CS 494/594 Computer and Network Security - web.eecs.utk.edu
CS 494/594
Computer and Network Security
Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer Science
University of Tennessee
Fall 2010
IPsec: AH and ESP
• IP security issues
• IPsec security services
• IPsec modes
• Security association
• AH
• ESP
• VPN
TCP/IP Example
IP Packet format
IP Security Issues
• When an entity receives an IP packet, it has no assurance of:
◦ Data origin authentication / data integrity:
▪ The packet has actually been sent by the entity which is referenced by the source address of the packet
▪ The packet contains the original content the sender placed into it, so that it has not been modified during transport
▪ The receiving entity is in fact the entity to which the sender wanted to send the packet
◦ Confidentiality:
▪ The original data was not inspected by a third party while the packet was sent from the sender to the receiver
IP Security Issues (Cont’d)
• Many solutions are application-specific
◦ TLS for Web, S/MIME for email, SSH for remote login
• IPsec aims to provide a framework of open standards for secure communications over IP
◦ Protect every protocol running on top of IPv4 and IPv6
IPsec
• IETF standard for real-time communication security
• Implemented at IP layer, all traffic can be secured no matter what application.
• Transparent to applications, no changes on upper-layer software.
• Transparent to end users, no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave.
IPsec: Network Layer Security
IPsec = AH + ESP + IPcomp + IKE
• AH + ESP: protection for IP traffic; AH provides integrity and origin authentication, ESP also confidentiality
• IPcomp: compression
• IKE: sets up keys and algorithms for AH and ESP
• AH and ESP rely on an existing security association
◦ Idea: parties must share a set of secret keys and agree on each other’s IP addresses and crypto algorithms
• Internet Key Exchange (IKE)
◦ Goal: establish security association for AH and ESP
◦ If IKE is broken, AH and ESP provide no protection!
IPsec Security Services
• Authentication and integrity for packet sources
◦ Ensures connectionless integrity (for a single packet) and partial sequence integrity (prevent packet replay)
• Confidentiality (encapsulation) for packet contents
◦ Also partial protection against traffic analysis
• Authentication and encapsulation can be used separately or together
• Either provided in one of two modes
• These services are transparent to applications above transport (TCP/UDP) layer
IPsec Modes
• Transport mode
◦ Used to deliver services from host to host or from host to gateway
◦ Usually within the same network, but can also be end-to-end across networks
• Tunnel mode
◦ Used to deliver services from gateway to gateway or from host to gateway
◦ Usually gateways owned by the same organization
▪ With an insecure network in the middle
IPsec in Transport Mode
• End-to-end security between two hosts
◦ Typically, client to gateway (e.g., PC to remote host)
• Requires IPsec support at each host
IPsec in Tunnel Mode
• Gateway-to-gateway security
◦ Internal traffic behind gateways not protected
◦ Typical application: virtual private network (VPN)
• Only requires IPsec support at gateways
Tunnel Mode Illustration
IPsec protects communication on the insecure part of the network
[Figure: two network elements, each labeled "Implements IPSec"]
Transport Mode vs. Tunnel Mode
• Transport mode secures packet payload and leaves IP header unchanged
  IP header (real dest) | IPsec header | TCP/UDP header + data
• Tunnel mode encapsulates both IP header and payload into IPsec packets
  IP header (gateway) | IPsec header | IP header (real dest) | TCP/UDP header + data
Security Association (SA)
• One-way sender-recipient relationship
• SA determines how packets are processed
◦ Cryptographic algorithms, keys, IVs, lifetimes, sequence numbers, mode (transport or tunnel)
◦ SA is identified by SPI (Security Parameters Index)…
◦ Each IPsec implementation keeps a database of SAs
◦ SPI is sent with packet, tells recipient which SA to use
• SA is defined by the triple <SPI, destination address, flag for whether it’s AH or ESP>
SA Components
• Each IPsec connection is viewed as one-way, so two SAs are required for a two-way conversation
◦ Hence need for Security Parameter Index
• Security association (SA) defines
◦ Protocol used (AH, ESP)
◦ Mode (transport, tunnel)
◦ Encryption or hashing algorithm to be used
◦ Negotiated keys and key lifetimes
◦ Lifetime of this SA
◦ … plus other info
Security Association Issues
• How is SA established?
◦ How do parties negotiate a common set of cryptographic algorithms and keys to use?
• More than one SA can apply to a packet!
◦ E.g., end-to-end authentication (AH) and additional encryption (ESP) on the public part of the network
AH: Authentication Header
• Sender authentication
• Integrity for packet contents and IP header
• Sender and receiver must share a secret key
◦ This key is used in HMAC computation
◦ The key is set up by IKE key establishment protocol and recorded in the Security Association (SA)
• SA also records protocol being used (AH) and mode (transport or tunnel) plus hashing algorithm used
• MD5 or SHA-1 supported as hashing algorithms
IP Headers
[Figure: IPv4 header fields, each marked as predictable, immutable or mutable: Version | Header length | TOS | Packet length | Packet Id | Flags | Fragment offset | TTL | Protocol number | Checksum | Source IP address | Destination IP address | Options]
AH sets mutable fields to zero and predictable fields to their final value, and then uses this header plus packet contents as input to HMAC
AH in Transport Mode
Before AH is applied
AH in Tunnel Mode
Before AH is applied
AH Format
• Provides integrity and origin authentication
• Authenticates portions of the IP header
• Anti-replay service (to counter denial of service)
• No confidentiality
AH fields:
Next header (TCP) | Payload length | Reserved
Security parameters index (SPI): identifies security association (shared keys and algorithms)
Sequence number: anti-replay
ICV: Integrity Check Value (HMAC of IP header, AH, TCP payload): authenticates source, verifies integrity of payload
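The ICV computation described on the IP Headers and AH Format slides, as an added Python example that is not part of the original slides. It assumes a 20-byte IPv4 header without options, HMAC-SHA-1 truncated to 96 bits, and treats TOS, flags/fragment offset, TTL and checksum as the mutable fields; the function names, key, SPI and addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

AH_PROTO, TCP_PROTO, ICV_LEN = 51, 6, 12  # IP protocol numbers; 96-bit ICV

def zero_mutable(ip_hdr):
    """Copy of a 20-byte IPv4 header with the in-transit-mutable fields zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_fixed(spi, seq, next_hdr=TCP_PROTO):
    # Next header, payload length (AH size in 32-bit words minus 2), reserved, SPI, sequence.
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)

def compute_icv(key, ip_hdr, ah_part, payload):
    # HMAC input: IP header (mutable fields zeroed), AH with the ICV zeroed, payload.
    data = zero_mutable(ip_hdr) + ah_part + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def protect(key, src, dst, spi, seq, payload, ttl=64):
    """Build IPv4 + AH + payload (transport mode); checksum left 0 in this sketch."""
    total = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, ttl, AH_PROTO, 0, src, dst)
    ah = ah_fixed(spi, seq)
    return ip_hdr + ah + compute_icv(key, ip_hdr, ah, payload) + payload

def verify(key, packet):
    if len(packet) < 32 + ICV_LEN:
        return False
    ip_hdr, ah, icv = packet[:20], packet[20:32], packet[32:32 + ICV_LEN]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah, packet[32 + ICV_LEN:]), icv)

# Constructed sample values: documentation address ranges, made-up key and SPI.
KEY = b"constructed-demo-key"
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])

def demo():
    pkt = protect(KEY, SRC, DST, spi=0x1001, seq=1, payload=b"TCP segment bytes")
    routed = bytearray(pkt)
    routed[8] -= 1                            # a router decrements the TTL
    spoofed = bytearray(pkt)
    spoofed[12:16] = bytes([203, 0, 113, 9])  # source address rewritten in transit
    return verify(KEY, pkt), verify(KEY, bytes(routed)), verify(KEY, bytes(spoofed))
```

`demo()` shows that a changed TTL still verifies while a changed source address does not, which is the reason AH distinguishes mutable from immutable header fields.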
Prevention of Replay Attacks
• When SA is established, sender initializes 32-bit counter to 0, increments by 1 for each packet
◦ If it wraps around 2^32-1, new SA must be established
• Recipient maintains a sliding 64-bit window
◦ If a packet with high sequence number is received, do not advance window until packet is authenticated
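A receiver-side sketch of the 64-packet sliding window, added here as an example and not taken from the slides. The class and function names are hypothetical, the `icv_ok` flag stands in for the HMAC check, and sequence number 0 is rejected on the assumption that the first packet of an SA carries 1.

```python
class ReplayWindow:
    """Receiver-side anti-replay state for one SA (64-packet sliding window)."""
    SIZE = 64

    def __init__(self):
        self.top = 0      # highest sequence number that passed authentication
        self.bitmap = 0   # bit i set: sequence number (top - i) already accepted

    def is_fresh(self, seq):
        """Cheap check done before the HMAC is verified."""
        if not 1 <= seq <= 0xFFFFFFFF:
            return False
        if seq > self.top:
            return True   # right of the window: possibly new
        offset = self.top - seq
        return offset < self.SIZE and not (self.bitmap >> offset) & 1

    def mark(self, seq):
        """Record seq as seen; call only after the ICV has verified."""
        if seq > self.top:
            mask = (1 << self.SIZE) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def receive(window, seq, icv_ok):
    if not window.is_fresh(seq):
        return "drop-replay"   # duplicate, or older than the window
    if not icv_ok:
        return "drop-auth"     # window is not advanced by an unauthenticated packet
    window.mark(seq)
    return "accept"

# Constructed arrivals: (sequence number, did the ICV verify?)
ARRIVALS = [(1, True), (3, True), (2, True), (3, True), (5000, False),
            (4, True), (100, True), (36, True), (37, True)]

def run(arrivals=ARRIVALS):
    w = ReplayWindow()
    return [receive(w, seq, ok) for seq, ok in arrivals], w.top
```

The forged packet with sequence number 5000 is dropped without moving the window, so the genuine packet 4 that follows is still accepted; advancing the window before authentication would let one forged packet push legitimate traffic out of the window.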
Forms of AH-Based Authentication
ESP: Encapsulating Security Payload
• Adds new header and trailer fields to packet
• Transport mode
◦ Confidentiality of packet between two hosts
◦ Complete hole through firewalls
◦ Used sparingly
• Tunnel mode
◦ Confidentiality of packet between two gateways or a host and a gateway
◦ Implements VPN tunnels
ESP Security Guarantees
• Confidentiality and integrity for packet payload
◦ Symmetric cipher negotiated as part of security association
• Optionally provides authentication (similar to AH)
• Can work in transport…
  Original IP header | ESP header | TCP/UDP segment | ESP trailer | ESP auth
• …or tunnel mode
  New IP header | ESP header | Original IP header | TCP/UDP segment | ESP trailer | ESP auth
[Figure brackets: encrypted, authenticated]
ESP Packet
[Figure: ESP packet layout; field annotations, in order:]
• Identifies security association (shared keys and algorithms)
• Anti-replay
• TCP segment (transport mode) or entire IP packet (tunnel mode)
• Pad to block size for cipher, also hide actual payload length
• Type of payload
• HMAC-based Integrity Check Value (similar to AH)
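The ESP layout above, built and parsed in Python as an added example that is not from the slides. It assumes a 16-byte cipher block, padding bytes 1, 2, 3, …, and HMAC-SHA-1 truncated to 96 bits; `null_cipher` is a stand-in for the cipher negotiated in the SA, so the sample hides nothing, and all names and values are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1 truncated to 96 bits

def null_cipher(data):
    """Stand-in for the cipher negotiated in the SA; leaves the bytes unchanged."""
    return data

def add_trailer(payload, next_header, block=16):
    # Pad so that payload + padding + 2 trailer bytes fills whole cipher blocks.
    pad_len = -(len(payload) + 2) % block
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def strip_trailer(plaintext):
    if len(plaintext) < 2 or plaintext[-2] > len(plaintext) - 2:
        raise ValueError("bad pad length")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    end = len(plaintext) - 2 - pad_len
    if plaintext[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding bytes")
    return plaintext[:end], next_header

def esp_seal(key, spi, seq, payload, next_header, encrypt=null_cipher):
    # ESP header (SPI, sequence number) followed by the encrypted payload + trailer.
    body = struct.pack("!II", spi, seq) + encrypt(add_trailer(payload, next_header))
    # The ICV covers the ESP header and the ciphertext, and is appended last.
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_open(key, packet, decrypt=null_cipher):
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("truncated packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Check the ICV first; padding is only parsed on authenticated data.
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    payload, next_header = strip_trailer(decrypt(body[8:]))
    return spi, seq, payload, next_header

KEY = b"constructed-auth-key"  # constructed sample value
```

With `next_header=6` the payload is a TCP segment (transport mode); with `next_header=4` it is an entire inner IPv4 packet (tunnel mode).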
Virtual Private Networks (VPN)
• ESP is often used to implement a VPN
◦ Packets go from internal network to a gateway with TCP / IP headers for address in another network
• Entire packet hidden by encryption
◦ Including original headers so destination addresses are hidden
◦ Receiving gateway decrypts packet and forwards original IP packet to receiving address in the network that it protects
• This is known as a VPN tunnel
◦ Secure communication between parts of the same organization over public untrusted Internet
ESP Together With AH
• AH and ESP are often combined
• End-to-end AH in transport mode
◦ Authenticate packet sources
• Gateway-to-gateway ESP in tunnel mode
◦ Hide packet contents and addresses on the insecure part of the network
• Significant cryptographic overhead
◦ Even with AH
Reading Assignment
• [Kaufman] Chapters 17