1

2014. 03. 24

오 대 명, 오 현 석

Email: ohs4401@naver.com, wdm1517@gmail.com

SeoulTech UCS Lab 2014-1st

Copyright ⓒ 2014 by USC Lab All Rights Reserved.

IP Security

Course Introduction

1. IP Security Overview

2. IP Security Policy

3. Encapsulating Security Payload

4. Combining Security Associations

5. Internet Key Exchange

6. Cryptographic Suites

2

1. IP Security Overview

3

What is IPSec?

4

MD5 SHA

DES 3

DES

DH2 DH1

ESP ESP

+AH IPSec Protocol

Encryption

Diffie-Hellman

Authentication

Choices:

AES

AH

IPSec

Framework

ESP

DES

MD5

DH1

IPSec Security Services

• Confidentiality

• Data integrity

• Origin authentication

• Anti-replay

5

Applications of IPsec

6 6

Security gateway

Main site

SOHO router

Mobile laptop computer

Branch or Business

partner with router

Internet

LAN IPSec

Server Cluster

IP HDR IP Payload IP HDR IP Sec HDR IP Payload

IP H

DR

IP

Sec H

DR

IP

Paylo

ad

IPsec Documents

7

RFC Content

2411 IP Security Document Roadmap

2401 IPsec Architecture

2402 AH（Authentication Header）Protocol

2403 The Use of HMAC-MD5-96 within ESP and AH

2404 The Use of HMAC-SHA-1-96 within ESP and AH

2405 The ESP DES-CBC Cipher Algorithm

2406 ESP（Encapsulating Security Payload）Protocol

2407 IPSec DOI

2408 ISAKMP Protcol

2409 IKE（Internet Key Exchange）Protocol

RFC IPsec Documents

2. IP Security Policy

8

SA(Security Association)

9

IPsec SA is a one-way logical connection between a

sender and a receiver that provide security services to

the traffic flow on it. If a peer relationship is needed for

two-way secure exchange, then two SA are required.

• Security Parameters Index (SPI)

• IP Destination Address

• Security Protocol Identifier

SAD(Security Association Database)

10

SAD defines the parameters associated with each SA.

A SA is defined by the following parameters in an SAD

entry.

• Security Parameters Index (SPI)

• Sequence Number Counter

• Sequence Counter Overflow

• Anti-Replay Window

• AH Information

• ESP Information

• Lifetime

• IPsec Protocol Mode

• Path MTU

SPD(Security Policy Database)

11

SPD means by which IP traffic is related to specific SA is

the nominal SPD.

• Remote IP Address

• Local IP Address

• Next Layer Protocol

• Name

• Local and Remote Ports

Example SPD

12

Protocol Local IP S_Port Remote IP D_Port Action Comment

TCP 192.168.1.0/24 * 192.168.2.1/32 80 PROTECT Encrypt to server

ICMP 192.168.1.0 * * * BAYPASS

HTTP Server

Remote office Corporate Office

Internet HOST_A

HOST_B

LAN:192.168.1.0/24

Router_A Router_B

Protocol Local IP S_Port Remote IP D_Port Action Comment

TCP 192.168.2.1/32

80 192.168.1.0/24 * PROTECT To Remote office

Router_A SPD

Router_B SPD

Server:192.168.2.1/24

IPsec tunnel

IP Traffic Processing(1/2)

13

Search

Security policy

database

Discard

packet

Outbound IP packet

Determine

policy

Match found

DISCARD

No match

found

Search security

association

database

Forward

packet via IP

Process

(AH/ESP)

Internet Ke

y Exchange

PROTECT

Match

found

No match

found BYPASS

Processing Model for

Outbound Packets

IP Traffic Processing(2/2)

14 14

Packet

type

Inbound IP packet

Match

found No match

found Search security

association

database

Discard

packet

IP

Processing Model for

Inbound Packets

Search security

policy

database

Deliver packet

to higher layer

Process

AH/ESP

IPsec

BYPASS

Not

BYPASS

Summary

15

Key exchange

IKE SA

IPsec SA Pair

ESP protects data

IPsec

IKE

IPsec

IKE

IPsec

16

3. Encapsulating Security Payload

ESP(Encapsulating Security Payload)

17

•Provide confidentiality

•Ensures data integrity

•Provide origin authentication

•Provide anti-replay protection

ESP protocol number is 50 in ip header.

Encryption algorithm support DES,3DES,AES.

Authencation algorithm support HMAC-MD5,HMAC-SHA-1.

