
IPsec and SSL/TLS
Cryptography 2, Part 2, Lecture 5
Ruben Niederhagen
June 2nd, 2014
department of mathematics and computer science

Cryptography in the TCP/IP stack

Alice                 exchanged between peers              Bob
application layer     application data (HTTP, SMTP...)     application layer
transport layer       session (TCP, UDP, ...)              transport layer
network layer         IP packets                           network layer
data-link layer       frames                               data-link layer
physical layer                                             physical layer

- application layer security (SSH, S/MIME, PGP, ...)
- transport layer security (TLS/SSL, ...)
- network layer security (IPsec, ...)
- data-link layer security (WEP, WPA, WPA2, ...)

Data-Link Layer Security

- encrypt all network packets between network links, e.g., WPA2
- point-to-point security between network interfaces
- transparent encryption and decryption for higher layers
- authentication between endpoints

Network Layer Security

[Figure: Internet, LAN router, ISP router; span labelled "network layer security"]

- encrypt IP packets, main protocol IPsec
- point-to-point security between entities identified by IP addresses, e.g.
  routers, firewalls
- routers encrypt and decrypt unnoticed by higher layers
- authentication of routers to each other

Transport Layer Security

[Figure: Internet, web server, application server; span labelled "transport layer security"]

- encrypt sessions and messages, e.g.
  TLS/SSL
- communication between web browser and server, or email clients and servers
- entities identified by connections, port numbers
- encrypt and authenticate sessions

[Figure: mail server, Internet, mail server; spans labelled "SMTP transport layer security" and "IMAP transport layer security"]

Application Layer Security

[Figure: Internet, mail server, mail server; span labelled "application layer security"]

- add security to standard message formats (e.g. S/MIME)
- for email: entire link between two user mail clients is protected
- authentication of sender and data
- end users have control over their keys (but need to know what they are doing, how to use PKI)
- end-to-end security

Network Layer Security: IPsec

IP packet: IP header | IP data (payload)

IPsec was mandatory for IPv6 and is now optional; optional for IPv4.

IPsec provides cryptographic functionality to protect IP packets:
- packet integrity,
- packet origin authentication,
- confidentiality,
- some traffic flow confidentiality,
- protection against replay attacks.

IPsec protocols
- AH - Authentication Header,
- ESP - Encapsulating Security Payload.

IPsec - crypto algorithms

See RFC 4835

- Encryption: block ciphers in Cipher Block Chaining (CBC) mode.
  Must have:
  • no encryption,
  • AES-CBC with 128-bit keys,
  • TripleDES-CBC (168-bit keys).
- Message authentication/integrity: Hash-based Message Authentication Code (HMAC),
  Must have:
  • HMAC-SHA1-96.
  May have:
  • HMAC-MD5-96.

These are symmetric algorithms, need a pre-shared secret key.

IPsec – Security Associations

- Concept to formalize unidirectional security relationships between two parties.
- Enforce security policy defined in Security Policy Database (SPDB).
- Security Association Database (SADB) contains list of active security associations (SA).

SA parameters:
- sequence number, sequence number overflow,
- anti-replay window,
- AH information: authentication algorithm, key, key lifetime, etc.,
- ESP information: encryption algorithm, key, key lifetime, etc.,
- lifetime of the SA,
- IPsec protocol mode (tunnel, transport, see below),
- maximal packet size.

The Security Policy Database describes how to treat certain IP packets (BYPASS, DISCARD, PROTECT).

Which SA to use for certain traffic is derived from selectors such as
- destination IP address,
- source IP address,
- transport layer protocol,
- source and destination ports.

Most selectors are read off from the IP packet (headers).

A security association can be used
- for one communication direction (bidirectional needs two SAs),
- for AH or ESP; can be combined, e.g. ESP then AH.

SAs are negotiated by public-key mechanisms (see below).

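
Added example (not from the lecture slides): inbound processing for one SA using two of the parameters listed above, the anti-replay window and an HMAC-SHA1-96 authentication key. The class name InboundSA, the 64-packet window, the sample key and the simplified packet layout (SPI, sequence number, payload) are assumptions made for illustration, not the AH/ESP wire format.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # anti-replay window size in packets (assumed value)

class InboundSA:
    """One unidirectional SA: auth key, highest sequence number seen, replay bitmap."""
    def __init__(self, spi, auth_key):
        self.spi, self.auth_key = spi, auth_key
        self.top = 0      # highest authenticated sequence number so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was already accepted

    def icv(self, seq, payload):
        # HMAC-SHA1-96: the 160-bit HMAC-SHA1 tag truncated to its first 96 bits
        msg = struct.pack("!II", self.spi, seq) + payload
        return hmac.new(self.auth_key, msg, hashlib.sha1).digest()[:12]

    def receive(self, seq, payload, tag):
        """Return 'accept', 'replay' or 'bad-icv' for one inbound packet."""
        if seq == 0 or seq + WINDOW <= self.top:
            return "replay"                      # left of the window: too old
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return "replay"                      # inside the window, already seen
        if not hmac.compare_digest(tag, self.icv(seq, payload)):
            return "bad-icv"                     # forged or corrupted: window untouched
        if seq > self.top:                       # advance the window only after the ICV check
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"

def demo():
    key = b"constructed-demo-key"                # constructed sample key
    sender = InboundSA(0x1001, key)              # used only to compute sender-side ICVs
    rx = InboundSA(0x1001, key)
    results = []
    # constructed traffic: in order, reordered, duplicate, big jump, stale packet
    for seq, data in [(1, b"a"), (3, b"c"), (2, b"b"), (3, b"c"), (200, b"x"), (100, b"old")]:
        results.append(rx.receive(seq, data, sender.icv(seq, data)))
    results.append(rx.receive(201, b"forged", b"\x00" * 12))
    results.append(rx.receive(201, b"y", sender.icv(201, b"y")))
    return results
```

The window moves only after the ICV verifies, so a forged packet with a large sequence number cannot push genuine traffic out of the window.
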
Tunnel mode:
- entire IP packet is protected (i.e. IP header and data),
- becomes the payload of a new IP packet,
- may contain different source and destination addresses,
- provides data flow confidentiality to some extent,
- can be used between hosts, gateways