Internet Key Exchange (IKE) protocol vulnerability risks - PowerPoint PPT Presentation

About This Presentation
Title:

Internet Key Exchange (IKE) protocol vulnerability risks

Description:

New types of uses for the Internet are emerging and amount of IP traffic is ... IPsec: KAME. IKE: racoon. Software of the Attacker's host ... – PowerPoint PPT presentation

Number of Views:541
Avg rating:3.0/5.0
Slides: 20
Provided by: muit
Category:

less

Transcript and Presenter's Notes

Title: Internet Key Exchange (IKE) protocol vulnerability risks


1
Internet Key Exchange (IKE) protocol
vulnerability risks
  • Master's thesis seminar 18.5.2004
  • HUT, Networking Laboratory
  • Composed by Ari Muittari at Nokia Networks
  • Supervisor Prof. Raimo Kantola
  • Instructor M.Sc. Jussi Kohonen

2
Contents
  • Background
  • Research methods
  • Network security concepts
  • IPsec and IKE protocols
  • Experimental part
  • Conclusions

3
Background
  • New types of uses for the Internet are emerging
    and amount of IP traffic is growing an ever
    increasing amount of attacks can be expected
  • Lack of security is a major hindrance to the
    widespread use of the Internet
  • IPsec (and IKE as its key exchange protocol)
    promises network level IP security
  • Attacking on IKE is presumably difficult because
    it has been designed to be robust
  • Few studies analyze the weaknesses of IKE
  • A couple of experimental attack programs are
    available (in contrast to the tool arsenal
    targeted to TCP/IP)
  • Research problem Is it feasible to successfully
    attack IKE protocol?

4
Research methods
  • Modeling network security concepts
  • Reviewing the cryptography used, IPsec and IKE
    protocol
  • Analyzing the papers written of IKE weaknesses
  • Analyzing the existing IKE attack programs
  • Applying selected theoretical attack scenarios
    into practise by implementing them into attack
    programs
  • Experimenting these attacks in a test environment

5
Network security concepts 1(2)
  • Green circle Security is retained inspite of the
    mounted attacks
  • Red circle Security threats are realized by
    successful attacks
  • Attacker tries to adversely affect the
    information flow
  • A basic model for network security concepts
    constructed
  • Helps to form a general view of the related
    concepts and their relations

6
Network security concepts 2(2)
  • Cryptographic methods are the building blocks of
    IPSec and IKE
  • Secret and Public key encryption
  • Provides confidentiality
  • Digital signature and hash functions, MAC
    (Message Authentication Code)
  • Provides integrity
  • Random numbers
  • Add unpredictability to cryptographic algorithms
    and protocols
  • Used for example for creating keys, nonces and
    cookies
  • Diffie-Hellman key exchange protocol
  • Two parties agree over an insecure channel on a
    shared secret
  • Shared secret is used to protect the following
    traffic

7
IPsec and IKE protocols 1(2)
  • Internal structure of IPsec protocol suite
  • AH Authentication Header
  • API Application Programming Interface
  • DOI Domain of Interpretation
  • ESP Encapsulated Security Payload
  • ISAKMP Internet Security Association
  • and Key Management Protocol
  • Oakley Key Exchange Protocol
  • SA Security Association
  • SAD Security Association Database
  • SKEME Secure Key Exchange Mechanism
  • SPD Security Policy Database

8
IPsec and IKE protocols 2(2)
  • IKE SA and IPsec SA establisment
  • Main mode

Aggressive mode
HDR ISAKMP Header, HDR Payloads are
encrypted SA Security Association payload KE
Key Exchange payload (Diffie-Hellman public
value) Ni, Nr Nonce payload (of Initiator,
Responder) IDii, Idir Identification
payload HASH_I, HASH_R Hash payload (of
Initiator, Responder)
9
Experimental part 1(6)
  • Test network
  • Three hosts in a LAN (Local Area Network) running
    FreeBSD OS (operating system)
  • Hosts are operated via a switch matrix
  • Software of the IPsec hosts
  • IPsec KAME
  • IKE racoon
  • Software of the Attackers host
  • ettercap for enabling Man-in-the-middle (MITM)
    attacks by using ARP tables poisoning technique
  • ike-scan for discovering IKE services
  • ikeprobe for IKE packet fabrication
  • ikecrack for pre-shared key cracking
  • Installation of OS and software
  • Configuration of IPsec policies

