Upload
davin
View
15
Download
0
Tags:
Embed Size (px)
DESCRIPTION
ECE 454/599 Computer and Network Security. Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012. IPsec: IKE. Photuris and SKIP PHASE 1 IKE PHASE 2 IKE. Security Association Issues. How is SA established? - PowerPoint PPT Presentation
Citation preview
ECE 454/599 ECE 454/599 Computer and Network Computer and Network SecuritySecurity
Dr. Jinyuan (Stella) SunDept. of Electrical Engineering and Computer ScienceUniversity of Tennessee Fall 2012
1
IPsec: IKEIPsec: IKE• Photuris and SKIP• PHASE 1 IKE• PHASE 2 IKE
Security Association Security Association IssuesIssuesHow is SA established?
◦ How do parties negotiate a common set of cryptographic algorithms and keys to use?
More than one SA can apply to a packet!◦ E.g., end-to-end authentication (AH) and
additional encryption (ESP) on the public part of the network
IKE: Internet Key IKE: Internet Key ExchangeExchange
Purpose◦ Mutual Authentication◦ Shared Secret Establishment◦ Crypto Algorithms Negotiation◦ Security Association Establishment
IPsec Key ManagementIPsec Key ManagementData transmitted needs to be secured
◦ IPsec SA, session keys, AH or ESPMessages for establishing IPsec SA need
to be secured◦ IKE SA, negotiated secret
Negotiation for establishing IKE SA need to be authenticated◦ Pre-shared secret key◦ Public/private keys
Review: CookiesReview: CookiesClogging attacks
◦ An opponent forges the source address of a legitimate user and send a public Diffie-Hellman key to the victim; The victim then performs a modular exponentiation to compute the secret key; Repeated messages of this type can clog the victim’s system with useless work.
First proposed in Photuris; Cookie◦ A number chosen by responder; When
receiving a request from S, send the cookie to S in clear; start the processing after the cookie comes back from the initiator.
Stateless cookies◦ The responder does not have to remember
(store) the cookies he sent out; The cookie is a function of the IP address and a secret known to the responder
A Stateless Cookie ProtocolA Stateless Cookie Protocol
PhoturisPhoturis
Features of PhoturisFeatures of PhoturisDenial of service protection:
◦ Stateless cookie CB in message 2Signed Diffie-Hellman exchange
◦ Signature on the previous message in message 5 and 6
Identity hiding◦ Anonymous Diffie-Hellman◦ Identities are encrypted in message 5 and
6 (for active man-in-the-middle, the initiator’s identity is revealed, but not the responder)
SKIP uses Diffie-Hellman public keys◦ Alice finds Bob’s public key (gB mod p ) via a
certificate from Bob or a directory. Bob finds Alice’s public key (gA mod p ). Then they will have a common secret (gAB mod p).
Data encryption◦ The D-H common secret should not be used
to encrypt data. Instead each message has a SKIP header where the long term secret is used to encrypt a short-term data encryption key, which is used to encrypt the message.
SKIP: Simple Key Management for Internet Protocols
IKE PhasesIKE PhasesPhase One
◦ Mutual authentication◦ Session key establishment◦ ISAKMP SA/IKE SA
Phase Two◦ Negotiating IPsec SAs (AH, ESP)
Why two phases?Why two phases?ISAKMP would be used by other
protocols to set up SAs, not only to set up IPsec SAs.
Phase 1 exchange is relatively expensive. ISAKMP/IKE SA has a longer timeout period. It can be used to negotiate multiple phase 2 IPsec SAs, which reduces the usage of pre-shared secret or private key.
Phase 1 IKEPhase 1 IKETwo modesAggressive mode
◦ 3 messages◦ Mutual authentication◦ Session key establishment
Main Mode◦ 6 messages◦ Mutual authentication◦ Session key establishment◦ Hiding endpoint identity◦ Negotiating cryptographic algorithms
Phase 1: Aggressive ModePhase 1: Aggressive Mode
Phase 1: Main Mode Phase 1: Main Mode
Negotiating Cryptographic Negotiating Cryptographic ParametersParametersEncryption algorithm (e.g., DES, 3DES,
IDEA)Hash algorithm (e.g., MD5, SHA)Authentication method (e.g., pre-
shared keys, RSA public key signature, DSS, RSA public key encryption)
Diffie-Hellman group (e.g., g and p)
Crypto ProposalsCrypto ProposalsAlice sends Bob a list of proposals, each
consisting of an encryption algorithm, a hash algorithm, authentication method, and a Diffie-Hellman group.
