Network Security - PowerPoint PPT Presentation

1 / 49
About This Presentation
Title:

Network Security

Description:

Network Security Chapter 3. Security and Layered Architecture Why not establish and use one `master key`? Ensure reliable, secure separation of sessions In particular ... – PowerPoint PPT presentation

Number of Views:319
Avg rating:3.0/5.0
Slides: 50
Provided by: kowonDon
Category:

less

Transcript and Presenter's Notes

Title: Network Security


1
Network Security
  • Chapter 3. Security and Layered Architecture

2
Objectives
  • Security at Layer 1
  • Security at Layer 2
  • Extensible Authentication Protocol(EAP)
  • EAPoL EAP Over LAN
  • EAP-TLS TLS Handshake Over EAP
  • Security at Layer 3 IPSec
  • Security at Layer 4 SSL/TLS

3
Security at Layer 1
  • Physical transmission of the bits over the
    medium.
  • Provide certain amount of security.
  • Direct Sequence Spread Spectrum(DSSS)
  • Frequency Hopping Spread Spectrum(FHSS)
  • Security provided by these protocols stems from
    keeping the codes(chip sequence or frequency
    hopping sequence) secret.
  • The codes are not cryptographically protected
  • are usually well known or easy to figure out.
  • Keep out of the most casual of eavesdroppers.

4
HFSS system
5
DSSS (CDMA Example)
6
Security at layer 2
  • Extensible Authentication Protocol (EAP)
  • Point-to-Point Protocol(PPP)
  • used for connecting to the internet over phone
    line using modem.
  • lt Authentication Model for Dial-In
    Internet Accessgt
  • Three entities
  • Supplicant (user)
  • Authenticator (Point-of-Presence) decision
    implementer
  • Authentication Server ( authenticating the user)
    decision maker

7
PPP connection procedure
  • PPP connection procedure

PPP client
PPP Server (ex Switch)
(1) LCP PPP connection option negotiation
(2) Authentication Procedure
Authentication Server
(3) IP address Allocation
DHCP Server
(4) IP packet exchange using PPP Frame
8
PPP
  • Two Authentication protocol for PPP
  • PAP(password Authentication Protocol)
  • CHAP(challenge handshaking Authentication
    Protocol)

9
EAP(Extensible Authentication Protocol)
  • PAP username and password is transmitted in
    plain text
  • CHAP challenge-response-based mechanism
  • Cheating CHAP (refer to handout)
  • When new protocol is developed, it should be
    registered to IANA(Internet Assigned Numbers
    Authority).
  • Also NAS should update software module to
    identity the new authentication protocol.
  • Idea
  • EAP header identify various authentication
    method
  • NAS do not process Authentication, instead relay
    EAP message to authentication server.
  • Authentication is processed between user and
    Authentication server
  • EAP-MD5, EAP-TSL is well known.

10
Problem of authentication in PPP
11
The EAP Architecture
  • Advantage
  • Allows Arbitrary authentication protocol between
    supplicants and the authentication server.
  • just act as pass through agent for back-end
    authentication server.
  • Separation of authenticator and authentication
    server allows for higher flexibility and simple,
    low-cost authenticators.
  • Disadvantage
  • No mechanism to tie the two authentications
    together as part of a session.
  • Do not provide protection against a forged
    EAP-success
  • does not provide any mechanism to link the
    authentication procedure to the following session.

12
EAPoL EAP over LAN
  • 802.1X definition - mechanism for port-based
    network access control that make use of the
    physical access characteristics of IEEE 802 LAN
    .

13
EAP-TLS TLS Handshake Over EAP
  • Authentication category
  • establish security context such as session key
    TLS and so on.
  • dose not establish security context MD5, SHA
    and so on.
  • EAP-TLS
  • RFC 2716 www.faqs.org/rfc/rfc2409.html
  • TLS(Transport Layer Security) sits over EAP.
  • Use DH protocol to establish a premaster key.
  • for more real authentication case, see the
    documents.

14
Security at Layer 3 (IP network Layer)
  • L3 responsible for providing end-to-end
    connectivity
  • IPSec (Internet Protocol Security)
  • general IP Security mechanisms
  • provides
  • authentication
  • confidentiality
  • key management
  • applicable to use over LANs, across public
    private WANs, for the Internet

15
IPSec Uses
16
IPSec Services
  • Access control
  • Integrity
  • Data origin authentication
  • Rejection of replayed packets
  • Confidentiality (encryption)
  • Limited traffic flow confidentiality - padding

17
IP Security Architecture
  • specification is quite complex
  • defined in numerous RFCs
  • RFC 2401 - 2412 (1998)
  • RFC 4301 4309 (2005)
  • mandatory in IPv6, optional in IPv4
  • have two security header extensions
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)

