Short introduction to IPSec (very high level) Some crypto aspects of IPSec Introduction to IKE functionality
(IKE = Internet Key Exchange)
cryptographic core of the main authenticated Diffie-Hellman exchange of IKE (v1 and v2)
2
IPSec: IP Security
[RFC2401-12]
(Internet Protocol)
layer
SA (Security Association) creation & management Application independent: security for the Internet infrastructure
03Crypto - Hugo Krawczyk 3
Network Layers
Applications
APIs TCP/UDP/ IP/IPSEC Network Device Drivers IP Secure Tunnel
Applications
APIs TCP/UDP/ IP/IPSEC Network Device Drivers
5 Source: www.vpn-technology.com
Two IP devices A and B want to communicate securely under the protection of IPSec First a Security Association (SA) between A and B is established
SA:
a set of parameters, algs, & shared keys agreed between A and B, and locally stored by each party
Then, A and B secure the IP traffic by applying ENC and MAC on each IP packet they exchange Omitted: many details, system issues, implementation,
complexities, controversies, etc
6
IP HDR
ESP HDR
Encrypted Payload
MAC
IP HDR
ESP HDR
Payload
MAC
Encrypted Payload
MAC
Integrity:
encrypt-then-authenticate
type of key exchange, credentials, crypto algorithms, crypto strength, traffic to protect, etc
Key
Exchange: share keys between parties (1998): ISAKMP for mgmt, IKE for KE (2003): IKE specifies it all
10
Session Mgmt
SPI Application Kernel (OS) ADDR ALG KEY
. . .
IPSec
. . .
. . .
. . .
. . .
We omit discussion of broad mgmt functions focus on the cryptography of IKE key exchange Driving cryptographic requirements
Authenticated Perfect
forward secrecy (PFS): exposure of long term keys does not compromise security of past sessions
Diffie-Hellman (optional for fast re-key functionality)
Identity
IKEv1 [RFC2409]
With and without identity protection Modes designed to share as many elements as possible (e.g., authd info, nonces, key derivation)
14
IKEv1
Many cryptographic elements taken from SKEME [K95] and OAKLEY [Orman98]
Uniform Key But
Authentication
for Photuris signature-based DH which used an (insecure) variant of the STS protocol
15
rid of many of the authentication options: e.g., the PK Encryption and aggressive modes signature mode: kept SIGMA design setting [HK99]
Single
(v1&v2)
The focus for the rest of this talk A paper containing the detailed rationale for SIGMA design contributed to the proceedings
Intended A
to a broad audience of crypto designers and security engineers formal analysis presented last year [Canetti-K02]
The name SIGMA is relatively recent (used in SIGMA stands for SIGn-and-MAc the main IKEv2 revision to differentiate from other proposals) authentication elements in the protocol
18
Identity Protection
possible: both ids protected against passive attacks but only one against active attacks
identity should get active defense?
Whose
Initiator:
Responder:
principle: id protection as an added value (KE must be secure also w/o the id protection part)
19
By learning from the good and bad aspects of previous protocols Here is the story
We
start with core security issues and then add identity protection
20
B, gy
SIGA(gy,gx)
Each party signs its own DH value to prevent m-i-t-m attack (and
Identity-Misbinding Attack*[DVW92]
(a.k.a. Unknown Key-Share attack)
A, gx B, gy, SIGB(gx,gy)
E, gx B, gy, SIGB(gx,gy)
SIGA(gy,gx)
Any
A: Shared K=gxy with B (KB)
SIGE(gy,gx)
B: Shared K=gxy with E (KE)
E, gx B, gy, SIGB(gx,gy,E)
The ISO protocol thus avoids the misbinding attack; but is it secure??
26
B needs to know As identity before he can authenticate to A; same for A Protection against active attackers is not possible Another privacy concern: leaving a signed proof of communication (signing the peers identity) Letting each party sign its own identity rather than the peers solves the privacy issues but makes the protocol insecure (the identity-misbinding attack again)
27
A, gx
B, gy, {SIGB(gx,gy)}K {SIGA(gy,gx )}K
28
29
if Eve can register As public-key under her name she can mount the I-M attack (w/o even knowing gxy!)
A E
30
Identity-Misbinding on STS
certification settings check for identity of registrant but not for possession (PoP) of private key (in particular, in common IPSec settings)
The attack is trivial if certs not encrypted and trivial too if encrypted with a stream cipher First issue is debatable but enough to show that proof of knowledge of gxy via encryption is not enough. Moreover
31
(instead of encryption) gx
[DVW]
E A, SIGA(gy,gx ), MACK(SIGA) /
MACK better suited to provide Proof of Knowledge of K Yet: same attack as w/ encryption is possible! Can be mounted even if priv-key PoP is required!!! [BM99] Even if id put under sig (on-line registration attack)
32
The point is that proof of knowledge of K=gxy is not the issue What is required is: binding the key K with the peer identities Which brings us to the SIGMA design
SIGn
and MAc-your-own-identity!!
another STS variant: Sign K=gxy as proof of knowledge; also insecure (see the SIGMA paper)
33
Does not require knowing the peers id for own authentication Great for id protection 03Crypto - Hugo Krawczyk
34
gx
gy, {B, SIGB (gx,gy), MACKm(B) }Ke {A, SIGA(gy,gx), MACKm (A) }Ke
*Ke and Km derived from gxy via pseudorandom function
35
gx
gy { A, SIGA (gy,gx), MACKm (A) }Ke
gx
SIGMA Summary
With
or without ID Protection
Provides best possible protection (I or R protected against active attacks depending on application) The intelligent passport application
Standardized:
Guarantees Secure
Specification, implementation, DETAILS (see full fledge appendix in paper -- web version) DoS defenses: selective (IKEv2), integral (JFK-R) RCCA [Thu] ID Protn: Encryption secure against active attackers (CCA) X Certificates,
40
key authentication
protocol IKEv2 (asym. model [HK99])
Password-based
derivation from DH: over non-DDH groups, and the use of Public PRFs as Universal Hashing
Analysis: work in progress
Many aspects of SIGMA design and properties not covered (see proceedings url for full version) Biggest missing piece in this presentation: formalizing KE and analysis
41
Final Remark
The KE area has matured to the point in which there is no reason to use unproven protocols
Addressing Proofs It
practicality does not require (or justify) giving up on rigorous analysis not an absolute guarantee (relative to the security model), but the best available assurance is easy to design simple and secure key-exchange protocols, but it is easier to get them wrong
42
ThAnKs