Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
IPSec 406 NW’98 © 1998, Cisco Systems, Inc. 1 Security Threats telnet foo.bar.org username: dan password: m-y-p-a-s-s-w-o-r-d I’m Bob, Send Me all Corporate Correspondence with Cisco d-a-n Bob Loss of Privacy Impersonation Deposit $ 1000 Deposit $ 100 CPU Bank Customer Loss of Integrity Denial of Service 406 NW’98 © 1998, Cisco Systems, Inc. 2 Challenges of Data Confidentiality • Protect confidentiality of data over an untrusted network • Ensure identity of users and systems • Scale from small to very large networks • Implement a manageable public key infrastructure 406 NW’98 © 1998, Cisco Systems, Inc. 3 What Is IPSec? • Network layer encryption and authentication • Open standards for ensuring secure private communications • Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy 406 NW’98 © 1998, Cisco Systems, Inc. 4 Benefits of IPSec • Standard for privacy, integrity and authenticity for networked commerce • Implemented transparently in the network infrastructure • End-to-end security solution including routers, firewalls, PCs and servers 406 NW’98 © 1998, Cisco Systems, Inc. 5 IPsec Everywhere! Router to Firewall Router to Router PC to Firewall PC to Server 406 NW’98 PC to Router © 1998, Cisco Systems, Inc. 6 Keyed Hashing for Authentication • Secret key and message are hashed together • Recomputation of digest verifies that message originated with peer and that message was not altered in transit “Secret Key” Hash Function Hash 406 NW’98 © 1998, Cisco Systems, Inc. 7 Diffie-Hellman Key Exchange (1976) By Openly Exchanging Non-Secret Numbers, Two People Can Compute a Unique Shared Secret Number Known Only to Them 406 NW’98 © 1998, Cisco Systems, Inc. 8 Grounds of Diffie-Hellman • one large prime number (generator) g is made public • computing gR is fast • computing R from gR is much more difficult • modulus (prime), p • modular arithmetic (mod p) actually used => nearly impossible to get back R 406 NW’98 © 1998, Cisco Systems, Inc. 9 Diffie-Hellman Public Key Exchange Alice Private Value, XA Public Value, YA YA =g XA Private Value, XB Public Value, YB mod p YB = g XB Bob mod p YA YB YB XA = (g XB X A ) =g XB XA = g XA XB = (g XB X A ) = YA XB mod p (shared secret) 406 NW’98 © 1998, Cisco Systems, Inc. 10 Using Certificates BANK Internet • Certificate Authority (CA) verifies identity • CA signs digital certificate containing device’s public key • Certificate equivalent to an ID card 406 NW’98 © 1998, Cisco Systems, Inc. 11 Digital Certificate • A digital certificate contains: Serial number of the certificate Issuer algorithm information Valid to/from date User public key information 0000123 RSA, 3837829… 1/1/93 to 12/31/98 Alice Smith, Acme Corp RSA, 3813710… Acme Corporation, Security Dept. RSA, 2393702347… Signature of issuing authority 406 NW’98 © 1998, Cisco Systems, Inc. 12 How peers work with CA ? CA’s own certificate signed by CA 3. peer’s certificate signed by CA Strong or human authentication needed for steps 1. and 2. 406 NW’98 0. peer generates public/private key pair © 1998, Cisco Systems, Inc. 13 Certification Authority • CA is a software • main purpose of CA = sign certificates after valid authentication • private key of CA is the ‘most secret’ key • CA can be offline or online • CA is used only: –on installation –public key changes –renewal of certificates 406 NW’98 © 1998, Cisco Systems, Inc. 14 How to scale CA ? a root CA can delegate authentication to lower CA root lower CA root CA own certificate signed by root CA lower CA certificate signed by root CA router certificate signed by lower CA certificates chain of router 406 NW’98 © 1998, Cisco Systems, Inc. 15 How to scale CA ? • beside this hierarchical scheme there is a