Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 1 Information Security 2 (InfSi2) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Similar presentations


Presentation on theme: "Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 1 Information Security 2 (InfSi2) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications."— Presentation transcript:

1 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 1 Information Security 2 (InfSi2) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 4.6 Internet Key Exchange IKE

2 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 2 IPsec – Automatic Key Management The Internet Key Exchange (IKE) Security Association (SA) A Security Association is a contract established between two IPsec endpoints (hosts or security gateways). Negotiation of parameters to be used for the IPsec connection. ISAKMP SA (IKEv1) or IKE SA (IKEv2) protects the IKE negotiation. Separate IPsec SA required for each subnet or single host. Separate IPsec SA required for inbound and outbound connection. IPsec SAs are assigned a unique Security Parameters Index (SPI) and are maintained in a database. Negotiated Parameters Authentication Mechanism (IKEv1 only, pre-shared key or public key) Encryption algorithm, Hash algorithm, PRF Key exchange using Diffie-Hellman groups Key lifetimes (IKEv1 only) for the ISAKMP and IPsec SAs.

3 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 3 Internet Key Exchange – IKEv1 Main Mode IKE Header DH Key Exchange NrNr NrNr 43 IKE Header DH Key Exchange NiNi NiNi IKE Header ISAKMP SA Proposal 1 IKE Header ISAKMP SA Response 2 5 IKE Header encrypted ID i Cert i Sig i encrypted IKE Header 6 ID r Cert r Sig r IKEv1 Quick Mode – another three messages to negotiate traffic selectors ResponderInitiator UDP/500

4 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 4 IKE Main Mode using Pre-Shared Keys Pre-shared key is worked into Hash is part of the IKE session key IKE Header DH Key Exchange NrNr NrNr 43 IKE Header DH Key Exchange NiNi NiNi IKE Header ISAKMP SA Proposal 1 IKE Header ISAKMP SA Response 2 5 IKE Header encrypted ID i Hash i encrypted IKE Header 6 ID r Hash r ResponderInitiator UDP/500

5 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 5 IKE Aggressive Mode using PreShared Keys Unencrypted IKE Aggressive Mode messages carrying cleartext IDs can be easily sniffed by a passive attacker. Pre-Shared Key is worked into Hash r, together with other known parameters, so that an off-line cracking attack becomes possible. Responder Initiator 3 Hash i IKE Header ISAKMP SA Proposal 1 DH Key Exchange NiNi NiNi ID i IKE Header ISAKMP SA Response 2 DH Key Exchange NrNr NrNr ID r Hash r UDP/500

6 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 6 Man-in-the-Middle Attack possible with IKE Aggressive Mode and XAUTH VPN Gateway WLAN Access Point Attacker Man-in-the- Middle Wireless LAN User VPN Client Username: Password: bodo aznHu4Um XAUTH With IKE Aggressive Mode, use One-Time Password scheme (e.g. SecureID). 1 Group Password 2 bodo aznHu4Um XAUTH Group Password

7 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 7 ISAKMP and IPsec Security Associations 09:00 #1 ISAKMP SA rightid=@gateway.kool.net 10:50 #6 IPsec SA 11:00 #7 IPsec SA 11:40 #8 ISAKMP SA 9101112 09:00 #2 IPsec SA rightsubnet=10.1.1.0/22 09:10 #3 IPsec SA rightsubnet=10.1.9.0/24 #4 IPsec SA 09:50rightsubnet=10.1.1.0/22 10:05 #5 IPsec SA rightsubnet=10.1.9.0/24 ikelifetime=3h keylife=1h

8 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 8 IKE Phase 2 – Quick Mode Establish or Renew an IPsec SA Negotiation of IPsec Parameters Phase 2 Quick Mode establishes an IPsec SA using the secure channel created by the phase 1 ISAKMP SA. The specific configuration parameters for the IPsec connection are negotiated (AH, ESP, authentication / encryption methods and parameters). Quick Mode can be used to renew IPSec SAs about to expire. ESP/AH Key Derivation The ESP encryption and ESP/AH authentication keys for the IPsec SAs are derived from the Phase 1 Diffie-Hellman secret. Optional Perfect Forward Secrecy If perfect forward secrecy is required, each consecutive Quick Mode will do a fresh Diffie-Hellmann key-exchange.

