Professional Documents
Culture Documents
IP Security
Have a range of application specific security mechanisms
eg. S/MIME, PGP, Kerberos, SSL/HTTPS
However there are security concerns that cut across protocol layers Would like security implemented by the network for all applications
IPSec
General IP Security mechanisms Provides
authentication confidentiality key management
Applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Uses
Transparency
Benefits of IPSec
In a firewall/router provides strong security to all traffic crossing the perimeter In a firewall/router is resistant to bypass Is below transport layer, hence transparent to applications Can be transparent to end users Can provide security for individual users Secures routing architecture
IP Security Architecture
Specification is quite complex Defined in numerous RFCs
incl. RFC 2401/2402/2406/2408 many others, grouped by category
Authentication header (AH) Encapsulating security payload (ESP) Practical Issues w/ NAT
Encrypted
New IP Header
AH or ESP Header
Orig IP Header
TCP Data
Transport Mode
IP IP IPSec header options header Real IP destination ESP Higher layer protocol
AH
ESP protects higher layer payload only AH can protect IP headers as well as higher layer payload
Tunnel Mode
Outer IP IPSec Inner IP Higher header header header layer protocol Destination IPSec entity ESP Real IP destination
AH
ESP applies only to the tunneled packet AH can be applied to portions of the outer header
Security Association - SA
Defined by 3 parameters:
Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier
Have a database of Security Associations Determine IPSec processing for senders Determine IPSec decoding for destination SAs are not fixed! Generated and customized per traffic flows
SA Database - SAD
Holds parameters for each SA
Lifetime of this SA AH and ESP information Tunnel or transport mode
Bypass
Outbound: do not apply IPSec Inbound: do not expect IPSec
Outbound Processing
Outbound packet (on A)
A
IP Packet Is it for IPSec? If so, which policy entry to select? SPD (Policy) SA Database
Send to B
Inbound Processing
Inbound packet (on B) From A
SPI & Packet
SA Database SPD (Policy) Was packet properly secured?
un-process
Original IP Packet
Authentication header (AH) Encapsulating security payload (ESP) Practical Issues w/ NAT
Authenticated Header
Data integrity
Entire packet has not been tampered with
Authentication
Can trust IP address source Use MAC to authenticate
Symmetric encryption, e.g, DES One-way hash functions, e.g, HMAC-MD5-96 or HMAC-SHA-1-96
SAD
Reserved
ICV
IPSec protocol header except the ICV value field Upper-level data
Tunnel Mode
Cover entire original packet
Transport Mode
Good for host to host traffic
Tunnel Mode
Good for VPNs, gateway to gateway security
Pad as necessary Encrypt result [payload, padding, pad length, next header] Apply authentication (optional)
Allow rapid detection of replayed/bogus packets Integrity Check Value (ICV) includes whole ESP packet minus authentication data field
Original IP Header SPI Sequence Number Payload (TCP Header and Data) Variable Length Padding (0-255 bytes)
Pad Length Next Header
Packet decryption
Decrypt quantity [ESP payload,padding,pad length,next header] per SA specification Processing (stripping) padding per encryption algorithm Reconstruct the original IP datagram
Authentication header (AH) Encapsulating security payload (ESP) Practical Issues w/ NAT
NATs
Network address translation = local, LANspecific address space translated to small number of globally routable IP addresses Motivation:
Scarce address space Security: prevent unsolicited inbound requests
Prevalence of NATs
Claim: 50% of broadband users are behind NATs All Linksys/D-Link/Netgear home routers are NATs
NAT types
All use net-10/8 (10.*.*.*) or 192.168/16 Address translation Address-and-port translation (NAPT)
most common form today, still called NAT one external (global) IP address
NAT Example
Messages sent between host B to another host on the Internet Host B original source socket: 192.168.0.101 port 1341 Host B translated socket: 68.40.162.3 port 5280
A B C
Backup Slides
SA Bundle
More than 1 SA can apply to a packet Example: ESP does not authenticate new IP header. How to authenticate?
