S1 Teknik TelekomunikasiFakultas Teknik ElektroIPSec (Internet Protocol Security)KEAMANAN JARINGAN TTH3K3 Kur. 2016 2017/2018

Outline Protocol DesignIPSec architecturePacket Encapsulation: Tunnel vs TransportAuthentication Header (AH)Encapsulating Security Payload (ESP)Key ManagementInternet Key Exchange (IKE)

Computer tection BlueprintsProtocols and policiesSSL, IPSec, accesscontrol BuildingblocksCryptographic primitivesRSA, DSS, SHA-1 Algorithmicnumber theoryComputationalcomplexity

Encapsulation vs Tunneling Encapsulation: A packet is encapsulated into the payload of a lower layerpacket; a new header is added at the lower layer. Source: IP4

Encapsulation vs Tunneling Tunneling: A packet (the payload protocol) is encapsulated intoanother protocol at the same or higher layer (the deliveryprotocol).– Example: A IP packet is encapsulated into a IPsec packet. Tunneling can be used to circumvent a firewall policy( protocol)– Example: HTTP can be used to tunnel a protocol that would otherwise beblocked by the firewall.5

IP Security Overview RFC 1636– “Security in the Internet Architecture”– Issued in 1994 by the Internet Architecture Board (IAB)– Identifies key areas for security mechanisms Need to secure the network infrastructure from unauthorized monitoringand control of network traffic Need to secure end-user-to-end-user traffic using authentication andencryption mechanisms– IAB included authentication and encryption as necessary securityfeatures in the next generation IP (IPv6) The IPsec specification now exists as a set of Internet standards

Applications of IPsec IPsec provides the capability to secure communications acrossa LAN, private and public WANs, and the InternetExamplesinclude: Secure branch officeconnectivity over the Internet Secure remote access over theInternet Establishing extranet andintranet connectivity withpartners Enhancing electroniccommerce security Principal feature of IPsec is that it can encrypt and/orauthenticate all traffic at the IP level– Thus all distributed applications (remote logon, client/server, e-mail,file transfer, Web access) can be secured

IPSec Scenario LAN-to-LAN or site-to-site Used to connect two privatenetworks to form onecombined virtual privatenetwork Remote-access client IPsec Used to allow road warriorsto be part of the trustednetwork

Benefits of IPSec Some of the benefits of IPsec:– When IPsec is implemented in a firewall or router, it provides strong security thatcan be applied to all traffic crossing the perimeter Traffic within a company or workgroup does not incur the overhead of security-relatedprocessing– IPsec in a firewall is resistant to bypass if all traffic from the outside must use IPand the firewall is the only means of entrance from the Internet into theorganization– IPsec is below the transport layer (TCP, UDP) and so is transparent to applications There is no need to change software on a user or server system when IPsec is implemented inthe firewall or router– IPsec can be transparent to end users There is no need to train users on security mechanisms, issue keying material on a per-userbasis, or revoke keying material when users leave the organization– IPsec can provide security for individual users if needed This is useful for offsite workers and for setting up a secure virtual subnetwork within anorganization for sensitive applications

Routing Applications IPsec can play a vital role in the routing architecture requiredfor internetworkingIPsec can assure that:A routeradvertisementcomes from anauthorized routerA router seeking toestablish or maintaina neighborrelationship with arouter in anotherrouting domain is anauthorized routerA redirect messagecomes from therouter to which theinitial IP packet wassentA routing update isnot forged

Encapsulating SecurityPayload (ESP) Consists of an encapsulatingheader and trailer used toprovide encryption orcombinedencryption/authentication The current specification isRFC 4303, IP EncapsulatingSecurity Payload (ESP)Internet Key Exchange (IKE) A collection of documentsdescribing the keymanagement schemes foruse with IPsec The main specification isRFC 5996, Internet KeyExchange (IKEv2) Protocol,but there are a number ofrelated RFCsAuthentication Header (AH)Cryptographic algorithms An extension header toprovide messageauthentication The current specification isRFC 4302, IPAuthentication Header This category encompassesa large set of documentsthat define and describecryptographic algorithmsfor encryption, messageauthentication,pseudorandom functions(PRFs), and cryptographickey exchangeArchitecture Covers the general concepts,security requirements,definitions, and mechanismsdefining IPsec technology The current specification isRFC4301, SecurityArchitecture for the InternetProtocolIPsecDocumentsRFC 6071 [IP Security (IPsec) andInternet Key Exchange (IKE)Document Roadmap ,February 2011].Other There are a variety ofother IPsec-related RFCs,including those dealingwith security policy andmanagementinformation base (MIB)contentFunctional areas ofIPsec : Authentication Confidentiality Key management

