
IP Security (IPSEC) and Internet Key Exchange (IKE)

Anupama Potluri
Department of Computer and Information Sciences
University of Hyderabad

Overview

  Motivation for IP Security
  IP Security Architecture
  Inbound and Outbound Processing
  Authentication Header (AH)
  Encapsulating Security Payload (ESP)
  Scalability/Privacy Issues
  Internet Key Exchange (IKE)

Motivation for IP Security

Provide security at the network layer including
  Access Control
  Data Origin Authentication
  Connectionless Integrity
  Confidentiality

Helps in establishment of Virtual Private Networks (VPNs)

IP Security Architecture

Components of IPSEC
  Security Policy Database
  Security Association Database
  AH
  ESP
  IKE

Transport and Tunnel Mode

IPSEC Arch: Scenario 1

[Figure: H1, R1, R2, H2 in a row. One secure connection is labelled "tunnel mode only"; another is labelled "transport or tunnel mode".]

IPSEC Arch: Scenario 2

[Figure: H1, R1, R2, H2 in a row. One secure connection is labelled "tunnel mode only"; another is labelled "transport or tunnel mode".]

Transport Mode

Original Datagram:  | IP header | rest of the datagram |
Transport Mode:     | IP header | IPSec Hdr | rest of the datagram |

Tunnel Mode

Original Datagram:  | IP header | rest of the datagram |
Tunnel Mode:        | IP header | IPsec Hdr | IP Hdr | rest of the datagram |

Security Policy Database

Defines the security policies of the enterprise
Example entries:

Source  Dest  Protocol  Src Port  Dest Port  Policy  Sec. Serv.
A       B     TCP       *         80         Pass    None
C       B     TCP       *         22         Apply   ESP
*       B     TCP       *         80         Apply   AH

Security Association Database

  A Security Association is an instantiation of a security policy that is dynamically created and deleted.
  A single security policy can have many SAs since the policy can have a wildcard for any selector but a separate SA for each individual connection
  An SA is identified uniquely by the Destination Address, SPI and Security Protocol (AH or ESP)

Outbound Processing
1. Match the packet's selector fields against the outbound policies in the SPD to locate the first appropriate policy, which will point to zero or more SA bundles in the SAD.
2. Match the packet's selector fields against those in the SA bundles found in (1) to locate the first SA bundle that matches. If no SAs were found or none match, create an appropriate SA bundle and link the SPD entry to the SAD entry. If no key management entity is found, drop the packet.
3. Use the SA bundle found/created in (2) to do the required IPsec processing, e.g., authenticate and encrypt.

Inbound Processing
1. Use the packet's destination address (outer IP header), IPsec protocol, and SPI to look up the SA in the SAD. If the SA lookup fails, drop the packet and log/report the error.
2. Use the SA found in (1) to do the IPsec processing, e.g., authenticate and decrypt.
3. Find an incoming policy in the SPD that matches the packet.
4. Check whether the required IPsec processing has been applied.
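
The first-match SPD lookup and the inbound checks above, as an added example (not part of the original slides). The SPD rows are the slide's example entries; the SAD contents, the SPI values, the host D, the reuse of the same SPD for inbound traffic and the default "Drop" for unmatched traffic are assumptions made for illustration.

```python
# SPD rows from the slide, in order:
# (source, dest, protocol, src port, dest port, policy, security service)
SPD = [
    ("A", "B", "TCP", "*", 80, "Pass", None),
    ("C", "B", "TCP", "*", 22, "Apply", "ESP"),
    ("*", "B", "TCP", "*", 80, "Apply", "AH"),
]

# Constructed SAD: an SA is keyed by (destination address, SPI, security protocol).
SAD = {("B", 0x1001, "ESP"): "sa-C-to-B", ("B", 0x1002, "AH"): "sa-D-to-B"}

def spd_lookup(src, dst, proto, sport, dport):
    """Return (policy, service) of the first SPD entry whose selectors all match."""
    pkt = (src, dst, proto, sport, dport)
    for *selectors, policy, service in SPD:
        if all(s == "*" or s == p for s, p in zip(selectors, pkt)):
            return policy, service
    return "Drop", None  # assumption: traffic with no matching policy is discarded

def inbound(src, dst, proto, sport, dport, spi=None, ipsec_proto=None):
    """Inbound steps 1-4; the cryptographic work of step 2 is elided."""
    applied = None
    if ipsec_proto is not None:
        if (dst, spi, ipsec_proto) not in SAD:
            return "drop: no SA"          # step 1: SA lookup failed
        applied = ipsec_proto             # step 2: authenticate/decrypt would run here
    policy, required = spd_lookup(src, dst, proto, sport, dport)  # step 3
    if policy == "Drop":
        return "drop: no policy"
    if required != applied:               # step 4: was the required service applied?
        return "drop: policy violation"
    return "accept"
```

Entry order matters: HTTP from A matches the Pass row before the wildcard AH row, while HTTP from any other source falls through to AH.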

Authentication Header

Security Services provided are:
  Data Origin Authentication
  Connectionless Integrity
  Anti-Replay

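Authentication Header Format

 0            8             16                          31
+------------+-------------+----------------------------+
| Next Header| Payload Len |          Reserved          |
+------------+-------------+----------------------------+
|            Security Parameter Index (SPI)             |
+-------------------------------------------------------+
|                 Sequence Number Field                 |
+-------------------------------------------------------+
|     Authentication Data or ICV (variable length)      |
+-------------------------------------------------------+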

Outbound Processing: Calculating the ICV

The AH ICV is a one-way hash computed using SHA1 or MD5 over:
  IP header fields that are either immutable in transit or that are predictable in value upon arrival at the endpoint for the AH SA
  the AH header (Next Header, Payload Len, Reserved, SPI, Sequence Number, and the Authentication Data (which is set to zero for this computation), and explicit padding bytes (if any))
  the upper level protocol data, which is assumed to be immutable in transit

Mutable, Immutable and Predictable Fields

Immutable
  Version, Internet Header Length, Total Length, Identification, Protocol (This should be the value for AH.), Source Address, Destination Address (without loose or strict source routing)

Mutable but predictable
  Destination Address (with loose or strict source routing)

Mutable (zeroed prior to ICV calculation)
  Type of Service (TOS), Flags, Fragment Offset, Time to Live (TTL), Header Checksum

Inbound Processing

  Reassemble the packet, if required
  Security Association Lookup (SPI, Destination and AH) as the key
  Verify the sequence number
  Verify the ICV
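
The ICV calculation and its inbound verification, as an added example (not part of the original slides). It zeroes the mutable IPv4 fields listed above and the Authentication Data before hashing. The keyed HMAC-SHA1 truncated to 96 bits, the key, the addresses, the SPI and the header values are assumptions or constructed sample data.

```python
import hmac, hashlib, struct

def ipv4_header(src, dst, ttl, tos=0, flags_frag=0, checksum=0):
    """20-byte IPv4 header without options; protocol 51 is AH. Values are constructed."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 72, 0x1234, flags_frag,
                       ttl, 51, checksum, bytes(src), bytes(dst))

def zero_mutable(ip_hdr):
    """Zero the fields the slide lists as mutable before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # Type of Service
    h[6:8] = b"\x00\x00"     # Flags and Fragment Offset
    h[8] = 0                 # Time to Live
    h[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv=bytes(12)):
    """Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV (zero by default)."""
    payload_len = (12 + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, next_hdr, spi, seq, payload):
    covered = zero_mutable(ip_hdr) + ah_header(next_hdr, spi, seq) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]  # assumption: HMAC-SHA1-96

def verify_icv(key, ip_hdr, ah, payload):
    next_hdr, _len, _rsv, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return hmac.compare_digest(ah[12:], expected)

def demo():
    key, payload = b"constructed-shared-key", b"constructed upper-layer data"
    sent = ipv4_header([10, 0, 0, 1], [10, 0, 0, 2], ttl=64, checksum=0x1A2B)
    ah = ah_header(6, 0x1002, 1, compute_icv(key, sent, 6, 0x1002, 1, payload))
    routed = ipv4_header([10, 0, 0, 1], [10, 0, 0, 2], ttl=61, checksum=0x1D2B)
    spoofed = ipv4_header([10, 0, 0, 9], [10, 0, 0, 2], ttl=61, checksum=0x1D2B)
    return (verify_icv(key, routed, ah, payload),         # only mutable fields changed
            verify_icv(key, spoofed, ah, payload),        # Source Address is immutable
            verify_icv(key, routed, ah, payload + b"!"))  # upper-level data altered
```

A packet whose TTL and checksum changed in transit still verifies, while a changed Source Address or payload does not.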

Encapsulating Security Payload

Security Services provided are
  Data Origin Authentication
  Connectionless Integrity
  Confidentiality
  Anti-Replay
  Limited Traffic Flow Confidentiality

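ESP Header/Trailer Format

+-------------------------------------------------------+
|            Security Parameter Index (SPI)             |
+-------------------------------------------------------+
|                    Sequence Number                    |
+-------------------------------------------------------+
|                Payload Data (variable)                |
+-------------------------------------------------------+
|                        Padding                        |
+---------------------------+------------+--------------+
|          Padding          | Pad Length | Next Header  |
+---------------------------+------------+--------------+
|         Authentication Data or ICV (variable)         |
+-------------------------------------------------------+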

ESP Outbound Processing
1. encapsulates (into the ESP Payload field):
   for transport mode, just the original upper layer protocol information.
   for tunnel mode, the entire original IP datagram.
2. adds any necessary padding.
3. encrypts the result (Payload Data, Padding, Pad Length and Next Header) using the key, encryption algorithm, algorithm mode indicated by the SA.


ESP Inbound Processing
1. decrypts the ESP Payload Data, Padding, Pad Length, and Next Header using the key, encryption algorithm, algorithm mode indicated by the SA.
2. processes any padding as specified in the encryption algorithm specification.
3. reconstructs the original IP datagram from:
   a) for transport mode, original IP header plus the original upper layer protocol information in the ESP Payload field
   b) for tunnel mode, tunnel IP header + the entire IP datagram in the ESP Payload field.

IPSEC Summary

IPSEC consists of
  a security policy database that determines the type of security applied for that traffic in that enterprise
  a security association that is a specific instantiation of a security policy

Based on the security needed, the AH and ESP protocols can be applied either alone or in combination
For Security Associations between Security Gateways, only Tunnel Mode is allowed

IPSEC Summary

  Fragmentation happens after IPSEC is applied at the source and Reassembly before IPSEC is applied at the destination
  All Mutable fields are zeroed before IPSEC is applied
  If the integrity of the IP header needs to be protected, AH is used
  If Confidentiality is needed, ESP is used.

Scalability/Privacy Issues

  AH and ESP use symmetric key cryptography using shared keys.
  Sharing of keys can be manual and stored in the systems.
  This is non-scalable as every pair of systems/users must have a unique key
  Privacy can be compromised if the system is compromised

Internet Key Exchange (IKE)

IKE is a dynamic key exchange protocol that provides
  authentication and confidentiality for the material exchanged to generate keys.
  Perfect Forward Secrecy for Identities and Keys

Has two phases:
  Phase 1: To negotiate the keys used to authenticate/protect the IKE exchange itself - Main Mode or Aggressive Mode
  Phase 2: To negotiate the keys used in IPSEC or any other security protocol - Quick Mode

IKE Payloads

  Fixed Header, HDR
  Security Association Payload (SA) - contains security proposals and transforms
  Key Exchange Payload (KE) - contains the Diffie-Hellman public keys
  Nonce Payload (Ni and Nr) - random numbers as protection against replay attacks
  Identification Payload (IDii, IDir) - Identity of the peers in the key exchange

IKE Authentication Payloads

  Signature Payload (SIG_I, SIG_R) - contains digital signatures
  Certificate Payload (CERT) - contains the certificate mapping the identity to the public key signed by the Certificate Authority (CA)
  Hash Payload (HASH_x) - contains the one-way hash value using SHA1 or MD5 as per the specification

IKE Main Mode Auth. with Signatures

A -->  HDR, SA proposal
A <--  HDR, SA chosen
A -->  HDR, KE, Ni
A <--  HDR, KE, Nr
A -->  HDR*, IDii, [CERT,] SIG_I
A <--  HDR*, IDir, [CERT,] SIG_R

IKE Aggressive Mode Auth. with Signatures

-->  HDR, SA proposal, KE, Ni, IDii
<--  HDR, SA chosen, KE, Nr, IDir, [CERT,] SIG_R
-->  HDR, [CERT,] SIG_I

Generation of Keying Material

The KE payload carries the Diffie-Hellman public keys g^x and g^y. These are then used to generate g^xy which is used for generating keying material
The generation is as follows:

SKEYID   = prf(Ni_b | Nr_b, g^xy)
SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

Generation of Hash Values

The signatures in the previous slides are calculated by encrypting a hash of the message using the private key. The hash values

HASH_I = prf(SKEYID, g^x | g^y | CKY-I | CKY-R | SAi_b | IDii_b )
HASH_R = prf(SKEYID, g^y | g^x | CKY-R | CKY-I | SAi_b | IDir_b )

IKE Quick Mode

-->  HDR*, HASH(1), SA proposal, Ni [, KE] [, IDci, IDcr]
<--  HDR*, HASH(2), SA chosen, Nr [, KE] [, IDci, IDcr]
-->  HDR*, HASH(3)

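SA, Proposal and Transform Payloads

+--------------+----------+-----------------------------+
| NH=SA        | Reserved | Payload Length              |
+--------------+----------+-----------------------------+
| Domain of Interpretation (DOI)                        |
+-------------------------------------------------------+
| Situation                                             |
+--------------+----------+-----------------------------+
| NH=Proposal  | Reserved | Payload Length              |
+--------------+----------+--------------+--------------+
| Proposal 1   | PROTO_AH | SPI size=4   | #Trans.=1    |
+--------------+----------+--------------+--------------+
| SPI                                                   |
+--------------+----------+-----------------------------+
| NH=Transform | Reserved | Payload Length              |
+--------------+----------+-----------------------------+
| Transform 1  | AH_SHA   | Reserved                    |
+--------------+----------+-----------------------------+
| Attributes in TLV format (variable in length)         |
+-------------------------------------------------------+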

Hash Calculation in Quick Mode

The hash values seen in Quick Mode are calculated as follows:

HASH(1) = prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ])
HASH(2) = prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ])
HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)

Keying material for IPSEC SA is generated as follows:

KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)

Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) is defined as follows:

  Compromise of a single key allows access to only data protected by a single key.

This is achieved by ensuring that the key used to protect transmission of data is not used to generate keying material for future communication.

IKE PFS

IKE achieves
  PFS for keys by having an additional Diffie-Hellman exchange as part of Quick Mode exchange and deleting an IPSEC SA after the session is done or a timeout occurs.
  PFS for Identities by using Main Mode to protect identities and deleting an ISAKMP SA negotiated once the quick mode negotiation is completed.
  PFS for both Identities and Keys by combining the two.
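
The keying material formulas from the "Generation of Keying Material" and "Hash Calculation in Quick Mode" slides, carried through for both peers, as an added example (not part of the original slides). HMAC-SHA1 as the prf, the toy Diffie-Hellman group, and every nonce, cookie, SPI and private value are assumptions or constructed sample data; the KEYMAT variant that mixes in a Quick Mode Diffie-Hellman secret follows RFC 2409 and goes beyond the single formula shown on the slide.

```python
import hmac, hashlib

P, G = 2**127 - 1, 3  # toy Diffie-Hellman group for illustration, not an IKE group

def prf(key, data):
    """Assumption: the negotiated prf is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_secret(private, peer_public):
    """g^xy as bytes, from our private value and the peer's KE payload."""
    return pow(peer_public, private, P).to_bytes(16, "big")

def phase1_keys(ni, nr, g_xy, cky_i, cky_r):
    """Return (SKEYID, SKEYID_d, SKEYID_a, SKEYID_e) per the slide's formulas."""
    skeyid = prf(ni + nr, g_xy)
    d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + g_xy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid, d, a, e

def keymat(skeyid_d, protocol, spi, ni, nr, g_qm_xy=b""):
    """KEYMAT as on the slide; with a Quick Mode KE, RFC 2409 prepends g(qm)^xy."""
    return prf(skeyid_d, g_qm_xy + bytes([protocol]) + spi + ni + nr)

def demo():
    # Constructed values: private exponents, nonces, cookies and SPIs are made up.
    x, y = 0x1234567890ABCDEF, 0x0FEDCBA987654321
    ni, nr, cky_i, cky_r = b"p1-nonce-I", b"p1-nonce-R", b"COOKIE-I", b"COOKIE-R"
    # Each peer combines its own private value with the other's public value.
    init = phase1_keys(ni, nr, dh_secret(x, pow(G, y, P)), cky_i, cky_r)
    resp = phase1_keys(ni, nr, dh_secret(y, pow(G, x, P)), cky_i, cky_r)
    skeyid_d, qni, qnr = init[1], b"qm-nonce-I", b"qm-nonce-R"
    spi_in, spi_out = bytes.fromhex("00001002"), bytes.fromhex("00002002")
    # Without KE, KEYMAT depends only on SKEYID_d and values carried in Quick Mode.
    k_in = keymat(skeyid_d, 2, spi_in, qni, qnr)   # 2 = AH protocol ID (IPsec DOI)
    k_out = keymat(skeyid_d, 2, spi_out, qni, qnr)
    # With KE, a fresh Diffie-Hellman secret enters the derivation as well.
    fresh = dh_secret(0x1111222233334444, pow(G, 0x5555666677778888, P))
    k_pfs = keymat(skeyid_d, 2, spi_in, qni, qnr, fresh)
    return init == resp, len(set(init)) == 4, k_in != k_out, k_pfs != k_in
```

Without the Quick Mode KE, every IPSEC key is a function of SKEYID_d and values carried in the exchange, which is why PFS for keys needs the additional Diffie-Hellman exchange.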

IKE Summary

  IKE is a key exchange protocol that allows for the keying material to be exchanged with authentication (and confidentiality, if required).
  It allows for Perfect Forward Secrecy of Identities and Keys
  It consists of two phases: Phase 1 for the exchange of keying material to protect phase 2 exchange and Phase 2 for exchange of keying material of IPSEC

