Securing 7 Layers of Insecurity

DeepSec Vienna 2007 7 Layers of Insecurity . ity r cu

s s

Se k to a r s e e's r k e o n eal a o ca ad w t d h f R r spe

-gr e o t

” y r N g muc e. gua us o

a e j it s f e ibl il a litt t a

s ol a m th This eakin i e v 3 i pos w

5 r nt S d to s

us d e e r P e

ly Sp ption. e l W inc ne t y al “

a r

V swor

s u

the -- a t rtu i

enc r pa

h i V



V C DeepSec Vienna 2007 7 Layers of Insecurity r om .c owing n unte de ung) r t foll i r e w

mons rbe on) t i a t a unde ite c k Be om i i be if n or r e a a ec t be w l

od ri r v N s h i i m ha st P t ye uc th V a or a e f Au nz ( n und be - e Ma ,

ify orbe ng t o nc n ze d n 3 v u o e

cr z 5 i ite e Li als nna ic tia rde e r l t mo e (

e s

ht i w. d e Nut c V a

rbr e lbe us ba nd , m e e le l e a a l v

s Re nc a ww S i m

nnt we s e e ie r , te ngs r r r r zt, rc rz e na f fe bu e nig p:// i e o if r me nut t raini r f n: Ei unde

it unte n ge is T ge htt om be

e n Pfe omm d / d

i c d be t s I k e , e r

v né e 7 f ht r t work Ar 0 f c e e e r ngunge

Re us s 0 i ng an mus non v v , i h y i i ni s d t n müs l t t a re 2 or

e e a a f r ür ul g

s fk it da

f Be : v v e i hor or a ri ri n b nt fre be r K ght e y

De Only Nur De Aut Aut m ri

Ar y e

m Cons nde e . e

e e

ha p e s .T

e a o lge ou ma

o o N a Di f Mic C. Y Som

  C DeepSec Vienna 2007 7 Layers of Insecurity N s P k V r -

o 3 5 w t e N

e es t i a g v 7 3 i 0

5 r olo 0

n 2 r P r

e e l

b da t ttac a

ech

m p

A T

e u en

v a t   g

o r

h i N A

V C DeepSec Vienna 2007 7 Layers of Insecurity . acy N v P V -

Pri 3 5 al s e irtu i g f V o o l o

7 n ays 0 h 0

W 2 c r

e e b us

m io

v N

P N V

 V DeepSec Vienna 2007 7 Layers of Insecurity . N P V - IPv6

3 4/ 5 ) IPv c r e s fo

P I ty (

ri 7 y

0 t i 0 r

r u e

b c

m e

ative Secu ative

N N

P ©

 I DeepSec Vienna 2007 7 Layers of Insecurity acks N P f IPv6 V - o

IPv4 3

lay att 5 art ) n ep ers c with y p e ov r m r atio n c s d o to sed P fro ti I

u ec ( n da n

ca o i 7 y an ti IPs 0 t be i 0 f m r ent 2 ectio r grity vali

e th cryp n o

b te c u

n e

Prot I A En e

sec can sec is sec is S    esig 

P P

N D I I

P ©    I DeepSec Vienna 2007 7 Layers of Insecurity SP) ad (E n N n ) P y t V aylo H -

atio P 3 gri c 5 (A ti te ticatio er rity n en en s th ead th l ss i e o h l Secu au au

n n c n n i o o o o i ti t 7 ig ti 0 r o 0 lating ca ect r i

2 r grity & P su e nn cryp

b te ent o ata o c m n

I En D C e

th e cap v

    u

o S

N En A

P © 

 I DeepSec Vienna 2007 7 Layers of Insecurity er ead N P V d h -

3 5 an ay ad ad o o yl yl atew e -g d pa pa s d e -to 7 de d ted ted 0 -en o 0 o

2 m r -to ort mo M e teway d cryp cryp

b el

sp c m Ga En En En

e nn v

   

o ran

u S

N T T

P © 

 I DeepSec Vienna 2007 7 Layers of Insecurity s er E) met ) a N P ar V e (IK -

(SA 3 n n 5 ng o o a tiated i i t hare p o at s a i i s g keys c t oc n & n o i i e neg ss s s ey Exch o b A s p m

