IKE Tutorial

W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T

IKE Tutorial

©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential

Agenda

Cryptography BasicsCryptography Basics IPSECIPSEC IKEIKE IKE Hybrid ModeIKE Hybrid Mode


Cryptography - BasicsCryptography is used forCryptography is used for

ConfidentialityConfidentiality IntegrityIntegrity Authentication (signature)Authentication (signature)

2 categories2 categories Symetric cryptographySymetric cryptography Asymetric cryptographyAsymetric cryptography


Symetric CryptographySame Key is performing encryption and Same Key is performing encryption and

decryptiondecryption

Hi Bob !Hi Bob !* * ^1 ^1’’’’hh’’Hi Bob !Hi Bob !

ALICEALICE BOBBOB


Symetric CryptographySymetric Encryption Algorythms : Symetric Encryption Algorythms :

DES, 3DESDES, 3DES RC2, RC4, RC5RC2, RC4, RC5 IDEAIDEA BlowFishBlowFish CASTCAST FWZ-1FWZ-1


Symetric CryptographyAdvantages : Advantages :

FastFast Reliable (depends on the Key lenght)Reliable (depends on the Key lenght)

DisadvantagesDisadvantages The Key must remain secretThe Key must remain secret Key ManagementKey Management

Large number of people / sitesLarge number of people / sites Key changesKey changes


Asymetric Cryptography

2 Keys2 Keys 1 Public1 Public 1 Private1 Private Both are linked Both are linked

togethertogetherAlgorytms : Algorytms :

RSA (Rivest Shamir RSA (Rivest Shamir Adleman)Adleman)

Diffie HelmannDiffie Helmann

Public keyPublished

Private keyConfidential


Asymetric Cryptography (RSA)

ConfidentialityConfidentiality

AuthenticationAuthentication

Receiver’s Private key

Decryption

Receiver’s Public key

Encryption

Sender’s Private key Sender’s Public key

Encryption Decryption


Asymetric CryptographyEx. : confidentiality with RSAEx. : confidentiality with RSA

ALICEALICE BOBBOB

Hi Bob !Hi Bob ! *&^1)-h@’

Hi Bob !Hi Bob !

Bob’sprivate key

Bob’spublic key


Asymetric Cryptography : DH

ALICEALICEBOBBOB

DH privatekey

DH privatekey

Alice’s DHpublic key

Bob’s DHpublic key

Bob’s DHpublic key

Alice’s DHpublic key

DH Secret key


Symetric Cryptography

Advantages : Advantages : No need to distribute Secret KeysNo need to distribute Secret Keys

DisadvantagesDisadvantages Slow (100 to 1000 times slower than Slow (100 to 1000 times slower than

Symetric cryptography)Symetric cryptography)


Agenda



IPSEC Tunnel mode : Tunnel mode :

AH (ip protocol 33)AH (ip protocol 33) ESP (ip protocol 32)ESP (ip protocol 32)

Authentication / Integrity

Encrypted

New IPHeader

HeaderESP

OriginalIP Header

Authentication / Integrity

New IPHeader

HeaderAH

OriginalIP Header

ESPESPAHAH


Agenda



IKE TutorialBefore we begin, one necessary term. Before we begin, one necessary term.

HMAC is an “authenticated” hash HMAC is an “authenticated” hash computation. It is a method to digitally computation. It is a method to digitally sign data without using public key sign data without using public key cryptography.cryptography.

HMAC(key, data) = HASH(mix(key,data))HMAC(key, data) = HASH(mix(key,data))


IKE Tutorial Basic concept in IKE: Security Association (SA).Basic concept in IKE: Security Association (SA). An SA contains all information necessary for two An SA contains all information necessary for two

entities to exchange secured messages.entities to exchange secured messages. Each SA has an identifier, sometimes called an SPI.Each SA has an identifier, sometimes called an SPI. Example SA:Example SA:

SPI: 12345Encryption algorithm: DES

HMAC algorithm: MD5Encryption key: 0x65f3dde…HMAC key: 0xa3b443d9…Expiry: 15:06:09 13Oct98


IKE Tutorial In IP security, there are two types of SAs:In IP security, there are two types of SAs:

IKE SA: used for securing key negotiations.IKE SA: used for securing key negotiations. IPSEC SA: used for securing IP data.IPSEC SA: used for securing IP data.

When two IP entities wish to secure IP data When two IP entities wish to secure IP data between them, the following will occur:between them, the following will occur: Negotiate IKE SA.Negotiate IKE SA. Use IKE SA to negotiate IPSEC SA.Use IKE SA to negotiate IPSEC SA. Use IPSEC SA to encrypt IP data.Use IPSEC SA to encrypt IP data.

