Practical Aspects of Lecture 10: Modern Cryptography IPSEC and Crypto Politics
Josh Benaloh & Brian LaMacchia
But First...We Need to Vote IPSEC
! Two choices for the final project schedule: ! IPSEC = IP (Internet Protocol) Security ! Option 1: ! Suite of protocols that provide encryption, integrity and authentication services for IP ! Tuesday, March 19 @ UW EE1-003 packets ! Thursday, March 21 @ Redmond (room TBD) ! Mandatory-to-implement for IPv6, optional (but ! Option 2: available) for IPv4 ! Tuesday, March 19 @ Redmond (room TBD) ! Consists of two main components: ! Thursday, March 21 @ UW EE1-003 ! IPSEC proper (encryption & auth of IP packets) ! Which do you prefer? ! IPSEC key management
Practical Aspects of Modern Cryptography 3 March 12, 2002 Practical Aspects of Modern Cryptography 4 March 12, 2002
IPSEC Operation IPSEC Protection Protocols
! Provides two modes of protection ! Authentication Header (AH) ! Tunnel Mode ! Authenticates payload data ! Transport Mode ! Authenticates network header ! Protection protocols ! Gives anti-replay protection ! Authentication and Integrity (AH) ! Encapsulated Security Payload (ESP) ! Confidentiality (ESP) ! Encrypts payload data ! Replay Protection ! Authenticates payload data ! Gives anti-replay protection
Practical Aspects of Modern Cryptography 5 March 12, 2002 Practical Aspects of Modern Cryptography 6 March 12, 2002
1 Authentication Header (AH) IPSEC Authentication Header (AH) in Transport Mode ! Authentication is applied to the entire packet, with the mutable fields in the IP header Orig IP Hdr TCP Hdr Data zeroed out Insert ! If both ESP and AH are applied to a packet, Orig IP Hdr AH Hdr TCP Hdr Data AH follows ESP
Integrity hash coverage (except for mutable fields in IP hdr)
Next Hdr Payload Len Rsrv SecParamIndex Seq# Keyed Hash
AH is IP protocol 51 24 bytes total
Practical Aspects of Modern Cryptography 7 March 12, 2002 Practical Aspects of Modern Cryptography 8 March 12, 2002
IPSEC AH in Tunnel Mode Encapsulated Security Payload (ESP)
Orig IP Hdr TCP Hdr Data ! Must encrypt and/or authenticate in each packet ! Encryption occurs before authentication
IP Hdr AH Hdr Orig IP Hdr TCP Hdr Data ! Authentication is applied to data in the IPSEC header as well as the data contained Integrity hash coverage (except for mutable new IP hdr fields) as payload
New IP header with source & destination IP address
Practical Aspects of Modern Cryptography 9 March 12, 2002 Practical Aspects of Modern Cryptography 10 March 12, 2002
IPSEC ESP in Transport Mode IPSEC ESP in Transport Mode
Orig IP Hdr TCP Hdr Data Insert Append Orig IP Hdr TCP Hdr Data Orig IP Hdr ESP Hdr TCP Hdr Data ESP Trailer ESP Auth Insert Append Usually encrypted Orig IP Hdr ESP Hdr TCP Hdr Data ESP Trailer ESP Auth integrity hash coverage Usually encrypted
integrity hash coverage SecParamIndex Seq# InitVector Keyed Hash
22-36 bytes total Padding PadLength NextHdr ESP is IP protocol 50 Practical Aspects of Modern Cryptography 11 March 12, 2002 Practical Aspects of Modern Cryptography 12 March 12, 2002
2 IPSEC ESP Tunnel Mode IPSEC Key Management
! IPSEC Key Management is all about Orig IP Hdr TCP Hdr Data establishing and maintaining Security Associations (SAs) between pairs of communicating hosts IPHdr ESP Hdr IP Hdr TCP Hdr Data ESP Trailer ESP Auth
Usually encrypted
integrity hash coverage
New IP header with source & destination IP address
Practical Aspects of Modern Cryptography 13 March 12, 2002 Practical Aspects of Modern Cryptography 14 March 12, 2002
Security Associations (SA) Internet Key Exchange (IKE)
! New concept for IP communication ! Phase I ! SA not a “connection”, but very similar ! Establish a secure channel(ISAKMP SA) ! Establishes trust between computers ! Authenticate computer identity ! If securing with IPSEC, need SA ! Phase II ! ISAKMP protocol negotiates security parameters ! Establishes a secure channel between computers according to policy intended for the transmission of data (IPSEC ! Manages cryptographic keys and lifetime SA) ! Enforces trust by mutual authentication