7 key y to 0 l A t

et K ith ed r 2 n y ua

r ds uri r t o

e i ect

b g

te r ee l m n

n u I Man Sec A e

v c     o

o e N SA C

 S DeepSec Vienna 2007 7 Layers of Insecurity t ey ) en OI d K em D ) an ag E n KMP) o K I ti ( N a

man (IPSEC P I d e V ci (ISA - l O g e 3 an so D n 5 d co e y s a t As g to C h Mo ri c an e ity e Pro r x v RF

d i ch n E cu nt

i Secu ex y

ess r e 7 sed g 0 eme

0 K et Se et IP o g

2 n n t ag A r r r

e e es key rop

b l E E Main Mo te te n d m K K n n r I I I I Man e

E p e  an   

o t K

N H I

n © 

 I DeepSec Vienna 2007 7 Layers of Insecurity e od kets) m y ex ac l l N e p P

v V ke i - mp li

3 o n s 5 c ess r o r e (few ash ti g ro g r c ta e e h e ag an n n s th

o men P ti e i I e ce

l m a g r r exch 7 u n i 0 u igh fo an

0 o g

i 2

r te- s

e nf in imp iffing

u b k

sec/IKE are very are very sec/IKE r o

m act: h

P c

k: med Sn B C I e

p a v s i    ey exch  u t o

m t N I R K B

 A DeepSec Vienna 2007 7 Layers of Insecurity g N P n V i - l

3 e 5 . n y g n o u l ) T o

P n t T n i P ech o P 7 ( 0

0 - l

2 PN T r o o

e t V

c b

t y

m o

t n v i

o o r N Earl

P P DeepSec Vienna 2007 7 Layers of Insecurity t E n s i -Po e GR o ag t-t n i an 28 bit key E m N 1

P r n V o ® Po - to o

i s 3 6 P h GR P-v2 5 t oft 5 C i A w H ticat ssion en h 40, eer w t se i Micros

th MSC e 1723/T

p o i w n

au v to

tw ft® r via (MPPE)

7 s S C4 r n 0 n n e L 0 so o ink o o v 2 ffe ses l ti ti

si e O o u P-T

cro

ses R P P

m P

U Mi EA Ses PPP e

cryp cryp

v T     

P N En En PPT PPT

 P DeepSec Vienna 2007 7 Layers of Insecurity P-v2 A s CH P/IPsec he st server 2T MS- n

as i L h r ga o

le a N ☺

P with V -

sed 3 PTP 5 IPsec essab tacks ys so t u P e u o at se sa n u s

el : MS s fin se g n s th d i eier i e g an n ath s u n vo m d len k a r PTP 7 u ch e p i a l 0 y P e igh

o e c r 2 y ke r r swo ce Sch

e W grad nt cti u

b p o r a eo ull

m act: h

r P k: med U Pas C F B e

s T p th i     

o m n

P N R I I I

 P DeepSec Vienna 2007 7 Layers of Insecurity l 5. o r c N o P t aye V - o r 3 n L 5 P

t o r g o n i p l p e n Su n N 7 u 0

0 T

2 r

2 e )

r P

m e

e T

v y

ayer 2 ayer 2 o

a N L

L © 

( L DeepSec Vienna 2007 7 Layers of Insecurity ) n 5 r c i ort 1701 ) laye ticatio y C t e (p en A b th N d DP PN traff l (L P r V ntiali u V S) au - r

N s 3 l ho 5 ng fide e s (L fo n in U trato n el l nn 2, n e cen stro co n latio er n nn w o w tu su ay e a tu C i f tu e l es no es no ne rk Server s s v r cap k o 7 r r 0 li e

vid vid 0 o o v 2

s fo etwo cces r r r ks t

e O A b

p p N create

ai itiato

ses en oo m P P P P P

n P

W I L U e

v T    

2T 2T 2T 2T 2T

2 N L L L L L

 L DeepSec Vienna 2007 7 Layers of Insecurity er g t ssen f pa emen n o ag ) N th P i V an 2F - w

m ectio 3 (L

5 n ed g sp in bin er m d s n rwardin l i o es sessio e n co F 7 n 0 fte ay h vid 0 n o l o 2

m P r u r

s e T co b i p Sec el

ayer 2

m P P P

to P L I PPT

nn v

o T   

r 2T 2T o

2 N p T L L

3 irtua 5 it's V t ye

7 ™ 0 0 N

2 n an r P e

b V pe

m n

e v s O

' o

t p

N I

 O DeepSec Vienna 2007 7 Layers of Insecurity n o P ti TT ing H cryp ) SSL gh CP en u N en P nd V - hro a

t w ce or T 3 n 5 e s i pa e on DP xes everyth s v e xi r l er e sed ro ticatio v p us 194 (U ultip O e en n

m is ba t i th

us 7 ™

ort 1 0 ™ ™ 0 ien N ab)

