IPsec Internet Headquarters Branch Office SA R1 R2

Slides:



Advertisements
Similar presentations
Chapter 8 Network Security
Advertisements

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Lecture 24 Secure Communications CPE 401 / 601 Computer Network Systems Slides are modified from Jim Kurose & Keith Ross.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
IEEE Wireless Local Area Networks (WLAN’s).
IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.
Summer Workshop on Cyber Security Computer Networks Security (Part 2) Dr. Hamed Mohsenian-Rad University of California at Riverside and Texas Tech University.
Lecture 7: Network Level Security – IPSec CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lecture by Keith Ross, and.
Lecture 23 Network Security (cont) CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger slides are modified from Jim Kurose,
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
Investigators have published numerous reports of birds taking turns vocalizing; the bird spoken to gave its full attention to the speaker and never vocalized.
Secure connections.
1 WEP Design Goals r Symmetric key crypto m Confidentiality m Station authorization m Data integrity r Self synchronizing: each packet separately encrypted.
8-1 IPSec IS IPSEC  TLS: transport layer  IPSec: network layer Network Security.
Chapter 8 roadmap 8.1 What is network security?
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
IP Security: Security Across the Protocol Stack
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.
SMUCSE 5349/49 IP Sec. SMUCSE 5349/7349 Basics Network-level: all IP datagrams covered Mandatory for next-generation IP (v6), optional for current-generation.
8-1 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity & end point authentication 8.4 Securing .
Security at different layers
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 4: Securing IP.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 3: Securing TCP.
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 5: Mobile security,
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Lecture Notes Thursday Sue B. Moon.
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
Lecture 22 Network Security (cont) CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger slides are modified from Jim Kurose,
K. Salah1 Security Protocols in the Internet IPSec.
Chapters 6 & 8 WiFi and Its Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the.
EECS  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
@Yuan Xue CS 285 Network Security IP Security Yuan Xue Fall 2013.
Real Security Protocols 1. Securing 2. Securing TCP connections: SSL 3. Network layer security: IPsec 4. Securing wireless LANs Computer Networking:
Lecture 9: Network Level Security – IPSec
UNIT 7- IP Security 1.IP SEC 2.IP Security Architecture
Security in the layers 8: Network Security.
CSE 4905 IPsec.
IPSec IPSec is communication security provided at the network layer.
IP Security and VPN Most of the slides are derived from the slides (Chapter-8) by the authors of «Computer Networking: A Top Down Approach», and from the.
Slides have been taken from:
CSE 4905 WiFi Security I WEP (Wired Equivalent Privacy)
Virtual Private Networks (VPNs)
TELE3119: Trusted Networks Week 2
Virtual Private Networks (VPNs)
Presentation transcript:

IPsec Internet Headquarters Branch Office SA R1 R2 193.68.2.23 200.168.1.100 172.16.1/24 172.16.2/24 SA Internet Headquarters Branch Office R1 R2 new IP header ESP hdr original IP hdr Original IP datagram payload trl auth encrypted “enchilada” authenticated padding pad length next header SPI Seq #

R1 converts original datagram into IPsec datagram Appends to back of original datagram (which includes original header fields!) an “ESP trailer” field. Encrypts result using algorithm & key specified by SA. Appends to front of this encrypted quantity the “ESP header, creating “enchilada”. Creates authentication MAC over the whole enchilada, using algorithm and key specified in SA; Appends MAC to back of enchilada, forming payload; Creates brand new IP header, with all the classic IPv4 header fields, which it appends before payload.

Inside the enchilada: ESP trailer: Padding for block ciphers new IP header ESP hdr original IP hdr Original IP datagram payload trl auth encrypted “enchilada” authenticated padding pad length next header SPI Seq # ESP trailer: Padding for block ciphers ESP header: SPI, so receiving entity knows what to do Sequence number, to thwart replay attacks MAC in ESP auth field is created with shared secret key

IPsec sequence numbers For new SA, sender initializes seq. # to 0 Each time datagram is sent on SA: Sender increments seq # counter Places value in seq # field Goal: Prevent attacker from sniffing and replaying a packet Receipt of duplicate, authenticated IP packets may disrupt service Method: Destination checks for duplicates But doesn’t keep track of ALL received packets; instead uses a window

Security Policy Database (SPD) Policy: For a given datagram, sending entity needs to know if it should use IPsec. Needs also to know which SA to use May use: source and destination IP address; protocol number. Info in SPD indicates “what” to do with arriving datagram; Info in the SAD indicates “how” to do it.

Summary: IPsec services Suppose Trudy sits somewhere between R1 and R2. She doesn’t know the keys. Will Trudy be able to see contents of original datagram? How about source, dest IP address, transport protocol, application port? Flip bits without detection? Masquerade as R1 using R1’s IP address? Replay a datagram?