18
IPSec overview
  • IKE(Internet Key Exchange Protocol) Protocol
  • responsible for authentication and session key
    establishment between the two communicating
    parties.
  • RFC 2409 IKEv1, RFC 4306 IKEv2
  • AH(Authentication Header), ESP(Encapsulation
    Security Payload)
  • IP Header extensions are used for
    confidentiality, integrity, and authentication.
  • AH standard - 2402(1998), 4302(2005)
  • ESP standard 2406(1998), 4303(2005)

19
Security Associations
  • Specifies completely all the cryptographic
    information required in one direction of
    communication
  • defined by 3 parameters
  • Security Parameters Index (SPI)
  • IP Destination Address
  • Security Protocol Identifier(AH or ESP)
  • other parameters
  • Seq no, anti-reply window, lifetime of SA, IPSec
    mode
  • AH info algorithm, Key, key lifetime
  • ESP info encryption algorithm, key, key
    lifetime authentication
    algorithm, key, key lifetime

20
Anti-Reply Mechanism
  • Sequence number starts at 1 and cannot go past
    232-1
  • receiver keeps a window of min size 32 (64
    preferred, larger is ok)
  • packets to left of window are discarded
  • repeated packets within window are discarded
  • authentic packets to right of window cause window
    to move right

21
Encapsulated Security Payload (ESP)
  • provides message content confidentiality
    limited traffic flow confidentiality
  • can optionally provide the same authentication
    services as AH
  • supports range of ciphers, modes, padding
  • incl. DES, Triple-DES, RC5, IDEA, CAST etc
  • CBC other modes
  • padding needed to fill block size, fields, for
    traffic flow confidentiality

22
IPSec Encapsulating Security Payload (ESP) in
Transport Mode
23
IPSec ESP Tunnel Mode
24
Encryption and MAC algorithm for ESP
25
Authentication Header (AH)
  • Authentication is applied to the entire packet,
    with the mutable fields(change hop-by-hop) in the
    IP header zeroed out
  • Data origin authentication, data integrity, reply
    prevention
  • If both ESP and AH are applied to a packet, AH
    follows ESP

26
IPSec Authentication Header (AH)in Transport Mode
27
IPSec AH Tunnel Mode
28
MAC Algorithms for AH
29
Combining Security Associations
30
Introduction to IKE
  • A mature, complex protocol for securely setting
    up keyed sessions, in particular IP-Sec SA.
  • Evolved over several years from multiple
    proposals IKEv2 is now draft standard
    (http//tools.ietf.org/html/rfc4306)
  • Runs over UDP (port 500 detect NAT 4500)
  • One IKE message per UDP datagram
  • Uses (only) exchanges (request/response)
  • Initiator (Alice) makes request, Responder (Bob)
    responses
  • Initiator (only) retransmits/aborts for
    reliability
  • Not necessarily client/server! But usually Alice
    is client.

31
IKE advanced features(design goals)-IKEv2
  • Cryptographic negotiation
  • Efficient, secure, robust, flexible
  • Robustness against Denial Of Service
  • NAT/NAPT-friendly
  • Strong (Perfect) Forward Secrecy (PFS)
  • Whats this?

32
Strong (Perfect) Forward Security(PFS)
  • Protect traffic of period i from exposure of all
    keys of all periods j?i, as long as exposure
    happens after (refresh phase of) period i1
  • Active adversary - can always inject/eavesdrop
    etc.
  • Motivation attacker may eventually expose some
    old keys, by cryptanalysis, reading erased data,

33
Internet Key Exchange (IKE) ver. 1
  • Phase I Establish a secure channel
  • ISAKMP(Internet Security Association and Key
    Management Protocol) SA.
  • Authenticate computer identity
  • Algorithms, keys, etc. to be used by IKE (not
    AH/ESP!)
  • Perfect forward secrecy (PFS)
  • Phase II Generate IP-Sec SA
  • Establishes a secure channel between computers
    intended for the transmission of data.
  • Protected using the ISAKMP SA
  • Many 2nd phases may share ISAKMP SA (1st phase)
  • PFS optional

34
Why derive many session keys?
  • Why not establish and use one master key?
  • Ensure reliable, secure separation of sessions
  • In particular prevent IP spoofing in
    ESP/Transport
  • Restrict use of a single key
  • Make cryptoanalysis harder
  • Less available ciphertext
  • Some sessions may be easier to attack
  • (chosen/known plaintext)
  • Restrict damage of known key attack session key
    exposure does not expose past or future messages,
    session keys, or master key
  • Strong (Perfect) Forward Secrecy (PFS)

35
Why Two IKE Phases?
  • To fulfill the PFS requirement, every phase I
    exchange, performs a DH exchange
  • In phase II, DH execution is optional phase II
    and the IPsec keys can be derived from phase I
    exchange
  • Phase II is more efficient
  • Many phase II exchanges can use the same set of
    phase I keys
  • Why derive different keys and not?

36
IKE Denial Of Service Attacks
  • IKE DOS Attack flood victim with IKE requests
    (fake source IP addr) ? victim performs expensive
    computations in vain
  • Solution before performing expensive
    computations (e.g. DH), verify that the other
    party is indeed located in the IP address that
    appears in the header
  • How ? Cookies mechanism (next)
  • Note requires the main mode of IKEv1 (6
    flows, cf. to aggressive mode of 3 flows),
    also optional exchange in IKEv2.