Use SA to apply ESP w/o authentication to original packet Use 2nd SA to apply AH
reject 0
verify
Anti-replay Feature
Optional Information to enforce held in SA entry Sequence number counter - 32 bit for outgoing IPSec packets Anti-replay window
32-bit Bit-map for detecting replayed packets
New New ESP Orig Orig ESP ESP TCP Data IP hdr ext hdr hdr IP hdr ext hdr trailer Auth
Key Management
Handles key generation & distribution Typically need 2 pairs of keys
2 per direction for AH & ESP
Outline
Introductions What is it? Overview Security/Tunneling Advantages and Disadvantages Demonstration
Introductions
Gregg
Liz
BSG Student Developer Unified Western Grocers Retail Technology Specialist BSG Business Analyst ResNet Network Technician COB CRC: Tier 2/3 Support Technician BSG Student Tester/Analyst
Whitney
VPN: Types
Secure VPNs use cryptographic tunneling protocols.
IPsec, SSL/TLS, OpenVPN, PPTP, L2TP, L2TPv3, VPN-Q and MPVPN
Trusted VPNs rely on the security of a single providers network to protect the traffic.
MPLS and L2F
VPN: Security
Encryption IPSec Authentication
User/System and Data AAA Servers
(Authentication, Authorization, and Accounting)
Firewalls
VPN: Tunneling
Requires 3 protocols
Carrier
Default network protocol
Passenger
Original data
Encapsulation
GRE, IPSec, L2F, PPTP, L2TP
VPN: Encapsulation
Figure 1
Remote-Access
Typically uses PPP
VPN: Advantages
Cost Effective Greater scalability Easy to add/remove users Mobility Security
VPN: Disadvantages
Understanding of security issues Unpredictable Internet traffic Difficult to accommodate products from different vendors
VPN Demonstration
Click on Start select Network Connections
VPN Demonstration
In Network Connections on the left hand side there is a link to Create New Connection click on this and a wizard will pop up assisting the user
VPN Demonstration
Select Connect to the Network at my Workplace
VPN Demonstration
Select Virtual Private Network Connection
VPN Demonstration
Make a name for this connection that you are establishing to distinguish this connection from other VPN connections that might already be established
VPN Demonstration
For this demonstration I am trying to connect to my wireless router off campus therefore the IP address that I insert is the IP address for my router which I can find out by running an ipconfig and it is the IP address for your default gateway
VPN Demonstration
Personal preference as to whether or not you want other users to be able to use this VPN connection on this computer
VPN Demonstration
VPN Demonstration
VPN Demonstration
This is a profile (username and password) that has already been created on your router which can be created by typing in the IP address of your router in a web browser
VPN Demonstration
VPN Demonstration
In Start Run insert the IP address of the computer that you want to access that is connected to the router
VPN Demonstration
Using the same username and password already established for the router you can connect to this specific computer
VPN Demonstration
These are only the files that are shared on this computer
How to connect to OSU: Dave Sullivan made a helpful Tutorial First on the Engineering Website you have to download the Cisco VPN Client One must acquire authorization information prior to using the VPN service Once registration is complete you download the appropriate client depending on your operating system; and follow the steps to complete the connection
Outline
PGP
services message format key management trust management
S/MIME
services message formats key management
What is PGP?