Bob replies one as the accepted proposal.
The parameters in the proposal are used in Phase 1 and Phase 2 (IKE SA), with hash algorithm used for various purposes.
Key TypesKey TypesMutual authentication based on
◦Pre-shared secret key◦Public encryption key
Original protocol design Improved Protocol design
◦Public signature key
Cookie IssuesCookie Issues
IKE is stateful, starting from the first message.◦Alice’s crypto proposal is in the identity
proof◦ISAKMP requires randomly chosen
cookiesIdentifier: <initiator cookie,
responder cookie>
Session KeysSession KeysAfter Diffie-Hellman key exchange,
each side knows gxy mod p
Encryption key and Integrity key for the rest of IKE SA
Keys for IPSec SAs
Session KeysSession KeysPseudo Random function – prf(key, data), e.g.,
CBC residue, HMACSKEYID
◦ For signature public keys, prf(nonces, gxy)◦ For encryption public keys, prf(hash(nonces), cookies)◦ For pre-shared secret keys, prf(pre-shared secret key,
nonces)SKEYID_d: secret bits used to create other keys
◦ prf(SKEYID, gxy | cookies | 0)SKEYID_a: the integrity protection key
◦ prf(SKEYID, SKEYID_d | gxy | cookies | 1)SKEYID_e: the encryption key
◦ prf(SKEYID, SKEYID_d | gxy | cookies | 2)
Proof of IdentityProof of Identity
Proof of the key associated with the identity ◦ pre-shared secret key◦ private encryption key◦ private signature key
Integrity-check on the previous messages, such as identity, Diffie-Hellman values, nonce, Alice’s crypto proposal, and the cookies.
Proof of Identity (ContProof of Identity (Cont’’d)d)Alice’s proof of identity
◦prf ( SKEYID, gx | gy | cookies | Alice’s initial proposals | Alice’s identity )
Bob’s proof of identity◦prf ( SKEYID, gx | gy | cookies | Alice’s
initial proposal | Bob’s identity )
IKE phase 1 protocolsIKE phase 1 protocols8 phase-1 protocols
◦2 modes◦4 types of keys
Common features◦Message 1 starts with Alice’s cookie◦All other messages start with
(initiator cookie, responder cookie), which serves as the IKE connection identifier
Phase 1: Public Signature Keys, Main Phase 1: Public Signature Keys, Main ModeMode
Phase 1: Public Signature Keys, Phase 1: Public Signature Keys, Aggressive ModeAggressive Mode
Phase 1: Public Encryption Keys, Phase 1: Public Encryption Keys, Main Mode, OriginalMain Mode, Original
Phase 1: Public Encryption Keys, Phase 1: Public Encryption Keys, Aggressive Mode, OriginalAggressive Mode, Original
Phase 1: Public Encryption Keys, Phase 1: Public Encryption Keys, Main Mode, RevisedMain Mode, Revised
Phase 1: Public Encryption Keys, Phase 1: Public Encryption Keys, Aggressive Mode, RevisedAggressive Mode, Revised
Phase 1: Pre-Shared Secret Keys, Phase 1: Pre-Shared Secret Keys, Main ModeMain Mode
Phase 1: Pre-Shared Secret Keys, Phase 1: Pre-Shared Secret Keys, Aggressive ModeAggressive Mode
Phase 2, Quick ModePhase 2, Quick ModeEstablish IPSec SAs (e.g., ESP and/or AH)
◦ Crypto parameters◦ Diffie-Hellman numbers (optional)◦ Traffic type (optional)
All messages (except X,Y) encrypted and integrity protected
Reading AssignmentReading Assignment
[Kaufman] Chapter 18