Upload
kunal-malhotra
View
226
Download
0
Embed Size (px)
Citation preview
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 1/36
Internet KeyExchange
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 2/36
IPSec – Reminder
SPI
SA1
SA2
SA3
……
SAD
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 3/36
IPSec – Reminder
SA• Security Association Database (SAD) holds
SA’s • Security Associations (SA) is a one way ,
cryptographically protected connection between a sender and a receiver that affords
security services to traffic
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 4/36
SA’sspi
12
…
Alice to BobBob’s spi: 17
13
… Bob to AliceBob’s spi: 2
21
SA’sspi
1Bob to Alice
Alice’s spi: 212
…
…
Alice to BobAlice’s spi: 13
17
Alice Bob
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 5/36
IPSec – Reminder
SASA contains the fields:• protocol identifier (ESP or AH)
• mode (tunnel or transport)• algorithms for encryption/ decryption/
authentication and their respective keys
• lifetime• SPI’s • sequence number
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 6/36
IPSec – Reminder
Where does IKE fit in?SA’s building and managing is either: • Static (manual) – keys and other attributes
of SA are manually configured by systemadministrator. Practical for small, relativelystatic environments.
• Dynamic (automated) – On-demandcreation of keys. Handled by IKE protocol
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 7/36
IKE
• IKE is a protocol that builds and manages IPSecSA’s between two computers that implement
IPSec.• IKE is the only standard protocol for building
IPSec SA’s (Standard IPSec implementation mustalso implement IKE)
• IKE (like IPSec) is carried out either between a pair of hosts, a pair of security gateways or a hostand a security gateway
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 8/36
IKE
• IKE is a protocol that builds and manages IPSecSA’s between two computers that implement
IPSec.• IKE is the only standard protocol for building
IPSec SA’s (Standard IPSec implementation mustalso implement IKE)
• IKE (like IPSec) is carried out either between a pair of hosts, a pair of security gateways or a hostand a security gateway
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 9/36
Endpoint to Endpoint Transport
• Both endpoints of the IP connection implementIPsec
• Used with no inner IP header• One of the protected points can be behind a
NAT node
Protected
Endpoint
Protected
EndpointIPsec Tunnel
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 10/36
Gateway to Gateway Tunnel
• Neither point of the IP connection implements IPsec, but network nodes between them protect traffic for part of the way
• Protection is transparent to the endpoints• The inner IP header contains the IP addresses of the
actual endpoints
gateway gatewayProtected
Subnet
Protected
Subnet
IPsecTunnel
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 11/36
Endpoint to Gateway Transport• A protected endpoint (typically a portable roaming
computer) connects back to its corporate networkthrough an IPsec protected tunnel
• The protected endpoint will want an IP addressassociated with the gateway so that packets returned toit will go to the gateway and be tunneled back
• The protected endpoint may be behind a NAT
Protected
Endpointgateway
Protected
Subnet
and/or
Internet
IPsec Tunnel
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 12/36
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 13/36
Key Exchange Protocols
• Key exchange protocols goal is to agree on
a shared key for the two participant• Should implement
- authenticity
- secrecy
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 14/36
Long and Short Term Keys
• To support authenticity parties shouldknow a mutual secret key. This key is
called long term key.• The keys negotiated in the protocol are
called short term keys.
• There are two types of long term keys:1. Pre-shared secret2. Public/private keys
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 15/36
Long and Short Term Keys
Why the need for short term keys?• It is not advisable to encrypt a lot of data with the
same key• It is advisable to separate between encryption keysand authentication keys
Why not sending the new key encrypted using thelong term key?
• PFS
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 16/36
PFS
Perfect Forward Secrecy• Exposure of long term keys will not entail
exposure of short term keys that are created
in the current execution of the protocol
• PFS is optionally provided in IKE (detailedlater)
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 17/36
IKE version 1
• IKE version 1 is a hybrid of three protocols(actually a framework and two protocols)
• Version 1 grew out of ISAKMP frameworkand OAKLEY and SKEME protocols thatwork within that framework.
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 18/36
ISAKMP (IKE version 1)
• Stands for “Internet Security Associationand Key Management” Protocol
• Created by NSA (National SecurityAgency)
• Framework (not really a protocol) forauthentication and key exchange.
• This framework decides on the SA’sattributes the parties will use.
