Crossing the Styx: Taming the Underworld Using Cerberus and PlutoPlus ITLs Contributions in the Area - PowerPoint PPT Presentation
1 / 37
Title:
Crossing the Styx: Taming the Underworld Using Cerberus and PlutoPlus ITLs Contributions in the Area
Description:
1. Crossing the Styx: Taming the Underworld. Using Cerberus and PlutoPlus ... Implement once, in a consistent manner, for multiple applications ... – PowerPoint PPT presentation
Number of Views:139
Avg rating:3.0/5.0
Title: Crossing the Styx: Taming the Underworld Using Cerberus and PlutoPlus ITLs Contributions in the Area
1
Crossing the StyxTaming the Underworld Using
Cerberus and PlutoPlus(ITLs Contributions in
the Area of Internet Security)
- Sheila Frankel
- Systems and Network Security Group, ITL
2
Unsolved Problems of the 1990s
- World Peace
- A Drinkable Diet Cola
- Secure Communications over an Insecure Network
3
Types of Security Protection
- Data Origin Authentication
- Connectionless Integrity
- Replay Protection
- Confidentiality (Encryption)
- Traffic Flow Confidentiality
4
At Which Network Layer Should Security Be
Provided?
- Application Layer
- Transport (Sockets) Layer
- Internet Layer
5
Why Internet Layer Security?
- Implement once, in a consistent manner, for
multiple applications - Centrally-controlled access policy
- Enable multi-level, layered approach to security
6
Internet Packet Format
IP Header
Upper Protocol Headers and Packet Data
7
Authentication Header (AH)
- Data origin authentication
- Connectionless integrity
- Replay protection (optional)
- Transport or tunnel mode
- Mandatory algorithms
- HMAC-MD5
- HMAC-SHA1
- Other algorithms optional
8
Internet Packet Format with AH
IP Header
AH Header
Upper Protocol Headers and Packet Data
Transport Mode
Tunnel Mode
9
Encapsulating Security Payload (ESP)
- Confidentiality
- Limited traffic flow confidentiality (tunnel mode
only) - Data origin authentication
- Connectionless integrity
- Replay protection (optional)
- Transport or tunnel mode
10
Encapsulating Security Payload (ESP) (contd)
- Mandatory algorithms
- DES-CBC
- HMAC-MD5
- HMAC-SHA1
- Other algorithms optional
11
Internet Packet Format with ESP
IP Header
ESP Header
Upper Protocol Headers and Packet Data
Transport Mode
New IP Header
Old IP Header
ESP Header
Upper Protocol Headers and Packet Data
Tunnel Mode
12
Transport vs. Tunnel Mode
13
Constructs Underlying IP Security
- Security Association (SA)
- Security Association Database (SAD)
- Security Parameter Index (SPI)
14
Internet Key Exchange (IKE)
- Negotiate
- Communication Parameters
- Security Features
- Authenticate Communicating Peer
- Protect Identity
- Generate, Exchange, and Establish Keys in a
Secure Manner - Delete Security Associations
15
Internet Key Exchange (IKE) (contd)
- Threat Mitigation
- Denial of Service
- Replay
- Man in Middle
- Perfect Forward Secrecy
- Usable by Ipsec and other domains (e.g., private
keys for VPNs)
16
Internet Key Exchange (IKE) (contd)
- Components
- Internet Security Association and Key Management
Protocol (ISAKMP) - Internet Key Exchange (IKE, aka ISAKMP/Oakley)
- IP Security Domain of Interpretation (IPsec DOI)
17
IKE Negotiations - Phase 1
- Purpose
- Establish ISAKMP SA (Secure Channel)
- Steps (4-6 messages exchanged)
- Negotiate Security Parameters
- Diffie-Hellman Exchange
- Authenticate Identities
- Main Mode vs. Aggressive Mode
18
IKE Negotiations - Phase 2
- Purpose
- Establish IPsec SA
- Steps (3-5 messages exchanged)
- Negotiate Security Parameters
- Optional Diffie-Hellman Exchange
- Final Verification
- Quick Mode
19
IKE Network Placement
Application Process
DOI Definition
Application Protocol
IKE
Security Protocol (IPsec)
20
IKE Peer Negotiation
Application
Application
5
1
IKE
Application Space
Application Space
IKE
Kernel Space
4
2
Kernel Space
4
3
3
IPSEC
IPSEC
5
Physical Network
21
Current Status of IPsec
- Most documents in Internet-Draft last call,
headed for RFC status - IPsec Working Group disbanded
- IPsecond Working Group starting up
- Multiple implementations (Sun, IBM, Microsoft,
DEC, Cisco, Telebit, others) deployed, in beta
test, or under development
22
Current Status of Ipsec (contd)
- Periodic interoperability/conformance testing
using reference implementations - Auto Industry eXchange (ANX) pushing for early
deployment - PKI work underway in IETF, industry, government
(NIST et. al.)