PGP - Pretty Good Privacy general purpose application to protect (encrypt and/or sign) files can be used to protect e-mail messages can be used by corporations as well as individuals based on strong cryptographic algorithms (IDEA, RSA, SHA-1) first version developed by Phil Zimmermann PGP is now on an Internet standards track (RFC 3156)
PGP services
messages authentication confidentiality compression e-mail compatibility segmentation and reassembly key management generation, distribution, and revocation of public/private keys generation and transport of session keys and IVs
PGP / services
Message authentication
based on digital signatures supported algorithms: RSA/SHA and DSS/SHA
Ksnd-1
sender
hash
enc
PGP / services
m
receiver
h
compare
hash
dec
Ksnd
accept / reject
Message confidentiality
symmetric key encryption in CFB mode with a random session key and IV session key and IV is encrypted with the public key of the receiver supported algorithms: symmetric: CAST, IDEA, 3DES asymmetric: RSA, ElGamal
m
s.enc
k, iv {m}k
a.enc
Compression
applied after the signature enough to store clear message and signature for later verification it would be possible to dynamically compress messages before signature verification, but then all PGP implementations should use the same compression algorithm however, different PGP versions use slightly different compression algorithms applied before encryption compression reduces redundancy makes cryptanalysis harder supported algorithm: ZIP
PGP / services
E-mail compatibility
encrypted messages and signatures may contain arbitrary octets most e-mail systems support only ASCII characters PGP converts an arbitrary binary stream into a stream of printable ASCII characters radix 64 conversion: 3 8-bit blocks 4 6-bit 0 7 0 7 0 7 blocks
0 5 0 5 0 5 0 5
PGP / services
6-bit value
0 25 26 51
character encoding
A ... Z a z
6-bit value
52 61 62 63 (pad)
character encoding
0 9 + / =
Combining services
X := file
signature?
no
yes
encryption?
yes
PGP / services
no
radix 64 X := R64(X)
timestamp
key ID of Ksnd signature leading two octets of hash hash
R64
filename
ZIP { }k
Key IDs
a user may have several public key private key pairs which private key to use to decrypt the session key? which public key to use to verify a signature? transmitting the whole public key would be wasteful associating a random ID to a public key would result in management burden PGP key ID: least significant 64 bits of the public key unique within a user with very high probability
used to generate public key private key pairs provide the initial seed for the pseudorandom number generator (PRNG) provide additional input during pseudorandom number generation
pseudo-random numbers
used to generate session keys and IVs
Pseudo-random numbers
based on the ANSI X9.17 PRNG standard K1, K2
DTi
3DES
3DES
Vi+1
Vi
3DES
Ri
Pseudo-random numbers
dtbuf
+ rseed +
E
+
E
+
rseed
E
+
E
+
+
true random bits
IV[0..7]
K[8..15]
K[0..7]
Pseudo-random numbers
dtbuf[0..3] = current time, dtbuf[4..7] = 0 pre-wash take the hash of the message this has already been generated if the message is being signed otherwise the first 4K of the message is hashed use the result as a key, use a null IV, and encrypt (rkey, rseed)previous in CFB mode if (rkey, rseed)previous is empty, it is filled up with true random bits set (rkey, rseed)current to the result of the encryption post-wash generate 24 more bytes as before but without XORing in true random bytes encrypt the result in CFB mode using K and IV set (rkey, rseed)previous to the result of the encryption
Private-key ring
used to store the public key private key pairs owned by a given user essentially a table, where each row contains the following entries: timestamp key ID (indexed) public key encrypted private key private key user ID (indexed)
passphrase
hash
enc
encrypted private key
Public-key ring
used to store public keys of other users a table, where each row contains the following entries: timestamp key ID (indexed) public key user ID (indexed) owner trust signature(s) signature trust(s) key legitimacy
Trust management
owner trust assigned by the user possible values: unknown user usually not trusted to sign usually trusted to sign always trusted to sign ultimately trusted (own key, present in private key ring) signature trust assigned by the PGP system if the corresponding public key is already in the publickey ring, then its owner trust entry is copied into signature trust otherwise, signature trust is set to unknown user
Trust management
key legitimacy computed by the PGP system if at least one signature trust is ultimate, then the key legitimacy is 1 (complete) otherwise, a weighted sum of the signature trust values is computed always trusted signatures has a weight of 1/X usually trusted signatures has a weight of 1/Y X, Y are user-configurable parameters example: X=2, Y=4 1 ultimately trusted, or 2 always trusted, or 1 always trusted and 2 usually trusted, or 4 usually trusted signatures are needed to obtain full legitimacy
C H
A E
untrusted / usually untrusted usually trusted always trusted ultimately trusted (you) signature
L
J M
legitimate
Public-key revocation
why to revoke a public key? suspected to be compromised (private key got known by someone) re-keying the owner issues a revocation certificate has a similar format to normal public-key certificates contains the public key to be revoked signed with the corresponding private key and disseminates it as widely and quickly as possible if a key is compromised: e.g., Bob knows the private key of Alice Bob can issue a revocation certificate to revoke the public key of Alice even better for Alice
What is S/MIME?
