Internet Security CSCE 813 IPsec

1
Internet Security CSCE 813IPsec
2
Reading

• Today IPSec Chapters 4, 5, 6
• Next ClassIPSec Chapter 7

3
Benefits of IPSec

• When implemented in a firewall or router, IPSec
  provides strong security to ALL TRAFFIC crossing
  the perimeter. Traffic within the perimeter does
  not incur security overhead.
• Cannot be bypassed (if all traffic must go
  through the firewall implementing IPSec)
• Transparent to applications
• Transparent to end users

4
IP Security Architecture
RFC 2401 Overview of Security Architecture RFC
2402 Desc. Of packet authentication extension to
IPv4 and IPv6 RFC 2406 Desc. Of packet
encryption extension to IPv4 and IPv6 RFC 2408
Specification of key management capabilities
5
IPSec Document OverviewRFC 2401
6
IPSec Services
7
Security Association

• One-way relationship
• Identified by
• Security parameters indes (SPI)
• IP destination address
• Security protocol identifier
• Security Association Database
• SA parameters sequence number counter, sequence
  number overflow, anti-replay window, AH
  information, ESP information, lifetime of SA,
  IPSec protocol mode, path MTU
• Security Policy Database
• SA selectors destination IP address, source IP
  address, UserID, Data Sensitivity Level,
  transport layer protocol, source and destination
  port

8
Modes
9
Encapsulating Security Payload(ESP)
10
ESP

• Confidentiality Encryptor
• Integrity Authenticator
• Algorithm is determined by the Security
  Association (SA)
• Each ESP has at most
• One cipher and one authenticator or
• One cipher and zero authenticator or
• Zero cipher and one authenticator or
• Disallowed zero cipher and zero authenticator or

11
ESP Protected IP packet
encrypted
Protected data
ESP Trailer
ESP header
IP header
authenticated

• ESP goals
• Authenticate as much information as possible
• Allow efficient processing

12
ESP Format
IV
Payload data
Authenticity protected
Confidentiality protected
padding
Next header
Pad length
padding
13
ESP Header

• SPI
• Combined with the destination address and
  protocol in the preceding IP header identifies
  the SA
• Authenticated but not encrypted
• Sequence number
• Used for anti-replay
• Monotonically increasing number
• Authenticated but not encrypted

14
Payload Data Field

• Data to be protected
• Length depends on the length of data to be
  protected
• Contains
• Initialization Vector (IV)
• Protected Data
• Pad
• Pad Length
• Next Header

15
Initialization Vector

• Specific algorithm must define location of IV
• DES-CBC location first 8 octets of protected data
  field
• Authenticated but not encrypted

16
Padding

• Needed for encryption (input data multiple of
  block size)
• Hide actual data length
• Padding values
• Algorithm may specify
• ESP default values start with 1 and
  monotonically increases
• Used for checking proper decryption by recipient

17
Padding

• Padding Length
• Needed for restoring actual length of payload
  data
• Mandatory (even if there is no padding)
• Additional padding maybe added to provide traffic
  flow confidentiality
• Next header
• Defines that type of protected data
• Transport mode type of upper-level protocol
  (e.g., TCP 6)
• Tunnel mode 4 (IP-in-IP)

18
Authentication Data Field

• Used for data integrity check
• Usually keyed hash function
• Length depends on the authentication algorithm
  defined in SA
• If no authenticator is specified there is no
  authentication data

19
ESP Processing

• Depends on mode in which ESP is employed
• Both modes
• Cipher is authenticated
• Authenticated plain text is not encrypted
• Outbound encryption happens first
• Inbound authentication happens first

20
Protected Data

• Depends on the mode of ESP
• Transport mode Upper-layer protocol packet
• Tunnel mode entire IP packet is protected

21
Scope of ESP Encryption and Authentication
Transport mode
Authenticate
Encrypt
IPv4
Tunnel mode
Authenticate
Encrypt
22
Outbound Processing

• ESP header inserted into the outgoing IP packet
• Protocol field of IP header copied into Next
  header field of ESP
• Remaining fields of ESP filled (SPI, sequence
  number, pad, pad length)
• Protocol number of IP header is given the value
  ESP (50)
• Encrypt packet from the beginning of payload data
  to the next header field
• Authenticate packet form the ESP header, through
  the encrypted ciphertext to the ESP trailer and
  insert authentication data into ESP trailer
• Packet is routed to the destination

23
Inbound Processing

• Check for SA of the packet
• If no SA ? drop packet
• Otherwise use valid SA to process the packet
• Check sequence number
• Invalid number ? drop packet
• Authenticate cipher text
• Entire packet (without the authentication data)
  is processed by the authenticator
• Match generated data with authentication data
• No match ? drop packet

24
Inbound Processing

• Decrypt ESP packet (from beginning on payload to
  the next header field)
• Check pad integrity
• Validate ESP mode using Next header field and
  decrypted payload

25
Authentication Header
26
Authentication Header (AH)

• Does NOT provide confidentiality
• Provides
• Data origin authentication
• Connectionless data integrity
• Prevents spoofing attack
• May provide
• Non-repudiation (depends on cryptographic alg.)
• Anti-replay protection
• Precision of authentication granularity of SA
• Protocol number 51

27
AH Header
Reserved
Payload length
Next header
32 bit
28
Authentication Data

• AH protects outer IP header (unlike ESP)
• Computed by using
• Authentication algorithm (MD5, SHA-1)
• Cryptographic key (secret key)
• Sender computes authentication data
• Recipient verifies data

29
Scope of Authentication
Transport Mode
Authenticates except for mutable fields
IPv4
Tunnel Mode
Authenticates except for mutable fields in NEW IP
hdr
IPv4
30
Integrity Check Values

• Message Authentication Code is Calculated from
• IP header fields that either do not change in
  transit or are predictable upon arrival Fields
  that change and cannot be predicted are set to
  zero for the MAC calculation
• AH header -- other than the authentication data
  field
• Entire upper level protocol data
• Note both source and destination address fields
  are protected

31
Combining Security Associations
32
SA Bundle

• Individual SA either AH or ESP but NOT BOTH
• Some traffic flow needs both HOW?
• Some traffic between host and security gateway
  requires different services than flow between
  security gateways HOW?
• Security Association Bundle
• sequence of SAs through which traffic must be
  processed to provide a desired set of IPSec
  services
• SAs within a bundle may terminate at different
  end points

33
SA Combinations

• Transport adjacency
• Applying more than one security protocol to the
  same IP packet without invoking tunneling.
• Allows 1 level of combination (all IPSec
  processing are performed at one IPSec instance)
• Iterated tunnelingL
• Multiple layers of security protocols efected
  through IP tunneling
• Multiple levels of nesting (each tunnel may
  originate and terminate at different IPSec site)
• Combination of the two approaches above.

34
Next Class Key ManagementISAKMPExchanges