Practical Aspects of Modern Cryptography 15 March 12, 2002 Practical Aspects of Modern Cryptography 16 March 12, 2002
ISAKMP/OAKLEY ISAKMP/OAKLEY (2)
! Merge of two key management protocols ! What’s used today is a combination ! ISAKMP: Internet Security Association and Key ! ISAKMP provides the protocol framework Management Protocol ! OAKLEY provides the security mechanisms ! NSA-designed protocol to exchange security parameters (but not establish keys) ! OAKLEY ! Diffie-Hellman based key management protocol
Practical Aspects of Modern Cryptography 17 March 12, 2002 Practical Aspects of Modern Cryptography 18 March 12, 2002
3 Main Mode Main Mode (Pre-shared Key)
! Main mode negotiates an ISAKMP SA which will be used to create IPSEC SA
! Three steps Initiator Responder ! SA negotiation Header, SA Proposals ! Diffie-Hellman and nonce exchange Header, Selected SA Proposal
! Authentication Header, D-H Key Exchange, Noncei Header, D-H Key Exchange, Noncer
Encrypted
Header, Idi,Hashi Header, Idr,Hashr
Practical Aspects of Modern Cryptography 19 March 12, 2002 Practical Aspects of Modern Cryptography 20 March 12, 2002
Main Mode (Kerberos) Main Mode (Certificate)
Initiator Responder Initiator Responder
Header, SA Proposals Header, SA Proposals Header, Selected SA Proposal Header, Selected SA Proposal
Header, D-H Key Exchange, Nonce , i Header, D-H Key Exchange, Noncei Kerberos Tokeni Header, D-H Key Exchange, Noncer, Header, D-H Key Exchange, Kerberos Tokenr Noncer,Certificate Request Encrypted Encrypted Header, Id ,Hash i i Header, Idi, Certificatei, Signaturei, Header, Idr,Hashr Certificate Request Header, Idr, Certificater, Signaturer
Practical Aspects of Modern Cryptography 21 March 12, 2002 Practical Aspects of Modern Cryptography 22 March 12, 2002
Quick Mode Quick Mode Negotiation
! All traffic is encrypted using the ISAKMP Security Association
! Each quick mode negotiation results in two Initiator Responder IPSec Security Associations (one inbound, Encrypted one outbound) Header, IPSec Proposed SA Header, IPSec Selected SA
Header, Hash
Header, Connected Notification
Practical Aspects of Modern Cryptography 23 March 12, 2002 Practical Aspects of Modern Cryptography 24 March 12, 2002
4 How It All Fits Together IPSEC Bundling/Wrapping
Transport ! Multiple IPSEC transforms may be wrapped Tunnel successively around a single IP datagram ! Example: IPSEC transport sent over an IPSEC tunnel
Practical Aspects of Modern Cryptography 25 March 12, 2002 Practical Aspects of Modern Cryptography 26 March 12, 2002
Sending in Transport Mode Sending in Tunnel Mode
Application IPSec IP IP IPSec Transport Physical Physical IP IPSec
Physical Application Physical IP IPSec TCP Data
Application Application Physical IP IPSec TCP IP IPSec TCP Data Data
Outer Inner Application Physical IPSec IPSec TCP IP IP Data
Practical Aspects of Modern Cryptography 27 March 12, 2002 Practical Aspects of Modern Cryptography 28 March 12, 2002
Receiving in Tunnel Mode Receiving in Transport Mode
Application IPSec IP IP IPSec Transport Physical Physical IPSec IP
Physical Outer Inner Application Physical IPSec IPSec TCP IP IP Data
Application IP IPSec TCP Application Data Physical IP IPSec TCP Data
Application Physical IP IPSec TCP Data
Practical Aspects of Modern Cryptography 29 March 12, 2002 Practical Aspects of Modern Cryptography 30 March 12, 2002
