Jason Detchevery
With slides adapted from Lawrie Brown
April 1st 2009
IP Security
Chapter 16
IP Security
• Chapter Goals
• Understand why we use IP Security (IPSec)
• To learn how IP Security works
• Gain insight on the specific sections
• The pros and cons of IP Security
• Learn of specific implementations IP Security
• Learn of IP Security Architecture and Standers
IP Security
• Purpose of IP Security
• Application specific security measures insufficient
• Organizations have needs of security which cut layers
• IP-level security enhances both application security
already in place, and provides to security to applications
lacking security
• What an IP Security system should provide
• Three functional areas
• Authentication
• Confidentiality
• Key management
• Look at security architecture, then each of the functional areas
IP Security Overview
• IP Security: Known as “IPSec”
• IPv6 (successor to IPv4) has authentication and
encryption
• IPSec was designed to be work with both IPv4 and IPv6
• In v6, IPSec’s implementation is mandatory
• For IPv4, it’s still optional
• Benefit is v6 security can be rolled out immediately,
before v6 is mainstream
IPSec Applications
• Secure communications across a LAN
• Indented uses of IPSec:
• Companies can use Internet for secure intra-office
communication
• Secure remote access (VPN, dial systems) from
external computer to secured network
• Secure connectively of terminals between
companies
• Adding security to E – commerce (which as
application level security)
IPSec Applications
IPSec Benefits
• Applied on a router level to all traffic
• Hard to bypass when used for firewall implementation
• Below the transport layer: software is unaffected
• Transparent to users
• Can be customized to specific users
• IPSec used in routing:
• router advertisements are authentic
• neighbor advertisements are authentic
• verification of redirect messages
• prevents update forges
IP Security Architecture
• Complex specification (many documents/specs)
• Protocols specify:
• Architecture
• Encapsulating Security Payload (ESP)
• Authentication Header (AH)
• Encryption Algorithm
• Authentication Algorithm
• Key Management
• Domain of Interpretation
IPSec Services
• Services at the IP Layer
• Selecting protocols, algorithms, crypto-keys
• Important security protocols: ESP and AH
• ESP and AH services:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (cipher text)
• Confidentiality with limited cipher text
IPSec Services
Security Associations
• Very important concept (used throughout)
• Association: one-way relationship between sender
and receiver
• Provides security on traffic between it
• Can use two Security Associations (SA’s) for two way
communication
• Services provided to AH, ESP, but not both
simultaneously (but can be combined, as seen later)
• SA uniquely identified by three parameters: Security
Parameters Index (SPI), IP Destination Address, Security
Protocol Identifier
SA Parameters
• An SA must carry with it a number of important values
• Sequence Number Counter
• Sequence Counter Overflow
• Anti-replay window
• AH, ESP Information
• Lifetime of the SA
• Protocol mode (Tunnel/Transport, see in a moment)
• MTU: Maximum transmission unit
SA Selectors
• IPSec: Flexibility on application of services to traffic
• How to relate IP traffic to an SA?
• Security Policy Database:
• Simple idea: Table to relate subset of IP traffic to a
specific SA
• Becomes very complex (many to many relationship)
• An entry: IP and upper-layer protocol field values
• Known as selectors (filter outgoing traffic to SA)
• Outgoing traffic: 1) compares fields of packet against
SPD, finds match. 2) Determine the SA (if exists) 3) Do
IPSec (AH ESP)
SPD Entry
• What does an SPD entry look like?
• Destination IP Address – Single or Range (mask)
• Source IP Address
• UserID
• Data Sensitivity Level
• Transport Layer Protocol
• Source and Destination Ports
Transport and Tunnel Mode
• Another important concept reused:
• Transport mode: Protection of packet payload
• Tunnel mode: Protection of entire packet
• Transport mode used in end to end communication
between hosts.
• ESP: encrypts (+ authenticate) payload, not header
• AH: Authenticates payload, selected header bits
• Tunnel mode: new routing info added
• ESP: encrypts (+ authenticate) packet(not outer
header)
• AH: authenticates entire packet, selected outer bits
Authentication Header
• Adds data integrity and authentication to IP packets
• Integrity: avoid alteration of packets
• Authentication: filter traffic correctly
• Prevent spoof attacks and replay attacks
• Uses a message authentication code (MAC)
• Required shared secret key
• Uses the following fields:
• Next Header, Payload Length
• Reserved, SPI
• Sequence Number, Authentication Data
Authentication Header
Preventing Replays
• Attacker grabs authentic packet, transmits later
• Sequence Number tries to prevent this
• Sequence Number is generated by sender for a new SA
• Starts and 0 and increments to 232 – 1
• Incremented for each new packet, thus first value, 1
• Cannot be allowed to cycle. Passing limit must
negotiate NEW SA with a NEW secret key
• Since IP does not guarantee packet delivery order
(or at all for that matter), the receiver uses the
familiar sliding window concept for data
transmission.
Integrity Check Value
• ICV value in the Authentication Data
• Authentication code from a MAC algorithm
• Can use HMAC-MD5-96 or HMAC-SHA-1-96
• Calculation of the MAC code:
• Includes immutable fields and predictable fields
• Other fields set to 0
• Authentication Data field = 0
• Includes all additional protocol information
(TCP/IP), which should be immutable
• Recalculated and destination
Transport and Tunnel Modes
Encapsulating Security Payload
• Confidentiality services
• ESP can optionally provide authentication
• Parameters in an ESP Packet:
• Security Parameters Index
• Sequence Number
• Payload Data
• Padding
• Pad Length
• Next Header
• Authentication Data (e.g. ICV value)
Encapsulating Security Payload
Encryption and Decryption
• Uses any number symmetric encryption algorithms
• Three-key DES
• RC5
• Blowfish
• More
• Specified by the DOI
• Padding:
• Padding can indicate cipher text length, make plain
text long enough
• Used to align fields
• Conceal actual payload length
Transport and Tunnel Modes
• Transport Mode
• IP Header removed. Payload (including TCP header)
encrypted/replaced by cipher text
• Header attached/sent to destination
• Destination detaches and decrypts payload
• Tunnel Mode
• Entire packet is encrypted
• New IP Header added to cipher text and routed
• Decrypts the packet at destination
• Secondary header used for final routing
Combining Security Associates/Keys
• Can combine security associates (4 cases)
• IPSec requires management of secret keys
• Two types of key management: auto and manual
• Oakley Key Determination Protocol (like Diffie-Hellman,
but more secure)
• Cookies against clog attacks
• nonces to prevent replays
• authenticate against man in the middle
• Internet Security Association and Key Management
Protocol (allows various key exchange algorithms)
Web Security
Chapter 17
Web Security Introduction
• Need for security on the Transport Control Protocol
(TCP) Layer
• Uses Secure Socket Layer (SSL) and Internet standard
SSL called Transport Layer Service
• Allows TCP users to indentify security mechanisms
• Particularly concerted with E – commerce security:
Secure Electronic Transaction (SET)
Web Security Considerations
• Room for nearly all levels of security in the Web
• E.g. previous considerations
• Nevertheless: Web presents unique challenges
• All communication two way thus doubling the
opportunity for attack
• Web integrated into business: high losses if security
compromised
• Security flaws in complex software
• Web Servers may provide access to local intranet
• Users not aware of security risks
Threats Classifications
Web Security Approaches
• Different ways of implementing security
• Similar in services and (to an extent) mechanisms
• Differ with respect to scope and location with TCP/IP
stack
• Simple security: Use IP Security! IPSec runs over TCP
• Another solution: Run security just above TCP, below IP
• Basis of SSL and TLS
• Choice: Make SSL/TLS transparent or integrate into
applications? (advantage: tailored to needs,
disadvantage: complexity)
SSL and TLS
• Current version is SSL v3. TLS is essentially SSLv3.1
• Not a “successor” exactly, just a different standard
• SSL Architecture
• Make TCP reliable/secure
• Higher level protocols operate (HTTP for instance)
on SSL
• SSL uses three protocols: Handshake Protocol,
Change Cipher Spec Protocol, Alter Protocol
• Also a special “record” protocol
• Used in management of SSL exchanges
SSL Architecture
SSL Session and Connection
• Connection: A transport (recall OSI layers) providing
suitable service types. Here, these are peer-to-peer
connections and are transient (short lived). That is,
connections associated with one session.
• Session: An association between client and a server.
The Handshake protocol initiates sessions, which define
cryptographic parameters. The parameters may be
shared: in fact we use sessions to avoid negotiation of
new security parameters for each connection
(expensive)
Session and Connection States
• Session state has following parameters
•Session Identifier, Peer certificate (X509, etc)
• Compression Method
• Cipher spec (data encryption) and hash
• Master secret
• Is resumable?
• Connection state:
•Server and client randomness
• Keys: Server/Client MAC, Server/Client Write
• Initialization vectors
• Sequence numbers
SSL Record Protocol
• SSL Record protocol provides two services:
• Confidentiality
• Using symmetric encryption with a shared secret
key defined by Handshake Protocol
•AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza,
RC4-40, RC4-128
• Message is compressed before encryption
• Message integrity
• Using a MAC with shared secret key
• Similar to HMAC but with different padding
• Concerns itself with: fragmentation, compression,
authentication (MAC), encryption, header
SSL Record Appearance
Handshake Protocol
• Allows server & client to:
• Authenticate each other
• To negotiate encryption & MAC algorithms
• To negotiate cryptographic keys to be used
•Comprises a series of messages in phases
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
• Finish
Handshake Protocol
SSL Change Cipher Spec Protocol
• One of 3 SSL specific protocols which use the SSL
Record protocol
• A single message
• Causes pending state to become current
• Hence updating the cipher suite in use
SSL Alert Protocol
• Conveys SSL-related alerts to peer entity
• Severity
• Warning or fatal
• Specific Alert
• Fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
• Warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked,
certificate expired, certificate unknown
• Compressed & encrypted like all SSL data
Transport Layer Security
• As stated, standard similar to SSL
• Some differences:
• Un record format version number
• Uses HMAC for MAC
• A pseudo-random function expands secrets
• Has additional alert codes
• Some changes in supported ciphers
• Changes in certificate types & negotiations
• Changes in crypto computations & padding
Secure Electronic Transactions
• Open encryption & security specification
• To protect Internet credit card transactions
• Developed in 1996 by Mastercard, Visa etc
• Not a payment system
• Rather a set of security protocols & formats
• Secure communications amongst parties
• Trust from use of X.509v3 certificates
• Privacy by restricted info to those who need it
SET Components
SET Transaction
• Customer opens account
• Customer receives a certificate
• Merchants have their own certificates
• Customer places an order
• Merchant is verified
• Order and payment are sent
• Merchant requests payment authorization
• Merchant confirms order
• Merchant provides goods or service
• Merchant requests payment
Purchase Request
• SET purchase request exchange consists of four
messages
• Initiate Request - get certificates
• Initiate Response - signed response
• Purchase Request - of OI & PI
• Purchase Response - ack order
Payment Gateway Authorization
• Verifies all certificates
• Decrypts digital envelope of authorization block to
obtain symmetric key & then decrypts authorization
block
• Verifies merchant's signature on authorization block
• Decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
• Verifies dual signature on payment block
• Verifies that transaction ID received from merchant
matches that in PI received (indirectly) from customer
• Requests & receives an authorization from issuer
• Sends authorization response back to merchant
Payment Capture
• Merchant sends payment gateway a payment capture
request
• Gateway checks request
• Then causes funds to be transferred to merchants
account
• Notifies merchant using capture response