Cryptography CSS 329 Lecture 12: Key Establishment, IPSec


1 Cryptography CSS 329 Lecture 12: Key Establishment, IPSec

2 Lecture Outline
- Key establishment protocols
- IPSEC

3 Recommended Reading
- HAC: Chapter 12

4 Need for Key Establishment
C = Encrypt_K(M), M = Decrypt_K(C)
- Alice and Bob share a secret key K
- How to establish the shared key?
- How to refresh it (not a good idea to encrypt a lot of data with the same key)?

5 Long-Term Key vs. Session Key
- Session key: temporary key, used for a short time period.
- Long-term key: used for a long period, sometimes public and secret key pairs used to sign messages.
- Session keys are used to:
  - limit available ciphertext encrypted with the same key
  - limit exposure in the event of key compromise
  - avoid long-term storage of a large number of distinct secret keys
  - create independence across communications sessions or applications

6 Key Establishment
- Key pre-distribution: keys are distributed off-line
- Dynamic shared key establishment: protocols that define on-line key establishment
- Key establishment: process to establish a shared secret key available to two or more parties
  - key transport: one party creates the key and securely transfers it to the other(s)
  - key agreement: key establishment technique in which a shared secret is derived by two (or more) parties

7 Key Establishment Requirements
- Implicit key authentication: one party is assured that no other party aside from a specifically identified second party may gain access to a particular secret key.
- Key confirmation: one party is assured that a second party actually has possession of a particular secret key.
- Explicit key authentication: both (implicit) key authentication and key confirmation hold.

8 Key Establishment Requirements
- Perfect forward secrecy: compromise of long-term key does not compromise past session keys.
- Known-key attack: compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future.
- Key independence: compromise of any subset of session keys should not lead to compromise of other session keys.

9 Other Issues in Key Establishment
- Need and type of the authentication: unilateral vs. mutual
- Key control: key distribution vs. key agreement
- Efficiency: communication (number of messages and communication rounds) and computation (exponentiations and digital signatures) costs
- Use of trusted third party (TTP):
  - on-line/off-line/no third party
  - degree of trust required in a third party

10 Key Management
- Key management: set of processes and mechanisms which support key establishment and the maintenance of ongoing keying relationships between parties.
- Two ways to achieve:
  - using symmetric encryption
  - using public key encryption

11 Key Management by Means of Symmetric Encryption
- Requires use of TTP
- Each entity maintains long-term keys with TTP
- Easy to add and remove entities
- Each entity needs to store only one long-term secret key
- Trust in TTP: it can read all messages.
- Compromise of TTP leads to compromise of all communication channels.

12 Key Management by Means of Public Key Encryption
- It does not use a TTP, but requires a CA to certify the public keys of participants
- If entities are not authenticated, vulnerable to man-in-the-middle attack.

13 Basic Key Transport Protocol
Assumes a long-term symmetric key K shared between A and B
- Basic: new key is r_A
  A → B: E_K(r_A)
- Prevents replay: new key is r_A
  A → B: E_K(r_A, t_A, B)
- Mutual authentication: K = f(r_A, r_B)
  A → B: E_K(r_A, t_A, B)
  B → A: E_K(r_B, t_B, A)

14 Basic Key Transport Protocol (cont.)
- Does not provide perfect forward secrecy and key independence
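
The receiver-side checks implied by the Basic Key Transport Protocol slides, as an added example that is not part of the original lecture. Assumptions: E and D are a stand-in authenticated cipher built from HMAC-SHA-256 (a real deployment would use a standard AEAD), r is 16 bytes, t is a 64-bit integer, the acceptance window is 30 seconds, and f is SHA-256; the long-term key and random values in any call are constructed.

```python
import hashlib
import hmac
import os
import struct

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA-256 in counter mode, used as the stand-in cipher's keystream."""
    blocks = (hmac.new(key, b"enc" + nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def E(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for E_K (assumption): keystream XOR plus an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def D(key: bytes, blob: bytes) -> bytes:
    """Inverse of E; refuses any blob whose tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def send_key(K: bytes, r: bytes, t: int, peer: bytes) -> bytes:
    """A -> B: E_K(r_A, t_A, B)."""
    return E(K, r + struct.pack("!Q", t) + peer)

def receive_key(K: bytes, blob: bytes, me: bytes, now: int, max_skew: int = 30) -> bytes:
    """Return the transported value only if the message is fresh and names `me`."""
    pt = D(K, blob)
    if len(pt) < 24:
        raise ValueError("message too short")
    r, t, ident = pt[:16], struct.unpack("!Q", pt[16:24])[0], pt[24:]
    if ident != me:
        # Without the identifier, A's own message could be reflected back to A.
        raise ValueError("identifier mismatch (reflected or misdirected message)")
    if abs(now - t) > max_skew:
        # Without the timestamp, an old E_K(r_A) could be replayed to reinstall an old key.
        raise ValueError("stale timestamp (replayed message)")
    return r

def f(r_a: bytes, r_b: bytes) -> bytes:
    """Session key K = f(r_A, r_B); SHA-256 is an assumed choice of f."""
    return hashlib.sha256(r_a + r_b).digest()
```

Every session key here is protected only by the long-term key K, which is why the slide notes that the protocol gives neither perfect forward secrecy nor key independence.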

15 Authenticated Key Exchange Protocol 2
- Setup: A and B share long-term keys K and K'
- h_K is a keyed hash function
- h'_K' is a keyed one-way function
- Established key: W = h'_K'(r_B)

16 Shamir's No Key Algorithm
- Setup: p is public, key K is transmitted over a public channel without authentication

17 Needham-Schroeder Public Key Protocol
- P_A and P_B denote public keys; A and B distribute keys k_1 and k_2

18 Key Transport: Combining Public Key Encryption and Digital Signature
- Encrypting signed keys
  - A → B: P_B(k, t_A, S_A(B, k, t_A))
  - Problem: data for encryption is too large
- Encrypting and signing separately
  - A → B: P_B(k, t_A), S_A(B, k, t_A)
  - Acceptable only if no information regarding plaintext data can be deduced from the signature
- Signing encrypted keys
  - A → B: t_A, P_B(A, k), S_A(B, t_A, P_B(A, k))
  - Can provide mutual authentication with two messages (timestamps) or three messages (challenge-response)

19 Key Agreement: Diffie-Hellman Protocol
- Key agreement protocol: both A and B contribute to the key
- Setup: Z_n, n prime and g generator; n and g public.

20 Authenticated Diffie-Hellman

21 MTI
- a and b are the private keys of A and B
- Secure against passive attacks only
- Provides mutual (implicit) key authentication but neither key confirmation nor entity authentication

22 Station-to-Station (STS)
- Provides mutual entity authentication

23 Summary
- Key establishment: transport and agreement
- Symmetric encryption based and public key encryption based
- Authentication, replay prevention desired.

24 NETWORK PROTOCOLS

25 Before Securing a Protocol…
- Understand what it does
- Define what the security goals are
- Define what the attacker model is
- Understand/examine the environment in which the protocol will be used

26 OSI/ISO Model

27 Internet Protocol - IP
- IP is the current delivery protocol on the Internet, between hosts.
- IP provides 'best effort', unreliable delivery of packets.
- There are two versions:
  - IPv4 is the current routing protocol on the Internet
  - IPv6, a newer version, still not totally embraced by the community

28 Transport Protocols
- Provide communication between processes running on hosts
- The most common transport protocols are UDP and TCP.
- OS provides support for developing applications on top of UDP and TCP.

29 Establishing a "Secure Channel"
- Services provided: confidentiality, integrity and authentication
- At what level in the stack?
- What are the advantages and disadvantages based on the level?
- Two protocols: SSL (TLS) and IPSec.

30 IPSEC

31 What is IPSec?
- Set of security mechanisms to protect the IP protocol
- Flexible: supports combinations of authentication, integrity, access control, and confidentiality
- IETF IPSEC Working Group: http://www.ietf.org/html.charters/ipsec-charter.html
- Documented in RFCs and Internet drafts

32 IPv4 Header

33 IPv6 Header

34 IPSec Overview
- Transparent to applications (below the transport layer (TCP, UDP))
- Facilitates direct IP connectivity between sensitive hosts through untrusted networks
- Provides:
  - access control
  - integrity
  - data origin authentication
  - rejection of replayed packets
  - confidentiality
- Provides application-independent security
- No substitute for application layer security!
- No protection against traffic analysis attacks!

35 Putting it all together
- Authentication mechanisms
- Encryption algorithms
- Key management

36 IPSec Documents
- RFC 2401: An overview of security architecture
- RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
- RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
- RFC 2408: Specification of key management capabilities

37 IPSec Features
- Interoperable router and end-system implementations
- Provides separation between authentication and confidentiality
- Algorithm-independent design, but standard default algorithms are specified
- Key management protocol separate from IP security protocol
- Both IPv4 and IPv6 supported

38 Security Mechanisms
- Authentication Header (AH): provides integrity and authentication without confidentiality
- Encapsulating Security Payload (ESP): provides confidentiality and can also provide integrity and authentication
- Operates based on security associations
- Tunnel mode: encapsulates an entire IP datagram
- Transport mode: encapsulates an upper-layer protocol (e.g. TCP or UDP) and prepends an IP header in clear

39 Security Associations (SA)
- A relationship between a sender and a receiver.
- Identified by three parameters:
  - Security Parameter Index (SPI)
  - IP Destination address
  - Security Protocol Identifier
- Established through the key management protocol, outside the IP security protocol
- SPI + IP destination address uniquely identifies a particular Security Association
- SAs are unidirectional; the sender supplies the SPI to the receiver

40 Parameters of a Security Association
- Authentication algorithm and mode for AH
- Encryption algorithm, algorithm mode, initialisation vector, and transform for ESP
- Key(s) and key lifetimes used with ESP and AH
- Lifetime of the Security Association
- Authentication algorithm with ESP (if used)
- Sensitivity level of protected data

41 Authentication Header
- Provides support for data integrity and authentication (MAC code) of IP packets.
- Guards against replay attacks.
- Integrity and data source authentication provided using HMAC (requires a secret key shared between source and destination)
- Non-repudiation can be provided if using digital signatures

42 AH Authentication: Transport Mode

43 AH Authentication: Tunnel Mode
- The new IP header contains different IP addresses than the ultimate destination and source

44 Encapsulating Security Payload
- ESP provides confidentiality services

45 ESP Encryption and Authentication: Transport Mode

46 ESP Encryption and Authentication: Tunnel Mode

47 Cryptographic Algorithms
- Encryption:
  - Three-key triple DES
  - RC5
  - IDEA
  - Three-key triple IDEA
  - CAST
  - Blowfish
- Authentication:
  - HMAC-MD5
  - HMAC-SHA-1

48 Defending Against Replay Attacks
- Based on the sequence number (32 bits) carried in every packet
- For every packet the sequence number is incremented
- The receiver maintains a window (32 or more); the window is moved only when received packets are verified: "packets are authenticated and sequence number is in the window"
- Duplicates are rejected!

49 Key Management
- Manual
- Automated
- Oakley Key Determination Protocol
- Internet Security Association and Key Management Protocol (ISAKMP)
- Internet Key Exchange (IKE)
- Oakley:
  - Digital signatures
  - Public-key encryption
  - Symmetric-key encryption

50 Transport vs. Tunnel Mode (columns: Transport, Tunnel)

51 IPSec in Action (1)

52 IPSec in Action (2)

53 IPSec in Action (3)

54 Summary
- IPSec defines flexible security mechanisms for IP: integrity, data source authentication, confidentiality, and limiting replay attacks.

55 Next Lecture…
- Secure communication protocols: SSL