The IKE SA is long term. It will typically be The IKE SA is long term. It will typically be used to secure many IPSEC SA negotiations.used to secure many IPSEC SA negotiations.


IKE Tutorial The negotiation of IKE SAs is called “Phase 1”. The negotiation of IKE SAs is called “Phase 1”.

Phase 1 is authenticated using either PKI, or pre-Phase 1 is authenticated using either PKI, or pre-shared secrets.shared secrets.

There are two types of Phase 1 negotiations: “Main There are two types of Phase 1 negotiations: “Main Mode” and “Aggressive Mode”. Mode” and “Aggressive Mode”.

Aggressive Mode is more efficient (shorter Aggressive Mode is more efficient (shorter negotiation), but does not provide identity protection.negotiation), but does not provide identity protection.

Negotiating IPSEC SAs is called “Phase 2”.Negotiating IPSEC SAs is called “Phase 2”. There is only one type of Phase 2 negotiation, called There is only one type of Phase 2 negotiation, called

“Quick Mode”.“Quick Mode”.


IKE TutorialPhase 1: First Message Pair Phase 1, Main Mode consists of three pairs of Phase 1, Main Mode consists of three pairs of

messages. Remember: goal is to establish an messages. Remember: goal is to establish an IKE SA.IKE SA.

First pair: negotiation of parameters for the First pair: negotiation of parameters for the IKE SA: algorithms, authentication type, IKE SA: algorithms, authentication type, expiry. Simplified example:expiry. Simplified example:

Alice Bob

“We can do 3DES and SHA1, or DES and MD5”

“Let’s do 3DES and SHA1”


IKE TutorialPhase 1: Second Message Pair Second pair: exchange of cryptographic data. Goal Second pair: exchange of cryptographic data. Goal

is to establish a shared secret between two entities:is to establish a shared secret between two entities:

Note: the DH key is used only for this exchange, Note: the DH key is used only for this exchange, and then thrown away.and then thrown away.

Alice Bob

“Here’s a DH public key, and some random data”

“Here’s a DH public key, and some random data”

Alice and Bob both compute a shared secret which is a function of the DH keys and the random data.


IKE TutorialPhase 1 Some notes before the third pair of Some notes before the third pair of

messages:messages: Alice and Bob now have a shared secret, and they Alice and Bob now have a shared secret, and they

can use it to encrypt the third pair of messages.can use it to encrypt the third pair of messages. First and second pairs do not provide any First and second pairs do not provide any

authentication. Alice and Bob could be authentication. Alice and Bob could be masquerading, or Eve could be attacking using the masquerading, or Eve could be attacking using the “man-in-the-middle” technique.“man-in-the-middle” technique.

Furthermore, Alice and Bob do not know who they Furthermore, Alice and Bob do not know who they are negotiating with. All they know is an IP are negotiating with. All they know is an IP address from which the messages are arriving.address from which the messages are arriving.


IKE TutorialPhase 1: Third Message Pair Third pair of messages is encrypted. The goal is to Third pair of messages is encrypted. The goal is to

exchange identities, prove the identities, and exchange identities, prove the identities, and retroactively authenticate all the previous messages. retroactively authenticate all the previous messages. The authentication can be based on either pre-The authentication can be based on either pre-shared secrets, or on PKI. Example:shared secrets, or on PKI. Example:

Alice Bob

I’m [email protected]. Here’s an HMAC overall the data we exchanged, using our pre-shared secret.

I’m 204.53.10.4. Here’s an HMAC over all the data we exchanged, using our pre-shared secret.


IKE TutorialPhase 1 Some remarks:Some remarks:

How does this work with PKI? Addressed in PKI How does this work with PKI? Addressed in PKI presentation.presentation.

Identity types include X.500 Distinguished Names, Identity types include X.500 Distinguished Names, E-mail addresses, IP addresses and more.E-mail addresses, IP addresses and more.

Result of negotiation is a single, bi-directional IKE Result of negotiation is a single, bi-directional IKE SA.SA.

Authentication with pre-shared secrets allows Authentication with pre-shared secrets allows dictionary attacks on the pre-shared secret.dictionary attacks on the pre-shared secret.


IKE TutorialPhase 2

Phase 2 is always secured by an IKE SA. The IKE Phase 2 is always secured by an IKE SA. The IKE SA provides secrecy, authentication, and data SA provides secrecy, authentication, and data integrity.integrity.

Remember: the goal is to establish an IPSEC SA.Remember: the goal is to establish an IPSEC SA. Three messages in Phase 2:Three messages in Phase 2:

Message 1: Suggestion of parameters, and identities for Message 1: Suggestion of parameters, and identities for whom we’re negotiating.whom we’re negotiating.