5 What is Network Address Translation NATs Rewrite Address/Port (NAT) ? Pairs ! Network Address Translation (NAT) User Kernel TCPIP.SYS IPNAT.SYS Translation Table ! Dynamically modifies source address S 10.0.0.2 S 10.0.0.2 10.0.0.2, 1185, 23 =172.31.249.14 D 131.107.1.7 D 131.107.1.7 Kernel mode 10.0.0.3, 1185, 23 =172.31.249.14 ! Dynamically recomputes interior UDP/TCP firewall hook checksums S 172.31.249.14 S 172.31.249.14 D 131.107.1.7 D 131.107.1.7 ! Port Address Translation (PAT) ! Dynamically modifies TCP/UDP source address and port ! Dynamically recomputes interior UDP/TCP checksums
Practical Aspects of Modern Cryptography 31 March 12, 2002 Practical Aspects of Modern Cryptography 32 March 12, 2002
IPSEC AH and NAT IPSEC ESP and NAT
! Change in address or port will cause message ! Can change IP header in special cases only integrity check to fail ! Special TCP/UDP ignores pseudo header used in ! Packet will be rejected by destination IPSEC checksum calculation ! AH cannot be used with NAT or PAT devices ! Port information encrypted! ! Can’t change ESP header because integrity hash coverage Orig IP Hdr AH Hdr TCP Hdr Data
Message Integrity Check coverage (except for mutable fields) Orig IP Hdr ESP Hdr TCP Hdr Data ESP Trailer ESP Auth
encrypted
integrity hash coverage
Practical Aspects of Modern Cryptography 33 March 12, 2002 Practical Aspects of Modern Cryptography 34 March 12, 2002
Why Talk About Crypto Politics?
! You can’t really avoid the political aspects of crypto, especially if you’re trying to ship a The Politics of Crypto product that depends on good crypto ! In the past, the regulations have been so complex & time consuming that companies had dedicated individuals/departments for dealing with regs. ! Often public pronouncements don’t match reality ! Just because a government body says “crypto is freely exportable” doesn’t make it so
Practical Aspects of Modern Cryptography 36 March 12, 2002
6 Topics in Crypto Politics Caveats...
! I’m going to present a U.S.-centric view of ! Export controls the issues ! Key Escrow ! Each country deals differently with these issues, ! Patents but the U.S. typically leads in this policy area ! Copyright ! These are national issues – nation-states are still important to the discussion ! Much of what we have learned about the history of export controls has come from FOIA requests ! The government doesn’t like to give answers...
Practical Aspects of Modern Cryptography 37 March 12, 2002 Practical Aspects of Modern Cryptography 38 March 12, 2002
Export Controls Export Controls “Should the export of cryptographic software ! Question 1: from the U.S. be restricted? If not, why not? If so, why and to what degree?” “Should the export of cryptographic software from the U.S. be restricted? If not, why not? If so, why and to what degree?” ! For the next 2-3 minutes, think about how you would individually respond to this Discuss. question. ! You might find it helpful to organize your thoughts into “pros” and “cons” ! Just brainstorm for the next few minutes...
Practical Aspects of Modern Cryptography 39 March 12, 2002 Practical Aspects of Modern Cryptography 40 March 12, 2002
Export Controls Export Controls
! Question 1: ! OK, now that you’ve thought about it a bit, talk with your neighbors and see what they “Should the export of cryptographic software came up with... from the U.S. be restricted? If not, why not? If so, why and to what degree?”
Discuss.
Practical Aspects of Modern Cryptography 41 March 12, 2002 Practical Aspects of Modern Cryptography 42 March 12, 2002
7 Export Controls Export Controls in the U.S.
! Question 1: ! In the beginning, cryptographic hardware and software were considered “munitions” by the “Should the export of cryptographic software U.S. government. from the U.S. be restricted? If not, why not? ! Export of crypto was covered by the same set of If so, why and to what degree?” regulations that covered the export of other munitions, like nuclear weapons, missiles, and the equipment that is used to make them Discuss. ! These regulations were known as ITAR (International Traffic in Arms Regulations).
