Dunstable College - PowerPoint PPT Presentation

Slides: 50
Provided by: dcon8

1
Dunstable College
  • IPSec

2
IPSec key protocols and elements
3
IPSec key protocols and elements
www.cisco.com/warp/public/759/ipj_3-1/ipj_3-1_ip.html
  • Authentication Header (AH): A security protocol
    that provides data authentication, data
    integrity, and optional anti-replay services. AH
    is embedded in the data to be protected.

4
IPSec key protocols and elements
  • Encapsulating Security Payload (ESP): A
    security protocol that provides data
    confidentiality, data integrity and protection
    services, optional data origin authentication,
    and anti-replay services. ESP encapsulates the
    data to be protected.

5
IPSec key protocols and elements
  • Internet Key Exchange (IKE): A hybrid protocol
    that implements Oakley key exchange and SKEME key
    exchange inside the ISAKMP framework. Oakley and
    SKEME each define a method to establish an
    authenticated key exchange. This includes payload
    construction, the information payloads carried,
    the order in which keys are processed and how the
    keys are used.

6
IPSec key protocols and elements
  • Internet Security Association and Key Management
    Protocol (ISAKMP): A protocol framework that
    defines payload formats, the mechanics of
    implementing a key exchange protocol, and the
    negotiation of an SA.
  • Security Association (SA): A set of policy and
    key(s) used to protect information. The ISAKMP SA
    is the shared policy and key(s) used by the
    negotiating peers in this protocol to protect
    their communication.

7
IPSec key protocols and elements
  • Authentication, Authorization, and Accounting
    (AAA): The network security services that
    provide the primary framework through which
    access control is set up on routers or access
    servers. Two major alternatives for AAA are
    TACACS+ and RADIUS.
  • Terminal Access Controller Access Control System
    Plus (TACACS+): A security application that
    provides centralized validation of users
    attempting to gain access to a router or network
    access server.
  • Remote Authentication Dial-In User Service
    (RADIUS): A distributed client/server system
    that secures networks against unauthorized
    access.

8
Cryptosystem overview
9
Cryptosystem overview
  • There are numerous encryption technologies
    available to provide confidentiality.
  • The Data Encryption Standard (DES) encrypts
    packet data with a 56-bit key.
  • At its development in the 1970s, DES was thought
    to be unbreakable.
  • Today's supercomputers, however, can crack DES
    encryption in a few days.

10
Cryptosystem overview
  • 3DES uses a double-length key of 112 bits and
    performs three DES operations in sequence.
  • 3DES is 256 times stronger than DES.
  • Advanced Encryption Standard (AES) currently
    specifies keys with a length of 128, 192 or 256
    bits to encrypt blocks with a length of 128, 192
    or 256 bits (all nine combinations of key length
    and block length are possible).
  • Cisco intends AES to be available on all Cisco
    products that currently have IPSec DES/3DES
    functionality such as IOS-based routers, Cisco
    Secure PIX firewalls, Cisco VPN concentrators and
    Cisco VPN clients.

11
Cryptosystem overview
  • Many standards have emerged to protect the
    secrecy of keys and to facilitate the changing of
    these keys.
  • Diffie-Hellman implements key exchange without
    exchanging the actual keys.
  • This is the most well-known and widely used
    algorithm for establishing session keys to
    encrypt data.

12
Cryptosystem overview
  • Several technologies provide authentication
    including Message Digest 5 (MD5) and Secure Hash
    Algorithm (SHA).

13
Symmetric encryption
  • Symmetrical encryption is also known as
    secret key encryption.
  • Used for large volumes of data.
  • During the data exchange, the keys may change
    several times.
  • Asymmetrical encryption, or public key encryption
    such as RSA, is several orders-of-magnitude more
    CPU-intensive, so it is usually used only for key
    exchanges.

14
Symmetric encryption
  • The most important feature of a cryptographic
    algorithm is its security against being
    compromised.
  • The security of a cryptosystem, or the degree of
    difficulty for an attacker to determine the
    contents of the ciphertext, is a function of a
    few variables.
  • In most protocols, the secrecy of the key used to
    encrypt data is the basis for security.
  • The DES algorithm is built so that it is nearly
    impossible to determine the clear text without
    having this key.
  • In any cryptosystem, many precautions are taken
    to protect the secrecy of the encryption key.

15
Symmetric encryption
  • Data Encryption Standard (DES) is one of the
    most widely used symmetric encryption standards.
  • DES turns clear text into ciphertext by using an
    encryption algorithm.
  • The decryption algorithm on the remote end
    restores clear text from ciphertext.
  • Keys enable the encryption and decryption.
  • DES is the most widely used symmetric encryption
    scheme today.
  • Triple DES (3DES) is an alternative to DES that
    preserves the existing investment in software but
    makes a brute-force attack more difficult.
  • 3DES can use one, two, or three different keys.

16
Asymmetric encryption
17
Asymmetric encryption
  • Asymmetric encryption is often referred to as
    public key encryption.
  • It can use either the same algorithm, or
    different but complementary algorithms to
    scramble and unscramble data.
  • Two different, but related, key values are
    required.
  • These values are referred to as the public key
    and private key.
  • For example, if Alice and Bob want to communicate
    using public key encryption, both need a public
    key and private key pair.
  • Alice has to create her public key/private key
    pair, and Bob has to create his own public
    key/private key pair.
  • When communicating with each other securely,
    Alice and Bob use different keys to encrypt and
    decrypt data.

18
Asymmetric encryption
  • The mechanisms used to generate these
    public/private key pairs are complex.
  • They result in the generation of two very large
    random numbers.
  • One of the random numbers becomes the public key
    and the other becomes the private key.
  • Generating these numbers is processor intensive.
  • The numbers, as well as their product, must
    adhere to stringent mathematical criteria to
    preserve the uniqueness of each public/private
    key pair.
  • Public key encryption algorithms are rarely used
    for data confidentiality because of their
    performance constraints.
  • Instead, public key encryption algorithms are
    typically used in authentication applications
    involving digital signatures and key management.
  • Some of the more common public key algorithms are
    the Ron Rivest, Adi Shamir, and Leonard Adleman
    (RSA) algorithm and the El Gamal algorithm.

19
Key Exchange Diffie-Hellman algorithm
20
Key Exchange Diffie-Hellman algorithm
  • One of the most important aspects of creating a
    secure VPN involves exchanging the keys.
  • The Diffie-Hellman algorithm provides a way for
    two users, A and B, to establish a shared secret
    key that only they know.
  • The shared secret key can be established even
    though users A and B are communicating over an
    insecure channel.
  • This secret key is then used to encrypt data
    using the secret key encryption algorithm
    selected by A and B.
  • Two numbers which are shared are p, a prime
    number and g, a number less than p with some
    restrictions.

21
Key Exchange Diffie-Hellman algorithm
  • A and B each create a large random number that is
    kept secret, called XA and XB.
  • The Diffie-Hellman algorithm is now performed.
  • Both A and B carry out computations and exchange
    results.
  • The final result is a common value, K.
  • A user who knows p or g cannot easily
    calculate the shared secret value, because of the
    difficulty in factoring large prime numbers.

22
Key Exchange Diffie-Hellman algorithm
  • It is important to note that A and B have no
    method for determining each other's identity.
  • The exchange is vulnerable to a man-in-the-middle
    attack.
  • Diffie-Hellman provides for confidentiality but
    does not provide for authentication.
  • Authentication is achieved by the use of digital
    signatures in the Diffie-Hellman message
    exchanges.
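
The exchange from slides 20-22 as an added example (not part of the original slides): both sides compute the same K, and a public value substituted in transit is rejected once the exchanged values are authenticated. Assumptions: the 127-bit group is a toy constructed for the demo, and an HMAC under a pre-shared key stands in for the digital signatures the slide mentions; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group constructed for this example: p = 2**127 - 1 is prime, g = 3.
# It is far too small for real use; it only keeps the numbers readable.
P = 2**127 - 1
G = 3

def dh_keypair():
    """Return (secret X, public value Y = g^X mod p)."""
    x = secrets.randbelow(P - 3) + 2          # secret in [2, p-2]
    return x, pow(G, x, P)

def dh_shared(own_secret, peer_public):
    """K = (peer's Y)^X mod p; both sides arrive at the same K."""
    if not 1 < peer_public < P - 1:           # reject 0, 1 and p-1
        raise ValueError("invalid public value")
    return pow(peer_public, own_secret, P)

def tag(auth_key, sender, public_value):
    """Authenticate a public value (HMAC stand-in for a signature)."""
    msg = sender.encode() + b"|" + str(public_value).encode()
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def verify(auth_key, sender, public_value, received_tag):
    expected = tag(auth_key, sender, public_value)
    return hmac.compare_digest(expected, received_tag)

def demo():
    auth_key = b"constructed pre-shared authentication key"
    xa, ya = dh_keypair()                     # A's XA and public value
    xb, yb = dh_keypair()                     # B's XB and public value
    # Honest run: each side sends its public value with a tag.
    msg_a = (ya, tag(auth_key, "A", ya))
    msg_b = (yb, tag(auth_key, "B", yb))
    ok = verify(auth_key, "A", *msg_a) and verify(auth_key, "B", *msg_b)
    k_a = dh_shared(xa, msg_b[0])
    k_b = dh_shared(xb, msg_a[0])
    # A different public value arrives with A's original tag: B's check
    # fails, so B never derives a key with an unidentified party.
    _, y_other = dh_keypair()
    substituted_ok = verify(auth_key, "A", y_other, msg_a[1])
    return ok, k_a == k_b, substituted_ok
```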

23
Hashing
24
Hashing
  • Hashing guarantees the integrity of the message.
  • At the local end, the message and a shared secret
    key are sent through a hash algorithm.
  • A hash algorithm is a formula used to convert a
    variable length message into a single string of
    digits of a fixed length, called a hash value.
  • A hash algorithm is a one-way algorithm, which
    means a message can produce a hash but a hash
    cannot produce the original message.
  • It is analogous to dropping a plate on the floor.
  • The plate can produce many pieces, but the pieces
    cannot be recombined to reproduce the original
    plate.

25
Hashing
  • At the remote end, there is a two-step process.
  • First, the received message and shared secret key
    are sent through the hash algorithm, resulting in
    a re-calculated hash value.
  • Second, the receiver compares the re-calculated
    hash with the hash that was attached to the
    message.
  • If the original hash and re-calculated hash
    match, the integrity of the message is
    guaranteed.
  • If any of the original message is changed while
    in transit, the hash values are different.

26
Hashing
  • There are two common hashing algorithms:
  • HMAC-MD5: Uses a 128-bit shared secret key.
  • The variable length message and 128-bit shared
    secret key are combined and run through the
    HMAC-MD5 hash algorithm.
  • The output is a 128-bit hash.
  • The hash is appended to the original message and
    forwarded to the remote end.
  • HMAC-SHA-1: Uses a 160-bit secret key.
  • The variable length message and the 160-bit
    shared secret key are combined and run through
    the HMAC-SHA-1 hash algorithm.
  • The output is a 160-bit hash.
  • The hash is appended to the original message and
    forwarded to the remote end.
  • HMAC-SHA-1 is considered cryptographically
    stronger than HMAC-MD5.
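
The local-end and remote-end steps from slides 24-26, as an added example that is not part of the original slides. The keys and message are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

# The two algorithms named on the slide.
ALGS = {"HMAC-MD5": hashlib.md5, "HMAC-SHA-1": hashlib.sha1}

def protect(alg, key, message):
    """Local end: compute the keyed hash and append it to the message."""
    return message + hmac.new(key, message, ALGS[alg]).digest()

def check(alg, key, packet):
    """Remote end: split off the attached hash, recalculate, compare.
    Returns the message if the hashes match, otherwise None."""
    size = ALGS[alg]().digest_size
    if len(packet) < size:
        return None                           # too short to carry a hash
    message, attached = packet[:-size], packet[-size:]
    recalculated = hmac.new(key, message, ALGS[alg]).digest()
    # compare_digest takes the same time wherever the first mismatch is,
    # so response timing does not reveal how much of a hash was correct.
    if hmac.compare_digest(attached, recalculated):
        return message
    return None

def demo():
    key_md5 = bytes(range(16))                # constructed 128-bit key
    key_sha = bytes(range(20))                # constructed 160-bit key
    msg = b"constructed payload: transfer 100 to account 42"
    results = {}
    for alg, key in (("HMAC-MD5", key_md5), ("HMAC-SHA-1", key_sha)):
        packet = protect(alg, key, msg)
        tampered = packet.replace(b"100", b"900")   # changed in transit
        wrong_key = check(alg, b"\x00" * len(key), packet)
        results[alg] = (len(packet) - len(msg),     # hash size in bytes
                        check(alg, key, packet),    # intact packet
                        check(alg, key, tampered),  # modified packet
                        wrong_key)                  # receiver lacks the key
    return results
```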

27
(No Transcript)
28
IPSec
  • RFC 2401 describes the general framework for this
    architecture.
  • Like all security mechanisms, RFC 2401 helps to
    enforce a security policy.
  • The policy defines the need for security on
    various connections.
  • These connections will be IP sessions.
  • The framework provides:
  • data integrity
  • data authentication
  • data confidentiality
  • security association
  • key management.

29
IPSec: Authentication Header
  • The IP Authentication Header (AH) is used to
    provide connectionless integrity and data origin
    authentication for IP datagrams, and to provide
    protection against replays.
  • Replay protection is an optional service that may
    be selected by the receiver when a security
    association is established.
  • Although the default calls for the sender to
    increment the sequence number used for
    anti-replay, the service is effective only if the
    receiver checks the sequence number.
  • AH provides authentication for as much of the IP
    header as possible, as well as for upper level
    protocol data.
  • However, some IP header fields may change in
    transit.
  • When the packet arrives at the receiver, the
    value of these IP header fields may not be
    predictable by the sender.
  • The values of such fields cannot be protected by
    AH.
  • AH does not provide complete protection to the IP
    header.

30
IPSec: Authentication Header
  • AH may be applied alone, in combination with the
    IP ESP, or in a nested fashion through the use of
    tunnel mode.
  • Security services can be provided between a pair
    of communicating hosts, between a pair of
    communicating security gateways, or between a
    security gateway and a host.
  • ESP may be used to provide the same security
    services, and it also provides a confidentiality
    (encryption) service.
  • The primary difference between the authentication
    services provided by ESP and AH is the extent of
    the coverage.
  • Specifically, ESP does not protect any IP header
    fields unless those fields are encapsulated by
    ESP (tunnel mode).

31
IPSec: Encapsulating Security Payload
  • The ESP header is inserted after the IP header,
    and before the upper layer protocol header in
    transport mode or before an encapsulated IP
    header in tunnel mode.
  • ESP is used to provide the following services:
  • Confidentiality
  • Data origin authentication
  • Connectionless integrity
  • Anti-replay service, a form of partial sequence
    integrity
  • Limited traffic flow confidentiality, by
    defeating traffic flow analysis

32
IPSec: Encapsulating Security Payload
  • The set of services provided depends on options
    selected at the time of security association
    establishment and on the placement of the
    implementation.
  • Confidentiality may be selected independently of
    all other services.
  • However, use of confidentiality without
    integrity/authentication, either in ESP or
    separately in AH, may make certain traffic
    vulnerable to certain forms of active attacks
    that could undermine the confidentiality service.

33
IPSec: Encapsulating Security Payload
  • Data origin authentication and connectionless
    integrity are joint services and are offered as
    an option in conjunction with optional
    confidentiality.
  • The anti-replay service may be selected only if
    data origin authentication is selected, and its
    election is solely at the discretion of the
    receiver.
  • Although the default calls for the sender to
    increment the sequence number used for
    anti-replay, the service is effective only if the
    receiver checks the sequence number.
  • Traffic flow confidentiality requires selection
    of tunnel mode.
  • Traffic flow confidentiality is most effective if
    implemented at a security gateway, where traffic
    congestion may be able to mask true
    source-destination patterns.
  • Although both confidentiality and authentication
    are optional, at least one of them must be
    selected.
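
Why anti-replay works only if the receiver checks the sequence number (slides 29 and 33), shown as an added example that is not part of the original slides. The 64-packet window, the class and the packet trace are assumptions constructed for the demo.

```python
class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""
    WINDOW = 64   # assumed window size; not a value from the slides

    def __init__(self):
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) was already seen

    def check(self, seq):
        """True if seq is new and not older than the window."""
        if seq == 0:
            return False                       # senders start counting at 1
        if seq > self.highest:
            return True                        # ahead of the window
        offset = self.highest - seq
        if offset >= self.WINDOW:
            return False                       # too old to track
        return not ((self.bitmap >> offset) & 1)   # False for a duplicate

    def update(self, seq):
        """Record seq; call only after the packet's hash has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.WINDOW) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq, authenticated):
        # An unauthenticated packet never moves the window, so a forged
        # high sequence number cannot lock out genuine traffic.
        if not self.check(seq) or not authenticated:
            return False
        self.update(seq)
        return True

def run(trace):
    """Feed (sequence number, hash verified?) pairs to one window."""
    window = ReplayWindow()
    return [window.accept(seq, auth) for seq, auth in trace]

# Constructed trace: in-order, duplicate, reordered, forged, stale.
TRACE = [(1, True), (2, True), (2, True), (5, True), (3, True), (3, True),
         (200, False), (100, True), (30, True), (36, True), (37, True)]
```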

34
Tunnel versus transport mode
  • ESP and AH can be applied to IP packets in two
    different ways, which are referred to as modes.
  • Tunnel mode provides security for the whole
    original IP packet.
  • The original IP packet is encrypted.
  • Next, the encrypted packet is encapsulated in
    another IP packet.
  • The outside IP address is used to route the
    packet through the Internet.

35
Security association
36
Security association
  • Security associations (SAs) are one of the most
    basic concepts of IPSec.
  • They represent a policy contract between two
    peers or hosts, and describe how the peers will
    use IPSec security services to protect network
    traffic.
  • SAs contain all the security parameters needed to
    securely transport packets between the peers or
    hosts, and define the security policy used in
    IPSec.

37
Security association
  • The routers in the picture use IPSec to protect
    traffic between hosts A and B.
  • The routers need two SAs that describe traffic
    protection in both directions.
  • Establishment of SAs is a prerequisite for IPSec
    traffic protection to work.
  • When relevant SAs are established, IPSec refers
    to them for all parameters needed to protect a
    particular traffic flow.
  • An SA might enforce the following policy with
    this terminology: "For traffic between hosts A
    and B, use ESP 3DES with keys K1, K2 and K3 for
    payload encryption, SHA-1 with K4 for
    authentication."

38
Security association
  • SAs always contain one-way, or unidirectional,
    specifications.
  • SAs are also encapsulation protocol specific.
  • There is a separate SA for each encapsulation
    protocol, AH and ESP, for a given traffic flow.
  • If two hosts A and B are communicating securely
    using both AH and ESP, then each host builds
    separate SAs, inbound and outbound, for each
    protocol.
  • VPN devices store all their active SAs in a local
    database called the SA database (SADB).

39
Security association
  • An SA contains the following security parameters:
  • Authentication/encryption algorithm, key length
    and other encryption parameters such as key
    lifetime used with protected packets
  • Session keys for authentication (HMACs) and
    encryption fed to the above algorithms
  • A specification of network traffic to which the
    SA will be applied, for example all IP traffic,
    only TELNET sessions, and so on
  • IPSec encapsulation protocol (AH or ESP) and mode
    (either tunnel or transport)
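
A minimal SA database built from the parameters listed on slides 36-39, as an added example that is not part of the original slides. The SPI index used for inbound lookup is not mentioned in the slides; it, the addresses, the lifetimes and all names are assumptions constructed for the demo.

```python
from dataclasses import dataclass

ANY = None  # wildcard in a traffic selector

@dataclass(frozen=True)
class SA:
    spi: int           # index carried in each packet (constructed values)
    src: str           # SAs are one-way: src -> dst only
    dst: str
    protocol: str      # "AH" or "ESP"; each protocol gets its own SA
    mode: str          # "tunnel" or "transport"
    transforms: str    # algorithms the session keys are fed to
    ip_proto: object   # selector: "tcp", "udp", ... or ANY
    dst_port: object   # selector: port number or ANY
    expires_at: float  # key lifetime as an absolute time in seconds

    def covers(self, src, dst, ip_proto, dst_port):
        return ((self.src, self.dst) == (src, dst)
                and self.ip_proto in (ANY, ip_proto)
                and self.dst_port in (ANY, dst_port))

class SADB:
    def __init__(self):
        self._sas = []

    def add(self, sa):
        self._sas.append(sa)

    def outbound(self, src, dst, ip_proto, dst_port, now):
        """SAs to apply to a packet about to be sent (may be AH and ESP)."""
        return [sa for sa in self._sas
                if sa.covers(src, dst, ip_proto, dst_port)
                and now < sa.expires_at]

    def inbound(self, dst, protocol, spi, now):
        """The single SA a received AH or ESP packet is checked against."""
        for sa in self._sas:
            if ((sa.dst, sa.protocol, sa.spi) == (dst, protocol, spi)
                    and now < sa.expires_at):
                return sa
        return None

    def purge(self, now):
        """Delete timed-out SAs; returns how many were removed."""
        before = len(self._sas)
        self._sas = [sa for sa in self._sas if now < sa.expires_at]
        return before - len(self._sas)

def build_host_a_sadb():
    """Host A's SADB for TELNET to host B, protected by both AH and ESP."""
    a, b = "192.0.2.1", "192.0.2.2"   # constructed documentation addresses
    esp, ah = "3DES + HMAC-SHA-1", "HMAC-SHA-1"
    db = SADB()
    db.add(SA(0x1001, a, b, "ESP", "transport", esp, "tcp", 23, 3600))
    db.add(SA(0x1002, a, b, "AH", "transport", ah, "tcp", 23, 3600))
    db.add(SA(0x2001, b, a, "ESP", "transport", esp, "tcp", ANY, 3600))
    db.add(SA(0x2002, b, a, "AH", "transport", ah, "tcp", ANY, 1800))
    return db, a, b
```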

40
Five steps to IPSec
  • The goal of IPSec is to protect the desired data
    with the needed security and algorithms.
  • The IPSec process can be broken down into five
    primary steps.

41
Five steps to IPSec
  • Step 1
  • Interesting traffic initiates the IPSec process.
  • Traffic is deemed interesting when the VPN device
    recognizes that the data needs to be protected.
  • Step 2
  • IKE Phase 1 authenticates IPSec peers and
    negotiates IKE SAs during this phase.
  • This creates a secure communications channel for
    negotiating IPSec SAs in Phase 2.

42
Five steps to IPSec
  • Step 3
  • IKE Phase 2 negotiates IPSec SA parameters and
    creates matching IPSec SAs in the peers.
  • These security parameters are used to protect
    data and messages exchanged between endpoints.
  • Step 4
  • Data transfer occurs between IPSec peers based on
    the IPSec parameters and keys stored in the SA
    database.
  • Step 5
  • IPSec tunnel termination occurs when SAs are
    deleted or time out.

43
How IPSec uses IKE
44
How IPSec uses IKE
  • Internet Key Exchange (IKE) enhances IPSec by
    providing additional features, flexibility, and
    ease of configuration for the IPSec standard.
  • IKE is a hybrid protocol that implements the
    Oakley key exchange and SKEME key exchange inside
    the Internet Security Association and Key
    Management Protocol (ISAKMP) framework.
  • ISAKMP, Oakley, and SKEME are security protocols
    implemented by IKE.
  • IKE provides authentication of the IPSec peers,
    negotiates IPSec keys, and negotiates IPSec
    security associations.

45
How IPSec uses IKE
  • The IKE tunnel protects the SA negotiations.
  • After the SAs are in place, IPSec protects the
    data that A and B exchange.
  • IKE Mode configuration allows a gateway to
    download an IP address (and other network-level
    configuration) to the client as part of an IKE
    negotiation.
  • Using this exchange, the gateway gives IP
    addresses to the IKE client to be used as an
    inner IP address encapsulated under IPSec.
  • This provides a known IP address for the client,
    which can be matched against IPSec policy.

46
How IPSec uses IKE
  • This feature implements IKE Mode Configuration
    into existing Cisco IOS IPSec software images.
  • Using IKE Mode Configuration, a Cisco access
    server can be configured to download an IP
    address to a client as part of an IKE
    transaction.
  • IKE automatically negotiates IPSec SAs and
    enables IPSec secure communications without
    costly manual preconfiguration.

47
How IPSec uses IKE
  • IKE provides these benefits:
  • Eliminates the need to manually specify all the
    IPSec security parameters in the crypto maps at
    both peers.
  • Allows the user to specify a lifetime for the
    IPSec security association.
  • Allows encryption keys to change during IPSec
    sessions.
  • Allows IPSec to provide anti-replay services.
  • Permits certification authority (CA) support for
    a manageable, scalable IPSec implementation.
  • Allows dynamic authentication of peers.

48
How IPSec uses IKE
  • The component technologies implemented for use by
    IKE include the following:
  • The Data Encryption Standard (DES) is used to
    encrypt packet data. IKE implements the 56-bit
    DES-CBC with Explicit IV standard.
  • 3DES: 168-bit encryption.
  • Cipher Block Chaining (CBC) requires an
    initialization vector (IV) to start encryption.
    The IV is explicitly given in the IPSec packet.
  • Diffie-Hellman is a public-key cryptography
    protocol that allows two parties to establish a
    shared secret over an unsecured communications
    channel. Diffie-Hellman is used within IKE to
    establish session keys. Diffie-Hellman 768-bit
    and 1024-bit groups are supported.
  • Message Digest 5 (MD5), HMAC variant, is a hash
    algorithm used to authenticate packet data. HMAC
    is a variant that provides an additional level of
    hashing.
  • Secure Hash Algorithm (SHA), HMAC variant, is a
    hash algorithm used to authenticate packet data.
    HMAC is a variant that provides an additional
    level of hashing.
  • RSA signatures and RSA encrypted uniquely
    occurring numbers (nonces): RSA is the public key
    cryptographic system developed by Ron Rivest, Adi
    Shamir, and Leonard Adleman. RSA signatures
    provide non-repudiation while RSA are encrypted
    nonces.

49
How IPSec uses IKE
  • The IKE protocol uses X.509v3 certificates when
    authentication requires public keys.
  • This certificate support allows the protected
    network to scale by providing the equivalent of a
    digital ID card to each device.
  • When two devices wish to communicate, they
    exchange digital certificates to prove their
    identity.
  • This removes the need to exchange public keys
    manually with each peer, or to specify a shared
    key manually at each peer.