2 (

P es au e

VPN VPN

b V d i an ses p

m n

C U e en

en e v  

o p

N Prov Op Server/cl Op

S ha o L y n T ackets h S, p N d p o P V a D se - r

LS at all ticate u o 3 VPN g 5 pt n en o y , t r all th r p LS y certificates r receive key receive t/enc c key is L/T / n au & i n't start T re fo C d

s ca

ca atu 7 ™ stat n 0 ™

ecryp sen r 0 N g ker

2 o ects SS S key r P

si key e

VPN

b V ttac MAC ata d c /TL

m n

ti PSK A Prot D H e

en e v   MAC   

o p

N Op H SSL Sta

 O DeepSec Vienna 2007 7 Layers of Insecurity t n e n cli A e o C od er c s p e t o fig ates r n c i N f a p P co

0.5)

V ™ -

execu se 2. 3 N sh 5 u u P s certi p

u can V r s o 0.0 to n r i . ates, c e ve 2 c ve p r er ™ s O

N m

t mali 7 u n us i u 0 ™

igh 0 h certificates o b t

nVP 2 i r

s icio e id w eck certifi l

pe VPN b k

a m

act: h c M

k: med Mal (O C V e en

T a v s i    t o

m t N R I Op MI

 A DeepSec Vienna 2007 7 Layers of Insecurity . l e nn u h T t N P V s wi -

n 3 5 ectio n on l C 7 el 0

0 H

2 r S

b S

ure Sh n

e e v

o p

N Sec

 O DeepSec Vienna 2007 7 Layers of Insecurity p s c d r r , o et n n rases el t h in, e Passw tificatio g ds assp o m o N i en P rl d , V - e T eth ith p

3 st i w m rsh 5

ing

o s n d H , On r h I le , S b n key S o si PK r i n places orwa ticatio s, f os e e s o tect p l r en d X ard s s p r 7 l

d el O th 0

0 t C ne ero an d 2

r swo n b t ar f au e n r b o a er

m ure Sh grity pro s K Sm Pas Po e

v H te    

ot C o

S N L I T Sec

N ) P t l V -

3 5 ks with s h k g g c i a attac t t ssin m/h s A u

i si ue y ks (very difficu ks (very 7 H g ed acks 0 al sertion 0 S

d r 2 w in ttac r S att o e

) a y/

b IP a n l m swo act: m M

k: l e e

P/ p T

v s i

ep p C o raffic an

N I T R Pas T MI R

O ©        ( DeepSec Vienna 2007 7 Layers of Insecurity s n o i N t P a V t -

3 n 5 e m e ere. l h p T t m u I

O 7 0 N

0 P 2

V e ey is

r K m

e e

v h

o t

N T

 O DeepSec Vienna 2007 7 Layers of Insecurity PSK d l N P n V an ne o - s

n ti it 3 l n a 5 b o l o i to t su

2/3 tu a 128 t cap n sh i e En wf m P o 7

l e 0 I l 0 orts layer rietary VPN to p 2

r p

e p chi yp m

b I ses B r

n Prop U Su C e

PE N ama     I

P N H tinc vtu C

 V DeepSec Vienna 2007 7 Layers of Insecurity es. . . n cat i o f ms. ti keys N ta erti r P c u V

orith - g

3 men n 5 alg e

e yo l si e g r u imp

en han ecu c s

eck d wh n l 7 3 fu

ow 0 e 5 0

y 2 r

ect an r ays ch

ar e e b w t l se kn e car

m p Prot U B A e

mm v a N . . . .

h P N Su

V C DeepSec Vienna 2007 7 Layers of Insecurity N P V -

3 5 7 u 0 s? 0 o n 2

r Y o

b ti k

m n e es

v a

o h N Qu

 T DeepSec Conference © November 2007

Chapter 53 Virtual Private Networks

 Virtually Speaking of Real Security. D 7

eep L ayers o

“We use military-grade Sec encryption. This just speaks to

the need to safeguard one's Vien f I password with as much care as n secu

possible.” n a 2007 rity -- Vincent Sollitto

99 - Things in Life 1 DeepSec Conference © November 2007

 Some rights reserved / Einige Rechte vorbehalten

 Michael Kafka, René Pfeiffer, Sebastian Mayer C.a.T. Consulting and Trainings, Vienna, Austria

 You may freely use, distribute and modify this work under following D agreement: 7

eep  Diese Arbeit darf frei genutzt, verbreitet und bearbeitet werden unter L

folgenden Bedingungen: ayers o Sec Authors must be referenced (also for modification) Autoren müssen genannt werden (auch bei Bearbeitung)

Vien

Only for non commercial use f I Nur für nichtkommerzielle Nutzung n secu

Derivative work under same licence n

Derivative Arbeit unter selber Lizenz a 2007

http://www.creativecommons.com rity

This presentation is published under the CreativeCommons License which can be viewed in detail on their hompage: http://creativecommons.org/licenses/by-nc-sa/2.0/at/ Read more on http://www.creativecommons.com

You are free:

to Share — to copy, distribute and transmit the work

to Remix — to adapt the work

Under the following conditions: Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Noncommercial. You may not use this work for commercial purposes.

Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

● For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to this web page. ● Any of the above conditions can be waived if you get permission from the copyright holder. ● Nothing in this license impairs or restricts the author's moral rights.

Chapter 53 Virtual Private Networks

 Agenda  Technologies  Attacks D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

VPN Technologies

 Various Ways of Virtual Privacy. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

IP Security (IPsec)

 Native Security for IPv4/IPv6. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

IP Security (IPsec)

 IPsec is mandatory part of IPv6  IPsec can be used with IPv4  Design of IPsec covers D 7

eep  Encryption L ayers o

 Integrity validation Sec  Authentication

Vien  Protection from replay attacks f I n secu n a 2007 rity

IPSec Protocols

 Authentication header (AH)  Connectionless integrity  Data origin authentication D 7

eep  Encapsulating Security Payload (ESP) L ayers o

 Integrity & authentication Sec  Encryption

Vien f I n secu n a 2007 rity

IPSec Modes

 Transport mode  End-to-end  Encrypted payload D 7

eep  Tunnel mode L ayers o

 Gateway-to-gateway Sec  Encrypted payload and header

Vien f I n secu n a 2007 rity

Transport is usually used to secure host-to-host connections. In IPv6 all security and authentication is shifted to the IPsec component. This is the reason why IPsec is mandatory in IPv6. Other protocols such as OSPFv6 or others don't have their own mechanisms for authentication anymore.

Security Association

 Connected points share parameters  Algorithms & keys  Security Association (SA) D 7

eep  SA needs to be negotiated L ayers o

 Internet Key Exchange (IKE) Sec  Manual keying

Vien f I n secu n a 2007 rity

Internet Key Exchange (IKE)

 IKE proposed in RFCs  Internet Security Association and Key Management Protocol (ISAKMP) D 7

 eep Internet IP Security DOI (IPSEC DOI) L ayers o  Handles key exchange and management Sec  IKE Main Mode

 Vien IKE Aggressive Mode f I n secu n a 2007 rity

An architecture for the Internet Key Exchange Protocol

Attacks on IPsec

 Bugs in implementations  IPsec/IKE are very complex  Configuration errors likely D 7

eep  Key exchange in aggressive mode L ayers o

 Sniffing exchange (few packets) Sec  Brute-force the hash

Vien  Risk: medium f I n secu  Impact: high n a 2007 rity

Penetration Testing IPsec VPNs A Cryptographic Evaluation of IPsec Cryptography in Theory and Practice: The Case of Encryption in IPsec IPsec offers “too much” options. This can easily lead to implementation errors that may open doors for attackers. It also increases the possibility for errors in the source code of the IPSec stack. Nevertheless IPSec offers interoperability and a solid encryption with key management provided the administrators created a proper configuration. Mitigation: • Make sure IPsec parametersare fully defined and known to everyone dealing with administration. • Always use encryption and integrity checks (make sure integrity of packets gets really checked). • IPsec endpoints need to be inside DMZs so that decrypted traffic can still be inspected. • Don't use the aggressive mode (also known as quick mode) if possible. • Test the implementation of IPsec you use. Disagreement between developers and standard designers may lead to unpredicted results (see Lost in Translation: Theory and Practice in Cryptography for details).

Point-to-Point Tunneling Protocol (PPTP)

 Early VPN Technology. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

PPTP Overview

 PPTP uses two sessions  PPP link to peer with GRE  Session on 1723/TCP to manage GRE D 7

eep  PPTP offers authentication L ayers o

 Microsoft® MSCHAP-v2 Sec  EAP-TLS

Vien  Encryption via Microsoft® Point-to-Point f I n

Encryption (MPPE) secu n  Uses RC4 with 40, 56 or 128 bit keys a 2007 rity

PPTP proposed in RFC 2637 FAQ on PPTP from Microsoft®

PPTP Weakness

 In theory PPTP is fine  Bruce Schneier says so ☺

 D In practice avoid MS PPTP with MS-CHAP-v2 7

eep  Full key length not used L ayers o

 Passwords use guessable hashes Sec  Control channel attacks against server

Vien  Upgrade path: use IPsec or L2TP/IPsec f I n secu  Risk: medium n a 2007  Impact: high rity