meshed one • CA role can be split: publication authority: CRL storage local registration authority: very similar to lower CA 406 NW’98 © 1998, Cisco Systems, Inc. 16 What worth is a certificate ? • certificate are signed by CA private key ==> secure the private key • own key pairs can be compromised ==> corresponding certificate must be revocated (black list = CRL Certificate Revocation List) 406 NW’98 © 1998, Cisco Systems, Inc. 17 Certificate Revocation List • List of revoked certificates signed by CA • Stored on CA or directory service • No requirement on devices to ensure CRL is current 406 NW’98 © 1998, Cisco Systems, Inc. Revoked Cert 12345 Cert 12241 Cert 22333 18 Defining the Terms • PKCS—Public Key Cryptography Standards • PKIX—Public Key Infrastructure Working group • CEP—Certificate enrollment protocol. Used by Cisco to enroll certificates 406 NW’98 © 1998, Cisco Systems, Inc. 19 PKCS Standards • Created by RSA to ensure interoperability • Important PKCS for IPSec: PKCS #1: RSA signature definition PKCS #7: Digitally signed or enveloped messages PKCS #10: Certification requests 406 NW’98 © 1998, Cisco Systems, Inc. 20 IETF Public Key Infrastructure Working Group (PKIX) • Facilitate the use of X.509 certificates in multiple applications, including IPSec, S/Mime, Web • Promote interoperability 406 NW’98 © 1998, Cisco Systems, Inc. 21 Certificate Enrollment Protocol • Lightweight protocol to support certificate life cycle operations • Uses PKCS #7 and #10 • Transaction-oriented request / response protocol • Transport-mechanism independent • Requires manual authentication during enrollment 406 NW’98 © 1998, Cisco Systems, Inc. 22 IPSec Description 406 NW’98 © 1998, Cisco Systems, Inc. 23 IPSec Security Services • Data integrity • Data origin authentication • Replay prevention • Confidentiality • Limited traffic flow confidentiality 406 NW’98 © 1998, Cisco Systems, Inc. 24 Tunnel and Transport Modes • Transport mode for end-to-end session • Tunnel mode for everything else Tunnel Mode Tunnel Mode Transport Mode 406 NW’98 © 1998, Cisco Systems, Inc. 25 IPsec Modes IP HDR Data Tunnel Mode New IP HDR IPsec HDR IP HDR Data may be encrypted IP HDR Data Transport Mode IP HDR IPsec HDR Data may be encrypted 406 NW’98 © 1998, Cisco Systems, Inc. 26 IPsec: Authentication Header • RFC 1826 Aug ‘95 without anti-replay • RFC 2085 Feb ‘97 with anti-replay • Authentication Header, AH • additional header inside the IP datagram • MD5 can be used (RFC 1828), • or … (currently IETF drafts) 406 NW’98 © 1998, Cisco Systems, Inc. 27 IPsec AH (Cont.) Original IP datagram IP header other headers and payloads secret key Digital signature (RFC 1828 = MD5) IP header Auth. header other headers and payloads Authenticated IP datagram 406 NW’98 © 1998, Cisco Systems, Inc. 28 IPsec Encapsulating Security Payload • RFC 1827 Aug ‘95 • Encapsulation Security Payload, ESP • confidentiality of whole IP datagram (tunnel) TCP or UDP payload only (transport) • DES can be used (RFC1829) • or … (currently IETF drafts) also with authentication in ESP 406 NW’98 © 1998, Cisco Systems, Inc. 29 IPsec ESP Transport (Cont.) Can be used end to end, between host ESP Transport ‘tunnel’ Sniffers are defeated 406 NW’98 © 1998, Cisco Systems, Inc. 30 IPsec ESP Transport Original IP datagram IP header other headers and payloads secret key Encryption algorithm IP header ESP header other headers and payloads ESP trailer IP datagram with transport ESP 406 NW’98 © 1998, Cisco Systems, Inc. 31 IPsec ESP Tunnel (Cont.) Usually between firewalls for VPN ESP Transport ‘tunnel’ Sniffing possible Sniffing possible Sniffers are defeated 406 NW’98 © 1998, Cisco Systems, Inc. 32 IPsec ESP Tunnel (Cont.) Or between client and firewall mainly for VPDN ESP Transport ‘tunnel’ Sniffing possible Sniffers are defeated 406 NW’98 © 1998, Cisco Systems, Inc. 33 IPsec ESP Tunnel Original IP datagram IP header other headers and payloads New IP header built by tunnel end new IP header secret key Encryption algorithm new IP header ESP header IP header other headers and payloads ESP trailer IP datagram with tunnel ESP 406 NW’98 © 1998, Cisco Systems, Inc. 34 Security Association (SA) Firewall Router • Agreement between two entities on a security policy, including: Encryption algorithm Authentication algorithm Shared session keys SA lifetime • Unidirectional. Two-way communication consists of two SAs 406 NW’98 © 1998, Cisco Systems, Inc. 35 Internet Key Exchange (IKE) AKA: ISAKMP + Oakley 406 NW’98 © 1998, Cisco Systems, Inc. 36 IPsec needs IKE IKE IKE protocol Transform, key material IKE Transform, key material IPsec protocols ESP, AH IPsec SA needs for all peers: - which transform - which key 406 NW’98 © 1998, Cisco Systems, Inc. 37 IKE • Negotiates policy to protect communication • Authenticated Diffie-Hellman key exchange • Negotiates (possibly multiple) security associations for IPSec 406 NW’98 © 1998, Cisco Systems, Inc. 38 Perfect Forward Secrecy (PFS) • Compromise of a single key will permit access to only data protected by that particular key • IKE provides PFS if required by using Diffie-Hellman for each rekey • If PFS not required, can refresh key material without using Diffie Hellman 406 NW’98 © 1998, Cisco Systems, Inc. 39 IKE Authentication • Signatures • Encrypted nonce’s • Pre-shared key 406 NW’98 © 1998, Cisco Systems, Inc. 40 Initiating New Connections IKE IPSec Data • Establish IKE SA—“Main mode” • Establish IPSec SA—“Quick mode” Multiple quick modes for each main mode • Send protected data 406 NW’98 © 1998, Cisco Systems, Inc. 41 How IPSec Uses IKE 1. Outbound packet from Alice to Bob. No IPSec SA 4. Packet is sent from Alice to Bob protected by IPSec SA IPSec IPSec Alice’s router Bob’s router IKE 2. Alice’s IKE begins negotiation with Bob’s 406 NW’98 IKE Tunnel IKE 3. Negotiation complete. Alice and Bob now have complete set of SAs in place © 1998, Cisco Systems, Inc. 42 Creating an IKE SA DES MD5 RSA Sig DH1 DES SHA Pre-shared DH1 DES MD5 RSA Sig DH1 YA YB Home-gw 10.1.2.3 Pent-gw 26.9.0.26 CRL • Negotiate IKE parameters • Exchange DH Numbers • Exchange Certificates and check CRL 406 NW’98 • Exchange signed data for authentication © 1998, Cisco Systems, Inc. 43 Creating IPSec SA—Quick Mode IKE SA DES MD5 DH1 DES SHA DH1 DES MD5 DH1 YA YB Data • Requires IKE SA to be in place • Negotiate IPSec parameters Local Policy 406 NW’98 { • Create shared session key Exchange DH numbers for PFS or Exchange nonces for quick rekey © 1998, Cisco Systems, Inc. 44 Overlapping Security Associations SA-1 protects Net A to B Bob Net B Net A SA-2 protects Alice to IBM Alice • Multiple, overlapping security associations • Selectable with extended access lists 406 NW’98 © 1998, Cisco Systems, Inc. 45 Dynamic Crypto Maps • Enables easy configuration for remote clients • Crypto map template created without defining a peer • If incoming IPSec SA request is accepted, then a temporary crypto map entry is created 406 NW’98 © 1998, Cisco Systems, Inc. 46 Different Keys Everywhere R SS I T IY T Y U N UI NVI VEE R Ensure Confidential Communications in an unsecured Network 406 NW’98 © 1998, Cisco Systems, Inc. 47 Define Sensitive Traffic for Each 406 NW’98 © 1998, Cisco Systems, Inc. 48 Enable Mobile Users with L2TP and IPSec IPSec L2TP or L2F • IPSec protects traffic from remote sites to the enterprise using any application • IPSec may be combined with L2TP or L2F • Travelers can access the network as securely as they would in the office 406 NW’98 © 1998, Cisco Systems, Inc. 49