10
Experimental part 2(6)
  • Attacks on IKE are diverse
  • Exploit weaknesses of a protocol or an
    implementation by applying various techniques
  • Active or passive, specific to an exchange (main
    or aggressive mode) or parameters used
  • Differ in terms of required effort and level of
    difficulty to implement and mount
  • The implications induced by an attack vary as do
    the benefits the attacker is able to gain
  • Categorization of demonstrated attacks
  • Discovery of IKE service
  • Denial-of-Service (DoS) attacks
  • Authentication attacks

11
Experimental part 3(6)
  • Discovery of IKE service
  • If the attacker knows a specific IPsec
    implementation on the network, he can focus his
    effort on its known vulnerabilities
  • As IKE runs over UDP protocol, it needs a
    retransmission strategy
  • Time to wait before resending the packet
  • Time to wait (delay) between subsequent packets
  • Count of packets to be resent before giving up
  • IPsec implementations tend to have an individual
    IKE retransmission strategy which forms a kind of
    pattern (fingerprint)
  • ike-scan discovers and identifies IPsec
    implementations
  • A publicly available C program
  • Sends an initial main mode packet to the
    specified hosts
  • Collects timing information from responses
  • Matches that information against a database of
    the known implementations patterns
  • Concludes the IPsec/IKE implementation (vendor)

12
Experimental part 4(6)
  • Denial-of-Service (DoS) attacks
  • The attackers aim is to disable the Responder by
    exploiting IKE protocol or implementation flaws
  • Force Responder to spend computing or memory
    resources
  • Force Responder to crash or jam by sending a
    malformed packet
  • ikeprobe.pl, IKE packet fabrication tool
  • Largely rewritten and enhanced from the
    IKEProber.pl
  • Aggressive and main mode packet flooding
  • Initiates an IKE negotiation without trying to
    complete it
  • DoS protection means of IKE
  • Cookies (IKE fails to protect against even simple
    DoS attacks)
  • Discarding of malformed packets
  • Limited logging of abnormal events

13
Experimental part 5(6)
  • DoS attacks classified according to a
    mechanism they effect on the IKE service

14
Experimental part 6(6)
  • Authentication attacks
  • Cracking a weak pre-shared key
  • ikecrack.pl, IKE message parser and pre-shared
    key cracking tool
  • Largely rewritten and enhanced from the
    ikecrack-snarf-1.00.pl
  • The attacker captures the exchange by tcpdump
    nxq s 600 gt file
  • ikecrack parses the capture file, computes needed
    keying material and MAC values and starts
    dictionary, hybrid and brute-force cracking
  • In aggressive mode only a capture of an exchange
    needed
  • In main mode also a MITM attack needed to forge a
    DH public key by using an ettercap plug-in
    program developed
  • Use of degenerated DH public keys
  • racoon accepts degenerated DH public keys and
    thus allows revealing of DH shared secret
    (implementation flaw)

15
Conclusions
  • IKE is a complex protocol. Security suffers from
    complexity
  • Attacking on IKE is feasible, although not
    trivial
  • Serious vulnerabilities demonstrated in various
    areas, including
  • Denial-of-Service
  • Resources can be exhausted (computing, memory and
    disk)
  • Implementation flaws (crashes and endless loops)
  • Authentication
  • Cracking a pre-shared key (aggressive and main
    mode)
  • MITM attacks on DH
  • It is only a matter of time when there are
    advanced attack tools available
  • IKE will probably remain in use for years (IKEv2
    is an Internet-draft)
  • Still, IPsec is the current best practice in IP
    security
  • Realize the weaknesses and enforce respective
    countermeasures
  • Focus on security testing (traditionally
    inter-operation testing)
  • Further research
  • Test other IPsec implementations
  • