
1 1 1 2001, Cisco Systems, Inc. All rights reserved.

Overview of IPSec VPN
Agenda
VPN Definitions
Cryptography Building Blocks
IPSec Protocols Overview
ISAKMP and IKE Overview
VPN Definitions


A Virtual Private Network carries private traffic over a public network.
A restricted-use, logical computer network that is
constructed from the system resources of a relatively
public, physical network (such as the Internet), often by
using encryption, and often by tunneling links of the
virtual network across the real network. (RFC2828)
VPN Definitions
Virtual
Logical networks, independent of physical architecture.
Private
Independent IP addressing and routing schemes (non-cryptographic approaches)
Secure: confidentiality, message integrity, authentication, privacy (cryptographic approaches)
Network
VPN Technologies
Non-Cryptographic Approaches
GRE Tunneling
MPLS VPN
Cryptographic Approaches
PPTP (MPPE)
L2F / L2TP (Protected by IPSec)
GRE (Protected by IPSec)
IPSec
VPN Applications
[Figure: VPN applications. Labels: Enterprise, DMZ, AAA, CA, Supplier, Business Partner, Remote Office, Service Provider A, Service Provider B, Regional Office, Small Office, Mobile User or Corporate Telecommuter.]
Secure VPN Services
Confidentiality
Authentication
Integrity
Nonrepudiation
Access Control
Secure Communications Using IPSec
VPN
[Figure: A and B need secure communications over an insecure channel and build an IPSec VPN tunnel. Labels: "I'm A, here is my proof" / "I'm B, here is my proof"; Proposals, Key generation, Key Management, Security Association; Identity, Authentication & Trust authority (PKI); ISAKMP & IKE; Tunneling Technology (IPSec); Encryption algorithms & standards, Hash algorithms (Cryptography Building Blocks).]
Agenda
VPN Definitions
Cryptography Building Blocks
IPSec Protocols Overview
ISAKMP and IKE Overview
Cryptography Building Blocks
Encryption vs. Hash
Encryption Layers
Symmetric vs. Asymmetric Algorithms

Encryption vs. Hash
[Figure: PlainText, Encryption( ), CipherText, Decryption( ); Message, Hash, Message Digest]
Encryption keeps communications private.
Encryption and decryption can use the same or different keys.
Achieved by various algorithms, e.g. DES, CAST.
Needs key management.
A hash transforms a message into a fixed-size string.
One-way hash function.
Strongly collision-free hash.
The message digest can be viewed as a digital fingerprint.
Used for message integrity checks and digital certificates.
A hash is generally faster than encryption.
Message Authentication & Integrity
Check Using Hash
MAC (Message Authentication Code): cryptographic checksum generated by passing data through a message authentication algorithm.
A MAC is often used for message authentication and integrity checking.
HMAC: keyed hash-based MAC.
[Figure: Sender (Message, Hash, MAC) -> insecure channel -> Receiver (Message, Hash, Hash output compared with the received MAC)]
The secret key is known only by the sender and receiver.
Commonly Used Hash Functions
(MD5 and SHA)
Both MD5 and SHA are derived from MD4.
MD5 provides 128-bit output, SHA provides 160-bit output.
Both MD5 and SHA are considered one-way, strongly collision-free hash functions.
SHA is computationally slower than MD5, but more secure.
[Figure: the padded message is split into 512-bit blocks (Block 1, Block 2, ..., Block n); starting from the IV, H is applied block by block, and the output after the last block is the 128-bit hash.]
Network Layer Encryption
Encrypts traffic flows between specific users, applications or IP subnet pairs.
Transparent to intermediate network devices, independent of network topology.
[Figure: encryption layers. Labels: Application Layer Encryption, Network Layer Encryption, Link-Layer Encryption]
Symmetric vs. Asymmetric Encryption
Algorithms
[Figure: PlainText, Encryption( ), CipherText, Decryption( ), shown once for each of the two cases below]

Secret-key cryptography
Encryption and decryption use the same key.
Typically used to encrypt the content of a message.
Examples: DES

Public-key cryptography
Encryption and decryption use different keys.
Typically used in digital certification and key management.
Examples: Diffie-Hellman, RSA
Data Encryption Standard
(DES)
Symmetric key encryption algorithm
Block cipher: works on 64-bit data blocks, uses a 56-bit key.
Mode of operation: how to apply DES to encrypt blocks of data
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
K-bit Cipher FeedBack (CFB)
K-bit Output FeedBack (OFB)
DES CBC Mode
[Figure: CBC encryption. Each plaintext block m_1 ... m_n is XORed with the previous ciphertext block (the IV for m_1, C_(n-1) for m_n) and passed through DES Encrypt( ) under key K to give C_1 ... C_n.]
[Figure: CBC decryption. Each ciphertext block C_1 ... C_n is passed through DES Decrypt( ) under key K and XORed with the previous ciphertext block (the IV for C_1, C_(n-1) for C_n) to give m_1 ... m_n.]
Triple-DES
168-bit total key length
Mode of operation decides how to process DES three times.
More secure than DES
[Figure: 64-bit plaintext block -> DES -> DES -> DES -> 64-bit cipher text, with one 56-bit key per DES stage]
Diffie-Hellman Key Agreement
Protocol
[Figure: A holds private value X_A and public value Y_A; B holds private value X_B and public value Y_B; A and B exchange Y_A and Y_B.]
Y_A = g^(X_A) mod p
Y_B = g^(X_B) mod p
Shared secret key: Y_B^(X_A) mod p = Y_A^(X_B) mod p
p (prime number) and g (integer < p) are public system parameters.
For every number n in {1, ..., p-1}, there is a power k of g such that n = g^k mod p.
X_A and X_B are drawn from the set of integers {1, ..., p-2}.
Protocol security: it is assumed to be computationally infeasible to calculate the shared secret given the two public values Y_A and Y_B.
Diffie-Hellman Key Exchange
Asymmetric key algorithm.
The protocol allows two users to exchange a secret key (used by symmetric algorithms) over an insecure channel without prior secrets.
Diffie-Hellman (DH) groups: size of modulus p, for example:
DH group 1 (768-bit)
p = 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
g = 2
DH group 2 (1024-bit)
Vulnerable to man-in-the-middle attack.
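Added example (not part of the original slides): the DH group 1 modulus is rebuilt from the formula above with integer arithmetic, checked for primality, and used for one key agreement. The function names and the public-value range check are assumptions of this sketch.

```python
import secrets

def arctan_inv(x, one):
    """one * arctan(1/x) by the alternating Taylor series, in integer arithmetic."""
    total = term = one // x
    x2, n, sign = x * x, 3, -1
    while term:
        term //= x2
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

def floor_pi_shifted(bits, guard=64):
    """floor(2**bits * pi) via Machin's formula; guard bits absorb truncation error."""
    one = 1 << (bits + guard)
    return (16 * arctan_inv(5, one) - 4 * arctan_inv(239, one)) >> guard

# Modulus and generator exactly as written on the slide for DH group 1.
P = 2**768 - 2**704 - 1 + 2**64 * (floor_pi_shifted(638) + 149686)
G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p=P, g=G):
    """Private X drawn from {1, ..., p-2}; public Y = g^X mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(peer_public, own_private, p=P):
    """Shared secret Y_peer^X_own mod p, rejecting degenerate public values."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)

if __name__ == "__main__":
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    # Both sides reach the same secret, but nothing here proves who sent Y_A or
    # Y_B: the arithmetic works for any sender, hence the authenticated exchange in IKE.
    print(P.bit_length(), is_probable_prime(P), dh_shared(yb, xa) == dh_shared(ya, xb))
```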

RSA Algorithm
Developed by Ronald Rivest, Adi Shamir, and
Leonard Adleman in 1977.
Public-key cryptosystem.
Each end system generates a pair of keys.
Public key is published to public domain.
Corresponding private key is kept private.
Used for both encryption and digital signatures
(authentication).
Defined in PKCS #1.

How RSA can be Used
[Figure: Encryption. Alice takes Bob's public key from her public key ring (Bob, Mike, Joe) and encrypts the plaintext with RSA; the cipher text is transmitted; Bob decrypts it with his private key to recover the plaintext.]
[Figure: Authentication. Alice encrypts the plaintext with her private key using RSA; the ciphertext is transmitted together with the plaintext; Bob takes Alice's public key from his public key ring (Alice, Mike, Joe) and decrypts with it.]
Agenda
VPN Definitions
Cryptography Building Blocks
IPSec Protocols Overview
ISAKMP and IKE Overview
IPSec Protocol Overview
IPSec Definition and Services
IPSec Modes
AH and ESP
IPSec Security Association
IPSec Definition and Services
IPSec stands for IP Security.
A security protocol in the network layer
will be developed to provide cryptographic
security services that will flexibly support
combinations of authentication, integrity,
access control, and confidentiality (IETF).

IPSec Services
Data Origin Authentication
Data Integrity
Confidentiality
Replay Detection
Access control and Traffic flow
confidentiality
IPSec Modes
Tunnel Mode
Encrypts IP traffic flowing through IPSec peers
Original IP header is encrypted
Traffic flow confidentiality

Transport Mode
Encrypts IP traffic between IPSec peers
Less overhead
Some portion of original IP packet is visible

[Figure: hosts A and B and IPSec peers C and D with an IPSec tunnel; packet layouts showing the A->B data packet on its own, and the A->B data packet behind a C->D header and an IPSec header.]
Authentication Header (AH)
Data integrity: data has not been modified during transmission.
Origin authentication: data is indeed coming from the IPSec peer.
Anti-replay detection (sequence number and sliding window)
Data is in cleartext: NO confidentiality.
Uses IP protocol 51
Defined in RFC 2402
[Figure: AH-HMAC (HMAC-MD5-96 or HMAC-SHA-1-96) is a hash over most of the IP header + AH header + data; packet layout: IP Hdr, AH-HMAC, Data.]
Authentication Header
Transport Mode
Before: Original IP Header | TCP | Data
After: Original IP Header | AH | TCP | Data
Authenticated except mutable fields

Tunnel Mode
Before: Original IP Header | TCP | Data
After: New IP Header | AH | Original IP Header | TCP | Data
Authenticated except mutable fields in the new IP header
Encapsulating Security Payload (ESP)
Data confidentiality
Data integrity (does not cover the IP header)
Data origin authentication
Anti-replay detection (sequence number and sliding window)
Traffic flow confidentiality
Uses IP protocol 50
Defined in RFC 2406
Encryption: DES-CBC, 3DES
Authentication: HMAC-MD5-96, HMAC-SHA-1-96
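Added example (not part of the original slides): receiver-side processing that combines the keyed-hash integrity check from the MAC slide with the sequence number and sliding window named for AH and ESP. The packet layout (SPI, sequence number, opaque payload, 96-bit ICV), the 64-packet window and all names are assumptions of this sketch; the key and payloads are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96: the first 96 bits of the HMAC-SHA-1 output
WINDOW = 64    # anti-replay window size (assumed; the slide only names the window)

def icv(key, spi, seq, payload):
    """Truncated HMAC over SPI, sequence number and payload."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]

def build_packet(key, spi, seq, payload):
    return struct.pack("!II", spi, seq) + payload + icv(key, spi, seq, payload)

class InboundSA:
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0   # highest sequence number that passed authentication
        self.bitmap = 0    # bit i set => sequence number (highest - i) was received

    def receive(self, packet):
        if len(packet) < 8 + ICV_LEN:
            return "drop: too short"
        spi, seq = struct.unpack("!II", packet[:8])
        payload, tag = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if spi != self.spi:
            return "drop: unknown SPI"
        # 1. Cheap replay check before any cryptography.
        if seq == 0:
            return "drop: replay"
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= WINDOW:
                return "drop: too old"
            if (self.bitmap >> offset) & 1:
                return "drop: replay"
        # 2. Integrity and origin check, compared in constant time.
        if not hmac.compare_digest(tag, icv(self.key, spi, seq, payload)):
            return "drop: bad ICV"
        # 3. Move the window only for authenticated packets, so a forged
        #    packet with a huge sequence number cannot push real traffic out.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"

def run_demo():
    key, spi = bytes(range(20)), 0x4D01013D       # constructed key; SPI from the SA slide
    sa = InboundSA(key, spi)
    pkt = lambda seq: build_packet(key, spi, seq, b"payload %d" % seq)
    out = [sa.receive(pkt(s)) for s in (1, 2, 3, 2)]           # last one is a replay
    out.append(sa.receive(build_packet(b"wrong key", spi, 1000, b"forged")))
    highest_after_forgery = sa.highest
    out += [sa.receive(pkt(s)) for s in (4, 100, 30, 40, 40)]  # 30 is outside the window
    return out, highest_after_forgery

if __name__ == "__main__":
    print(run_demo())
```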
Encapsulating Security Payload
(ESP)
Transport Mode
Before: Original IP Header | TCP | Data
After: Original IP Header | ESP Header | TCP | Data | ESP trlr | ESP auth
Encrypted: TCP through ESP trlr
Authenticated: ESP Header through ESP trlr

Tunnel Mode
Before: Original IP Header | TCP | Data
After: New IP hdr | ESP hdr | Orig IP hdr | TCP | Data | ESP trlr | ESP auth
Encrypted: Orig IP hdr through ESP trlr
Authenticated: ESP hdr through ESP trlr
IPSec Overhead
Example: ESP Tunnel Mode
DES encryption (ESP-DES), DES is a 64-bit block cipher
HMAC-SHA1-96 authentication (ESP-SHA-HMAC)

New IP Header     20 bytes
SPI               4 bytes
Sequence no.      4 bytes
IV                8 bytes
Padding           1~8 bytes
Pad len           1 byte
Next Payload      1 byte
HMAC-SHA1-96      12 bytes
Total Overhead    51~58 bytes

Original IP packet: 1400 bytes
(1400+8+1+1) mod 8 = 2
Padding = 8-2 = 6 bytes
ESP packet size: 1456 bytes
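Added example (not part of the original slides): the overhead arithmetic above as a function, extended to find the largest original packet that still fits a given MTU after ESP tunnel-mode encapsulation. The function names and the 1500-byte MTU default are assumptions of this sketch.

```python
def esp_tunnel_size(inner_len, block=8, iv_len=8, icv_len=12, outer_ip=20):
    """Return (total packet size, padding) for ESP tunnel mode.

    Defaults match the slide: DES (64-bit block, 8-byte IV) with HMAC-SHA1-96.
    Padding follows the slide's 1~8 byte range, so an already aligned packet
    still gets a full block of padding (RFC 2406 itself also permits zero).
    """
    esp_header = 4 + 4            # SPI + sequence number
    trailer = 1 + 1               # pad length + next payload
    rem = (inner_len + iv_len + trailer) % block
    padding = block - rem
    total = outer_ip + esp_header + iv_len + inner_len + padding + trailer + icv_len
    return total, padding

def max_inner_for_mtu(mtu=1500, **kwargs):
    """Largest original IP packet whose ESP tunnel-mode packet fits in mtu."""
    n = mtu
    while n > 0 and esp_tunnel_size(n, **kwargs)[0] > mtu:
        n -= 1
    return n

def overhead_range(start=1400, block=8):
    """Smallest and largest overhead over one full block of packet sizes."""
    values = [esp_tunnel_size(n)[0] - n for n in range(start, start + block)]
    return min(values), max(values)

if __name__ == "__main__":
    print(esp_tunnel_size(1400))      # the slide's worked case
    print(max_inner_for_mtu(1500))    # packets above this size no longer fit
    print(overhead_range())
```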
Security Association
Defines a one-way relation between IPSec peers which applies security services to the traffic carried.
Two SAs are needed for two-way secure communication.
[Figure: two SAs, one per direction, each with a lifetime. Dst: 1.1.1.1, SPI: 4D01013D, ESP-DES-MD5; Dst: 2.2.2.2, SPI: 57F8DA80, AH-HMAC-MD5.]
IPSec Security Association
SA Parameters
AH (ESP) information
IPSec protocol mode
Path MTU
Sequence no. counter
Lifetime of the SA

A security association is uniquely identified by three parameters:
Security Parameter Index (SPI)
IP Destination Address
Security Protocol Identifier (AH or ESP SA)
IPSec Security Association (A Snapshot)
interface: Ethernet4/0
Crypto map tag: vpn, local addr. 172.16.172.69
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 172.16.172.10
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

local crypto endpt.: 172.16.172.69, remote crypto endpt.: 172.16.172.10
path mtu 1500, media mtu 1500
current outbound spi: E8559075

inbound esp sas:
spi: 0xCAFDEBF8(3405638648)
transform: esp-des esp-md5-hmac ,
in use settings = {Tunnel, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607998/3434)
IV size: 8 bytes
replay detection support: Y

outbound esp sas:
spi: 0xE8559075(3897921653)
transform: esp-des esp-md5-hmac ,
in use settings = {Tunnel, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607999/3434)
IV size: 8 bytes
replay detection support: Y
Key Management Requirement
Need secure key determination and distribution
methods:
Manual
Need Automatic methods
Key and SA management
Negotiate SA parameters
Dynamic rekeying
No human intervention
Agenda
VPN Definitions
Cryptography Building Blocks
IPSec Protocols Overview
ISAKMP and IKE Overview
ISAKMP
ISAKMP: Internet Security Association and Key
Management Protocol.
Defines procedures and packet formats to establish, negotiate, modify and delete security associations:
Standardized payload
Exchange types
Payload Processing rules
Domain of Interpretation defines the syntax and
semantics.
Defined in RFC 2408.


ISAKMP Header
ISAKMP Cookies
Provides some protection against denial-of-service attacks.
The responder demands confirmation of the genuineness of a negotiation from the supposed initiator before committing computationally expensive resources.
{md5(src_ip, dest_ip), random number}
Cookie pairs identify an ISAKMP SA.
Message ID identifies messages of a particular phase II negotiation.
[Figure: messages between Initiator and Responder carry the cookie pairs <cookie-I, 0>, <cookie-I, cookie-R>, <cookie-I, cookie-R>.]
ISAKMP Payload Types
Internet Key Exchange
(IKE)
Hybrid protocol: a combination of the ISAKMP, Oakley key exchange and SKEME protocols.
Defines the mechanism to derive authenticated keying material and negotiate security associations (used for AH, ESP)
Uses UDP port 500
Defined in RFC 2409
IKE (Two-Phase Protocol)
Two-phase protocol:
Phase I exchange: two peers establish a secure, authenticated
channel with which to communicate. Main mode or aggressive mode
accomplishes a phase I exchange.
Phase II exchange: security associations are negotiated on behalf of
IPSec services. Quick mode accomplishes a phase II exchange.
Each phase has its SAs: ISAKMP SA (phase I) and IPSec SA
(phase II).

IKE Two-Phase Protocol
[Figure: Phase I (Main Mode or Aggressive Mode) establishes the Phase I SA (ISAKMP SA). Quick Mode exchanges then establish Phase II SAs (IPSec SAs) that carry protected data, for a new IPSec tunnel or a rekey. Endpoints shown: A, B, C, D.]
Advantage of Two-Phase Approaches
Multiple Phase 2 SAs can be established
between peers over time without having to start
over for each communication.
Security services negotiated during Phase I
provide security properties for the Phase II.
Having an ISAKMP SA in place considerably
reduces the cost of ISAKMP management
activity.
IKE Key Agreement Mechanism
Diffie-Hellman Key agreement protocol
(establish a shared secret)
Security improvement:
ISAKMP cookies to thwart clogging attacks.
Two peers can negotiate the DH group.
DH exchange is authenticated to thwart man-in-the-middle attacks.
IKE Authentication
What is authenticated?
Device or host identity authentication.
Extended Authentication (Xauth) adds legacy user authentication.
Liveness
IKE Authentication Methods
Pre-shared secret
Easy to deploy, not scalable
Public-key signatures (rsa-signature)
Most secure, require infrastructure.
Public-key encryption (rsa-nonce)
Similar security to rsa-sig, requires prior knowledge of the peer's public key, limited support.
IKE Negotiation Case Studies
Phase I (Main mode) negotiation using
pre-shared key
Phase I (Main mode) negotiation using
signature
Phase I (Aggressive) negotiation using
pre-shared key.
Phase II Quick mode negotiation.
Main Mode with Pre-shared Key
Initiator -> Responder: HDR, SA_proposal
Responder -> Initiator: HDR, SA_choice
Phase I SA parameter negotiation complete.
Transform sets shown in the figure: (DES, MD5, DH 1, Preshare), (ESP, MD5, DH 1, Pre-share), (DES, SHA, DH 2, Preshare)

Each side generates its DH public value and nonce.
Initiator -> Responder: HDR, KE_I, Nonce_I
Responder -> Initiator: HDR, KE_R, Nonce_R
DH key exchange complete, shared secret SKEYID_e derived.
Nonce exchange defeats replay.

Initiator -> Responder: HDR*, ID_I, HASH_I
Responder -> Initiator: HDR*, ID_R, HASH_R
IDs are exchanged, HASH is verified for authentication.
ID and HASH are encrypted by the derived shared secret.
HASH_I = HMAC(SKEYID, KE_I | KE_R | cookie_I | cookie_R | SA | ID_I)
HASH_R = HMAC(SKEYID, KE_R | KE_I | cookie_R | cookie_I | SA | ID_R)
Main Mode Using Pre-shared Key
SKEYID = HMAC(preshared-key, Nonce_I | Nonce_R)
preshared-key is the key for the HMAC.
[Figure: Message -> Hash -> Hash output]

SKEYID_d is used to derive other keys in IKE phase I & II:
SKEYID_d = HMAC(SKEYID, KE_I KE_R | cookie_I | cookie_R | 0)

SKEYID_a is used for authenticating IKE phase II messages:
SKEYID_a = HMAC(SKEYID, SKEYID_d | KE_I KE_R | cookie_I | cookie_R | 1)

SKEYID_e is used to encrypt messages 5 and 6 in Main mode and all Phase II messages:
SKEYID_e = HMAC(SKEYID, SKEYID_a | KE_I KE_R | cookie_I | cookie_R | 2)

| means concatenation
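Added example (not part of the original slides): the pre-shared-key derivations above and the HASH_I check from the Main Mode slide, run for a matching and a mismatched pre-shared key. It assumes HMAC-MD5 as the negotiated hash and reads the "KE_I KE_R" term as the Diffie-Hellman shared secret (g^xy in RFC 2409); every session value is constructed, and the DH secret is a placeholder rather than a real DH result.

```python
import hashlib
import hmac

def prf(key, data):
    """HMAC-MD5, matching the (DES, MD5, DH 1, pre-share) proposal on the slide."""
    return hmac.new(key, data, hashlib.md5).digest()

def phase1_keys(psk, s):
    """SKEYID and the three derived keys, following the slide's formulas."""
    skeyid = prf(psk, s["nonce_i"] + s["nonce_r"])
    tail = s["dh_secret"] + s["cookie_i"] + s["cookie_r"]
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")
    return {"SKEYID": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

def hash_i(skeyid, s):
    return prf(skeyid, s["ke_i"] + s["ke_r"] + s["cookie_i"] + s["cookie_r"]
               + s["sa"] + s["id_i"])

def hash_r(skeyid, s):
    return prf(skeyid, s["ke_r"] + s["ke_i"] + s["cookie_r"] + s["cookie_i"]
               + s["sa"] + s["id_r"])

# Constructed session values (96 bytes = 768 bits, the DH group 1 size).
SESSION = {
    "nonce_i": b"\x11" * 16, "nonce_r": b"\x22" * 16,
    "ke_i": b"\x03" * 96, "ke_r": b"\x04" * 96,
    "dh_secret": b"\x05" * 96,                    # placeholder, not a real DH result
    "cookie_i": b"\xaa" * 8, "cookie_r": b"\xbb" * 8,
    "sa": b"DES/MD5/DH1/pre-share",
    "id_i": b"172.16.172.69", "id_r": b"172.16.172.10",
}

def responder_accepts(initiator_psk, responder_psk, s=SESSION):
    """True if the responder's own HASH_I matches the one the initiator sent."""
    sent = hash_i(phase1_keys(initiator_psk, s)["SKEYID"], s)
    expected = hash_i(phase1_keys(responder_psk, s)["SKEYID"], s)
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    keys = phase1_keys(b"shared-secret", SESSION)
    print({name: value.hex() for name, value in keys.items()})
    print(responder_accepts(b"shared-secret", b"shared-secret"))   # same key
    print(responder_accepts(b"shared-secret", b"other-secret"))    # mismatch
```

Because the nonces feed SKEYID, replaying an old exchange against fresh nonces yields different keys and a failed HASH check.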
Main Mode Using Signature
Initiator -> Responder: HDR, SA_proposal
Responder -> Initiator: HDR, SA_choice
Phase I SA parameter negotiation complete.
Transform sets shown in the figure: (DES, MD5, DH 1, Rsa-sig), (DES, MD5, DH 1, Rsa-sig), (DES, SHA, DH 2, Preshare)

Each side generates its DH public value and nonce.
Initiator -> Responder: HDR, KE_I, Nonce_I [, cert_req]
Responder -> Initiator: HDR, KE_R, Nonce_R [, cert_req]
DH key exchange complete, shared secret derived.
Nonce exchange defeats replay; cert_req is optional.

Initiator -> Responder: HDR*, ID_I [, cert_I], Signature_I
Responder -> Initiator: HDR*, ID_R [, cert_R], Signature_R
IDs are exchanged, Signature is verified for authentication.
ID and Signature are encrypted by the derived shared secret.
HASH_I = HMAC(SKEYID, KE_I | KE_R | cookie_I | cookie_R | SA | ID_I)
HASH_R = HMAC(SKEYID, KE_R | KE_I | cookie_R | cookie_I | SA | ID_R)
Aggressive Mode Using Pre-shared
Key
Initiator -> Responder: HDR, SA_proposal, KE_I, Nonce_I, ID_I
Responder -> Initiator: HDR, SA_choice, KE_R, Nonce_R, ID_R, HASH_R
Initiator -> Responder: HDR, HASH_I
Transform sets shown in the figure: (DES, MD5, DH 1, Pre-share), (DES, SHA, DH 2, Preshare), (DES, MD5, DH 1, Preshare)

Three messages compared to the 6 messages in Main Mode.
Less secure. ID is not protected (except RSA encryption).
More vulnerable to DoS attack.
Phase II Quick Mode Negotiation
Initiator -> Responder: HDR*, HASH_1, SA_proposal, Nonce_I [, KE_I] [, ID_CI, ID_CR]
Responder -> Initiator: HDR*, HASH_2, SA_choice, Nonce_R [, KE_R] [, ID_CI, ID_CR]
Initiator -> Responder: HDR*, HASH_3
Transform sets shown in the figure: (ESP, DES, SHA, PFS 1), (ESP, DES, SHA, PFS 1)

Protected by Phase I SA.
Optional DH exchange for Perfect forward secrecy (PFS).
Negotiates IPSec SA parameters, including proxy identities [ID_CI, ID_CR].
Two unidirectional IPSec SAs are established, each with a unique SPI number.
Nonces are exchanged for generating the session key.
KEYMAT = HMAC(SKEYID_d, [KE_I KE_R |] protocol | SPI | Nonce_I | Nonce_R)
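Added example (not part of the original slides): KEYMAT derived for the two unidirectional SAs, using the SPIs from the snapshot earlier in the deck. It goes one step beyond the slide by applying the RFC 2409 expansion (K1 | K2 | ...) when the transforms need more bytes than one HMAC output; HMAC-MD5 as the prf, the SKEYID_d and nonce values, and the encryption-key-first split are assumptions of this sketch.

```python
import hashlib
import hmac

PROTO_IPSEC_ESP = 3                        # ESP protocol ID in the IPsec DOI (RFC 2407)
DES_KEY_LEN, MD5_HMAC_KEY_LEN = 8, 16      # esp-des + esp-md5-hmac need 24 bytes

def prf(key, data):
    """HMAC-MD5, assumed to be the hash negotiated in Phase I."""
    return hmac.new(key, data, hashlib.md5).digest()

def keymat(skeyid_d, protocol, spi, nonce_i, nonce_r, length, pfs_secret=b""):
    """KEYMAT = K1 | K2 | ... with K1 = prf(SKEYID_d, seed), Kn = prf(SKEYID_d, Kn-1 | seed).

    seed = [pfs_secret |] protocol | SPI | Nonce_I | Nonce_R, as on the slide;
    pfs_secret is the optional Quick Mode DH result used for PFS.
    """
    seed = pfs_secret + bytes([protocol]) + spi.to_bytes(4, "big") + nonce_i + nonce_r
    out = block = b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]

def esp_keys(skeyid_d, spi, nonce_i, nonce_r, pfs_secret=b""):
    """Split KEYMAT into (DES key, HMAC-MD5 key); encryption key first (assumed order)."""
    km = keymat(skeyid_d, PROTO_IPSEC_ESP, spi, nonce_i, nonce_r,
                DES_KEY_LEN + MD5_HMAC_KEY_LEN, pfs_secret)
    return km[:DES_KEY_LEN], km[DES_KEY_LEN:]

# Constructed inputs; the SPIs are the inbound/outbound values from the snapshot.
SKEYID_D = bytes(range(16))
NONCE_I, NONCE_R = b"\x11" * 16, b"\x22" * 16
SPI_IN, SPI_OUT = 0xCAFDEBF8, 0xE8559075

def derive_sa_pair(pfs_secret=b""):
    return {
        "inbound": esp_keys(SKEYID_D, SPI_IN, NONCE_I, NONCE_R, pfs_secret),
        "outbound": esp_keys(SKEYID_D, SPI_OUT, NONCE_I, NONCE_R, pfs_secret),
    }

if __name__ == "__main__":
    for name, (enc, auth) in derive_sa_pair().items():
        print(name, enc.hex(), auth.hex())
```

Without the optional DH exchange, every IPSec key is a function of SKEYID_d and values sent on the wire, which is why PFS mixes a fresh DH secret into the seed.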
ISAKMP Informational Exchange
Used to send notification and delete
payload between two peers.
Protected by phase I SA if phase I SA has
been established.
Cleartext along with HASH if no phase I
SA.
Add Legacy Authentication to
Remote-Access IPSec VPN
IKE authenticates host
Also need to authenticate the user who uses the IPSec-enabled host.
Legacy authentication
User authentication using AAA
IP/DNS/WINS assignment
Extended authentication (Xauth) and Mode Configuration.
Add Legacy Authentication to
Remote-Access IPSec VPN
[Figure: remote-access VPN setup. Labels: IKE Phase I SA, Xauth, Mode Config, AAA, IPSec SA]
A: IP address the client gets from the Internet ISP
B: IP address of the router's outgoing interface
C_i: i-th IP address in the IP pool defined on the router
D: IP address of hosts behind the router
Original packet: C_i->D | TCP | Data
Tunnel packet: A->B | ESP hdr | C_i->D | TCP | Data | ESP trlr | ESP auth
Q&A