Message 2: Choice of parameters, and HMAC signature on Message 2: Choice of parameters, and HMAC signature on first message.first message.

Message 3: HMAC signature on previous messages.Message 3: HMAC signature on previous messages. HMAC signatures use a key from the IKE SA.HMAC signatures use a key from the IKE SA.


IKE TutorialPhase 2Example Phase 2 (simplified) exchange:Example Phase 2 (simplified) exchange:

Alice Bob

Let’s do either ESP DES/MD5, or AH SHA1. I’m negotiating on behalf of subnets 189.63.71.0 and 204.53.10.0. Here’s some random data.

Let’s use AH SHA1. Here’s an HMAC of the previous message using our IKE SA HMAC key. Here’s some random data

Here’s an HMAC of the previous messages using our IKE SA HMAC key.


IKE TutorialPhase 2 Remarks:Remarks:

The keys in the resulting IPSEC SA are a function The keys in the resulting IPSEC SA are a function of the IKE SA key and the random data.of the IKE SA key and the random data.

The result of the negotiation are two uni-directional The result of the negotiation are two uni-directional IPSEC SAs, each with a distinct SPI (SPI are also IPSEC SAs, each with a distinct SPI (SPI are also part of the negotiation).part of the negotiation).

The SAs can only be used to encrypt IPSEC traffic The SAs can only be used to encrypt IPSEC traffic between the negotiated identities. between the negotiated identities.

Identity types are IP addresses, IP ranges, IP Identity types are IP addresses, IP ranges, IP subnets.subnets.


IKE TutorialPhase 2 More Remarks:More Remarks:

Perfect Forward Secrecy (PFS) can be turned on Perfect Forward Secrecy (PFS) can be turned on to provide additional security. It includes an to provide additional security. It includes an additional exchange of DH keys.additional exchange of DH keys.

When an SA is about to expire, the entities can When an SA is about to expire, the entities can start a new negotiation. If the IKE SA is valid, only start a new negotiation. If the IKE SA is valid, only Phase 2 is required. Otherwise, both Phase 1 and Phase 2 is required. Otherwise, both Phase 1 and Phase 2 are required.Phase 2 are required.

One other types of IKE message: One other types of IKE message: “informational”. Examples: error messages, “informational”. Examples: error messages, requests to delete Sas.requests to delete Sas.


Agenda



Hybrid Mode IKE - What is it? A method of using Authentication Schemes A method of using Authentication Schemes

other than a Pre-shared Secret, or a Digital other than a Pre-shared Secret, or a Digital Certificate with IKECertificate with IKE

IKE Standard did not originally allow for IKE Standard did not originally allow for authentication schemes like:authentication schemes like: Token Cards - SecurID, etc. Token Cards - SecurID, etc. LDAPLDAP RADIUSRADIUS NT DomainNT Domain Firewall-1 PasswordFirewall-1 Password etcetc


Hybrid Mode Challenge: integrate all FW-1 authentication Challenge: integrate all FW-1 authentication

schemes with IKEschemes with IKE Standards based solution does not existStandards based solution does not exist

Requirements:Requirements: Open: integrates well with all authentication schemesOpen: integrates well with all authentication schemes Secure: mutual (user vs. gateway) authenticationSecure: mutual (user vs. gateway) authentication Standards based: suggest solution to IETF (draft-ietf-Standards based: suggest solution to IETF (draft-ietf-

ipsec-isakmp-hybrid-auth-03)ipsec-isakmp-hybrid-auth-03) Existing solutions are:Existing solutions are:

Proprietary (hard to determine their security)Proprietary (hard to determine their security) Or, insecure suggested standards (XAUTH)Or, insecure suggested standards (XAUTH)


Hybrid ModeSolution:Solution:

Gateway cannot use an “interactive” Gateway cannot use an “interactive” authentication scheme, unlike a user:authentication scheme, unlike a user:

Gateway uses PKIGateway uses PKI User uses of the FW-1 authentication schemesUser uses of the FW-1 authentication schemes

FW-1 Password, LDAP, TACACS+, RADIUS, etc.FW-1 Password, LDAP, TACACS+, RADIUS, etc.

CP management station includes simple CP management station includes simple PKI abilitiesPKI abilities Sufficient to deploy certificates to the Sufficient to deploy certificates to the

gatewaysgateways NOT a full blown PKI for usersNOT a full blown PKI for users


Hybrid Mode Example (Radius)

GW User

A’s certificate + A’s signature over previous data

User identity, hash of previous

data

Check identity in certificate and validate

Check identity

SA Negotiation

Radius challenge (“enter password”)

Password 1232456

Validate password

Establish encrypted channel

Establish encrypted channel

Documents

IKE Tutorial