Practical Aspects of Modern Cryptography 43 March 12, 2002 Practical Aspects of Modern Cryptography 44 March 12, 2002
Export Controls (cont.) Crypto Export/Import Controls
! The export of cryptography is currently ! Under ITAR, all exports of crypto required a license restricted by the U.S. BXA (Commerce Dept. Bureau of Export Administration) ! If you were exporting “weak crypto” you could get a license. ! Until January 2000, couldn’t export symmetric ciphers using keys > 56 bits in length. ! “Strong crypto” couldn’t be exported at all. ! Jan 2000: Clinton administration rewrote the ! “Crypto with a hole” couldn’t be exported regulations either. ! “ITAR” became “EAR”, and the regulations ! The distinction between “weak” and “strong” got a bit “looser” but they still exist was generally based on bit-length of the secret key or public key modulus ! You can (generally speaking) export “strong crypto” without a specific product license Practical Aspects of Modern Cryptography 45 March 12, 2002 Practical Aspects of Modern Cryptography 46 March 12, 2002
Current Export Regulations Example: Windows XP
! “Monolithic applications” can export strong ! Windows XP ships with “strong crypto” cryptography in binary form simply by bakedin&enabled sending the BXA a piece of e-mail ! RSA to 4096 bits, TripleDES, etc. ! Example: secure e-mail client, web browser ! Windows XP is exportable because it’s a ! “Crypto libraries” can be exported under an “monolithic application” “open source” exemption, if they qualify ! CryptoAPI, the Win32 crypto library that was ! “Crypto with a hole” in commercial products designed to support plug-able “cryptographic is still tightly controlled service providers” is not freely exportable ! If you want to plug into CryptoAPI, you need a license... Practical Aspects of Modern Cryptography 47 March 12, 2002 Practical Aspects of Modern Cryptography 48 March 12, 2002
8 The Regs are Still Ambiguous .NET FX Crypto Object Model
! Inthe.NETFramework,wehaveaclass Abstract Base Class Symmetric library for cryptography… Algorithm ! It took BXA (really, NSA) 18 months to tell us what the rules were regarding export of our class library… Abstract Algorithm TripleDES Rijndael RC2 Classes
Algorithm TripleDESCrypto Rijndael RC2Crypto Implementation ServiceProvider Managed ServiceProvider Classes (CryptoAPI) (C#) (CryptoAPI)
Practical Aspects of Modern Cryptography 49 March 12, 2002 Practical Aspects of Modern Cryptography 50 March 12, 2002
The Regs are Still Ambiguous More Export Control Stories
! In the .NET Framework, we have a class library for cryptography… ! Bruce Schneier and the first edition of Applied Cryptography ! It took BXA (really, NSA) 18 months to tell us what the rules were regarding export of our class ! Phil Karn’s attempt library… ! Dan Bernstein’s attempt ! We could open up & let people subclass the bottom ! http://www.eff.org/bernstein/ abstract classes (like RSA) without a license ! Matt Blaze and the “fancy gun” ! Opening up AsymmetricAlgorithm was not allowed without an explicit license ! http://www.frogtown.com/pipermail/funny/1996 -January/000150.html ! Solution? Open source the code! ! Phil Zimmermann and PGP 1.0
Practical Aspects of Modern Cryptography 51 March 12, 2002 Practical Aspects of Modern Cryptography 52 March 12, 2002
Key Escrow Key Escrow
! The general topic of “key escrow” is about ! There are no legitimate cases (at least from a commercial perspective) for archival of secret archiving copies of private keys with third session keys. parties. ! If the data didn’t get transmitted correctly during the ! This is also sometimes called “key archival” session, send it again ! When the government is the archive, this is ! Governments care about session encryption key GAK (Government Access to Keys) recovery ! There are legitimate cases where you might ! Want to preserve their wiretapping capabilities need a key escrow scheme ! Government spent a lot of time trying to convince businesses that the needs of stored data recovery & ! Stored data recovery in case of session key recovery were the same accident/loss/termination of employment
Practical Aspects of Modern Cryptography 53 March 12, 2002 Practical Aspects of Modern Cryptography 54 March 12, 2002
9 Key Escrow Key Escrow
! Question 2: ! Again, brainstorm on your own for 2-3 minutes, then discuss for a few minutes with “Should a national government have the right to demand encryption keys from citizens when (a) they your neighbors. are suspects in a criminal investigation, or (b) in cases of `national security’? If not, why not? If so, what procedures should the government have to follow to obtain the keys?” “Have your feelings changed post-9/11?” Discuss.