Router A Router B

Data payload is encrypted

ESP Format(1/2)

18

0 8 16 24

Security parameters index (SPI)

Sequence number

Payload data (variable)

Padding (0 - 255 bytes)

Pad length Next header

Integrity check value - ICV (variable)

ICV

co

ve

rag

e

En

cry

pte

d

ESP Format(2/2)

19

• Security Parameters Index (32 bits)

• Sequence Number (32 bits)

• Payload Data (variable)

• Padding (0–255 bytes)

• Pad Length(8 bits)

• Next Header (8 bits)

• Integrity Check Value (variable)

• initialization value (IV) Optional

• traffic flow confidentiality (TFC) Optional

Encryption and Authentication Algorithms

20

The Payload Data, Padding, Pad Length, and Next

Header fields are encrypted by the ESP service.

The ICV field is optional.It is present only if the integrity

service is selected.The ICV is computed after the

encryption is performed. This order of processing

reducing the impact of denial of service (DoS)attacks.

Padding

21

• Padding field is used to expand the plaintext to the

required length.

• The ESP format requires that the Pad Length and Next

Header fields be right aligned within a 32-bit word.

• Additional padding may be added to provide partial

traffic-flow confidentiality by concealing the actual

length of the payload.

Anti-Replay Service

22 22

Replay attack is copy of an authenticated packet and

later transmits it to the destination.

The Sequence Number field is designed to thwart such

attacks.

N

Fixed window size W

Advance window if

valid packet to the

right is received

N-W N+1 Marked if valid

packet received

Unmarked if valid

packet not yet

received

AH(Authentication Header)

23

• Does not provide confidentiality (no encryption)

• Ensures data integrity

• Provides origin authentication

• Uses HMAC-MD5,HMAC-SHA1 mechanism

• Provides anti-replay protection

Router A Router B All data in plaintext

AH Format

24

0 8 16 24

Next Header Payload Length Reserved

Security parameters index (SPI)

Sequence number

Integrity check value - ICV (variable)

1 8 16 24

Version Header

Length Type of Service Total Length

Identification Flags(3bit) Fragment offset

Time To Live Protocol Header Checksum

Source IP Address

Destination IP Address

IP Header

AH Header

25

• Transport mode provides protection primarily for upper-

layer protocols. For example, ESP transport mode

protection extends to the payload of an IP packet.

Transport mode is used for end-to-end communication

between two hosts.

• Tunnel mode provides protection to the entire IP

packet. After the AH or ESP fields are added to the IP

packet, and in the entire packet plus new outer IP

header. Tunnel mode has been deployed widely to

implement Virtual Private Networks (VPNs).

Both AH and ESP support two modes of use:

transport and tunnel mode.

Transport and Tunnel modes

ESP Transport Mode

26

Original IP Packet

Encryption secret key

Orig IP HDR

Ciphertext

ESP AUTH

Protocol Operation for ESP

Encryption DES

3DES

AES

ESP Trailer

ESP HDR

AUTH HMAC-MD5

HMAC-SHA-1

Authencation secret key

Orig IP HDR ESP HDR Ciphertext

Data

Ciphertext

Data

ESP Tunnel Mode

27

Original IP Packet

Encryption secret key

Orig IP HDR

Ciphertext

ESP AUTH

Protocol Operation for ESP

Encryption

DES

3DES

AES

ESP Trailer

ESP HDR

AUTH HMAC-MD5

HMAC-SHA-1

Authencation secret key

ESP HDR Ciphertext

Data

Data

Ciphertext

Orig IP HDR

NEW IP HDR

AH Transport Mode

28

Original IP Packet Orig IP HDR

Protocol Operation for AH

AH HDR

HMAC-MD5

HMAC-SHA-1

Authencation secret key

Orig IP HDR AH HDR

Data

Data Orig IP HDR

Hash

Authentication Data

Data

AH Tunnel Mode

29

Original IP Packet Orig IP HDR

Protocol Operation for AH

AH HDR

HMAC-MD5

HMAC-SHA-1

Authencation secret key

Orig IP HDR AH HDR

Data

Data Orig IP HDR

Hash

Authentication Data

Data

NEW IP HDR

NEW IP HDR

Summary

30

Tunnel Mode and Transport Mode Functionality

Transport Mode SA Tunnel Mode SA

AH Authenticates IP payload and selected portions of IP header.

Authenticates inner IP packet plus selected portions of outer IP header.

ESP

Encrypts IP payload(transport level segment) and ESP trailer. Authenticates ESP header, IP payload(transport-level segment) and ESP trailer.

