Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPSec: Internet Key Exchange

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "IPSec: Internet Key Exchange"— Presentation transcript:

1 IPSec: Internet Key Exchange
CS 378 IPSec: Internet Key Exchange Vitaly Shmatikov

2 Secure Key Establishment
Goal: generate and agree on a session key using some public initial information What properties are needed? Authentication (know identity of other party) Secrecy (generated key not known to any others) Forward secrecy (compromise of one session key does not compromise keys in other sessions) Prevent replay of old key material Prevent denial of service Protect identities from eavesdroppers Other properties you can think of???

3 Key Management in IPSec
Manual key management Keys and parameters of crypto algorithms exchanged offline (e.g, by phone), security associations established by hand Pre-shared symmetric keys New session key derived for each session by hashing pre-shared key with session-specific nonces Standard symmetric-key authentication and encryption Online key establishment Internet Key Exchange (IKE) protocol Use Diffie-Hellman to derive shared symmetric key

4 Diffie-Hellman Key Exchange
Assume finite group G = S,  Choose generator g so every xS is x = gn for some n Example: integers modulo prime p Protocol ga mod p gb mod p A B Alice, Bob share gab mod p not known to anyone else

5 Diffie-Hellman Key Exchange
ga mod p gb mod p A B Authentication? Secrecy? Replay attack? Forward secrecy? Denial of service? Identity protection? No Only against passive attacker Vulnerable Yes Vulnerable Participants can’t tell gx mod p from a random number: send them garbage and they’ll do expensive exponentiations Yes

6 IKE Genealogy Diffie-Hellman Station-to-Station ISAKMP Photuris Oakley
1976 + authentication, identity protection Diffie, van Oorschot, Wiener 1992 + defense against denial of service ISAKMP NSA 1998 Photuris “generic” protocol for establishing security associations + defense against replay Karn, Simpson + compatibility with ISAKMP Oakley IKE Orman 1998 Cisco 1998 IKEv2 IETF draft September 23, 2004

7 Design Objectives for Key Exchange
Shared secret Create and agree on a secret which is known only to protocol participants Authentication Participants need to verify each other’s identity Identity protection Eavesdropper should not be able to infer participants’ identities by observing protocol execution Protection against denial of service Malicious participant should not be able to exploit the protocol to cause the other party to waste resources

8 Ingredient 1: Diffie-Hellman
A  B: ga B  A: gb Shared secret is gab, compute key as k=hash(gab) Diffie-Hellman guarantees perfect forward secrecy Authentication Identity protection DoS protection

9 Ingredient 2: Challenge-Response
A  B: m, A B  A: n, sigB(m, n, A) A  B: sigA(m, n, B) Shared secret Authentication A receives his own number m signed by B’s private key and deduces that B is on the other end; similar for B Identity protection DoS protection

10 DH + Challenge-Response
ISO protocol: A  B: ga, A B  A: gb, sigB(ga, gb, A) A  B: sigA(ga, gb, B) Shared secret: gab Authentication Identity protection DoS protection m := ga n := gb Obtained by substituting Diffie-Hellman exponentials for the fresh terms m and n in the challenge-response protocol.

11 Ingredient 3: Encryption
Encrypt signatures to protect identities: A  B: ga, A B  A: gb, EncK(sigB(ga, gb, A)) A  B: EncK(sigA(ga, gb, B)) Shared secret: gab Authentication Identity protection (for responder only!) DoS protection k=hash(gab) B’s identity is protected against passive adversaries.

12 Refresher: DoS Prevention
Denial of service is often caused by malicious resource clogging If responder opens a state for each connection attempt, attacker can initiate thousands of connections from bogus or forged IP addresses Cookies ensure that the responder is stateless until initiator produced at least 2 messages Responder’s state (IP addresses and ports) is stored in an unforgeable cookie and sent to initiator After initiator responds, cookie is regenerated and compared with the cookie returned by the initiator The cost is 2 extra messages in each execution

13 Refresher: Anti-DoS Cookie
Typical protocol: Client sends request (message #1) to server Server sets up connection, responds with message #2 Client may complete session or not (potential DoS) Cookie version: Client sends request to server Server sends hashed connection data back Send message #2 later, after client confirms his address Client confirms by returning hashed data Need an extra step to send postponed message

14 Ingredient 4: Anti-DoS Cookie
“Almost-IKE” protocol: A  B: ga, A B  A: gb, hashKb(gb, ga) A  B: ga, gb, hashKb(gb, ga) EncK(sigA(ga, gb, B)) B  A: gb, EncK(sigB(ga, gb, A)) Shared secret: gab Authentication Identity protection DoS protection? Doesn’t quite work: B must remember his DH exponential b for every connection A cookie mechanism is a standard way of preventing blind denial-of-service attacks. B returns a keyed hash of the Diffie-Hellman exponential that he receives in the first message from A. Only after A returns the cookie in the third message does B create state and perform expensive public key operations. k=hash(gab)

15 Medium-Term Secrets and Nonces
Idea: use the same Diffie-Hellman value gab for every session, update every 10 minutes or so Helps against denial of service To make sure keys are different for each session, derive them from gab and session-specific nonces Nonces guarantee freshness of keys for each session Re-computing ga, gb, gab is costly, generating nonces (fresh random numbers) is cheap This is more efficient and helps with DoS, but no longer guarantees forward secrecy (why?)

