IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.


MOBIKE

IKEv2 Mobility and Multihoming Protocol, as defined in draft-ietf-mobike-protocol-07.txt

- Main purpose: roaming devices (devices which move and hence have changing IP addresses) that want to keep the existing IKE and IPsec SAs in place despite the IP address changing, and without requiring a full rekey.
- Secondary purpose: a multihomed (multiple interface) device which decides to change its IKE endpoint IP. This could be a result of link failure or other conditions.

MOBIKE Init and AUTH Exchanges

I -> R: HDR, KEi, Ni
R -> I: HDR, KEr, Nr
I -> R: HDR, {IDi, AUTH, MOBIKE}K_IR
R -> I: HDR, {IDr, AUTH, MOBIKE}K_IR

Typical IKEv2 init exchange, with notify declaring support for MOBIKE.

MOBIKE Address Change Exchange

I2 -> R: HDR, {UpdateSA_Address}K_IR
R -> I2: HDR, {ACK}K_IR
R -> I2: HDR, {Cookie}K_IR
I2 -> R: HDR, {Cookie}K_IR

Initiator IP address changed to I2. Cookie exchange is for optional return routability verification.

IKEv2 General Attacks

- Replay attack: prevented by nonces and also by message IDs in the cryptographically protected IKE header (HDR).
- MITM attack: prevented by the AUTH payload in the IKE_AUTH exchange.
- DoS: very difficult to handle, but an optional cookie exchange prior to DH exponentiation is included in IKEv2 to prevent spoof attacks from forcing expensive exponentiation.

IKEv2 Exchanges

All IKEv2 requests are ACKed. After the IKE_INIT exchange, all messages are encrypted and MACed:

{HDR, {Payload}K_IR-E}K_IR-A

IKEv2 MITM Attack

I -> A: HDR, KEi, Ni
A -> R: HDR, KEa, Ni
R -> A: HDR, KEr, Nr
A -> I: HDR, KEa, Nr

Typical IKEv2 init exchange, with attacker A attempting a MITM attack by substituting his own DH values.

IKEv2 MITM Attack Prevention

I -> A: HDR, ID_I, {AUTH}K_IA
A -> R: HDR, ID_A, {AUTH}K_AR
R -> A: HDR, ID_R, {AUTH}K_AR

Typical IKEv2 AUTH exchange, thwarting A's MITM attack when the AUTH payload is checked by the responder.

The AUTH payload is an integrity checksum defined as 1 of:

AUTH = MAC({1st msg we sent, ID', Nonce of partner}, key derived from shared secret)
AUTH = SIG({1st msg we sent, ID', Nonce of partner}, our private key)
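The MAC form of the AUTH check above can be modelled as follows. This is an added example, not code from the slides: it uses HMAC-SHA256 as the MAC, and the message encoding, the `ID_I` value and the key are constructed stand-ins.

```python
import hashlib
import hmac
import os

def auth_payload(first_msg_sent: bytes, own_id: bytes, peer_nonce: bytes, key: bytes) -> bytes:
    """AUTH = MAC({1st msg we sent, ID', nonce of partner}, key), as on the slide."""
    # Length-prefix each field so bytes cannot be shifted from one field into the next.
    fields = (first_msg_sent, own_id, peer_nonce)
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def responder_accepts(init_msg_seen: bytes, id_i: bytes, nr: bytes, auth: bytes, key: bytes) -> bool:
    """The responder recomputes AUTH over the init request it actually received."""
    expected = auth_payload(init_msg_seen, id_i, nr, key)
    return hmac.compare_digest(expected, auth)

def run_exchange(attacker_swaps_ke: bool) -> bool:
    """Return True if the responder accepts the initiator's AUTH payload."""
    key = hashlib.sha256(b"constructed shared secret").digest()  # stand-in for the derived key
    ni, nr = os.urandom(16), os.urandom(16)
    sent_by_i = b"HDR|KEi|" + ni                # constructed encoding of the init request
    # A replaces KEi with KEa but forwards the nonces unchanged, as in the attack slide.
    seen_by_r = (b"HDR|KEa|" + ni) if attacker_swaps_ke else sent_by_i
    auth = auth_payload(sent_by_i, b"ID_I", nr, key)  # I authenticates what it really sent
    return responder_accepts(seen_by_r, b"ID_I", nr, auth, key)
```

Because AUTH covers the sender's own first message, the DH value A substituted makes the responder's recomputed MAC differ, and A cannot produce a matching one without the shared secret.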

MOBIKE Possible Attacks

IKEv2 general attacks are still prevented by the same mechanisms.

Traffic redirection and DoS of 3rd parties:

- NATs are permitted (general case).
  - Layer 3 & 4 headers are unprotected and unauthenticated (so NATs can work).
  - Thus DoS is allowed.
- IPsec SAs are switched to the source IP in the UPDATE_SA_ADDRESS request.
  - It seems an attacker can just replace the source IP with an arbitrary one.
- 2 mechanisms help limit attacks to simple DoSes:
  - Return routability exchange: the attacker cannot generate a reply unless he knows the IKE session keys.
  - IKEv2 request ACKing: if the UPDATE_SA_ADDRESS request isn't ACKed, the client will resend it.

MOBIKE Possible Attacks

When NATs are not allowed (e.g. site-to-site situation with controlled path), the overwriting of the source IP by an attacker is detected by inclusion of the new address in the protected portion of the UPDATE_SA_ADDRESS request.

Return Routability Prevents Attack

[Diagram: participants I1, I2, NAT, attacker A and responder R; messages UPDATE_SA_ADDRESS, ACK, COOKIE2]

Attacker cannot send COOKIE2 reply since he doesn't know session key.
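A minimal model of the responder side of the return routability check, as an added example that is not part of the original slides. It assumes an HMAC-SHA256 tag as a stand-in for IKE message protection (no encryption is modelled); the address labels, payload tags and class names are constructed for illustration.

```python
import hashlib
import hmac
import os

def protect(sk: bytes, payload: bytes) -> bytes:
    """Stand-in for {payload}K_IR: payload plus an HMAC-SHA256 tag under the session key."""
    return payload + hmac.new(sk, payload, hashlib.sha256).digest()

def unprotect(sk: bytes, msg: bytes):
    """Return the payload if the tag verifies, otherwise None."""
    payload, tag = msg[:-32], msg[-32:]
    expected = hmac.new(sk, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

class Responder:
    def __init__(self, sk: bytes, peer_addr: str):
        self.sk, self.peer_addr = sk, peer_addr
        self.pending = {}  # candidate address -> outstanding cookie

    def on_update(self, src_ip: str, msg: bytes):
        """Challenge the address the update came from; the SAs are not switched yet."""
        if unprotect(self.sk, msg) != b"UPDATE_SA_ADDRESS":
            return None
        self.pending[src_ip] = os.urandom(16)
        return protect(self.sk, b"COOKIE2-REQ:" + self.pending[src_ip])

    def on_cookie_reply(self, src_ip: str, msg: bytes) -> bool:
        """Switch to src_ip only if a protected reply echoes that address's cookie."""
        cookie = self.pending.get(src_ip)
        payload = unprotect(self.sk, msg)
        if cookie is None or payload != b"COOKIE2-RESP:" + cookie:
            return False
        del self.pending[src_ip]
        self.peer_addr = src_ip
        return True

def simulate():
    sk = os.urandom(32)  # constructed session key shared by initiator and responder
    r = Responder(sk, "I1")
    # Constructed scenario 1: the unprotected source IP was rewritten to a third party "V".
    challenge_v = r.on_update("V", protect(sk, b"UPDATE_SA_ADDRESS"))
    replayed = r.on_cookie_reply("V", challenge_v)  # reflecting the challenge is rejected
    forged = r.on_cookie_reply("V", b"COOKIE2-RESP:" + os.urandom(48))  # no session key
    # Constructed scenario 2: the initiator really moved to "I2" and answers the challenge.
    cookie = unprotect(sk, r.on_update("I2", protect(sk, b"UPDATE_SA_ADDRESS")))[12:]
    moved = r.on_cookie_reply("I2", protect(sk, b"COOKIE2-RESP:" + cookie))
    return replayed, forged, moved, r.peer_addr
```

The responder keeps sending to the old address until a valid reply arrives, so a rewritten source IP costs at most the challenge message sent to the third party.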

MOBIKE Modeling

Modeled in Murφ.

- 4 agents involved:
  - Initiator
  - Initiator-prime (post address change)
  - Responder
  - Intruder
- Intruder controls the network:
  - Acts as a sink for network messages, forwarding them out to all possible recipients from all possible sources.
  - Cannot modify protected portions of IKE messages.

MOBIKE Modeling

- Modeled as a state machine with 8 states.
- 8 message types.
- IP addresses are modeled with agent IDs.
- ID payloads are modeled with the corresponding agent ID.
- Nonces are random numbers.
- Cookies are random numbers.
- The AUTH payload is made up of a shared secret known only to the initiator and the responder.
- The IKE HDR is modeled as a message ID (one field in the actual IKE HDR).

MOBIKE Modeling cont.

- Message is a union of all 8 IKE messages. Not all fields will be used in all messages.
- SAs and TSs (traffic selectors) are not modeled.
- NAT detection is not modeled.
- Invariants:
  - Check that both the responder and initiator correctly authenticate with each other and complete the state machine.
- Message correctness:
  - Verify the AUTH payload.
  - Verify the ID is equal to the source.
  - Verify the cookie for the return routability test.