IPsec Services IPsec provides security services at the IP layer by enabling asystem to:– Select required security protocols– Determine the algorithm(s) to use for the service(s)– Put in place any cryptographic keys required to provide the requestedservices– RFC 4301 lists the following services:– Access control– Connectionless integrity– Data origin authentication– Rejection of replayed packets (a form of partial sequence integrity)– Confidentiality (encryption)– Limited traffic flow confidentiality

Modes of IP Sec Services

Transport and Tunnel ModesTransport Mode Provides protection primarily forupper-layer protocols– Examples include a TCP or UDPsegment or an ICMP packet Typically used for end-to-endcommunication between two hosts ESP in transport mode encrypts andoptionally authenticates the IPpayload but not the IP header AH in transport mode authenticatesthe IP payload and selectedportions of the IP headerTunnel Mode Provides protection to the entire IPpacket Used when one or both ends of a securityassociation (SA) are a security gateway A number of hosts on networks behindfirewalls may engage in securecommunications without implementingIPsec ESP in tunnel mode encrypts andoptionally authenticates the entire innerIP packet, including the inner IP header AH in tunnel mode authenticates theentire inner IP packet and selectedportions of the outer IP header

Transport Mode & Tunnel Mode In transport mode, IPSec protects what is delivered from the transportlayer to the network layer. In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet,including the header, applies IPSec security methods to the entire packet,and then adds a new IP header

Transport & Tunnel Mode In transport mode, IPSec protectswhat is delivered from the transportlayer to the network layer. In tunnel mode, IPSec protects theentire IP packet. It takes an IPpacket, including the header, appliesIPSec security methods to the entirepacket, and then adds a new IPheader

Tunnel Mode and Transport ModeFunctionality

IPSec Protocol Encapsulating Security Payload (ESP) protocol For encrypting, authenticating, and securing data IP protocol 50 See RFC 4303, IP Encapsulating Security Payload (ESP) Authentication Header (AH) protocol For authenticating and securing data IP protocol 51 now deprecated see RFC 4302, IP Authentication Header

Authentication Header (AH) Provide support for data integrityand authentication of IP packets End system/router can authenticateuser/app Prevents address spoofing attacks bytracking sequence numbers Based on use of MAC HMAC-MD5-96 or HMAC-SHA1-96 Parties must share a secret key

Encapsulating Security Payload(ESP) Provide message contents confidentiality and (limited) traffic flowconfidentiality Can (optionally) provide the same authentication services as AH Supports range of ciphers, modes, padding DES, 3DES, RC5, IDEA, 3IDEA, CAST, etc. CBC most common pads to meet block size, for traffic flow

Encapsulating Security Payload (ESP) Used to encrypt the Payload Data, Padding, Pad Length, and Next Header fields– If the algorithm requires cryptographic synchronization data then these data may be carriedexplicitly at the beginning of the Payload Data field An optional ICV field is present only if the integrity service is selected and is providedby either a separate integrity algorithm or a combined mode algorithm that uses an ICV– ICV is computed after the encryption is performed– This order of processing facilitates reducing the impact of DoS attacks– Because the ICV is not protected by encryption, a keyed integrity algorithm must beemployed to compute the ICV The Padding field serves several purposes:– If an encryption algorithm requires the plaintext to be a multiple of some number of bytes,the Padding field is used to expand the plaintext to the required length– Used to assure alignment of Pad Length and Next Header fields– Additional padding may be added to provide partial traffic-flow confidentiality by concealingthe actual length of the payload

ESP Packet Format

Anti Replay Mechanism ESP A replay attack is one inwhich an attacker obtains acopy of an authenticatedpacket and later transmits it tothe intended destination. The receipt of duplicate,authenticated IP packets maydisrupt service in some way ormay have some otherundesired consequence.

IP Secuirty Policy Fundamental to the operation of IPsec is the concept of asecurity policy applied to each IP packet that transits froma source to a destination. IPsec policy is determined primarily by the interaction oftwo databases,– the security association database (SAD)– security policy database (SPD) .

