Published by Wendy Farmer. Modified over 7 years ago.
1 Cryptography CSS 329
Lecture 12: Key Establishment, IPSec
2 Lecture Outline
Key establishment protocols
IPSEC
3 Recommended Reading
HAC: Chapter 12
4 Need for Key Establishment
$C = \mathrm{Encrypt}_K(M)$, $M = \mathrm{Decrypt}_K(C)$
Alice and Bob share a secret key $K$
How to establish the shared key?
How to refresh it (not a good idea to encrypt a lot of data with the same key)
5 Long-Term Key vs. Session Key
Session key: temporary key, used for a short time period.
Long-term key: used for a long period, sometimes public and secret key pairs used to sign messages.
Using session keys to:
- limit available ciphertext encrypted with the same key
- limit exposure in the event of key compromise
- avoid long-term storage of a large number of distinct secret keys
- create independence across communications sessions or applications
6 Key Establishment
Key pre-distribution: keys are distributed off-line
Dynamic shared key establishment: protocols that define on-line key establishment
Key establishment: process to establish a shared secret key available to two or more parties:
- key transport: one party creates the key and securely transfers it to the other(s).
- key agreement: key establishment technique in which a shared secret is derived by two (or more) parties
7 Key Establishment Requirements
Implicit key authentication: one party is assured that no other party aside from a specifically identified second party may gain access to a particular secret key.
Key confirmation: one party is assured that a second party actually has possession of a particular secret key.
Explicit key authentication: both (implicit) key authentication and key confirmation hold.
8 Key Establishment Requirements
Perfect forward secrecy: compromise of long-term key does not compromise past session keys.
Known-key attack: compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future.
Key independence: compromise of any subset of session keys should not lead to compromise of other session keys.
9 Other Issues in Key Establishment
Need and type of the authentication: unilateral vs. mutual
Key control: key distribution vs. key agreement
Efficiency: communication (number of messages and communication rounds) and computation (exponentiations and digital signatures) costs
Use of trusted third party (TTP):
- on-line/off-line/no third party
- degree of trust required in a third party
10 Key Management
Key management: set of processes and mechanisms which support key establishment and the maintenance of ongoing keying relationships between parties.
Two ways to achieve:
- using symmetric encryption
- using public key encryption
11 Key Management by Means of Symmetric Encryption
Requires use of TTP
Each entity maintains long-term keys with TTP
Easy to add and remove entities
Each entity needs to store only one long-term secret key
Requires trust in the TTP: it can read all messages.
Compromise of TTP leads to compromise of all communication channels.
12 Key Management by Means of Public Key Encryption
It does not use a TTP, but requires a CA to certify the public key of participants
If entities are not authenticated, vulnerable to man-in-the-middle attack.
13 Basic Key Transport Protocol
Assumes a long-term symmetric key $K$ shared between A and B
Basic: new key is $r_A$
- $A \to B$: $E_K(r_A)$
Prevents replay: new key is $r_A$
- $A \to B$: $E_K(r_A, t_A, B)$
Mutual authentication: $K = f(r_A, r_B)$
- $A \to B$: $E_K(r_A, t_A, B)$
- $B \to A$: $E_K(r_B, t_B, A)$
14 Basic Key Transport Protocol (cont.)
Does not provide perfect forward secrecy and key independence
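The messages on slide 13, as an added example that is not part of the original lecture: the receiver's checks on $E_K(r, t, \mathrm{id})$ (integrity, named recipient, timestamp freshness, duplicate cache) and the mutual variant's $f(r_A, r_B)$. The HMAC-SHA-256 keystream plus MAC standing in for $E_K$, the 30-second skew, the field sizes, the function names and SHA-256 as $f$ are all assumptions.

```python
import hashlib, hmac, os

def _sub(K, label):                      # independent enc/MAC subkeys from K
    return hmac.new(K, label, hashlib.sha256).digest()

def _xor(key, nonce, data):              # HMAC counter keystream: stand-in cipher
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def E(K, pt):                            # E_K as encrypt-then-MAC (assumed scheme)
    nonce = os.urandom(16)
    ct = _xor(_sub(K, b"enc"), nonce, pt)
    return nonce + ct + hmac.new(_sub(K, b"mac"), nonce + ct, hashlib.sha256).digest()

def D(K, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(K, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return _xor(_sub(K, b"enc"), nonce, ct)

def send(K, recipient, now):
    """Return (r, E_K(r, t, recipient)) with a fresh 128-bit r."""
    r = os.urandom(16)
    return r, E(K, r + int(now).to_bytes(8, "big") + recipient)

class Receiver:
    def __init__(self, K, me, skew=30):  # skew in seconds: assumed policy value
        self.K, self.me, self.skew, self.seen = K, me, skew, set()

    def receive(self, msg, now):
        pt = D(self.K, msg)
        r, t, ident = pt[:16], int.from_bytes(pt[16:24], "big"), pt[24:]
        if ident != self.me:             # blocks reflection of A's message back to A
            raise ValueError("wrong recipient")
        if abs(now - t) > self.skew:
            raise ValueError("stale timestamp")
        if (r, t) in self.seen:          # replay inside the acceptance window
            raise ValueError("replay")
        self.seen.add((r, t))
        return r

def session_key(r_a, r_b):               # K = f(r_A, r_B), f assumed to be SHA-256
    return hashlib.sha256(b"session" + r_a + r_b).digest()
```

Every $r$ travels under the long-term key, so anyone who later obtains $K$ can decrypt recorded messages and recompute the session keys, which is why the protocol lacks perfect forward secrecy.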
15 Authenticated Key Exchange Protocol 2
Setup: A and B share long-term keys $K$ and $K'$
$h_K$ is a keyed hash function
$h'_{K'}$ is a keyed one-way function
Establish key $W = h'_{K'}(r_B)$
16 Shamir’s No Key Algorithm
Setup: $p$ is public, key $K$ is transmitted over a public channel without authentication
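The three-pass exchange usually given for Shamir's no-key protocol, as an added example that is not part of the original lecture (the slide text gives only the setup). The prime $2^{127} - 1$ is a toy parameter chosen here, not a safe size, and the function names are hypothetical.

```python
import math, secrets

P = 2**127 - 1   # public prime p (toy-sized Mersenne prime, assumption of this example)

def keypair(p=P):
    """Pick a secret exponent coprime to p-1 and its inverse mod p-1."""
    while True:
        e = secrets.randbelow(p - 3) + 2           # 2 <= e <= p-2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def no_key_exchange(K, p=P):
    """Run the three passes; return (messages seen on the wire, key B recovers)."""
    if not 1 <= K < p:
        raise ValueError("K must lie in [1, p-1]")
    a, a_inv = keypair(p)          # A's secret exponents, never transmitted
    b, b_inv = keypair(p)          # B's secret exponents, never transmitted
    m1 = pow(K, a, p)              # A -> B: K^a mod p
    m2 = pow(m1, b, p)             # B -> A: K^(ab) mod p
    m3 = pow(m2, a_inv, p)         # A -> B: K^b mod p (A removes its exponent)
    recovered = pow(m3, b_inv, p)  # B removes b and holds K
    return [m1, m2, m3], recovered
```

No message carries any proof of origin, so neither party learns who performed the other half of the exchange; that is the missing authentication the slide refers to.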
17 Needham-Schroeder Public Key Protocol
$P_A$ and $P_B$ denote public keys; A and B distribute keys $k_1$ and $k_2$
18 Key Transport: Combining Public Key Encryption and Digital Signature
Encrypting signed keys:
– $A \to B$: $P_B(k, t_A, S_A(B, k, t_A))$
– Problem: data for encryption is too large
Encrypting and signing separately:
– $A \to B$: $P_B(k, t_A), S_A(B, k, t_A)$
– Acceptable only if no information regarding plaintext data can be deduced from the signature
Signing encrypted keys:
– $A \to B$: $t_A, P_B(A, k), S_A(B, t_A, P_B(A, k))$
– Can provide mutual authentication with two messages (timestamps) or three messages (challenge-response)
19 Key Agreement: Diffie-Hellman Protocol
Key agreement protocol, both A and B contribute to the key
Setup: $Z_n$, $n$ prime and $g$ generator, $n$ and $g$ public.
20 Authenticated Diffie-Hellman
21 MTI
$a$ and $b$ are the private keys of A and B
Secure against passive attacks only
Provides mutual (implicit) key authentication but neither key confirmation nor entity authentication
22 Station-to-Station (STS)
Provides mutual entity authentication
23 Summary
Key establishment: transport and agreement; symmetric encryption based and public key encryption based
Authentication, replay prevention desired.
24 NETWORK PROTOCOLS
25 Before Securing a Protocol…
Understand what it does
Define what the security goals are
Define what the attacker model is
Understand/examine the environment in which the protocol will be used
26 OSI/ISO Model
27 Internet Protocol - IP
IP is the current delivery protocol on the Internet, between hosts.
IP provides ‘best effort’, unreliable delivery of packets.
There are two versions:
– IPv4 is the current routing protocol on the Internet
– IPv6, a newer version, still not totally embraced by the community
28 Transport Protocols
Provide communication between processes running on hosts
The most common transport protocols are UDP and TCP.
OS provides support for developing applications on top of UDP and TCP.
29 Establishing a “Secure Channel”
Services provided: confidentiality, integrity and authentication
At what level in the stack?
What are the advantages and disadvantages based on the level?
Two protocols: SSL (TLS) and IPSec.
30 IPSEC
31 What is IPSec?
Set of security mechanisms to protect the IP protocol
Flexible: supports combinations of authentication, integrity, access control, and confidentiality
IETF IPSEC Working Group: http://www.ietf.org/html.charters/ipsec-charter.html
Documented in RFCs and Internet drafts
32 IPv4 Header
33 IPv6 Header
34 IPSec Overview
Transparent to applications (below the transport layer: TCP, UDP)
Facilitates direct IP connectivity between sensitive hosts through untrusted networks
Provides:
– access control
– integrity
– data origin authentication
– rejection of replayed packets
– confidentiality
Provides application-independent security
No substitute for application layer security !!!
No protection against traffic analysis attacks !!!
35 Putting it all together
Authentication mechanisms
Encryption algorithms
Key management
36 IPSec Documents
RFC 2401: An overview of security architecture
RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
RFC 2408: Specification of key management capabilities
37 IPSec Features
Interoperable router and end-system implementations
Provides separation between authentication and confidentiality
Algorithm-independent design, but standard default algorithms are specified
Key management protocol separate from IP security protocol
Both IPv4 and IPv6 supported
38 Security Mechanisms
Authentication Header (AH): provides integrity and authentication without confidentiality
Encapsulating Security Payload (ESP): provides confidentiality and can also provide integrity and authentication
Operates based on security associations
Tunnel-mode: encapsulates an entire IP datagram
Transport-mode: encapsulates an upper-layer protocol (e.g. TCP or UDP) and prepends an IP header in clear
39 Security Associations (SA)
A relationship between a sender and a receiver.
Identified by three parameters:
– Security Parameter Index (SPI)
– IP Destination address
– Security Protocol Identifier
Established through the key management protocol, outside the IP security protocol
SPI + IP destination address uniquely identifies a particular Security Association
SAs are unidirectional, sender supplies SPI to receiver
40 Parameters of a Security Association
Authentication algorithm and mode for AH
Encryption algorithm, algorithm mode, initialisation vector, and transform for ESP
Key(s) and key lifetimes used with ESP and AH
Lifetime of the Security Association
Authentication algorithm with ESP (if used)
Sensitivity level of protected data
41 Authentication Header
Provides support for data integrity and authentication (MAC code) of IP packets.
Guards against replay attacks.
Integrity and data source authentication provided using HMAC (requires a secret key shared between source and destination)
Non-repudiation can be provided if using digital signatures
42 AH Authentication: Transport Mode
43 AH Authentication: Tunnel Mode
The new IP header contains different IP addresses than the ultimate destination and source
44 Encapsulating Security Payload
ESP provides confidentiality services
45 ESP Encryption and Authentication: Transport Mode
46 ESP Encryption and Authentication: Tunnel Mode
47 Cryptographic Algorithms
Encryption:
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
Authentication:
– HMAC-MD5
– HMAC-SHA-1
48 Defending Against Replay Attacks
Based on the sequence number (32 bits) carried in every packet
For every packet the sequence number is incremented
The receiver maintains a window (32 or more); the window is moved only when received packets are verified: “packets are authenticated and sequence number is in the window”
Duplicates are rejected!
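Slides 39 and 48 in code, as an added example that is not from the original lecture: an inbound SA is looked up by (SPI, destination address, protocol), and its 32-packet window moves only after the integrity check value verifies. The packet layout (HMAC-SHA-1 truncated to 96 bits over SPI, sequence number and payload only) and all names are simplifying assumptions; real AH also covers IP header fields. As in the usual bitmap check, an authenticated packet beyond the right edge advances the window.

```python
import hashlib, hmac, struct

WINDOW = 32                        # window size named on the slide (32 or more)
MASK = (1 << WINDOW) - 1

def icv(key, spi, seq, payload):
    """HMAC-SHA-1 truncated to 96 bits over SPI, sequence number, payload."""
    msg = struct.pack(">II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

class InboundSA:
    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.top = 0               # highest authenticated sequence number
        self.bitmap = 0            # bit i set: sequence number top - i was accepted

    def _fresh(self, seq):
        if seq == 0:
            return False           # senders start counting at 1
        if seq > self.top:
            return True            # beyond the right edge: not seen yet
        off = self.top - seq
        return off < WINDOW and not (self.bitmap >> off) & 1

    def _mark(self, seq):
        if seq > self.top:         # slide the window right
            shift = seq - self.top
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & MASK
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, spi, seq, payload, tag):
        if not self._fresh(seq):
            return "drop: replayed or too old"
        if not hmac.compare_digest(icv(self.auth_key, spi, seq, payload), tag):
            return "drop: bad ICV"  # forged packet leaves the window untouched
        self._mark(seq)
        return "accept"

def deliver(sad, dst, proto, spi, seq, payload, tag):
    """Look up the SA by (SPI, destination address, protocol), then check the packet."""
    sa = sad.get((spi, dst, proto))
    return sa.accept(spi, seq, payload, tag) if sa else "drop: no SA"
```

Checking the ICV before `_mark` matters: if an unauthenticated packet with a very large sequence number could move the window, a single forgery would push every legitimate packet out of it.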
49 Key Management
Manual
Automated
Oakley Key Determination Protocol
Internet Security Association and Key Management Protocol (ISAKMP)
Internet Key Exchange (IKE)
Oakley:
– Digital signatures
– Public-key encryption
– Symmetric-key encryption
50 Transport vs. Tunnel Mode
[Figure: side-by-side comparison, columns "Transport" and "Tunnel"]
51 IPSec in Action (1)
52 IPSec in Action (2)
53 IPSec in Action (3)
54 Summary
IPSec defines flexible security mechanisms for IP: integrity, data source authentication, confidentiality and limit replay attacks.
55 Next Lecture…
Secure communication protocols: SSL