Practical Aspects of Modern Cryptography 55 March 12, 2002 Practical Aspects of Modern Cryptography 56 March 12, 2002
Key Escrow Digital Telephony
! Question 2: ! In the U.S., the digitization of the nation’s telephone system was seen by law “Should a national government have the right to demand encryption keys from citizens when (a) they enforcement as a threat to their ability to are suspects in a criminal investigation, or (b) in conduct wiretaps cases of `national security’? If not, why not? If so, ! In the analog world, you just go tap a pair of what procedures should the government have to wires follow to obtain the keys?” ! In the digital world, you need to sift out the right “Have your feelings changed post-9/11?” bits from the optical fiber. Discuss. ! Evenifyoufindthebits,theycouldbe encrypted!
Practical Aspects of Modern Cryptography 57 March 12, 2002 Practical Aspects of Modern Cryptography 58 March 12, 2002
Digital Telephony & CALEA ! U.S. Congress response to law enforcement was to pass laws mandating that telephone companies guarantee wiretap access to their customers’ communications The Clipper Chip ! Communications Assistance for Law Enforcement Act (CALEA), Oct. ’94 ! FBI said $150M-$500M in ’92-94 ! Industry said cost would be $3B in ’94 ! As of ’98, est. $8B/year, $12M per wiretap ! CALEA still isn’t a reality (cost, tech difficulty) ! CALEA doesn’t help if the bits themselves are encrypted! FBI needed something else…
Practical Aspects of Modern Cryptography 59 March 12, 2002
10 The Clipper Chip How Clipper Worked
! Clipper was implemented in a tamper-resistant ! US Government attempt to “stimulate” the hardware device (a single chip) market for “voluntary” key escrow ! Each chip was numbered and had a separate per-chip equipment secret that was also held by a “trusted agency” (read: US ! Contracted w/ AT&T to produce “Clipper Gov’t) phones” for government use ! Per-session keys were encrypted with a Clipper ! Phones would also be available for non- family key and the per-chip key, and sent along as government use part of the data stream ! Encryption keys could be accessed through the ! Someone listening in on the conversation would see “Law Enforcement Access Field” (LEAF) in the enough information to identify the chip used to protocol encrypt, find the per-chip key, and recover the session key Practical Aspects of Modern Cryptography 61 March 12, 2002 Practical Aspects of Modern Cryptography 62 March 12, 2002
How Clipper Worked (2) Clipper in Operation
! 128-bit LEAF contains session key encrypted ! Other party & third-party decrypt LEAF with with family and per-chip keys the family key 32 bits 80 bits 16 bits ! Both parties check the checksum to detect bogus LEAF ! Encr ChipID Encr Session Key Checksum Bogus LEAF " chip turns off, refuses to F C decrypt ! Third party looks up chip key in DB to decrypt session key
Key DB
Practical Aspects of Modern Cryptography 63 March 12, 2002 Practical Aspects of Modern Cryptography 64 March 12, 2002
Clipper Weaknesses Opposition to Clipper
! The 80-bit session key was too small ! Opposition to Clipper was widespread ! The symmetric cipher (SKIPJACK) was ! The US Gov’t proposed it as the federal Escrowed classified; no public scrutiny Encryption Standard and rammed it through NIST into FIPS185inFeb’94 ! Later, a “panel of outside experts” was allowed to ! During the public comment period, 300 comments look at it for a day received, only 2 supported it ! Even later, after Clipper failed, SKIPJACK was ! No one bought Clipper declassified ! AT&T shut down its product line, offered leftover ! 16-bit checksum could be defeated (Blaze ’94) phones to employees to get rid of them ! Oddly, the proposal probably did more to galvanize ! ChipID tagged every single communication the strong-crypto community than anything else
Practical Aspects of Modern Cryptography 65 March 12, 2002 Practical Aspects of Modern Cryptography 66 March 12, 2002
11 Patents
! Crypto has a long, involved history with the US Patent Office ! The RSA patent was one of the first (if not *the* first) “algorithm” patent ! You can’t actually patent an algorithm, so RSA patented every type of machine/embodiment that implemented the algorithm ! For 17 years, RSA was patented in the US, but freely available overseas
Practical Aspects of Modern Cryptography 67 March 12, 2002 Practical Aspects of Modern Cryptography 68 March 12, 2002
Copyright Copyright & DRM
! More recently, cryptography has become an ! Digital Rights Management (DRM) technologies issue in the area of copyright. limit access to digital intellectual property. ! Why? ! Example: A DRM-protected e-book might let you read the book only a fixed number of times. ! The rise of digital rights management (DRM) ! Example: A DRM-protected streaming audio player systems, all of which are based on strong could charge you based on bandwidth & content. crypto. ! Major issues: ! Breakthecrypto,breaktheDRM… ! How restrictive can a DRM be? ! How restrictive should aDRMbe? ! How do DRMs interact with “fair use” and other copyright rights reserved to the public?