37
The Cookies Mechanism
  • The recipient sends a pseudo random string
    (Cookie) to the other party
  • The other party return the cookie, proving it can
    receive from its IP address
  • Compute cookie
  • Cookie ltVersionIDofSecretgt Hash(Ni IPi
    SPIi ltsecretgt)
  • ltsecretgt a randomly generated secret known
    only to the responder and periodically changed
  • ltVersionIDofSecretgt should be changed whenever
    ltsecretgt is regenerated.
  • Efficient generation, memory less verification
  • Expensive calculations will be performed, and
    state kept, only if valid cookie is received

38
IKEv2 Exchanges
39
IKEv2 IKE_SA_Init exchange
  • Negotiate crypto-suites
  • Exchange gi, gr (Diffie-Hellman public values)
  • Exchange nonces
  • Identities (and certificates) not exposed yet!

40
Key Derivation in IKE
41
IKEv2 IKE_Auth exchange
  • Authenticate IKE_SA_Init exchange
  • Exchange identities and certificates (encrypted
    for privacy but client identity has weaker
    protection)
  • Exchange traffic selectors
  • Establish 1st child SA
  • Encrypted and authenticated (MAC) using SK
  • Like in ESP encrypt then MAC use keys
    SK_a/ei/r.

42
Reuse of Diffie-Hellman Exponentials
  • IKE generates keying material using an ephemeral
    Diffie-Hellman exchange in order to gain the
    property of "perfect forward secrecy". This means
    that once a connection is closed and its
    corresponding keys are forgotten, even someone
    who has recorded all of the data from the
    connection and gets access to all of the
    long-term keys of the two endpoints cannot
    reconstruct the keys used to protect the
    conversation without doing a brute force search
    of the session key space.
  • Achieving perfect forward secrecy requires that
    when a connection is closed, each endpoint MUST
    forget not only the keys used by the connection
    but also any information that could be used to
    recompute those keys. In particular, it MUST
    forget the secrets used in the Diffie-Hellman
    calculation and any state that may persist in the
    state of a pseudo-random number generator that
    could be used to recompute the Diffie-Hellman
    secrets. Since the computing of Diffie-Hellman
    exponentials is computationally expensive, an
    endpoint may find it advantageous to reuse those
    exponentials for multiple connection setups.
    There are several reasonable strategies for doing
    this. An endpoint could choose a new exponential
    only periodically though this could result in
    less-than- perfect forward secrecy if some
    connection lasts for less than the lifetime of
    the exponential. Or it could keep track of which
    exponential was used for each connection and
    delete the information associated with the
    exponential only when some corresponding
    connection was closed. This would allow the
    exponential to be reused without losing perfect
    forward secrecy at the cost of maintaining more
    state.
  • Decisions as to whether and when to reuse
    Diffie-Hellman exponentials is a private decision
    in the sense that it will not affect
    interoperability. An implementation that reuses
    exponentials MAY choose to remember the
    exponential used by the other endpoint on past
    exchanges and if one is reused to avoid the
    second half of the calculation.

43
Security at Layer 4 SSL/TLS
  • Secure Socket Layer(SSL)/Transport layer
    Security(TLS) incompatible but similar.
  • A protocol developed by Netscape for transmitting
    private documents via the Internet.
  • Sits between application layer and transport
    layer, so applications use SSL sockets.
  • Authenticate the communicating party and
    establish a session key.
  • By convention, URLs that require an SSL
    connection start with https instead of http

44
TLS Message flow
45
When Key Exchange Message is sent?
46
TLS Hand shaking
master_secret PRF(pre_master_secret, "master
secret", ClientHello.random ServerHello.random)

Encrypted with master secret
Signed hash
47
SSL/TLS Security
  • Session-Id used in TLS
  • Become valid only when shaking is completed and
    persists until it is removed due to aging or
    session error.
  • The whole session messages are protected(signed
    hash) by the Finished message.
  • Can not be spoofed by a malicious Eve.

48
SSL DoS attack loop hole
  • SSL runs on top of TCP.
  • TCP checks transmission error not protected
    cryptographically.
  • SSL does not have API to tell vague packet to TCP
  • Scenario
  • Insert malicious data packet into a packet stream
    which is protected by SSL.
  • SSL drops the packet
  • When real packet arrive, TCP will drop the packet
    since duplicate packet.
  • SSL is missing a packet it is expecting.
  • SSL close the connection after timeout. ? DoS
    attack!

49
Resources
  • EAP-TLS deployment CISCO documents.
  • IPSec PPTs - Stalling Book(Chapt 16)
  • A Cryptographic tour of the IPSec Standards
    K.G. Paterson
  • Alcatel IPSec White Paper(IKEv1)
  • New efficient, DoS Resistant IKE(paper, 2002)
Write a Comment
User Comments (0)
About PowerShow.com