9 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 9 Motivation for a new IKE RFC IKEv1 is spread over three documents (RFCs 2407, 2408, and 2409) Too many messages (6 in Main Mode plus 3 in Quick Mode) Too many variants (AH/ESP, transport/tunnel, authentication modes) Too complex – therefore potentially insecure (Bruce Schneier) Cookies not required when not under DoS attack New features: NAT-T, Dead Peer Detection, etc. IKEv2 Protocol IPsec SA can be established with 2 request/response pairs Additional Child SAs require one request/response pair, each EAP authentication modes supported (e.g. One-Time-Passwords), replaces proprietary XAUTH New IKE configuration payload replaces proprietary Mode Config IKEv2 is not backwards compatible with IKEv1 !!! The New Standard - IKEv2 RFC 4306 (Dec. 2005) / RFC 5996 (Sep. 2010)

10 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 10 IKEv2 – Authentication and first Child SA IKE_SA_INIT exchange pair IKE_AUTH exchange pair IKE Header 1 SA1 i KE i NiNi NiNi 2 IKE Header SA1 r KE r NrNr NrNr 3 IKE Header encrypted ID i Cert i Auth i ID r SA2 i TS i TS r 4 encrypted IKE Header ID r Cert r Auth r SA2 r TS i TS r ResponderInitiator UDP/500

11 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 11 Cookie Mechanism against DoS Attacks IKE Header 1 SA1 i KE i NiNi NiNi 2 IKE Header N(COOKIE) ResponderInitiator UDP/500 4 IKE Header SA1 r KE r NrNr NrNr IKE Header 3 N(COOKIE) SA1 i KE i NiNi NiNi # strongswan.conf charon { dos_protection = yes cookie_threshold = 10 block_threshold = 5 } # strongswan.conf charon { dos_protection = yes cookie_threshold = 10 block_threshold = 5 }

12 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 12 IKEv2 – Additional Child SAs 1 IKE Header encrypted N N SA i NiNi NiNi KE i TS i TS r 2 IKE Header encrypted SA r NrNr NrNr KE r TS i TS r ResponderInitiator UDP/500 CREATE_CHILD_SA exchange pair Rekeying IKE_SA:{ SAi, Ni, KEi } Rekeying CHILD_SA:{ N(REKEY_SA), SAi, Ni, [KEi], TSi, TSr } Reauthentication: Start with IKE_SA from scratch

13 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 13 IKEv2 Remote Access Scenario #ipsec.conf for roadwarrior carol conn home keyexchange=ikev2 left=%any leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes right=192.168.0.1 rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 auto=start #ipsec.secrets for roadwarrior carol : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" #ipsec.secrets for gateway moon : RSA moonKey.pem #ipsec.conf for gateway moon conn rw keyexchange=ikev2 left=%any leftsubnet=10.1.0.0/24 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes right=%any rightsourceip=10.3.0.0/24 auto=add

14 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 14 Information Security 2 (InfSi2) 4.7 VPN Applications

15 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 15 Virtual Private Networks Internet Head Quarters Subsidiary Road Warrior VPN Tunnel VPN Gateway 11.22.33.44 VPN Gateway 55.66.77.88 VPN Client 10.1.0.0/1610.2.0.0/16 10.3.0.2 10.1.0.510.2.0.3 55.66.x.x

16 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 16 Road Warrior sign on to their home network via IKE with varying IP addresses assigned dynamically by the local ISP. The Road Warrior Remote Access Case Internet Home Network IPsec Tunnel VPN Gateway 11.22.33.44 10.1.0.0/16 Road Warrior 55.66.x.x Dynamic IP Virtual IP 10.3.0.2 Authentication is usually based on RSA public keys and X.509 certificates issued by the home network. Virtual IP assigned statically or dynamically by the home network. Remote hosts thus become part of an extruded net.

17 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 17 Windows 7 Agile VPN Client Gateway certificate must contain host name [or IP address] and the serverAuth extendedKeyUsage flag.

18 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 18 strongSwan Applet for the Linux Desktop D-Bus based communication between NetworkManager and strongSwan daemon. If a CA root certificate is specified then the hostname [or IP address] of the VPN gateway must be contained as a subjectAltName in the received gateway certificate.