IPSec Architectureoverview of these two databases and then summarizes their use during IPsec operation

Security Association (SA) IPSec requires a logical relationshipbetween two hosts, that relationshipcalled SA. In any IP packet, the SA is uniquelyidentified by the Destination Addressin the IPv4 or IPv6 header and the SPIin the enclosed extension header (AHor ESP)Uniquely identified by three parametersSecurity ParametersIndex (SPI) A 32-bit unsigned integerassigned to this SA andhaving local significanceonlySecurity protocolidentifier Indicates whether theassociation is an AH orESP security associationIP DestinationAddress Address of thedestination endpointof the SA, which maybe an end-user systemor a network systemsuch as a firewall orrouter

Security Association Database (SAD) Defines the parameters associated with each SA Security Association Database (SAD)––one for Outbound SAone for Inbound SA Normally defined by the following parameters in a SAD entry:–––––––––Security parameter indexSequence number counterSequence counter overflowAnti-replay windowAH informationESP informationLifetime of this security associationIPsec protocol modePath MTU

Security Policy Database (SPD) Defines the type of security applied to a packet .– Security Policy Database (SPD)one for Outbound SP, one for Inbound SP– Contains entries, each of which defines a subset of IP traffic and points toan SA for that traffic In more complex environments, there may be multiple entries thatpotentially relate to a single SA or multiple SAs associated with asingle SPD entry– Each SPD entry is defined by a set of IP and upper-layer protocol fieldvalues called selectors– These are used to filter outgoing traffic in order to map it into a particularSA

SPD Entries The following selectors determine an SPD entry:Remote IPaddressLocal IPaddressThis may be asingle IPaddress, anenumerated listor range ofaddresses, or awildcard (mask)addressThis may be asingle IPaddress, anenumerated listor range ofaddresses, or awildcard (mask)addressThe latter twoare required tosupport morethan onedestinationsystem sharingthe same SAThe latter twoare required tosupport morethan one sourcesystem sharingthe same SANext layerprotocolNameLocal andremote portsA user identifierfrom theoperatingsystemThe IP protocolheader includesa field thatdesignates theprotocoloperating overIPNot a field in theIP or upper-layerheaders but isavailable if IPsecis running on thesame operatingsystem as theuserThese may beindividual TCPor UDP portvalues, anenumerated listof ports, or awildcard port

Table 20.2Host SPD Example

IP Traffic Processing IPsec is executed on a packet-by-packet basis If IPsec is implemented, each outbound IP packet is processed bythe IPsec logic before transmission Each inbound packet is processed by the IPsec logic after receptionand before passing the packet contents on to the next higher layer(e.g., TCP or UDP). There are two processing model in IP Sec:– Outbound Packet– Inbound Packet

Combining Security Associations An individual SA can implement either the AH or ESP protocol but not both Security association bundle– Refers to a sequence of SAs through which traffic must be processed to provide adesired set of IPsec services– The SAs in a bundle may terminate at different endpoints or at the same endpoint May be combined into bundles in two ways:TransportadjacencyIterated tunneling Refers to applying more than one security protocol to thesame IP packet without invoking tunneling This approach allows for only one level of combination Refers to the application of multiple layers of securityprotocols effected through IP tunneling This approach allows for multiple levels of nesting

ESP with Authentication Option In this approach, the first user applies ESP to the data to beprotected and then appends the authentication data fieldTransport mode ESP Authentication and encryption apply to the IP payload delivered tothe host, but the IP header is not protectedTunnel mode ESP Authentication applies to the entire IP packet delivered to the outerIP destination address and authentication is performed at thatdestination The entire inner IP packet is protected by the privacy mechanism fordelivery to the inner IP destination For both cases authentication applies to the ciphertextrather than the plaintext

Transport Adjacency Another way to apply authentication after encryption is touse two bundled transport SAs, with the inner being anESP SA and the outer being an AH SA– In this case ESP is used without its authentication option– Encryption is applied to the IP payload– AH is then applied in transport mode– Advantage of this approach is that the authentication coversmore fields– Disadvantage is the overhead of two SAs versus one SA

Transport-Tunnel Bundle The use of authentication priorto encryption might bepreferable for several reasons:– It is impossible for anyone tointercept the message and alter theauthentication data withoutdetection– It may be desirable to store theauthentication information with themessage at the destination for laterreference One approach is to use a bundleconsisting of an inner AHtransport SA and an outer ESPtunnel SA– Authentication is applied to the IPpayload plus the IP header– The resulting IP packet is thenprocessed in tunnel mode by ESP The result is that the entireauthenticated inner packet isencrypted and a new outer IP headeris added

Four examplesof combinationsof SA

Internet Key Exchange Negotiates IPsec tunnel characteristics between two IPsec peers Negotiates IPsec protocol parameters Exchanges public keys Authenticates both sides Manages keys after the exchange Automates entire key-exchange process RFC4306 Internet Key Exchange (IKEv2) Protocol