Practical Aspects of Modern Cryptography 69 March 12, 2002 Practical Aspects of Modern Cryptography 70 March 12, 2002
Digital Millennium Copyright Act Anti-Circumvention Measures (DMCA) ! The DMCA made it a crime to circumvent a ! Characterized by proponents as a “small, “technological measure that effectively controls technical” change to US copyright law access to a work” ! “A technological measure ‘effectively controls access to ! In reality, made major, sweeping provisions to a work’ if the measure, in the ordinary course of its the rules regarding digital content operation, requires the application of information…with ! Incorporated into U.S. law at 17 USC 1201 the authority of the copyright owner, to gain access to et. sec. the work. ! Limited exemptions for ! “No person shall circumvent a technological measure that effectively ! Encryption research controls access to a work protected under ! Reverse-engineering computer programs for [copyright]…” interoperability. Practical Aspects of Modern Cryptography 71 March 12, 2002 Practical Aspects of Modern Cryptography 72 March 12, 2002
12 DMCA cases/issues (1) DMCA cases/issues (2)
! DeCSS ! CPHack ! DVDs are encrypted. In order to play a DVD, a ! CyberPatrol (owned by Mattel, Inc.) is your licensed DVD play must first authenticate to the typical “parental filter” for web browsers DVD disk. ! CP’s list of banned web sites is encrypted (using ! DeCSS is a program that removes/bypasses the a secret algorithm) as part of the program encryption, allowing the DVD to be played on an ! Jansson & Skala figured out how to break the “unlicensed” player, such as a Linux box. encryption scheme (in a very nice piece of ! MPAA sued, claiming DCMA violations cryptanalysis) ! Upheld in NY ! They write a program, CPHack, which shows you the list of banned sites on your copy of CP. ! Mattel sues Practical Aspects of Modern Cryptography 73 March 12, 2002 Practical Aspects of Modern Cryptography 74 March 12, 2002
DMCA cases/issues (3) DMCA cases/issues (4)
! SDMI (Felten v. RIAA) ! bnetd ! DMCAwasusedtothreatenanacademicgroup ! Blizzard Entertainment (a game software that successfully broke a number of proposed company) puts out a beta test of Warcraft III watermarking technologies (at least one of which ! W3 talks to Blizzard servers for on-line is being used in commercial product) multiplayer games ! The Blizzard servers authenticate software copies when the user logs in (looking for infringing copies...) ! The servers were slow, so some enterprising folks reverse-engineered the protocol and started running their own servers (bnetd servers) Practical Aspects of Modern Cryptography 75 March 12, 2002 Practical Aspects of Modern Cryptography 76 March 12, 2002
DMCA cases/issues (4 cont)
! Blizzard threatened the authors of bnetd with a DMCA complaint ! They claimed that because bnetd doesn’t implement the CD auth protocol, it facilitates infringement ! bnetd folks pulled the software
Practical Aspects of Modern Cryptography 77 March 12, 2002
13