23
The IETFs Direction in IP Security
- IETF has mandated use of IPsec and IKE wherever
feasible - Testing support needed for emerging
implementations - Need publicly-available sites that are willing to
provide IPsec testing - Requested at 38th IETF meeting
24
NISTs Contributions to IPsec
- Cerberus - Linux-based reference implementation
of Ipsec - (http//snad.ncsl.nist.gov/cerberus)
- PlutoPlus - Linux-based reference implementation
of IKE - IPsec-WIT - Web-based IPsec interoperability test
facility - (http//ipsec-wit.antd.nist.gov)
25
NISTs Contributions to IPsec (contd)
- Goals
- Enable smaller industry vendors to jump-start
their entry into IPsec - Facilitate ongoing interoperability testing of
multiple IPsec implementations
26
IPsec - Missing Pieces
- Policy specification and control
- Communication with CAs
27
IPsec Internet Drafts - Basic Documents
- IP Security Document Roadmap
- (draft-ietf-ipsec-doc-roadmap-02.txt)
- Security Architecture for the Internet Protocol
(draft-ietf-ipsec-arch-sec-04.txt) - IP Authentication Header
- (draft-ietf-ipsec-auth-header-05.txt)
- IP Encapsulating Security Payload (ESP)
(draft-ietf-ipsec-esp-v2-04.txt)
28
IPsec Internet Drafts - Authentication
Algorithms
- The Use of HMAC-MD5-96 within ESP and AH
(draft-ietf-ipsec-auth-hmac-md5-96-03.txt) - The Use of HMAC-SHA-1-96 within ESP and AH
(draft-ietf-ipsec-auth-hmac-sha1-96-03.txt) - The Use of HMAC-RIPEMD-160-96 within ESP and AH
- (draft-ietf-ipsec-auth-hmac-ripemd-160-96-01.txt)
29
IPsec Internet Drafts -Cryptographic Transforms
- The ESP ARCFOUR Algorithm
- (draft-ietf-ipsec-ciph-arcfour-00.txt)
- The ESP Blowfish-CBC Algorithm Using an Explicit
IV - (draft-ietf-ipsec-ciph-blowfish-cbc-00.txt)
- The ESP CAST128-CBC Algorithm
- (draft-ietf-ipsec-ciph-cast128-cbc-00.txt)
- The ESP CAST5-128-CBC Transform
- (draft-ietf-ipsec-ciph-cast-div-00.txt)
30
IPsec Internet Drafts - Cryptographic Transforms
(contd)
- The ESP CBC-Mode Cipher Algorithms
- (draft-ietf-ipsec-ciph-cbc-02.txt)
- ESP with Cipher Block Chaining (CBC)
- (draft-ietf-ipsec-cbc-00.txt)
- The ESP DES-CBC Transform
- (draft-ietf-ipsec-ciph-des-derived-00.txt)
- The ESP DES-CBC Cipher Algorithm With Explicit
IV - (draft-ietf-ipsec-ciph-des-expiv-02.txt)
31
IPsec Internet Drafts - Cryptographic Transforms
(contd)
- The ESP Triple DES Transform
- (draft-ietf-ipsec-ciph-des3-00.txt)
- The ESP 3DES-CBC Algorithm Using an Explicit IV
(draft-ietf-ipsec-ciph-3des-expiv-00.txt) - The ESP DES-XEX3-CBC Transform
- (draft-ietf-ipsec-ciph-desx-00.txt)
- The ESP IDEA-CBC Algorithm Using Explicit IV
(draft-ietf-ipsec-ciph-idea-cbc-00.txt)
32
IPsec Internet Drafts - Cryptographic Transforms
(contd)
- The ESP RC5-CBC Algorithm
- (draft-ietf-ipsec-ciph-rc5-cbc-00.txt)
- The NULL Encryption Algorithm and Its Use With
Ipsec - (draft-ietf-ipsec-ciph-null-00.txt)
33
IPsec Internet Drafts -Key Management
- Internet Security Association and Key Management
Protocol (ISAKMP) - (draft-ietf-ipsec-isakmp-09.txt, .ps)
- The OAKLEY Key Determination Protocol
- (draft-ietf-ipsec-oakley-02.txt)
- The Internet Key Exchange (IKE)
- (draft-ietf-ipsec-isakmp-oakley-07.txt)
34
IPsec Internet Drafts - Key Management (contd)
- The Internet IP Security Domain of Interpretation
for ISAKMP - (draft-ietf-ipsec-ipsec-doi-08.txt)
- Inline Keying within the ISAKMP Framework
- (draft-ietf-ipsec-inline-isakmp-01.txt)
35
IPsec Internet Drafts -Additional Key Management
Modes
- Extended Authentication Within ISAKMP/Oakley
- (draft-ietf-ipsec-isakmp-xauth-01.txt)
- A GSS-API Authentication Mode for ISAKMP/Oakley
- (draft-ietf-ipsec-isakmp-gss-auth-00.txt)
- The ISAKMP Configuration Method
- (draft-ietf-ipsec-isakmp-mode-cfg-02.txt)
36
IPsec Internet Drafts - Additional Key Mgmt
Modes (contd)
- A revised encryption mode for ISAKMP/Oakley
- (draft-ietf-ipsec-revised-enc-mode-01.txt)
- Revised SA negotiation mode for ISAKMP/Oakley
- (draft-ietf-ipsec-isakmp-SA-revised-00.txt)
37
IPsec Internet Drafts -Additional Documents
- Implementation of Virtual Private Network (VPNs)
with IP Security - (draft-moskowitz-ipsec-vpn-00.txt)
- Dynamic remote host configuration over IPSEC
using DHCP - (draft-ietf-ipsec-dhcp-00.txt)
- IPSec Policy Data Model
- (draft-ietf-ipsec-policy-model-00.txt)
Recommended
CrystalGraphics Presentations
![HRW7 23.CQ.01. [406131] A surface has the area vector A = (6 i 3 j) m2. PowerPoint PPT Presentation](https://s3.amazonaws.com/images.powershow.com/5427104.th0.jpg?_=20140909056)