Encrypts inner IP packet and ESP trailer. Authenticates ESP inner IP packet and ESP trailer.

31

4. Combining Security Associations

Security Association Bundle

• A sequence of SAs through which traffic must be

processed to provide a desired set of IPsec services.

– Transport Adjacency.

• Refers to applying more than one security protocol to the same IP

packet without invoking tunneling.

– Iterated Tunneling

• Refers to the application of multiple layers of security protocols effected

through IP tunneling.

32

Authentication Plus Confidentiality

• ESP with authentication option

– The user first applies ESP to the data to be

protected and then appends the authentication data

field.

Transport mode ESP : IP header is not protected.

Tunnel mode ESP : The entire inner IP packet is

protected by the privacy mechanism for delivery to

the inner IP destination.

33

Protocol Operation for ESP(1/2)

34

Protocol Operation for ESP(2/2)

35

Authentication Plus Confidentiality

• Transport Adjacency(중첩 전송) – Another way to apply authentication after encryption is to use

two bundled transport SAs, with the inner being an ESP SA and

the outer being an AH SA.

The advantage is include the source and destination IP addresses.

The disadvantage is the overhead of two SAs versus one SA.

• Transport-Tunnel Bundle(전송-터널 묶음) – The use of authentication prior to encryption

The authentication data are protected by encryption

It may be desirable to store the authentication information with the

message at the destination for later reference.

36

Case 1. All security is provided between end systems that

implement IPsec.

For any two end systems to communicate via an SA, they

must share the appropriate secret keys

IPsec Architecture(1/4)

37

IPsec Architecture(2/4)

38

Case 2. Security is provided only between gateways

(routers, firewalls, etc.)and no hosts implement IPsec.

IPsec Architecture(3/4)

39

Case 3. This builds on case 2 by adding

end-to-end security.

IPsec Architecture(4/4)

40

Case 4. This provides support for a remote host that uses the

Internet to reach an organization’s firewall and then to gain

access to some server or workstation behind the firewall.

41

5. Internet Key Exchange

The Key management portion of IPsec

• The key management portion of IPsec involves the

determination and distribution of secret keys.

• A typical requirement is four keys for communication

between two applications – Transmit and receive pairs for both integrity and confidentiality.

42

Internet Key Exchange

• The IPsec Architecture document mandates support for

two types of key management

• Manual(수동)

– A system administrator manually configures each system with its

own keys and with the keys of other communicating systems.

– This is practical for small, relatively static environments.

• Automated(자동)

– An automated system enables the on-demand creation of keys for

SAs.

– Facilitates the use of keys in a large distributed system with an

evolving configuration.

43

Internet Key Exchange Protocol

• The default automated key management protocol for IPsec is referred to as : Oakley/ISAKMP

• Oakley Key Determination Protocol(Oakley 키 결정 프로토콜)

– Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security.

• ISAKMP: Internet Security Association and Key Management Protocol(인터넷 보안 연계와 키 관리 프로토콜)

– ISAKMP provides a framework for Internet key management and provides the specific protocol support

– ISAKMP is including formats, for negotiation of security attributes

44

Key Determination Protocol

• IKE key determination is a refinement of the Diffie-Hellman key exchange algorithm.

• The Diffie-Hellman algorithm has two attractive features

– 비밀키는 필요할 때만 생성 – 키 교환은 전역 매개변수에 대한 동의 외에 사전 기반구조 불필요

• The Diffie-Hellman algorithm has three disadvantages

– 상대방의 신분에 관한 어떤 정보도 제공하지 않음 – Man-in-the-middle Attack – 계산량이 매우 많음. 공격자의 매우 많은 개수의 키를 요구하는 방해

공격(clogging attack)에 매우 취약

45

Features of IKE Key Determination

• The IKE key determination algorithm is characterized

by five important features

– It employs a mechanism known as cookies to thwart clogging

attacks. • 상대 의존적인 쿠키 생성과 승인 및 쿠키의 빠른 생성과 확인 방안

– It enables the two parties to negotiate a group • 키 교환 전역 매개 변수 정의와 알고리즘 식별 지원

– It uses nonces to ensure against replay attacks. • 자체적으로 생성된 난수를 응답 메시지에 포함하고 암호화하여 교환

46

Features of IKE Key Determination

–It enables the exchange of Diffie-Hellman public key values.