Secure / Multipurpose Internet Mail Extension a security enhancement to MIME provides similar services to PGP based on technology from RSA Security industry standard for commercial and organizational use RFC 2630, 2632, 2633
RFC 822
defines a format for text messages to be sent using email Internet standard structure of RFC 822 compliant messages header lines (e.g., from: , to: , cc: ) blank line body (the text to be sent) example
S/MIME / introduction
Date: Tue, 16 Jan 1998 10:37:17 (EST) From: abc <abc@wce.ac.in> Subject: Test To: bvs@bvbs.ac.in Blablabla
S/MIME / introduction
MIME
defines new message header fields defines a number of content formats (standardizing representation of multimedia contents) defines transfer encodings that protects the content from alteration by the mail system
S/MIME / introduction
S/MIME / introduction
S/MIME / introduction
S/MIME / introduction
MIME Example
MIME-Version: 1.0 From: Nathaniel Borenstein <nsb@nsb.fv.com> To: Ned Freed <ned@innosoft.com> Date: Fri, 07 Oct 1994 16:15:05 -0700 (PDT) Subject: A multipart example Content-Type: multipart/mixed; boundary=unique-boundary-1 This is the preamble area of a multipart message. Mail readers that understand multipart format should ignore this preamble. If you are reading this text, you might want to consider changing to a mail reader that understands how to properly display multipart messages. --unique-boundary-1 Content-type: text/plain; charset=US-ASCII Some text --unique-boundary-1 Content-Type: multipart/parallel; boundary=unique-boundary-2
S/MIME / introduction
--unique-boundary-2 Content-Type: audio/basic Content-Transfer-Encoding: base64 ... base64-encoded 8000 Hz single-channel mu-law-format audio data goes here ... --unique-boundary-2 Content-Type: image/jpeg Content-Transfer-Encoding: base64 ... base64-encoded image data goes here ... --unique-boundary-2--
S/MIME / introduction
S/MIME services
enveloped data (application/pkcs7-mime; smime-type = enveloped-data) standard digital envelop signed data (application/pkcs7-mime; smime-type = signed-data) standard digital signature (hash and sign) content + signature is encoded using base64 encoding clear-signed data (multipart/signed) standard digital signature only the signature is encoded using base64 recipient without S/MIME capability can read the message but cannot verify the signature signed and enveloped data signed and encrypted entities may be nested in any order
S/MIME / services
Cryptographic algorithms
message digest must: SHA-1 should (receiver): MD5 (backward compatibility) digital signature must: DSS should: RSA asymmetric-key encryption must: ElGamal should: RSA symmetric-key encryption sender: should: 3DES, RC2/40 receiver: must: 3DES should: RC2/40
S/MIME / services
S/MIME / services
Content type
Content Info
Content
Set of certificates Version Set of CRLs Signer ID (issuer and ser. no.) Digest Algorithm Signer Info Authenticated Attributes Digest Encryption Alg. Encrypted digest (signature)
Version Originator Info Recipient Info Version Recipient ID (issuer and s.no.) Key Encryption Algorithm Encrypted Key
Encrypted Content
--boundary42--
Key management
S/MIME certificates are X.509 conformant key management scheme is between strict certification hierarchy and PGPs web of trust certificates are signed by certification authorities (CA) key authentication is based on chain of certificates users/managers are responsible to configure their clients with a list of trusted root keys
S/MIME / key management