CS 285 Network Security: IP Security. Yuan Xue, Fall 2013.


Review (stack diagram). Layers: Application, Transport, Network, Link. Application layer: HTTP, SMTP, FTP, and PGP (authentication entity: user ID / key ID). Transport layer: TCP and UDP (ports, multiplexing/demultiplexing, congestion window), with SSL/HTTPS above TCP (SSL_CTX, SSL, SSL_SESSION). Network layer: IP (IP address, routing table, forwarding table, fragmentation/reassembly, forwarding). Link layer: frames, scheduling/medium access. Encapsulation shown: application payload inside an SSL record, inside a TCP segment, inside an IP packet.

Comparison: PGP vs. SSL
- Layer: PGP = application layer; SSL = transport layer
- Timing: PGP = offline; SSL = online/real-time
- Connection model: PGP = connectionless (a single data message; data order? replay attack?); SSL = connection-oriented (a data stream; data order? replay attack?)
- Protected content: both protect the application payload (only)
- Authentication entity: PGP = user (Key ID); SSL = SSL session (certificate)
- Protected unit: PGP = data message; SSL = SSL connection / TCP port

Issues
- TCP header and IP header are not protected. Why is this a bad thing?
- Application-specific protection needs user awareness. Why is this a bad thing? Think about SMTP/HTTP running over plain TCP instead of SSL.

Any Idea for a Solution?
- Security service/protocol at a lower layer. How about the network layer?
- Above IP -> enjoys the routing service
- Below transport -> supports all applications/processes on this host, and protects the TCP header
- How about the IP header?

Let's Work on a Solution Together
Security requirements
- Confidentiality
- Integrity -> data integrity, source authentication, replay defense (*)
- Option for both/either of the above two requirements
More details
- Which part should be protected? -> whether the IP header should/can be protected
- How to establish cryptographic context? -> keys/ciphers, etc.

IP Headers
Fields: Version, Header Length, TOS, Packet length, Packet Id, Flags, Fragment offset, TTL, Protocol number, Checksum, Source IP address, Destination IP address, Options. The figure classifies each field as immutable, predictable, or mutable.
- Some fields are mutable -> how to perform MAC calculation/verification?
- Some fields are necessary for intermediate routers to forward the packet -> if they are encrypted, the packet cannot be delivered.
What should we do?

IPsec Overview
Background
- A collection of protocols and mechanisms -> RFC 2401, RFC 2402, RFC 2406, RFC 2408
- IPsec is a mandatory part of IPv6 (mandatory to implement, not mandatory to use), and is optional for use with IPv4
- IPsec aims to provide a framework of open standards for secure communications over IP
- Protects every protocol/service running on top of IPv4 and IPv6
- Transparent to applications above the transport (TCP/UDP) layer
  - Data confidentiality
  - Data integrity
  - Source authentication -> prevents IP address spoofing
  - Guards against packet replay

IPsec Architecture
- Confidentiality -> ESP
- Integrity -> AH
  - Replay defense -> usage of sequence numbers
- Option for both/either of the above two requirements -> authentication and encapsulation can be used separately
- Which part should be protected?
  - transport mode: only TCP/UDP header + payload
  - tunnel mode: IP header + TCP/UDP header + payload (more details later)
- How to establish cryptographic context? -> security association, key management ...

Transport Mode vs. Tunnel Mode
Transport mode
- Protects the payload data from the upper-layer protocol
- IP header in clear text
- Host-to-host communication
Tunnel mode
- Protects the entire IP packet, including the IP header
- Network-to-network / host-to-network
- Adds a new IP header -> has a new destination address
(figure) Transport mode: IP header | IPsec header | encrypted data payload. Tunnel mode: new IP header | IPsec header | encrypted (original IP header | data payload).

IPsec in Transport Mode
- End-to-end security between two hosts
- Requires IPsec support at each host

IPsec in Tunnel Mode
- Gateway-to-gateway security
- Internal traffic behind the gateways is not protected
- Typical application: virtual private network (VPN)
- Only requires IPsec support at the gateways

Tunnel Mode Illustration (figure: two gateways, each implementing IPsec; IPsec protects the communication on the insecure part of the network between them)

Security Association
To decide the protection for an outgoing packet, IPsec uses the security parameter index (SPI), an index into the security association database (SADB), along with the destination address in the packet header; together they uniquely identify a security association for that packet. For an incoming packet, IPsec gathers the decryption and verification keys from the security association database.
Security association (SA)
- One-way relationship between a sender and a receiver
- For a two-way security exchange, two SAs are required
- Identified by SPI + IP destination address + security protocol identifier (whether AH or ESP)
- Security Parameters Index (SPI): carried in the AH/ESP header to enable the receiving system to select the SA under which to process the packet
(figure: the SPI indexes the SADB to locate the SA)

Implementation (figure)

Authentication Header
Security service
- Data integrity
- Source authentication -> prevents IP spoofing
- Guards against replay attacks
Integrity check value
- MAC: HMAC-MD5-96 / HMAC-SHA-1-96
- Calculated over:
  - the immutable IP header fields, with the mutable fields set to zero
  - the AH header, other than the authentication data (ICV) field
  - the upper-level protocol data
AH header fields (IPv4 figure callouts): the SPI identifies the security association (shared keys and algorithms); the sequence number provides anti-replay; the ICV authenticates the source and verifies the integrity of the payload.
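The mutable-field question from the IP header slide and the ICV rule above, worked through in an added example (not code from the lecture): a constructed IPv4 header has the fields RFC 4302 treats as mutable (TOS, flags/fragment offset, TTL, header checksum) zeroed, and the HMAC-SHA-1-96 ICV is computed over that, the AH header with its own ICV field zeroed, and the payload. The key, addresses, SPI and TCP segment are constructed values.

```python
import hashlib
import hmac
import socket
import struct

# (offset, size) of the mutable IPv4 header fields zeroed before the ICV is
# computed (RFC 4302): TOS, Flags + Fragment Offset, TTL, Header Checksum.
MUTABLE_FIELDS = ((1, 1), (6, 2), (8, 1), (10, 2))

def ipv4_header(src, dst, ttl, tos=0, proto=51, total_len=20 + 24 + 20):
    """Constructed 20-byte IPv4 header without options; protocol 51 = AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Copy of the header with every mutable field replaced by zeros."""
    hdr = bytearray(ip_hdr)
    for offset, size in MUTABLE_FIELDS:
        hdr[offset:offset + size] = bytes(size)
    return bytes(hdr)

def ah_icv(key, ip_hdr, spi, seq, payload, next_header=6):
    """HMAC-SHA-1-96 over immutable IP fields + AH header (ICV zeroed) + payload."""
    # AH header: Next Header, Payload Len (24/4 - 2 = 4 for a 12-byte ICV),
    # Reserved, SPI, Sequence Number, then the 12-byte ICV field set to zero.
    ah_hdr = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + bytes(12)
    mac = hmac.new(key, zero_mutable(ip_hdr) + ah_hdr + payload, hashlib.sha1)
    return mac.digest()[:12]            # truncated to 96 bits

def demo():
    """Returns (ttl_change_still_verifies, spoofed_source_still_verifies)."""
    key = b"constructed-demo-key"
    tcp = b"\x00\x50\x1f\x90" + bytes(16)    # constructed 20-byte TCP segment stand-in
    sent = ah_icv(key, ipv4_header("10.0.0.1", "10.0.0.2", ttl=64), 0x1000, 1, tcp)
    # Routers decremented TTL on the way: the ICV still verifies.
    arrived = ah_icv(key, ipv4_header("10.0.0.1", "10.0.0.2", ttl=61), 0x1000, 1, tcp)
    # A spoofed source address changes an immutable field: the ICV fails.
    spoofed = ah_icv(key, ipv4_header("10.9.9.9", "10.0.0.2", ttl=61), 0x1000, 1, tcp)
    return sent == arrived, sent == spoofed

if __name__ == "__main__":
    print(demo())   # (True, False)
```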

AH in Transport Mode (figure: the packet before and after AH is applied)

AH in Tunnel Mode (figure: the packet before and after AH is applied)

ESP: Encapsulating Security Payload
Security service
- Confidentiality
- Authentication (optional)
Encryption algorithm
- 3DES, RC5, IDEA, CAST, Blowfish ... + CBC mode
Authentication algorithm
- MAC: HMAC-MD5-96 / HMAC-SHA-1-96
Packet format
- Adds new header and trailer fields to the packet
Transport mode
- Confidentiality of packets between two hosts
- Complete hole through firewalls
Tunnel mode
- Confidentiality of packets between two gateways, or between a host and a gateway
- Implements VPN tunnels

ESP Security Guarantees
- Confidentiality and integrity for the packet payload
- Symmetric cipher negotiated as part of the SA
- Authentication (optional)
(figure) Transport mode: Original IP header | ESP header | TCP/UDP segment | ESP trailer | ESP auth. Tunnel mode: New IP header | ESP header | Original IP header | TCP/UDP segment | ESP trailer | ESP auth. The encrypted region covers the segment (plus the original IP header in tunnel mode) and the ESP trailer; the authenticated region runs from the ESP header through the ESP trailer.

ESP Packet (figure callouts)
- SPI: identifies the security association (shared keys and algorithms)
- Sequence number: anti-replay
- Payload data: TCP segment (transport mode) or entire IP packet (tunnel mode)
- Padding: pads to the block size of the cipher, and also hides the actual payload length
- Next header: type of payload
- ICV: HMAC-based integrity check value (similar to AH)
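The ESP packet layout just described, in transport mode, as an added example (not lecture code): an SPI and sequence number header, the payload padded to the cipher block size with the RFC 4303 default pad bytes 1, 2, 3, ..., the pad-length and next-header trailer, and a truncated HMAC-SHA-1 ICV that is checked before anything is decrypted. The cipher is a constructed XOR stand-in marking where the SA's 3DES-CBC (or another cipher from the list above) would go; the key, SPI and segment are constructed.

```python
import hashlib
import hmac
import struct

def esp_trailer(payload, block_size, next_header):
    """Append ESP padding, Pad Length and Next Header so the plaintext is a
    multiple of the cipher block size (and so 4-byte aligned)."""
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default pattern 1,2,3,...
    return payload + padding + bytes([pad_len, next_header])

def esp_strip_trailer(plain):
    """Inverse of esp_trailer; the receiver also checks the pad pattern."""
    pad_len, next_header = plain[-2], plain[-1]
    if plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return plain[:-2 - pad_len], next_header

def esp_encapsulate(spi, seq, payload, next_header, auth_key, encrypt, block_size=8):
    header = struct.pack("!II", spi, seq)                         # SPI, sequence number
    body = encrypt(esp_trailer(payload, block_size, next_header))
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:12]  # HMAC-SHA-1-96
    return header + body + icv

def esp_decapsulate(packet, auth_key, decrypt):
    header, body, icv = packet[:8], packet[8:-12], packet[-12:]
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")                      # verify before decrypting
    spi, seq = struct.unpack("!II", header)
    payload, next_header = esp_strip_trailer(decrypt(body))
    return spi, seq, next_header, payload

def demo_cipher(data):
    """Constructed stand-in, NOT a cipher: marks where the SA's 3DES-CBC goes."""
    return bytes(b ^ 0x5A for b in data)

def demo():
    """Returns (packet length, round-trip ok, tampered packet rejected)."""
    key = b"constructed-auth-key"
    segment = b"GET / HTTP/1.0\r\n"                               # constructed TCP payload
    pkt = esp_encapsulate(0x2000, 1, segment, 6, key, demo_cipher)  # next header 6 = TCP
    roundtrip = esp_decapsulate(pkt, key, demo_cipher) == (0x2000, 1, 6, segment)
    tampered = bytearray(pkt)
    tampered[12] ^= 1                                             # flip one ciphertext bit
    try:
        esp_decapsulate(bytes(tampered), key, demo_cipher)
        rejected = False
    except ValueError:
        rejected = True
    return len(pkt), roundtrip, rejected

if __name__ == "__main__":
    print(demo())   # (44, True, True)
```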

Virtual Private Networks (VPN)
- VPN tunnel: secure communication between parts of the same organization over the public, untrusted Internet
- ESP can be used to implement a VPN
- Packets go from the internal network to a gateway, which sends them on with a new destination IP address
- The entire packet is protected by ESP, including the original headers, so the internal destination addresses are hidden
- The receiving gateway decrypts the packet and forwards the original IP packet to the receiving address in the network that it protects

AH vs. ESP
- AH protects some of the fields in the IP header; ESP only protects everything beyond the ESP header
- Separation of authentication and encryption
- With AH, port information stays in clear text for firewalls

Combination of SAs
- Authentication + confidentiality
  - ESP with the authentication option
  - AH SA + ESP SA bundle
- Transport + tunnel bundle

Prevention of Replay Attacks
- When the SA is established, the sender initializes a 32-bit counter to 0 and increments it by 1 for each packet
- If the counter wraps around, a new SA must be established
- The recipient maintains a sliding 64-bit window (one bit per sequence number)
- If a packet with a high sequence number is received, do not advance the window until the packet is authenticated
- Duplicated packets will be dropped
What if TCP retransmits a packet with the same sequence number? Will it be dropped?
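The sender counter and the receiver's 64-packet sliding window described above, as an added example (not from the slides); the receive path keeps the rule that the window only advances after the packet's ICV has verified.

```python
class SequenceCounter:
    """Sender side: 32-bit counter per SA, starts at 0, so the first packet gets 1."""
    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("counter wrapped: a new SA must be established")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side: 64-packet sliding window, one bit per sequence number."""
    SIZE = 64

    def __init__(self):
        self.highest = 0   # highest sequence number authenticated so far
        self.bitmap = 0    # bit d set: packet (highest - d) already accepted

    def check(self, seq):
        """Pre-authentication check; never modifies the window."""
        if seq == 0:
            return False                        # 0 is never a valid sequence number
        if seq > self.highest:
            return True                         # right of the window: a new packet
        d = self.highest - seq
        if d >= self.SIZE:
            return False                        # left of the window: too old
        return not (self.bitmap >> d) & 1       # inside the window: seen before?

    def update(self, seq):
        """Called only after the ICV verified; now the window may advance."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.SIZE) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(window, seq, icv_ok):
    """Order matters: replay check, then ICV verification, then window update."""
    if not window.check(seq):
        return "dropped: replay or outside window"
    if not icv_ok:
        return "dropped: bad ICV"   # window untouched: a forged high seq cannot slide it
    window.update(seq)
    return "accepted"
```

A TCP retransmission leaves the host as a new outgoing IP packet and is given the next counter value, so this window does not drop it; only a repeated IPsec sequence number is dropped.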

Key Management
- Oakley Key Determination Protocol: based on the Diffie-Hellman algorithm
- Internet Security Association and Key Management Protocol (ISAKMP): a framework for Internet key management
- Internet Key Exchange Protocol (IKE)
  - The first phase establishes an ISAKMP SA, based on pre-shared keys (PSK), RSA keys and X.509 certificates, or even via Kerberos
  - In the second phase the ISAKMP SA is used to negotiate and set up the IPsec SAs

Comparison Again: PGP vs. SSL vs. IPsec
- Layer: PGP = application layer; SSL = transport layer (above TCP); IPsec = network layer (above IP)
- Timing: PGP = offline; SSL = online/real-time
- Connection model: PGP = connectionless (a single data message; data order n/a; replay attack: timestamp); SSL = connection-oriented (a data stream; data order via TCP; defense against replay attack); IPsec = connectionless (defense against replay attack)
- Protected content: PGP and SSL = application payload (only); IPsec transport mode = TCP header + application payload; IPsec tunnel mode = IP header + TCP header + payload
- Authentication entity: PGP = user (Key ID); SSL = SSL session (certificate); IPsec = security association
- Protected unit: PGP = entire data message; SSL = SSL connection / TCP port

Review (stack diagram, updated with IPsec). Layers: Application, Transport, Network, Link. Application layer: HTTP, SMTP, FTP, and PGP (authentication entity: user ID / key ID). Transport layer: TCP and UDP (ports, multiplexing/demultiplexing, congestion window), with SSL/HTTPS above TCP (SSL_CTX, SSL, SSL_SESSION). Network layer: IP (IP address, routing table, forwarding table, fragmentation/reassembly, forwarding) with IPsec (SADB, MAC). Link layer (IEEE): frames, scheduling/medium access. Encapsulation shown in transport mode: IP | IPsec | TCP | SSL | payload.

Reference