Frequently Asked Questions -- Microsoft's PPTP Implementation (Bruce Schneier's web site) Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) Mitigation: • Avoid Microsoft® PPTP with MS-CHAP v2. • Use a strong password policy and change passwords periodically. • Use IPsec or L2/TP/IPsec

Layer 2 Tunneling Protocol (L2TP)

 Layer 2 VPN Support on Layer 5. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

L2TP Overview

 L2TP creates a tunnel for VPN traffic  Uses encapsulation in UDP (port 1701)  Looks like layer 2, should be layer 5 D 7

eep  L2TP Access Concentrator (LAC) L ayers o

 Initiator of tunnel Sec  L2TP Network Server (LNS)

Vien  Waits for new tunnels f I n secu  L2TP provides no strong authentication n a 2007  L2TP provides no confidentiality rity

Layer 2 Tunnel Protocol (documentation from Cisco) U.S. Patent 5,918,019

L2TP Tunnels

 L2TP provides session management  L2TP is often combined with  IPSec D 7

eep  PPTP L ayers o

 Layer 2 Forwarding (L2F) Sec  Tunnel may hinder inspection of passenger

Vien

protocol f I n secu n a 2007 rity

OpenVPN™

 It's Open and yet it's Virtually Private. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

OpenVPN™ Overview

 OpenVPN™ is based on OpenSSL  Server/client in userspace  OpenVPN™ multiplexes everything D 7

eep  Uses port 1194 (UDP or TCP) L ayers o

 Can (ab)use proxies through HTTP Sec  Provides authentication and encryption

Vien f I n secu n a 2007 rity

OpenVPN™ Cryptography

 Static key  HMAC send/receive key  Data decrypt/encrypt D 7

eep  SSL/TLS keys & certificates L ayers o

 HMAC signature for all VPN packets Sec  Protects SSL/TLS, no DoS, no scanning

Vien  OpenVPN™ can authenticate TLS handshake f I n secu  PSK or static key is used n a 2007  Attacker can't start TLS at all rity

Attacks on OpenVPN™

 MITM with certificates  Valid but malicious certificates  Check certificates, use a proper CA D 7

eep  OpenVPN™ servers push configs L ayers o

 Malicious server can execute code on client Sec (OpenVPN™ 2.0.0 to 2.0.5)

 Vien Risk: medium f I

 n

Impact: high secu n a 2007 rity

Mitigation: • Establish a proper PKI for OpenVPN™ deployment. • Test your OpenVPN™ implementation with test tools and random data.

OpenSSH

 Secure Shell Connections with Tunnel. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

SSH and OpenSSH

 Secure Shell replaces rsh, rlogin, telnet, rcp  TCP tunnels possible  Port and X forwarding D 7

eep  Integrity protection, host identification L ayers o

 Lots of authentication methods Sec  Passwords or keys with passphrases

Vien  Smart Cards, PKI, One Time Passwords f I n secu  Kerberos n a 2007 rity

(Open)SSH Attacks

 Replay/insertion attacks with SSH v1  MITM attacks (very difficult)  Password guessing D 7

eep  TCP/IP attacks L ayers o

 Traffic analysis Sec  Risk: low

Vien  Impact: medium/high f I n secu n a 2007 rity

OpenSSH knows different SSH protocols (v1, v1.5, v2, compatibility modes). SSH v1 has a weakness in its CRC-32 checksumming and may allow insertion attacks. There is also a possibility to stage a MITM attack, but this requires getting the private server host key. SSH can't do anything against TCP/IP attacks or traffic analysis (in terms of volume and addresses used). Mitigation: • Limit access to SSH ports (22/TCP). • Don't allow interactive username/password logins. Use keys with passphrases instead. Further reading: • OpenSSH security information • Detailed Review of SSH

Other VPN Implementations

 The Key is Out There. D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

VPN Implementations

 CIPE  Crypto IP Encapsulation  vtun D 7

eep  Supports layer 2/3 tunnel L ayers o

 Uses Blowfish 128 bit and PSK Sec  tinc

Vien  Hamachi f I n secu  Proprietary VPN tool n a 2007 rity

Chapter 53 VPN

 Summary . Always check implementation. . Use known secure algorithms. D 7

eep . Be careful when using certificates. L ayers o

. Protect and change your keys. Sec

Vien f I n secu n a 2007 rity

Thank You

 Questions? D 7

eep L ayers o Sec

Vien f I n secu n a 2007 rity

99 - Things in Life 28