19 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 19 strongSwan in a Mixed VPN Environment Campus Network strongSwan Linux Client Windows 7/8 Agile VPN Client Linux FreeRadius Server Windows Active Directory Server Internet High-Availability strongSwan VPN Gateway strongswan.hsr.ch

20 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 20 Information Security 2 (InfSi2) 4.8 VPN Features

21 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 21 IKEv1 - XAUTH (eXtended AUTHentication) Proprietary extension used by many vendors (Cisco, Checkpoint, etc.) Based on expired draft-beaulieu-ike-xauth-02.txt IKEv2 - EAP (Extensible Authentication Protocol) EAP-AKA, EAP-SIM, EAP-MSCHAPv2, EAP-MD5, EAP-GTC, EAP-TLS, etc. VPN client triggers EAP by omitting AUTH payload VPN gateway must send public key AUTH payload first! VPN gateway relays authentication messages to and from AAA server (RADIUS, DIAMETER or LDAP) Extended Authentication VPN Gateway AAA Server IKE messages VPN Client

22 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 22 IKEv1 – Mode Config Payload Proprietary extension used by many vendors (Cisco, Checkpoint, etc.) Based on expired draft draft-dukes-ike-mode-cfg-02.txt IKEv2 – Configuration Paiload has official CP payload VPN gateway fetches configuration attributes from AAA server Virtual IPv4 or IPv6 address Internal DNS and WINS servers Proprietary attributes (Cisco Unity, Microsoft, 3GPP, etc.) Configuration Payload IKE messages VPN Client AAA Server

23 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 23 IPsec Passthrough (Transparent IPsec Connection) ADSL and Cable routers use Network Address Translation (NAT) to connect one or several hosts sitting behind the router access to the Internet. IPsec passthrough forwards ESP und IKE packets to a preconfigured host behind the NAT router. Drawback: Each router model is configured differently, causing exorbitant costs supporting individual users. ESP and IKE from a single VPN client 10.3.0.2 UDP/50055.66.x.x UDP/500 10.3.0.2 ESP55.66.x.x ESP 11.22.33.44 UDP/500 11.22.33.44 ESP

24 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 24 NAT-Traversal (UDP encapsulation of ESP packets) NAT-Traversal is used if several VPN clients want to set up secure tunnels through a common router doing NAT. Typical Applications: WLAN hotspots, hotels, conferences, mobility via GSM/GPRS. NAT-Traversal facilitates remote access e.g. working at home. ESP and IKE from several VPN clients 10.3.0.3 UDP/450055.66.x.x UDP/1026 10.3.0.2 UDP/450055.66.x.x UDP/1025 11.22.33.44 UDP/4500

25 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 25 ESP-in-UDP Encapsulation (RFC 3948) Src Port (4500)Dst Port (4500) LengthChecksum Security Parameters Index UDP Header ESP Header Src Port (4500)Dst Port (4500) LengthChecksum 0x00 IKE Header UDP Header IKE Header Non-ESP Marker0x00 Src Port (4500)Dst Port (4500) LengthChecksum 0xFF UDP Header Keepalive Payload NAT-Keepalive Packet Format IKE Header Format for Port 4500 UDP-Encapsulated ESP Header Format

26 Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 26 IKEv2 Dead Peer Detection #ipsec.conf for roadwarrior carol conn %default dpddelay=60 dpdaction=restart #ipsec.conf for gateway moon conn %default dpddelay=60 dpdaction=clear Oct 24 11:45:10 13[IKE] CHILD_SA home{1} established with SPIs c50810d9_i c8485f4a_o Oct 24 11:46:10 16[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] Oct 24 11:46:10 16[ENC] parsed INFORMATIONAL request 0 [ ] Oct 24 11:46:10 16[ENC] generating INFORMATIONAL response 0 [ ] Oct 24 11:46:10 16[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:09 09[IKE] sending DPD request Oct 24 11:47:09 09[ENC] generating INFORMATIONAL request 2 [ ] Oct 24 11:47:09 09[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:13 03[IKE] retransmit 1 of request with message ID 2 Oct 24 11:47:13 03[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:20 11[IKE] retransmit 2 of request with message ID 2 Oct 24 11:47:20 11[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:33 08[IKE] retransmit 3 of request with message ID 2 Oct 24 11:47:33 08[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:47:56 12[IKE] retransmit 4 of request with message ID 2 Oct 24 11:47:56 12[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:48:38 14[IKE] retransmit 5 of request with message ID 2 Oct 24 11:48:38 14[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] Oct 24 11:49:54 16[IKE] giving up after 5 retransmits Oct 24 11:49:54 16[IKE] restarting CHILD_SA home Oct 24 11:49:54 16[IKE] initiating IKE_SA home[2] to 192.168.0.1


Download ppt "Andreas Steffen, 1.10.2013, 4.6-IKE.pptx 1 Information Security 2 (InfSi2) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications."

Similar presentations


Ads by Google