Internet Key Exchange In previous examples, we manually established IPsec SAs in IPsec endpoints: Example SA SPI: 12345 Source IP: 200.168.1.100 Dest IP: 193.68.2.23 Protocol: ESP Encryption algorithm: 3DES-cbc HMAC algorithm: MD5 Encryption key: 0x7aeaca… HMAC key:0xc0291f… Such manually keying is impractical for large VPN with, say, hundreds of sales people. Instead use IPsec IKE (Internet Key Exchange)

IKE: PSK and PKI Authentication (proof who you are) with either pre-shared secret (PSK) or with PKI (pubic/private keys and certificates). With PSK, both sides start with secret: then run IKE to authenticate each other and to generate IPsec SAs (one in each direction), including encryption and authentication keys With PKI, both sides start with public/private key pair and certificate. run IKE to authenticate each other and obtain IPsec SAs (one in each direction). Similar with handshake in SSL.

IKE Phases IKE has two phases Phase 1: Establish bi-directional IKE SA Note: IKE SA different from IPsec SA Also called ISAKMP security association Phase 2: ISAKMP is used to securely negotiate the IPsec pair of SAs Phase 1 has two modes: aggressive mode and main mode Aggressive mode uses fewer messages Main mode provides identity protection and is more flexible

Summary of IPsec IKE message exchange for algorithms, secret keys, SPI numbers Either the AH or the ESP protocol (or both) The AH protocol provides integrity and source authentication The ESP protocol (with AH) additionally provides encryption IPsec peers can be two end systems, two routers/firewalls, or a router/firewall and an end system

Lecture 22 Wireless Security CPE 401/601 Computer Network Systems All material copyright 1996-2009 J.F Kurose and K.W. Ross, All Rights Reserved slides are modified from Jim Kurose & Keith Ross

Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

WEP Design Goals Symmetric key crypto Confidentiality Station authorization Data integrity Self synchronizing: each packet separately encrypted Given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost Unlike Cipher Block Chaining (CBC) in block ciphers Efficient Can be implemented in hardware or software

Review: Symmetric Stream Ciphers keystream generator key Combine each byte of keystream with byte of plaintext to get ciphertext m(i) = ith unit of message ks(i) = ith unit of keystream c(i) = ith unit of ciphertext c(i) = ks(i)  m(i) ( = exclusive or) m(i) = ks(i)  c(i) WEP uses RC4

Stream cipher and packet independence Recall design goal: each packet separately encrypted If for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted Need to know where we left off for packet n WEP approach: initialize keystream with key + new IV for each packet: keystream generator Key+IVpacket keystreampacket

WEP encryption (1) Sender calculates Integrity Check Value (ICV) over data four-byte hash/CRC for data integrity Each side has 104-bit shared key Sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key Sender also appends keyID (in 8-bit field) 128-bit key inputted into pseudo random number generator to get keystream data in frame + ICV is encrypted with RC4: Bytes of keystream are XORed with bytes of data & ICV IV & keyID are appended to encrypted data to create payload Payload inserted into 802.11 frame encrypted data ICV IV MAC payload Key ID

WEP encryption (2) New IV for each frame

WEP decryption overview encrypted data ICV IV MAC payload Key ID Receiver extracts IV Inputs IV and shared secret key into pseudo random generator, gets keystream XORs keystream with encrypted data to decrypt data + ICV Verifies integrity of data with ICV Note that message integrity approach used here is different from the MAC (message authentication code) and signatures (using PKI).

End-point authentication w/ nonce Nonce: number (R) used only once –in-a-lifetime How: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R K (R) A-B Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

WEP Authentication Not all APs do it, even if WEP is being used. AP indicates if authentication is necessary in beacon frame. Done before association. AP authentication request nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce

Breaking 802.11 WEP encryption security hole: 24-bit IV, one IV per frame, -> IV’s eventually reused IV transmitted in plaintext -> IV reuse detected attack: Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 … Trudy sees: ci = di XOR kiIV Trudy knows ci di, so can compute kiIV Trudy knows encrypting key sequence k1IV k2IV k3IV … Next time IV is used, Trudy can decrypt!

802.11i: improved security numerous (stronger) forms of encryption possible provides key distribution uses authentication server separate from access point

802.11i: four phases of operation STA: client station AP: access point AS: Authentication server wired network 1 Discovery of security capabilities 2 STA and AS mutually authenticate, together generate Master Key (MK). AP servers as “pass through” 3 STA derives Pairwise Master Key (PMK) 3 AS derives same PMK, sends to AP STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity 4

EAP: extensible authentication protocol EAP: end-end client (mobile) to authentication server protocol EAP sent over separate “links” mobile-to-AP (EAP over LAN) AP to authentication server (RADIUS over UDP) wired network EAP TLS EAP EAP over LAN (EAPoL) RADIUS IEEE 802.11 UDP/IP