16 (Simplified) Photuris
[Karn and Simpson] Random number (identifies connection) Hash(source & dest IP addrs, CookieI, ports, R’s local secret) CookieI I R CookieI, CookieR, offer crypto CookieI, CookieR, ga mod p, select crypto CookieI, CookieR, gb mod p switch to K=h(gab mod p) Alice is called “Initiator” for consistency with IKE terminology Bob is called “Responder” CookieI, CookieR, EncK(“I”, sigI(previous msgs)) CookieI, CookieR, EncK(“R”, sigR(previous msgs))

17 IKE Genealogy Redux Diffie-Hellman Station-to-Station ISAKMP Photuris
1976 + authentication, identity protection Diffie, van Oorschot, Wiener 1992 + defense against denial of service ISAKMP NSA 1998 Photuris “generic” protocol for establishing security associations + defense against replay Karn, Simpson + compatibility with ISAKMP Oakley IKE Orman 1998 Cisco 1998 IKEv2 IETF draft September 23, 2004

18 Cookies in Photuris and ISAKMP
Photuris cookies are derived from local secret, IP addresses and ports, counter, crypto schemes Same (frequently updated) secret for all connections ISAKMP requires unique cookie for each connect Add timestamp to each cookie to prevent replay attacks Now responder needs to keep state (“cookie crumb”) Vulnerable to denial of service (why?) Inherent conflict: to prevent replay, need to remember values that you’ve generated or seen before, but keeping state allows denial of service

19 IKE Overview Goal: create security association between 2 hosts
Shared encryption and authentication keys, agreement on crypto algorithms Two phases: 1st phase establishes security association (IKE-SA) for the 2nd phase Always by authenticated Diffie-Hellman (expensive) 2nd phase uses IKE-SA to create actual security association (child-SA) to be used by AH and ESP Use keys derived in the 1st phase to avoid DH exchange Can be executed cheaply in “quick” mode To create a fresh key, hash old DH value and new nonces

20 Why Two-Phase Design? Expensive 1st phase creates “main” SA
Cheap 2nd phase allows to create multiple child SAs (based on “main” SA) between same 2 hosts Different conversations may need different protection Some traffic only needs integrity protection or short-key crypto Too expensive to always use strongest available protection Avoid multiplexing several conversations over same SA For example, if encryption is used without integrity protection (bad idea!), it may be possible to splice the conversations Different SAs for different classes of service

21 IKEv1 Was a Mess Two modes for 1st phase: “main” and “aggressive”
Fewer messages in “aggressive” mode, but no identity protection and no defense against denial of service Main mode vulnerable to DoS due to bad cookie design Many field sizes not verified; poor error handling Four authentication options for each mode Shared keys; signatures; public keys in 2 different ways Special “group” mode for group key establishment Grand total of 13 different variants Difficult to implement, impossible to analyze Security problems stem directly from complexity

22 IKEv2: Phase One I R ga mod p, crypto proposal, Ni CookieR
Optional: refuse 1st message and demand return of stateless cookie CookieR ga mod p, crypto proposal, Ni I R CookieR, ga mod p, crypto proposal, Ni gb mod p, crypto accepted, Nr switch to K=f(Ni,Nr,crypto,gab mod p) EncK(“I”, sigI(m1-4), [cert], child-SA) EncK(“R”, sigR(m1-4), [cert], child-SA) Initiator reveals identity first Prevents “polling” attacks where attacker initiates IKE connections to find out who lives at an IP addr Instead of running 2nd phase, “piggyback” establishment of child-SA on initial exchange

23 IKEv2: Phase Two (Create Child-SA)
After Phase One, I and R share key K I R EncK(proposal, Ni, [ga mod p], traffic) Crypto suites, protocol (AH, ESP or IPcomp) Optional re-key using old DH value and fresh nonces IP address range, ports, protocol id EncK(proposal, Nr, [gb mod p], traffic) Can run this several times to create multiple SAs

24 Other Aspects of IKE We did not talk about…
Interaction with other network protocols How to run IPSec through NAT (Network Address Translation) gateways? Error handling Very important! Bleichenbacher attacked SSL by cryptanalyzing error messages from an SSL server Protocol management Dead peer detection, rekeying, etc. Legacy authentication What if one of the parties doesn’t have a public key?

25 Current State of IPSec Best currently existing VPN standard
For example, used in Cisco PIX firewall, many remote access gateways IPSec has been out for a few years, but wide deployment has been hindered by complexity ANX (Automotive Networking eXchange) uses IPSec to implement a private network for the Big 3 auto manufacturers and their suppliers

Download ppt "IPSec: Internet Key Exchange"

Similar presentations

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.

Key Exchange Protocols J. Mitchell CS 259. Next few lectures uToday Key exchange protocols and properties uThursday Cathy Meadows: GDOI uNext Tues Contract-signing.
Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.

Key Management Protocols and Compositionality John Mitchell Stanford TECS Week2005.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Header and Payload Formats

Header and Payload Formats
IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.

IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols.

IP Security and Key Establishment CS 395T. Plan for the Next Few Lectures uToday: “systems” lecture on IP Security and design of key exchange protocols.
1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.

1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

Similar presentations

Ads by Google