IP Security · 2014-04-02
2014. 03. 24
오 대 명, 오 현 석
Email: [email protected], [email protected]
SeoulTech UCS Lab 2014-1st
Copyright ⓒ 2014 by USC Lab All Rights Reserved.
IP Security
Course Introduction
1. IP Security Overview
2. IP Security Policy
3. Encapsulating Security Payload
4. Combining Security Associations
5. Internet Key Exchange
6. Cryptographic Suites
1. IP Security Overview
What is IPSec?
[Figure: the IPSec framework, with choices at each layer. IPSec Protocol: ESP, AH, or ESP+AH. Encryption: DES, 3DES, AES. Authentication: MD5, SHA. Diffie-Hellman: DH1, DH2.]
IPSec Security Services
• Confidentiality
• Data integrity
• Origin authentication
• Anti-replay
Applications of IPsec
[Figure: a main site with a security gateway, server cluster and LAN, connected over the Internet to a SOHO router, a mobile laptop computer, and a branch or business partner with a router; IPsec protects the traffic between them. Packet layout: IP HDR | IP Payload becomes IP HDR | IPSec HDR | IP Payload.]
IPsec Documents
RFC   Content
2411  IP Security Document Roadmap
2401  IPsec Architecture
2402  AH (Authentication Header) Protocol
2403  The Use of HMAC-MD5-96 within ESP and AH
2404  The Use of HMAC-SHA-1-96 within ESP and AH
2405  The ESP DES-CBC Cipher Algorithm
2406  ESP (Encapsulating Security Payload) Protocol
2407  IPSec DOI
2408  ISAKMP Protocol
2409  IKE (Internet Key Exchange) Protocol
2. IP Security Policy
SA (Security Association)
An IPsec SA is a one-way logical connection between a sender and a receiver that provides security services to the traffic carried on it. If a peer relationship is needed for two-way secure exchange, then two SAs are required. An SA is uniquely identified by three parameters:
• Security Parameters Index (SPI)
• IP Destination Address
• Security Protocol Identifier
SAD (Security Association Database)
The SAD defines the parameters associated with each SA. An SA is defined by the following parameters in an SAD entry:
• Security Parameters Index (SPI)
• Sequence Number Counter
• Sequence Counter Overflow
• Anti-Replay Window
• AH Information
• ESP Information
• Lifetime
• IPsec Protocol Mode
• Path MTU
SPD (Security Policy Database)
The SPD is the means by which IP traffic is related to specific SAs. Each SPD entry is defined by a set of selectors that match traffic:
• Remote IP Address
• Local IP Address
• Next Layer Protocol
• Name
• Local and Remote Ports
Example SPD
[Figure: a Remote office (HOST_A and HOST_B on LAN 192.168.1.0/24 behind Router_A) connected across the Internet by an IPsec tunnel to the Corporate Office (Router_B in front of an HTTP Server, 192.168.2.1/24).]
Router_A SPD
Protocol  Local IP        S_Port  Remote IP       D_Port  Action   Comment
TCP       192.168.1.0/24  *       192.168.2.1/32  80      PROTECT  Encrypt to server
ICMP      192.168.1.0     *       *               *       BYPASS
Router_B SPD
Protocol  Local IP        S_Port  Remote IP       D_Port  Action   Comment
TCP       192.168.2.1/32  80      192.168.1.0/24  *       PROTECT  To Remote office
IP Traffic Processing (1/2)
[Flowchart: Processing Model for Outbound Packets. For an outbound IP packet, search the security policy database. No match found: discard the packet. Match found: determine the policy. DISCARD: discard the packet. BYPASS: forward the packet via IP. PROTECT: search the security association database; if a matching SA is found, process the packet (AH/ESP) and forward it via IP; if no match is found, invoke Internet Key Exchange to establish the SA.]
IP Traffic Processing (2/2)
[Flowchart: Processing Model for Inbound Packets. For an inbound IP packet, determine the packet type. IPsec (AH/ESP): search the security association database; match found: process AH/ESP and deliver the packet to the higher layer; no match found: discard the packet. Plain IP: search the security policy database; BYPASS: deliver the packet to the higher layer; not BYPASS: discard the packet.]
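The outbound processing model in code, as an added example that is not part of the original slides: the SPD is searched first and decides DISCARD, BYPASS or PROTECT, and only a PROTECT result consults the SAD, falling back to IKE when no SA exists yet. The SPD entries are taken from the slide's Router_A table; the SAD contents, the SPI value and the "*" remote address written as 0.0.0.0/0 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SpdEntry:
    protocol: str           # "TCP", "ICMP", ... or "*" for any
    local: str              # local address selector as a prefix
    s_port: Optional[int]   # None stands for "*"
    remote: str             # remote address selector as a prefix
    d_port: Optional[int]   # None stands for "*"
    action: str             # "PROTECT", "BYPASS" or "DISCARD"

# Constructed from the slide's Router_A SPD; the "*" remote address is written as 0.0.0.0/0
ROUTER_A_SPD = [
    SpdEntry("TCP", "192.168.1.0/24", None, "192.168.2.1/32", 80, "PROTECT"),
    SpdEntry("ICMP", "192.168.1.0/24", None, "0.0.0.0/0", None, "BYPASS"),
]
# Constructed outbound SAD: (remote address, protocol) -> SPI of the negotiated ESP SA
ROUTER_A_SAD = {("192.168.2.1", "TCP"): 0x1001}

def spd_lookup(spd, proto, local_ip, s_port, remote_ip, d_port):
    """First matching SPD entry decides; no matching entry means DISCARD."""
    src, dst = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    for e in spd:
        if e.protocol not in ("*", proto):
            continue
        if src not in ipaddress.ip_network(e.local) or dst not in ipaddress.ip_network(e.remote):
            continue
        if e.s_port is not None and e.s_port != s_port:
            continue
        if e.d_port is not None and e.d_port != d_port:
            continue
        return e.action
    return "DISCARD"

def process_outbound(spd, sad, proto, local_ip, s_port, remote_ip, d_port):
    """Disposition of one outbound packet: the SPD decides, then the SAD supplies the SA."""
    action = spd_lookup(spd, proto, local_ip, s_port, remote_ip, d_port)
    if action == "DISCARD":
        return "discard"
    if action == "BYPASS":
        return "forward plain"           # no IPsec processing at all
    spi = sad.get((remote_ip, proto))
    if spi is None:
        return "invoke IKE"              # PROTECT but no SA yet: negotiate one first
    return f"ESP spi=0x{spi:x}"         # PROTECT with an existing SA: apply ESP, then forward

if __name__ == "__main__":
    print(process_outbound(ROUTER_A_SPD, ROUTER_A_SAD, "TCP", "192.168.1.10", 40000, "192.168.2.1", 80))
```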
Summary
[Figure: two IPsec peers. IKE performs the key exchange and establishes the IKE SA; over the IKE SA the IPsec SA pair is set up; ESP protects the data.]
3. Encapsulating Security Payload
ESP (Encapsulating Security Payload)
• Provides confidentiality
• Ensures data integrity
• Provides origin authentication
• Provides anti-replay protection
The ESP protocol number is 50 in the IP header.
Supported encryption algorithms: DES, 3DES, AES.
Supported authentication algorithms: HMAC-MD5, HMAC-SHA-1.
[Figure: Router A and Router B exchanging ESP traffic; the data payload is encrypted.]
ESP Format (1/2)
[Figure: ESP packet layout, bit offsets 0, 8, 16, 24.]
Security Parameters Index (SPI)
Sequence Number
Payload Data (variable)
Padding (0-255 bytes)
Pad Length | Next Header
Integrity Check Value - ICV (variable)
ICV coverage: from the SPI through the Next Header field. Encrypted: from the Payload Data through the Next Header field.
ESP Format (2/2)
• Security Parameters Index (32 bits)
• Sequence Number (32 bits)
• Payload Data (variable)
• Padding (0–255 bytes)
• Pad Length (8 bits)
• Next Header (8 bits)
• Integrity Check Value (variable)
• Initialization value (IV), optional
• Traffic flow confidentiality (TFC) padding, optional
Encryption and Authentication Algorithms
The Payload Data, Padding, Pad Length, and Next Header fields are encrypted by the ESP service.
The ICV field is optional. It is present only if the integrity service is selected. The ICV is computed after the encryption is performed, so the receiver verifies the ICV before decrypting and can reject a forged or corrupted packet without spending any decryption effort. This order of processing reduces the impact of denial-of-service (DoS) attacks.
Padding
• The Padding field is used to expand the plaintext to the required length.
• The ESP format requires that the Pad Length and Next Header fields be right-aligned within a 32-bit word.
• Additional padding may be added to provide partial traffic-flow confidentiality by concealing the actual length of the payload.
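The framing rules above in Python, as an added example that is not part of the original slides: padding that right-aligns Pad Length and Next Header in a 32-bit word, an HMAC-SHA-1-96 ICV over the SPI, Sequence Number and body, and verification of the ICV before the trailer is parsed. The example uses integrity-only ESP with the NULL cipher (RFC 2410) so the trailer stays readable; with DES, 3DES or AES the Payload Data through Next Header would be encrypted before the ICV is computed. Key, SPI and payload values are constructed.

```python
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI (32 bits) | Sequence Number (32 bits)
ICV_LEN = 12                     # HMAC-SHA-1-96: the SHA-1 HMAC truncated to 96 bits (RFC 2404)

def esp_padding(payload_len: int, align: int = 4) -> bytes:
    """Padding so that Payload | Padding | Pad Length | Next Header is a multiple of `align`,
    which right-aligns Pad Length and Next Header in a 32-bit word. Pad bytes are 1, 2, 3, ..."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1))

def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Build SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV (NULL cipher)."""
    padding = esp_padding(len(payload))
    body = payload + padding + bytes([len(padding), next_header])
    hdr = ESP_HDR.pack(spi, seq)
    icv = hmac.new(auth_key, hdr + body, hashlib.sha1).digest()[:ICV_LEN]   # ICV covers SPI..Next Header
    return hdr + body + icv

def esp_decapsulate(pkt: bytes, auth_key: bytes):
    """Verify the ICV first; only then parse the trailer. Returns (spi, seq, payload, next_header) or None."""
    if len(pkt) < ESP_HDR.size + 2 + ICV_LEN:
        return None
    hdr, body, icv = pkt[:ESP_HDR.size], pkt[ESP_HDR.size:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                          # forged or corrupted: rejected before any further work
    spi, seq = ESP_HDR.unpack(hdr)
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        return None                          # trailer claims more padding than the body holds
    return spi, seq, body[: len(body) - 2 - pad_len], next_header

if __name__ == "__main__":
    key = b"k" * 20                                           # constructed authentication key
    pkt = esp_encapsulate(0x100, 1, b"hello", 6, key)         # next header 6 = TCP
    print(len(pkt), esp_decapsulate(pkt, key))
```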
Anti-Replay Service
In a replay attack, an attacker obtains a copy of an authenticated packet and later transmits it to the destination. The Sequence Number field is designed to thwart such attacks.
[Figure: anti-replay window of fixed size W, spanning N-W to N, where N is the highest sequence number received so far; N+1 lies to the right of the window. A slot is marked if a valid packet with that sequence number was received and unmarked if a valid packet has not yet been received; the window advances if a valid packet to the right of N is received.]
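The sliding window described above, as an added example that is not part of the original slides. A sequence number to the right of the window is new, one to the left is rejected as too old, and one inside is accepted only if its slot is unmarked; the window itself is updated only after the ICV check succeeds, so forged packets cannot advance it. The window size and sequence numbers are constructed.

```python
class AntiReplayWindow:
    """Receive window for one SA: W slots, right edge top = highest valid sequence number seen.
    Constructed example; in practice this logic lives inside the IPsec stack."""

    def __init__(self, w: int = 64):
        self.w = w
        self.top = 0        # N; sequence numbers start at 1, so 0 means nothing received yet
        self.bitmap = 0     # bit i set <=> sequence number (top - i) has been received

    def check(self, seq: int) -> bool:
        """Step 1, before the ICV is verified: could this sequence number be acceptable?"""
        if seq == 0:
            return False                              # never a valid sequence number
        if seq > self.top:
            return True                               # right of the window: new
        if seq <= self.top - self.w:
            return False                              # left of the window: too old
        return not (self.bitmap >> (self.top - seq)) & 1   # inside: reject duplicates

    def mark(self, seq: int) -> None:
        """Step 2, only after the ICV verified: record seq, advancing the window if needed."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """Full inbound decision: window test, then ICV result, then window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.mark(seq)
        return True

if __name__ == "__main__":
    win = AntiReplayWindow(64)
    print([win.receive(s, True) for s in (1, 2, 3, 5, 3, 4)])   # the replayed 3 is refused
```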
AH (Authentication Header)
• Does not provide confidentiality (no encryption)
• Ensures data integrity
• Provides origin authentication
• Uses HMAC-MD5 or HMAC-SHA-1 as the authentication mechanism
• Provides anti-replay protection
[Figure: Router A and Router B exchanging AH traffic; all data is in plaintext.]
AH Format
[Figure: AH header and IP header layouts, bit offsets 0, 8, 16, 24.]
AH Header:
Next Header | Payload Length | Reserved
Security Parameters Index (SPI)
Sequence Number
Integrity Check Value - ICV (variable)
IP Header:
Version | Header Length | Type of Service | Total Length
Identification | Flags (3 bits) | Fragment Offset
Time To Live | Protocol | Header Checksum
Source IP Address
Destination IP Address
Transport and Tunnel Modes
Both AH and ESP support two modes of use: transport mode and tunnel mode.
• Transport mode provides protection primarily for upper-layer protocols. For example, ESP transport mode protection extends to the payload of an IP packet. Transport mode is used for end-to-end communication between two hosts.
• Tunnel mode provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer IP packet with a new outer IP header. Tunnel mode has been deployed widely to implement Virtual Private Networks (VPNs).
ESP Transport Mode
[Figure: Protocol Operation for ESP, transport mode. Original IP packet: Orig IP HDR | Data. The Data together with the ESP Trailer is encrypted (DES, 3DES or AES) under the encryption secret key, giving Ciphertext; ESP HDR | Ciphertext is authenticated (HMAC-MD5 or HMAC-SHA-1) under the authentication secret key, giving ESP AUTH. Result: Orig IP HDR | ESP HDR | Ciphertext | ESP AUTH.]
ESP Tunnel Mode
[Figure: Protocol Operation for ESP, tunnel mode. The whole original IP packet (Orig IP HDR | Data) together with the ESP Trailer is encrypted (DES, 3DES or AES) under the encryption secret key, giving Ciphertext; ESP HDR | Ciphertext is authenticated (HMAC-MD5 or HMAC-SHA-1) under the authentication secret key, giving ESP AUTH. Result: NEW IP HDR | ESP HDR | Ciphertext | ESP AUTH.]
AH Transport Mode
[Figure: Protocol Operation for AH, transport mode. Original IP packet: Orig IP HDR | Data. A keyed hash (HMAC-MD5 or HMAC-SHA-1) under the authentication secret key is computed over the packet and carried as the Authentication Data in the AH HDR. Result: Orig IP HDR | AH HDR | Data.]
AH Tunnel Mode
[Figure: Protocol Operation for AH, tunnel mode. The whole original IP packet (Orig IP HDR | Data) is hashed (HMAC-MD5 or HMAC-SHA-1) under the authentication secret key and the Authentication Data is carried in the AH HDR. Result: NEW IP HDR | AH HDR | Orig IP HDR | Data.]
Summary
Tunnel Mode and Transport Mode Functionality
      Transport Mode SA                                    Tunnel Mode SA
AH    Authenticates IP payload and selected portions       Authenticates inner IP packet plus selected
      of IP header.                                        portions of outer IP header.
ESP   Encrypts IP payload (transport-level segment)        Encrypts inner IP packet and ESP trailer.
      and ESP trailer. Authenticates ESP header,           Authenticates ESP header, inner IP packet
      IP payload (transport-level segment) and             and ESP trailer.
      ESP trailer.
4. Combining Security Associations
Security Association Bundle
• A sequence of SAs through which traffic must be processed to provide a desired set of IPsec services.
– Transport Adjacency: applying more than one security protocol to the same IP packet without invoking tunneling.
– Iterated Tunneling: applying multiple layers of security protocols, effected through IP tunneling.
Authentication Plus Confidentiality
• ESP with authentication option
– The user first applies ESP to the data to be protected and then appends the authentication data field.
– Transport mode ESP: the IP header is not protected.
– Tunnel mode ESP: the entire inner IP packet is protected by the privacy mechanism for delivery to the inner IP destination.
Protocol Operation for ESP (1/2)
[Figure]
Protocol Operation for ESP (2/2)
[Figure]
Authentication Plus Confidentiality
• Transport Adjacency (nested transport)
– Another way to apply authentication after encryption is to use two bundled transport SAs, with the inner being an ESP SA and the outer being an AH SA.
– The advantage is that the authentication covers more fields, including the source and destination IP addresses.
– The disadvantage is the overhead of two SAs versus one SA.
• Transport-Tunnel Bundle
– The use of authentication prior to encryption may be preferable because the authentication data are protected by encryption, and because it may be desirable to store the authentication information with the message at the destination for later reference.
IPsec Architecture (1/4)
Case 1. All security is provided between end systems that implement IPsec. For any two end systems to communicate via an SA, they must share the appropriate secret keys.
IPsec Architecture (2/4)
Case 2. Security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPsec.
IPsec Architecture (3/4)
Case 3. This builds on case 2 by adding end-to-end security.
IPsec Architecture (4/4)
Case 4. This provides support for a remote host that uses the Internet to reach an organization's firewall and then to gain access to some server or workstation behind the firewall.
5. Internet Key Exchange
The Key Management Portion of IPsec
• The key management portion of IPsec involves the determination and distribution of secret keys.
• A typical requirement is four keys for communication between two applications: transmit and receive pairs for both integrity and confidentiality.
Internet Key Exchange
• The IPsec Architecture document mandates support for two types of key management:
• Manual
– A system administrator manually configures each system with its own keys and with the keys of other communicating systems.
– This is practical for small, relatively static environments.
• Automated
– An automated system enables the on-demand creation of keys for SAs.
– Facilitates the use of keys in a large distributed system with an evolving configuration.
Internet Key Exchange Protocol
• The default automated key management protocol for IPsec is referred to as Oakley/ISAKMP.
• Oakley Key Determination Protocol
– Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security.
• ISAKMP: Internet Security Association and Key Management Protocol
– ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for the negotiation of security attributes.
Key Determination Protocol
• IKE key determination is a refinement of the Diffie-Hellman key exchange algorithm.
• The Diffie-Hellman algorithm has two attractive features:
– Secret keys are created only when needed.
– The exchange requires no preexisting infrastructure other than an agreement on the global parameters.
• The Diffie-Hellman algorithm has three disadvantages:
– It does not provide any information about the identities of the parties.
– It is subject to a man-in-the-middle attack.
– It is computationally intensive. As a result, it is very vulnerable to a clogging attack, in which an opponent requests a very large number of keys.
Features of IKE Key Determination
• The IKE key determination algorithm is characterized by five important features:
– It employs a mechanism known as cookies to thwart clogging attacks.
• Peer-dependent cookie generation and acknowledgement, with a fast method of generating and verifying cookies.
– It enables the two parties to negotiate a group.
• Supports defining the global parameters of the key exchange and identifying the algorithm.
– It uses nonces to ensure against replay attacks.
• Locally generated random values are included in the reply messages and exchanged under encryption.
– It enables the exchange of Diffie-Hellman public key values.
– It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.
• Three authentication methods: digital signatures, public-key encryption, symmetric-key encryption.
Cookie Exchange
• A cookie exchange mechanism is used to prevent clogging attacks.
– Each side sends a pseudorandom cookie in its initial message, and the other side must acknowledge it.
– The acknowledgement is repeated in the first message of the Diffie-Hellman key exchange.
• Basic requirements for cookie generation:
– The cookie must depend on the specific parties.
– It must not be possible for anyone other than the issuing entity to generate cookies that will be accepted by that entity.
• The issuing entity uses locally held secret information in the generation and subsequent verification of a cookie.
– Cookie generation and verification must be fast, to thwart attacks aimed at exhausting processor resources.
• Recommended method of cookie generation:
– Perform a fast hash (e.g., MD5) over the IP source and destination addresses, the UDP source and destination ports, and a locally generated secret value.
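The recommended cookie construction above in Python, as an added example that is not part of the original slides: the cookie is bound to the peer's addresses and ports, cannot be produced without the local secret, is cheap to compute and verify, and the issuer stores no per-peer state until the cookie comes back. The slide's fast hash (MD5) is replaced here by HMAC-SHA-256 keyed with the local secret; the epoch field, cookie layout and all addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time
from typing import Optional

class CookieIssuer:
    """Stateless anti-clogging cookie: peer-dependent, unforgeable without the local secret,
    fast to generate and verify. Constructed example, not an IKE implementation."""
    MAC_LEN = 8

    def __init__(self, secret: Optional[bytes] = None, epoch_seconds: int = 60):
        self.secret = secret or os.urandom(32)   # locally generated secret, never sent to peers
        self.epoch_seconds = epoch_seconds

    def _mac(self, src: str, dst: str, sport: int, dport: int, epoch: int) -> bytes:
        # IP source/destination addresses, UDP source/destination ports, plus a time epoch
        msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
               + struct.pack("!HHQ", sport, dport, epoch))
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:self.MAC_LEN]

    def _epoch(self, now: Optional[float]) -> int:
        return int(time.time() if now is None else now) // self.epoch_seconds

    def issue(self, src, dst, sport, dport, now=None) -> bytes:
        """Cookie = epoch || MAC; nothing about the peer is stored when it is issued."""
        epoch = self._epoch(now)
        return struct.pack("!Q", epoch) + self._mac(src, dst, sport, dport, epoch)

    def verify(self, cookie: bytes, src, dst, sport, dport, now=None) -> bool:
        """Accept only a cookie issued for this 4-tuple in the current or previous epoch."""
        if len(cookie) != 8 + self.MAC_LEN:
            return False
        epoch = struct.unpack("!Q", cookie[:8])[0]
        if epoch not in (self._epoch(now), self._epoch(now) - 1):
            return False                       # stale cookies cannot be replayed later
        return hmac.compare_digest(cookie[8:], self._mac(src, dst, sport, dport, epoch))

if __name__ == "__main__":
    issuer = CookieIssuer()
    ck = issuer.issue("203.0.113.5", "198.51.100.1", 500, 500)     # constructed peer tuple
    print(issuer.verify(ck, "203.0.113.5", "198.51.100.1", 500, 500))
```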
IKEv2 Exchanges (1/2)
• Initial exchange
– First exchange
• The two peers exchange information on the cryptographic algorithms, nonces, Diffie-Hellman (DH) values and the other security parameters to be used.
• After the exchange, a special SA called the IKE SA is established; it defines the parameters for a secure channel between the two peers.
– Second exchange
• The two parties authenticate each other.
• The first IPsec SA, used to protect ordinary (non-IKE) communication between the peers, is established.
• CREATE_CHILD_SA exchange: used to establish additional SAs for protecting traffic.
• Informational exchange: used to exchange management information, IKEv2 error messages, and so on.
IKEv2 Exchanges (2/2)
[Figure]
Header and Payload Formats
• IKE Header Format
– Defines the procedures and packet formats to establish, negotiate, modify and delete security associations.
• Payload Header
– The payload formats are independent of the specific key exchange protocol, encryption algorithm and authentication mechanism, and provide a consistent framework.
IKE Header (1/2)
• Initiator SPI (64 bits): A value chosen by the initiator to
identify a unique IKE security association (SA).
• Responder SPI (64 bits): A value chosen by the
responder to identify a unique IKE SA.
• Next Payload (8 bits): Indicates the type of the first
payload in the message.
• Major Version (4 bits): Indicates major version of IKE
in use.
• Minor Version (4 bits): Indicates minor version in use.
IKE Header (2/2)
• Exchange Type (8 bits): Indicates the type of exchange.
• Flags (8 bits): Indicates specific options set for this IKE exchange.
• Message ID (32 bits): Used to control retransmission of lost packets and matching of requests and responses.
• Length (32 bits): Length of the total message (header plus all payloads) in octets.
Generic Payload Header (1/2)
[Figure]
Generic Payload Header (2/2)
[Figure]
6. Cryptographic Suites
Cryptographic Suites
• IPsec requires various types of cryptographic algorithms.
• To promote interoperability, two RFCs define recommended cryptographic suites.
– RFC 4308 defines two cryptographic suites for virtual private networks.
• VPN-A is typical of corporate VPN security; it requires 3DES and HMAC.
• VPN-B provides stronger security and is recommended for new VPNs implemented with IPsecv3 and IKEv2; it requires AES.
– RFC 4869 defines four optional cryptographic suites compatible with the United States National Security Agency (NSA) Suite B specification.
• Provides choices for ESP and IKE.
• AES-GCM, AES-CBC, HMAC-SHA, ECP, ECDSA
Cryptographic Suites for IPsec
[Table]
Cryptographic Suites
[Table]