Internet Key Exchange The key management portion of IPsec involves the determination anddistribution of secret keys– A typical requirement is four keys for communication between two applications Transmit and receive pairs for both integrity and confidentiality The IPsec Architecture document mandates support for two types of keymanagement: A system administratormanually configures eachsystem with its own keys andwith the keys of othercommunicating systems This is practical for small,relatively static environmentsManualAutomated Enables the on-demandcreation of keys for SAs andfacilitates the use of keys in alarge distributed system withan evolving configuration

ISAKMP/Oakley The default automated key management protocol of IPsec Consists of:– Oakley Key Determination Protocol A key exchange protocol based on the Diffie-Hellman algorithm but providingadded security Generic in that it does not dictate specific formats– Internet Security Association and Key Management Protocol(ISAKMP) Provides a framework for Internet key management and provides the specificprotocol support, including formats, for negotiation of security attributes Consists of a set of message types that enable the use of a variety of keyexchange algorithms

Internet Security Association KeyManagement Protocol (ISAKMP) Provide framework for key management Defines procedures and packet formats to establish, negotiate,modify, and delete SAs Independent of key exchange protocol, encryption algorithm, andauthentication method

Oakley Protocol A key exchange protocol based on Diffie-Hellman algorithm Provide added security Cookies exchanges, to thwart clogging attacks Hash(src IP addr, dst IP addr, src UDP port, dst UDP port, local secret) Local secret periodically changed Uses nonces to detect replay attacks Authenticates DH-exchange, to thwart MITM attacks Based on digital signature, public key encryption, or symmetric key encription Parties negotiate the global parameters of DH-exchange (e.g., the prime p that defines the group andthe generator q of the group) Determines AH/ESP keying material for each IPSec SA (automatically)

IKE’s improvement on DH Uses cookies, to protect againts clogging attack Uses nonces, to protect against replay attack requires that each party shows that it posseses a secret key, toprotect against MITM attack

DH with cookies

IKE Phase & Mode IKE has two phases: Phase one Uses main or aggressivemode exchange Negotiates IKE SA Phase two Uses quick mode exchange Negotiates IPSec SAs

IKE Phase 1 Two modes: main mode aggressive mode Four Authentication methods: Pre-shared keys Digital signatures Public key encryption Revised public key encryption Agreeing on a set of parameters that are to be used to authenticate the two peers Agreeing on parameters used to encrypt a portion of the main mode and all of the quick mode messages None of the aggressive mode messages are encrypted Authenticate the two peers to each other Generate keys used to generate keying material for subsequent encryption of data All of the parameters negotiated and the keys used to generate keys for encryption are stored as IKE or ISAKMPsecurity association (SA

IKE Phase 2 One mode: Quick mode Involves exchange of 3 messages To have two peers agree on a set of attributes for creating the IPsec security associations that could beused by ESP to encrypt the data To redo Diffie-Hellman (DH) exchange so that new keying material can be used to generate IPsecencryption keys Negotiate parameters of IPsec SA Perfect Forward Secrecy (PFS) may be used by initiator to request that a new DH secret be generated overan encrypted channel New nonces generated: Ni and Nr New DH public values: Xa ga mod p Xb gb mod p

IKEv2 ExchangeHDR IKE headerSAx1 offered and chosen algorithms, DH groupKEx Diffie–Hellman public keyNx noncesCERTREQ Certi cate requestIDx identityCERT certi cateSK {.} MAC and encryptAUTH AuthenticationSAx2 algorithms, parameters for IPsec SATSx traffic selectors for IPsec SAN NotifyD DeleteCP Configuration

Table 20.3IKE Payload Types

Summary IP security overview––––––Applications of IPsecBenefits of IPsecRouting applicationsIPsec documentsIPsec servicesTransport and tunnelmodes IP security policy– Security associations– Security associationdatabase– Security policy database– IP traffic processing–Cryptographic suites Encapsulating securitypayload– ESP format– Encryption and authenticationalgorithms– Padding anti-replay service– Transport and tunnel modes Combining securityassociations– Authentication plusconfidentiality– Basic combinations of securityassociations Internet key exchange– Key determination protocol– Header and payload formats

References W. Stallings, “Cryptography and Network Security: Principles and Practice”, 8th ed., Pearson, 2016 E. Gean, “Chapter 13 IPSec”, California State University, 2015 X. Y. Li, “IPSec”, Illinois Institute of Technology, 2014 V. Shmatikov, “IP security. Internet Key Exchange (IKE) protocol”, 2004

Security Policy Database (SPD) Defines the type of security applied to a packet . –Security Policy Database (SPD) one for Outbound SP, one for Inbound SP –Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic In more complex environments, there may be multiple entries that