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 19/36
ISAKMP (IKE version 1)
• Designed to be key exchange independent(supports many different key exchanges)
• In IKE version 1 ISAKMP uses part ofOAKLEY and part of SKEME.
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 20/36
SKEME (IKE version 1)
• Describes a versatile key exchangetechnique
Provides:• anonymity• repudiability• quick key refreshment
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 21/36
OAKLEY (IKE version 1)
• Describes a series of key exchanges anddetails the services provided by each
• Based on Diffie-Hellman algorithm but providing added security
• Generic in that it does not dictate specificformats
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 22/36
OAKLEY (IKE version 1)
Characterized by five important features:1. Cookies to prevent clogging attacks2. Negotiation of a group (specifying global
parameters of DH)3. Use of nonces to ensure against replayattacks
4. Exchange of public key values5. Authentication of DH to prevent man-in-
the-middle attacks
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 23/36
Diffie-Hellman Groups
• A group for the DH key exchange specifiesthe global parameters of DH.
• Each group includes the definition of 2global parameters and the identity of thealgorithm
• Three of these groups are classic DHalgorithm using modular exponentiation
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 24/36
Diffie-Hellman – groups id=1,2,5All these three groups (id=1,2,5) have:• Generator = 2For group id=1:
• Prime = 2^768 - 2^704 – 1 + 2^64 * { [2^638 pi]+ 149686}
For group id=2:• Prime = 2^1024 - 2^960 – 1 + 2^64 * { [2^894 pi]
+ 129093}For group id=5:• Prime = 2^1536 - 2^1472 – 1 + 2^64 * { [2^1406
pi] + 741804}
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 25/36
Diffie-Hellman – groups id=3,4
• Over galois fields using elliptic curves.
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 26/36
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 27/36
Main benefits of IKE Version 2
over Version 1IKEv2 preserves most of the features of IKEv1. The
idea behind IKEv2 was to make it as easy as possible for IKEv1 implementations to bemodified for IKEv2.
• Later we will see that IKE is a two-phase protocol.Version 2 greatly simplified IKE by replacing the8 possible phase 1 exchanges with a single exchange.
• This single exchange provides identity hiding in 2 round trips rather than 3 in version 1
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 28/36
Main benefits of IKE Version 2
over Version 1• Version 2 decreased latency by allowing
setup of SA to be piggybacked on the initial
exchange• Version 2 increased security by allowing
responder to be stateless until initiator can
receive at claimed IP address
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 29/36
Side benefits of IKE Version 2
over Version 1• cryptographic syntax replaced with one
simplified syntax
• a few fields were removed (ex: DOI, SIT)
• possible error states reduced
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 30/36
Details and variations
• IKE normally listens on UDP port 500,though may also be received on port 4500
with a slightly different format
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 31/36
ReliabilityIKE is a reliable protocol.• Initiator responsible for retransmission in the
event of timeout, therefore must remember eachrequest until it receives the corresponding
response• Responder retransmits a response only when it
receives retransmission , therefore must remembereach response until it receives a request with a
larger sequence number plus window size• On failure all states associated with SA are
discarded
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 32/36
Reliability
• IKE definition includes recovery fromtransmission error: packet loss, packet
replay, packet forgery
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 33/36
Functionality
• IKE is designed to function so long as:1. at least one of a series of retransmitted packets
reaches its destination before timing out2. channel not full of forged or replayed packets
(exhausting network or CPU)• Even if these two minimum requirements are
absent, IKE fails cleanly as though the networkwas broken
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 34/36
NAT Traversal
• IPsec through a NAT introduces problems.• protocols which include IP addresses of endpoint
within the payload (like IPSec) necessitate that NAT understands the protocol and modify theinternal references and those in the headers
• In transport mode changing IP address will causechecksums to fail. In tunnel mode there arerouting problems.
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 35/36
NAT Traversal
• For that reason, IKE supports UDPencoding that is easier for NATs to process
• It is less efficient but is easier for NAT to process• This is where port 4500 comes in. When
working through a NAT it is better to passIKE packets over port 4500 which runs the
NAT-friendly protocol.
8/14/2019 Introduction Aja
http://slidepdf.com/reader/full/introduction-aja 36/36
To Sum Up OverviewWe talked about:• IPSec SAs• what roles IKE play• Design issues• Key exchange protocols: long/short terms keys, pfs• version 1: structure and features• version 2
• Reliability• Terms of functionality• NAT friendly protocol