
IPSec and IKE

VPN: IPSec and IKE
1. Standard for real-time communication security
   • confidentiality
   • message integrity
2. Negotiate Security Associations (crypto protected conn)
   • cryptographic protocol
   • key size
3. Other features
   • data compression, if any
   • type of error checking
   • how sender indicates it is finished sending
   • how the receiving device indicates it has received msg
4. Establish and exchange session keys based on above
5. Used to support virtual private networks

Layer 3.5 implementation: applications do not have to be changed to use it - all applications automatically use it whether they like it or not. But the OS needs to be modified.

Stack diagram: Applications (User) above TCP, IPSec, IP, ... (OS)

IPSec is capable of authenticating but can only tell the app the address of the source.

IPSec operates like a firewall:
- encrypts
- has policies
- authenticates address to app

Perfect Forward Secrecy: attacker cannot decrypt even if the entire session is recorded and attacker breaks into both parties and finds their secrets (uses session keys).

Denial of Service Protection: lock out with repeated authentication attempts. Uses cookies: unpredictable numbers sent to IP address with expectation of return - if no return then connection is stopped. Uses stateless cookies so that no one has to remember where the cookies came from (hash(IP address, some secret)).

Endpoint Identifier Hiding: prevent target node from knowing the source of a packet. Uses Diffie-Hellman to get a key then authentication information is sent encrypted.

Live Partner Reassurance: prevent replay attacks. Can change secret Diffie-Hellman a,b but that is expensive, alternative: use a nonce as part of the session key.

Data Stream Protection: individual packets are self-contained so they can be encrypted and integrity protected independently. Decryption can easily be offloaded to other software or hardware.
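The stateless cookie exchange from the Denial of Service Protection slide, as an added example that is not part of the original slides. HMAC-SHA256 stands in for the slide's hash(IP address, secret); the class name, the secret rotation step and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class CookieResponder:
    """Responder issuing stateless cookies of the form hash(IP address, secret)."""

    def __init__(self):
        self.current = os.urandom(32)   # responder-wide secret, never sent
        self.previous = None            # kept so rotation does not break in-flight peers
        self.sessions = {}              # per-peer state, created only after a valid return

    def _cookie(self, secret, ip):
        # HMAC-SHA256 truncated to 8 bytes stands in for the slide's hash()
        return hmac.new(secret, ip.encode(), hashlib.sha256).digest()[:8]

    def first_message(self, ip):
        """Answer an initial request without storing anything about the sender."""
        return self._cookie(self.current, ip)

    def second_message(self, ip, cookie):
        """Recompute the cookie from the claimed address; allocate state only on a match."""
        for secret in (self.current, self.previous):
            if secret and hmac.compare_digest(cookie, self._cookie(secret, ip)):
                self.sessions[ip] = "key exchange in progress"
                return True
        return False                    # cookie was not issued to this address: drop


    def rotate_secret(self):
        self.previous, self.current = self.current, os.urandom(32)


def demo():
    r = CookieResponder()
    cookie = r.first_message("192.0.2.10")            # constructed addresses
    stateless = len(r.sessions) == 0                  # nothing stored yet
    wrong_addr = r.second_message("198.51.100.77", cookie)
    returned = r.second_message("192.0.2.10", cookie)
    r.rotate_secret()
    after_one = r.second_message("192.0.2.10", cookie)
    r.rotate_secret()
    after_two = r.second_message("192.0.2.10", cookie)
    return stateless, wrong_addr, returned, after_one, after_two
```

The responder holds no per-sender state until a cookie comes back from the address it was sent to, so a flood of first messages costs it one hash each and no memory.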
Security Association:
• A cryptographically protected connection
• Each end has ≥ one key, sequence number, identity of other end
• Each end has crypto services used: integrity only, encryption+integrity, crypto algorithms
• Unidirectional - two connections needed for 2-way operation
• Details of an SA are kept in a database
• IPSec header has a Security Parameter Index (SPI) field that identifies the SA, allowing the sender to look up necessary info in the sender's SA database.
• SPI value is chosen by the receiver.
• An SA is defined by an SPI and destination address (if receiver is involved in a multicast, it may not have chosen the SA - the destination address is a group address in the case of multicast)

Security Association Database:
• Transmitter checks receiver's address to see how to transmit (database entry provides the SPI, key, crypto algorithms, etc.)
• When receiving a packet, SPI of the packet is used to find the SA entry giving the receiver the key, sequence # etc.

Security Policy Database:
• Which packets are to be dropped completely
• Which should be forwarded or accepted without IPSec protection
• Which should be forwarded or accepted with IPSec protection & which type of protection (encrypt, integrity)
• Decisions based on ports, source addr, dest addr, protocol type or any other fields in the packet header.

Authentication Header (AH):
• Message integrity protection only (Message Authentication)
• IPSec computes an HMAC checksum over nearly all the fields of the IP packet, and stores it in a new AH header

   ... IP header ...
   (8 bits)      next header
   (8 bits)      payload length (size of AH header)
   (16 bits)     unused
   (32 bits)     SPI (Security Parameter Index)
   (32 bits)     sequence number (detect replayed packet)
   (N x 32 bits) authentication data (MD5 or SHA-1 hash)
   ... rest of packet ...

• Can protect some IP header fields and all AH fields

AH fields:
next header: same as protocol field in IPv4 - says IP layer is protected
payload length: size of AH header in 32 bit chunks, not counting first 64
sequence number: assigned by AH and used so that AH can recognize replayed packets and discard them.

AH protects immutable and mutable but predictable fields. For example, source computes AH knowing destination address even though next address is address of next hop. All AH fields are protected.
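How the AH authentication data can be computed and checked, as an added example that is not part of the original slides. It assumes HMAC-SHA1 truncated to 96 bits and zeroes the IPv4 fields that routers may change in transit (type of service, flags, frag offset, time to live, checksum) before hashing; the function names, key and addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

AH_PROTO = 0x33          # IPv4 protocol value for AH
ICV_LEN = 12             # assumption: HMAC-SHA1 truncated to 96 bits


def ipv4_header(src, dst, proto, body_len, ttl=64):
    """20-byte IPv4 header, no options; checksum left 0 to keep the example short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)


def icv(key, ip_hdr, ah_hdr, payload):
    """HMAC over the packet with mutable IP fields and the ICV itself zeroed."""
    ip = bytearray(ip_hdr)
    ip[1] = 0                       # type of service
    ip[6:8] = b"\x00\x00"           # flags + frag offset
    ip[8] = 0                       # time to live
    ip[10:12] = b"\x00\x00"         # header checksum
    ah = ah_hdr[:12] + bytes(ICV_LEN)
    return hmac.new(key, bytes(ip) + ah + payload, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, spi, seq, next_header, payload):
    """Transport-mode AH: IP header, AH header, then the original payload."""
    words = (12 + ICV_LEN) // 4 - 2          # 32-bit chunks, not counting first 64 bits
    ah = struct.pack("!BBHII", next_header, words, 0, spi, seq) + bytes(ICV_LEN)
    ip = ipv4_header(src, dst, AH_PROTO, len(ah) + len(payload))
    return ip + ah[:12] + icv(key, ip, ah, payload) + payload


def ah_verify(key, packet):
    ip, ah, payload = packet[:20], packet[20:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(ah[12:], icv(key, ip, ah, payload))


def demo():
    key = b"constructed-demo-key"            # constructed sample key
    pkt = ah_protect(key, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7]), 0x1001, 1, 6, b"data")
    hop = bytearray(pkt)
    hop[8] -= 1                              # a router decrements time to live
    rewritten = bytearray(pkt)
    rewritten[12:16] = bytes([203, 0, 113, 5])   # source address rewritten in transit
    return ah_verify(key, pkt), ah_verify(key, bytes(hop)), ah_verify(key, bytes(rewritten))
```

The packet still verifies after the time-to-live change because that field is excluded from the hash, while any rewrite of the source address fails verification because the address is covered.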
IPv4 Header:

   (4 bits)  version
   (4 bits)  header length
   (8 bits)  type of service (priority/quality)
   (16 bits) length of header plus data in this fragment
   (16 bits) packet id
   (3 bits)  flags
   (13 bits) frag offset
   (8 bits)  time to live (hops)
   (8 bits)  protocol
   (16 bits) checksum (hdr only)
   (32 bits) source addr
   (32 bits) dest addr
             options

protocol: 0x32 = ESP, 0x33 = AH
mutable fields: type of service, flags, frag offset, hops, checksum
mutable but predictable: dest addr
fields in yellow are integrity protected (included in hash), others are not

Encapsulating Security Payload (ESP):
• Provides integrity and/or encryption
• Only protects information after the IP header (HMAC for ESP header and payload)
• Typical encryption algorithms used: DES, 3-DES, Blowfish, AES

There is nothing in the packet that says it's encrypted - so firewalls may get stuck if they need to check ports, for example, because they cannot reliably get that info - only the sender and receiver know whether the ESP packets are encrypted.

Encapsulating Security Payload header (ESP):

   (32 bits) Security Parameter Index
   (32 bits) sequence number
             initialization vector
             TCP header + payload (data)
             padding
   (8 bits)  padding length
   (8 bits)  next header/protocol type
             authentication data

   (diagram brackets: header, trailer, encryption, integrity)

sequence number: for detecting replay attacks
initialization vector: depends on the encryption scheme (CBC)
padding: depends on the crypto algorithm used, allows block encryption algorithms room for multiples of their blocksize
padding length: size of the padding field

Transport Mode:
1. IPSec info between IP header and rest of packet
2. Applied end-to-end, authentication, encryption, or both

   [IP Header][Rest of Packet]  ->  [IP Header][IPSec][Rest of Packet]

Transport Mode (AH):
- the IP header is modified only slightly
- after validation, the IPSec header is stripped away
- the original protocol field is restored in the IP header
- thus, the packet is restored to its original state and can be delivered
- AH is incompatible with Network Address Translation (map range of private addresses to/from small set of public addresses) and Port Address Translation (map multiple private addresses to single external address, ports are assigned)

Transport Mode (ESP):

Tunnel Mode:
1. Keep original IP packet intact, add new IP header and IPSec information (AH or ESP)
2. Firewall-to-firewall, end-to-firewall, encrypt header & payload

   [IP Header][Rest of Packet]  ->  [New IP Header][IPSec][IP Header][Rest of Packet]

Tunnel Mode (AH):

Tunnel Mode (ESP):

AH vs.
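The transport-mode and tunnel-mode layouts from the slides above, built with ESP framing, as an added example that is not part of the original slides. It shows framing only: encryption, the initialization vector and the authentication data are left out, and all function names, SPI values, addresses and the payload are constructed for illustration.

```python
import struct

ESP_PROTO, IPIP, TCP = 0x32, 4, 6     # IPv4 protocol values (4 = IP packet inside IP)


def ipv4(src, dst, proto, body):
    """Minimal 20-byte IPv4 header (no options, checksum left 0) followed by body."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0,
                       64, proto, 0, src, dst) + body


def esp_frame(spi, seq, payload, next_header, block=16):
    """SPI, sequence number, payload, padding, padding length, next header."""
    pad_len = -(len(payload) + 2) % block          # payload + trailer fills whole blocks
    padding = bytes(range(1, pad_len + 1))         # padding bytes 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def transport_mode(packet, spi, seq):
    """Keep the original IP header; only its protocol field changes to ESP."""
    src, dst, proto = packet[12:16], packet[16:20], packet[9]
    return ipv4(src, dst, ESP_PROTO, esp_frame(spi, seq, packet[20:], proto))


def tunnel_mode(packet, spi, seq, gw_src, gw_dst):
    """Keep the original packet intact behind a new IP header with gateway addresses."""
    return ipv4(gw_src, gw_dst, ESP_PROTO, esp_frame(spi, seq, packet, IPIP))


def decapsulate(esp_packet):
    """Receiver side: strip the ESP framing and restore the original packet."""
    body = esp_packet[28:]                         # skip IP header (20) + SPI/seq (8)
    pad_len, next_header = body[-2], body[-1]
    inner = body[:len(body) - 2 - pad_len]
    if next_header == IPIP:                        # tunnel mode: inner is a full packet
        return inner
    return ipv4(esp_packet[12:16], esp_packet[16:20], next_header, inner)


def outer_view(packet):
    """Source, destination and protocol as read from the outer IP header."""
    return (".".join(map(str, packet[12:16])), ".".join(map(str, packet[16:20])), packet[9])


def demo():
    orig = ipv4(bytes([10, 0, 0, 5]), bytes([10, 1, 0, 9]), TCP, b"constructed payload")
    tra = transport_mode(orig, 0x2001, 1)
    tun = tunnel_mode(orig, 0x2002, 1, bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1]))
    return outer_view(tra), outer_view(tun), decapsulate(tra) == orig, decapsulate(tun) == orig
```

In transport mode the outer header still carries the end hosts' addresses, while in tunnel mode only the gateway addresses are visible and the original header travels inside the protected part.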