended to every packet to carry security system information (authentication, confidentiality)
Security Association (1)
• Defines the encryption and authentication parameters used between two partners communicating over an IPSec tunnel
  • encryption and authentication algorithm, key size, key lifetime
  • encryption and authentication key (symmetric)
  • IPSec mode (tunnel/transport)
  • encapsulation protocol (AH/ESP)
  • specification of traffic to be encrypted (/decrypted)
• Pre-configured or negotiated between partners during IPSec tunnel establishment
Security Association (2)
• Independent for both traffic directions
• Independent SAs for individual security protocols
  • i.e. AH, ESP, IKE
  • Internet Key Exchange (IKE) provides a secure tunnel for dynamic SA negotiation
• Limited lifetime
  • time/bytes transferred
  • a new SA is negotiated before lifetime expiration
• Stored in the Security Association Database (SADB)
  • Security Parameter Index (SPI) + SA values
IPSec modes: Tunnel and Transport
[Figure: packet layouts in Transport mode and Tunnel mode]
Transport Mode
• End-to-end security
  • IPSec support in the end-user station's operating system needed
• AH and ESP inserted between the L3 and L4 headers
  • impossible to filter traffic according to the L4 header in the network (the L4 header is encrypted)
  • the Next-header field of the AH/ESP header identifies the L4 header (protocol)
• Original IP header unencrypted
  • but protected by authentication/data integrity => incompatible with NAT
Tunnel Mode
• IPSec tunnel between routers connecting secure LANs to the unsecure shared infrastructure (IPSec gateways)
  • no need for IPSec support in users' station operating systems
• IP packets encapsulated in other IP packets (tunnel)
  • AH and ESP inserted at the beginning of the encapsulating packet's data field, the original unchanged (tunneled) packet follows
• Packets encrypted including their IP headers – a spy in the insecure network cannot even determine which stations of the secure networks talk to each other
Transfer of control information for IPSec
• Authentication Header
  • information for authentication and data integrity
• Encapsulating Security Payload
  • information for encryption, authentication and data integrity
  • and optionally anti-replay
  • may completely supersede the Authentication Header
    • AH was defined earlier, still maintained for compatibility with older implementations
Authentication header
• Assures authentication and (connectionless) data integrity
• Protects the IP header (unchanging fields) and the IP packet data
  • carries authentication information (HMAC)
  • carries the Security Parameters Index (SPI) to identify the particular security association used for the current packet
    • if multiple SAs are used concurrently
• Optional support for anti-replay
  • the sender inserts sequence numbers into packets, the receiver may optionally verify them
• Protects the IP header => incompatible with NAT
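Why the "protects IP header => incompatible with NAT" point on this slide and on the Transport Mode slide holds, as an added example that is not part of the original deck: a transport-mode AH packet built by hand, its ICV computed over the immutable IP header fields as RFC 2402 prescribes, then checked after a router's TTL decrement and after a NAT source-address rewrite. The key, addresses, SPI and payload are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_KEY = b"constructed-ah-key"   # constructed demo key; in practice it comes from the SA
ICV_LEN = 12                     # HMAC-SHA1-96: the HMAC truncated to 96 bits (RFC 2404)
IP_PROTO_AH = 51


def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header. The checksum is left at zero: it is a mutable
    field, excluded from the ICV, so its value does not affect the demonstration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def ah_header(next_header: int, spi: int, seq: int) -> bytes:
    """AH with a zeroed ICV. Payload Len = length in 32-bit words minus 2; 24 bytes -> 4."""
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x00" * ICV_LEN


def icv_input(ip_hdr: bytes, ah: bytes, payload: bytes) -> bytes:
    """What the HMAC covers (RFC 2402): the IP header with its mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum), the AH with a zeroed ICV, and the data."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # Type of Service
    h[6:8] = b"\x00\x00"       # Flags + Fragment Offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # Header Checksum
    return bytes(h) + ah[:12] + b"\x00" * ICV_LEN + payload


def compute_icv(ip_hdr: bytes, ah: bytes, payload: bytes, key: bytes = AH_KEY) -> bytes:
    return hmac.new(key, icv_input(ip_hdr, ah, payload), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """Sender side in transport mode: IP header, AH, then the original L4 data."""
    ip = ipv4_header(src, dst, ttl=64, proto=IP_PROTO_AH, total_len=20 + 24 + len(payload))
    ah = ah_header(next_header=17, spi=spi, seq=seq)   # 17: the protected data is UDP (constructed)
    return ip + ah[:12] + compute_icv(ip, ah, payload) + payload


def verify_ah_packet(pkt: bytes, key: bytes = AH_KEY) -> bool:
    """Receiver side: recompute the ICV over the received packet and compare it
    with the one carried in the AH."""
    ip, ah, payload = pkt[:20], pkt[20:44], pkt[44:]
    return hmac.compare_digest(compute_icv(ip, ah, payload, key), ah[12:24])


def router_hop(pkt: bytes) -> bytes:
    """An ordinary router decrements TTL, a mutable field, so the ICV still verifies."""
    h = bytearray(pkt)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """NAT replaces the source address, an immutable field covered by the ICV."""
    return pkt[:12] + ipaddress.ip_address(new_src).packed + pkt[16:]
```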
AH – transport mode
AH – tunnel mode
Encapsulating Security Payload – ESP
• Carries control information for data encryption (and authentication)
  • encapsulates the protected data
• Optional data authentication and integrity check (only user data)
• Optional anti-replay check
• May provide all functions of the Authentication Header
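Anti-replay, mentioned here and on the Authentication header slide, together with the SPI lookup in the SADB from the Security Association slides, as an added example that is not from the deck: a minimal ESP header parser and a receiver-side sliding window (the scheme of RFC 4303 section 3.4.3) run over a constructed sequence of packets. SPIs, sequence numbers and payloads are made-up values.

```python
import struct

ESP_HEADER = struct.Struct("!II")   # SPI (32 bits) then Sequence Number (32 bits)


def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the first 8 bytes of an ESP packet. Everything after them is
    the encrypted payload and trailer, which this example does not interpret."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


class ReplayWindow:
    """Receiver-side anti-replay window of one SA: a bitmap over the last `size` sequence
    numbers whose right edge is the highest number accepted so far. A real implementation
    runs this only after the ICV has verified; here the ICV is assumed valid."""

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0      # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (right - i) already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                    # 0 is never a valid ESP sequence number
        if seq > self.right:                # right of the window: advance it
            shift = seq - self.right
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False                    # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                    # already received: replay
        self.bitmap |= 1 << offset          # out-of-order but new: accept and mark
        return True


def make_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP packet: header plus an opaque stand-in for the encrypted payload."""
    return ESP_HEADER.pack(spi, seq) + body


def process_inbound(sadb: dict, packets) -> list:
    """Look the SA up by SPI (the SADB key) and run that SA's replay check."""
    verdicts = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        window = sadb.get(spi)
        if window is None:
            verdicts.append("drop: unknown SPI")
        elif window.check_and_update(seq):
            verdicts.append("accept")
        else:
            verdicts.append("drop: replay or outside window")
    return verdicts


def demo() -> list:
    """In-order, out-of-order, duplicated, stale and far-ahead packets on one SA,
    plus a packet for an SPI that has no SA."""
    sadb = {0x1001: ReplayWindow(size=64)}
    stream = [make_esp(0x1001, s) for s in (1, 2, 3, 5, 4, 3, 70, 6, 7, 200)]
    stream.append(make_esp(0x2002, 1))
    return process_inbound(sadb, stream)
```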
ESP – transport mode
ESP – tunnel mode
Dynamic SA negotiation
• Manual configuration of SAs at multiple stations is a tedious and error-prone task
• Need for recurring reconfiguration – periodic change of authentication/encryption keys
Dynamic SA negotiation frameworks
• Internet Security Association and Key Management Protocol (ISAKMP)
  • framework for secure (dynamic) key exchange and security association negotiation
  • does not define any particular algorithms, provides only the mechanics of parameter negotiation and key exchange protocols
    • payload formats etc.
• Internet Key Exchange (IKE)
  • operates within the ISAKMP framework
  • key exchange protocol (Oakley Key Exchange + SKEME Key Exchange)
  • used to negotiate IPSec SAs
  • SA negotiation protected by a tunnel encrypted with dynamically negotiated keys (Diffie-Hellman algorithm)
Diffie-Hellman algorithm
• Used to negotiate a shared secret key between two parties over an unsecure channel
• The key value is never sent over the unsecure channel
• Based on public/private key pair generation on both sides, public key interchange and calculations with big prime numbers
• Communicating parties have to be authenticated by some external mechanism
  • prevents the man-in-the-middle attack
  • (pre-shared key, certificates + CA)
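The exchange described above, with the pre-shared-key authentication that the last bullet calls for, as an added example (not from the slides). The modulus is searched at a demo size at start-up, and the PSK, peer names and the authentication payload format are constructed simplifications of what IKE does; the arithmetic (g^a, g^b and g^ab mod p, with the secret never transmitted) is the same.

```python
import hashlib
import hmac
import secrets

PSK = b"constructed-pre-shared-key"   # constructed; the slide's external authentication mechanism
DEMO_BITS = 96   # demo-sized modulus; IKE uses the 1024-8192-bit MODP groups of RFC 3526
G = 2


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """p = 2q+1 with p, q prime and p = 7 (mod 8): then G = 2 generates the subgroup of
    prime order q, the same structure as the RFC 3526 MODP groups."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if p % 8 == 7 and is_probable_prime(q) and is_probable_prime(p):
            return p


class Party:
    """One peer: the private exponent never leaves the host; only the public value and a PSK-keyed HMAC over it cross the channel."""

    def __init__(self, name: str, p: int):
        self.name, self.p, self.width = name, p, (p.bit_length() + 7) // 8
        self.private = secrets.randbelow(p - 2) + 1
        self.public = pow(G, self.private, p)

    def _tag(self, sender: str, receiver: str, public: int) -> bytes:
        msg = b"|".join([sender.encode(), receiver.encode(), public.to_bytes(self.width, "big")])
        return hmac.new(PSK, msg, hashlib.sha256).digest()

    def auth_tag(self, peer_name: str) -> bytes:
        return self._tag(self.name, peer_name, self.public)

    def shared_key(self, peer_name: str, peer_public: int, peer_tag: bytes) -> bytes:
        """Verify the peer's tag and public value before using them, then derive the key."""
        if not hmac.compare_digest(self._tag(peer_name, self.name, peer_public), peer_tag):
            raise ValueError("peer authentication failed (possible man-in-the-middle)")
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid public value")
        secret = pow(peer_public, self.private, self.p)   # G^(ab) mod p, never transmitted
        return hashlib.sha256(secret.to_bytes(self.width, "big")).digest()


def run_exchange(substitute_public: bool = False) -> str:
    """'agreed' when both sides derive the same key; 'rejected' when a replaced public value is refused."""
    p = safe_prime(DEMO_BITS)
    alice, bob = Party("alice", p), Party("bob", p)
    a_public, a_tag = alice.public, alice.auth_tag("bob")
    if substitute_public:
        a_public = Party("third", p).public   # replaced in transit; the tag cannot be re-made without the PSK
    try:
        k_bob = bob.shared_key("alice", a_public, a_tag)
        k_alice = alice.shared_key("bob", bob.public, bob.auth_tag("alice"))
    except ValueError:
        return "rejected"
    return "agreed" if k_alice == k_bob else "mismatch"
```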
IPSec operation on routers
1. Interesting traffic detected
  • i.e. traffic whose encryption is required
2. IKE Phase 1
  • IPSec peer authentication (pre-shared keys, RSA signatures (X.509))
  • negotiation of IKE SAs (Diffie-Hellman)
    • encryption algorithm, hash algorithm, keys, key lifetime, …
  • establishes a secure channel for IPSec SA negotiation
3. IKE Phase 2
  • negotiation of IPSec SAs (for both directions)
  • according to the policies supported by the peers
    • multiple prioritized policies may be defined
4. Secure data exchange using IPSec
  • SAs renegotiated by IKE if their lifetime expires
5. After an inactivity timeout, the IPSec tunnel is closed (SAs discarded)
Which traffic to encrypt?
Crypto Access Lists
• Outbound – indicate which data have to be protected by IPSec
• Inbound – filter out and discard traffic that should have been protected by IPSec (but is not)
Needed ACL modification for IPSec operation
• ISAKMP – UDP port 500
• ESP – IP protocol 50
• AH – IP protocol 51