–It authenticates the Diffie-Hellman exchange to thwart man-in-

the-middle attacks. • 3가지 인증 방식 : 디지털 서명, 공개키 암호화, 대칭키 암호화

47

Cookie exchange

• 방해 공격 방지를 위해 쿠키(cookie) 교환 기법 사용 – 양쪽의 초기 메시지에 의사난수인 쿠키를 넣어서 전송하고, 상대방의 수신

확인 응답이 필요

– 수신 확인 응답(acknowledgement)은 Diffie-Hellman 키 교환의 첫 메시

지에서 반복

• 쿠키 생성을 위한 기본 요구 사항 – 쿠키는 특정 상대에게 의존적이어야 함

– 발행 개체가 아닌 다른 개체에 의해 받아들여질 쿠키를 생성할 수 없어야

함 • 발행 개체가 쿠키의 생성과 후속 검증 작업에서 내부 비밀 정보를 사용

– 프로세서 자원을 파괴하려는 공격자를 방지하기 위해 쿠키의 생성과 검증

방법은 신속해야 함

• 쿠키 생성을 위한 권장 방법 – IP 발신지와 목적지 주소, UDP의 발신 포트와 목적지 포트, 그리고 로컬에

서 생성된 비밀 값에 대해 빠른 해쉬(예: MD5)를 실행

48

IKEv2 Exchanges(1/2)

• Initial exchange(초기 교환) – 첫 번째 교환

• 두 피어(peer-to-peer)는 암호 알고리즘과 비표, Diffie-Hellman(DH) 값

들과 함께 사용할 다른 보안 매개변수에 관한 정보들을 교환

• 교환 후 IKE SA라 불리는 특별한 SA를 설정 – 두 피어(peer) 간에 보안 채널을 위한 매개변수들을 정의

– 두 번째 교환 • 두 당사자들은 상호 인증

• 피어들 간에 일반(non-IKE) 통신을 보호하기 위해 사용되는 첫 번째

IPsec SA를 설정

• CREATE_CHILD_SA_exchange : 트래픽 보호를 위한 추가 SA를 설정

하기 위해 사용

• Information exchange(정보 교환) : 관리 정보, IKEv2 오류 메시지 등

을 교환하기 위해 사용

49

IKEv2 Exchanges(2/2)

50

Header and Payload Formats

•IKE Header Format

– 보안 연계를 만들고, 협상, 수정, 삭제하기 위한 절차와 패킷 형식

을 정의함

• Payload Header

– 페이로드 형식은 특정한 키 교환 프로토콜과, 암호 알고리즘, 그리

고 인증 메커니즘과는 독립적이며, 일관된 프레임워크를 제공

51

IKE Header(1/2)

52

IKE Header(1/2)

• Initiator SPI (64 bits): A value chosen by the initiator to

identify a unique IKE security association (SA).

• Responder SPI (64 bits): A value chosen by the

responder to identify a unique IKE SA.

• Next Payload (8 bits): Indicates the type of the first

payload in the message.

• Major Version (4 bits): Indicates major version of IKE

in use.

• Minor Version (4 bits): Indicates minor version in use.

53

IKE Header(2/2)

• Exchange Type (8 bits): Indicates the type of

exchange

• Flags (8 bits): Indicates specific options set for this

IKE

• Message ID (32 bits): Used to control retransmission

of lost packets and matching of requests and

responses.

• Length (32 bits): Length of total message (header plus

all payloads) in octets.

54

Generic Payload Header(1/2)

55

Generic Payload Header(2/2)

56

57

6. Cryptographic Suites

Cryptographic Suites

• 다양한 유형의 암호 알고리즘을 필요로 함

• 상호 운용성을 촉진하기 위해 두 가지 RFC가 권장하는 암

호 도구를 정의 – RFC 4308은 가설 사설망을 위한 두 가지 암호 도구를 정의

• VPN-A는 일반적으로 기업 VPN 보안으로 사용. 3DES와 HMAC을 필요

로 함

• VPN-B는 더 강한 보안을 제공하며, IPsecv3와 IKEv2로 구현되는 새로

운 VPN에 권장. AES를 필요로 함

– RFC 4869는 미국 국가 안보국(NSA: National Security Agency)의

suite B 명세와 호환되는 4가지 선택적 암호 suites를 정의 • ESP와 IKE에 대한 선택을 제공

• AES-GCM, AES-CBC, HMAC-SHA, ECP, ECDSA

58

Cryptographic Suites for IPsec

59

Cryptographic Suites

60

Reference

• William Stallings, “네트워크 보안 에센셜”

• 서상원, “인터넷 보안, IPSec”

61

Q & A

62

Thank You!

63