CS470, A.SelcukIPsec Attacks1 IPsec ESP Attacks CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Slides:

Advertisements

Similar presentations

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.

Advertisements

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.

TCP/IP Christopher Zacky. lolwut Decimal Numbers.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

Introduction1-1 message segment datagram frame source application transport network link physical HtHt HnHn HlHl M HtHt HnHn M HtHt M M destination application.

Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.

IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

Lesson 4 The IPv6 Header.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

Attacking the IPSec Standards in Encryption- only Configurations Jean Paul Degabriele and Kenneth G. Paterson Presented by Chan Wing Cheong Mar 31, 2008.

CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

1 Application TCPUDP IPICMPARPRARP Physical network Application TCP/IP Protocol Suite.

Source Port # (16)Destination Port # (16) Sequence Number (32 bits) Acknowledgement Number (32 bits) Hdr Len (4) Flags (6)Window Size (16) Options (if.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM SREEJITH SREEDHARAN CS843 PROJECT PRESENTATION 04/28/03.

TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.

IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

Internet Protocol (IP)

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

1 Network Security Lecture 8 IP Sec Waleed Ejaz

UNIT IP Datagram Fragmentation Figure 20.7 IP datagram.

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

TCP/IP Protocols Contains Five Layers

Review the key networking concepts –TCP/IP reference model –Ethernet –Switched Ethernet –IP, ARP –TCP –DNS.

Karlstad University IP security Ge Zhang

Network Security David Lazăr.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)

Washington WASHINGTON UNIVERSITY IN ST LOUIS Fred Kuhns Applied Research Laboratory NSP packet Formats.

Internet Protocol Formats. IP (V4) Packet byte 0 byte1 byte 2 byte 3 data... – up to 65 K including heading info Version IHL Serv. Type Total Length Identifcation.

Decoding an IP Header (1)

Transport-Friendly ESP Steven M. Bellovin AT&T Labs Research

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

Lecture 6 W.Lilakiatsakun.  Internet Protocol  IPv4 /IPv6  IPsec  ICMP  Routing Protocol  RIP/OSPF  BGP  Attack on Layer3 Layer 3 Technology.

1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives.

VersionIHLTotal Length FlagsIdentificationFragment Offset Time To Live Destination Address OptionsPadding Protocol = 6 Type of Service IP Header TCP Destination.

Internet Security CSCE 813 IPsec. CSCE813 - Farkas2 TCP/IP Protocol Stack Application Layer Transport Layer Network Layer Data Link Layer.

Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.

IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.

Chapter 3 TCP and IP 1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) User Datagram Protocol (UDP) Internet.

IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.

K. Salah1 Security Protocols in the Internet IPSec.

@Yuan Xue CS 285 Network Security IP Security Yuan Xue Fall 2013.

© 2003, Cisco Systems, Inc. All rights reserved.

Chapter 3 TCP and IP Chapter 3 TCP and IP.

Introduction to TCP/IP networking

CSE 4905 IPsec.

IT443 – Network Security Administration Instructor: Bo Sheng

Transport Layer.

Internet Protocol Formats

IPSec IPSec is communication security provided at the network layer.

Standards Basics.

Internet Protocol (IP)

What does this packet do?

IPv6: Does it Provide Benefits to Space Communications?

Internet Protocol Formats

Presentation transcript:

CS470, A.SelcukIPsec Attacks1 IPsec ESP Attacks CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk

CS470, A.SelcukIPsec Attacks2 Attacks on ESP Encryption S.Bellovin, “Problem areas for the IP security protocols”, Usenix Security Symposium, C.McCubbin, A.Selcuk, D.Sidhu, “Initialization Vector Attacks on the IPsec Protocol Suite”, IEEE Workshop on Enterprise Security, Attack model: –Host-pair keying –ESP encryption without authentication –CBC mode of encryption

CS470, A.SelcukIPsec Attacks3 TCP Header | Source Port | Destination Port | | Sequence Number | | Acknowledgment Number | | Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | | Checksum | Urgent Pointer | | Options | Padding | | data |

CS470, A.SelcukIPsec Attacks4 UDP Header | Source Port | Destination Port | | Length | Checksum |

CS470, A.SelcukIPsec Attacks5 IPv4 Header |Version| IHL |Type of Service| Total Length | | Identification |Flags| Fragment Offset | | Time to Live | Protocol | Header Checksum | | Source Address | | Destination Address | | Options | Padding |

CS470, A.SelcukIPsec Attacks6 Reading Encrypted Data L A, L B : Legitimate user accounts on hosts A, B X A, X B : Attacker’s accounts on A and B ESP K IPsecretTCPL A L B : ESP K IPanyUDPX A X B : ESP K IPUDPX A X B :secretTCP Monitored data: Re-injected data:

CS470, A.SelcukIPsec Attacks7 Reading Encrypted Data (cont’d) Due to CBC, only first block of the pasted packet will be corrupted. (Can be avoided if IV is copied as well) Padding may be added to re-injected packet if needed to make lengths match If IPv6 in use, UDP checksum mandatory trials are needed on average to pass validation. If L A, L B are using UDP, attack is easier: –Wait till session ends –Allocate L B ’s UDP port to X B –Replay all packets

CS470, A.SelcukIPsec Attacks8 Session Hijacking ESP K IPdataTCPL A L B : ESP K IPCBC padUDPX A X B : L A L B :TCP Monitored data: Re-injected data: rm –rf / CBC padckfix rm –rf / ESP K IP

CS470, A.SelcukIPsec Attacks9 Session Hijacking (cont’d) Due to CBC, the first pasted block will be corrupted; the “CBC pad”. Some extra bytes may be needed to restore to a known state (e.g., shell prompt) “ckfix” is to fix the checksum; takes on average 2 16 trials. Attack can work without having logins X A, X B. (e.g., with SMTP-level source routing)

CS470, A.SelcukIPsec Attacks10 IV Attacks IV is sent in the payload; subject to modification By modifying IV, the first plaintext block can be modified in controllable manner: P 1 = D K (C 1 )  IV Attacks have further impact: First block includes the upper-layer header Checksums, if present, may be fixed by modifying insensitive fields in the first block

CS470, A.SelcukIPsec Attacks11 IV Attacks on TCP Fields in first 64 bits: Source Port, Destination Port, Seq.No. Fields in bits : Window Size, Ack.No., Offset, flags Attacks on Destination Port: Decrypted packets delivered to X B. Other attacks: Seq.No. (reordering), Window Size (flooding/stalling) Checksum fixing: by “reserved” or Ack.No.

CS470, A.SelcukIPsec Attacks12 IV Attacks on UDP Fields in first 64 bits: Source Port, Destination Port, Length, Checksum Bits : Data payload Dest. Port: Decrypted packets delivered to X B. Length: Packets can be truncated. Checksum can be fixed directly. With a 128-bit cipher, the first 64 bits of the payload can be modified.

CS470, A.SelcukIPsec Attacks13 Conclusion Encryption without integrity protection can be all but useless. Authentication is better made mandatory in IPsec. Moral of the story: It is safe to always use authentication/integrity protection when confidentiality is desired; the cost is marginal.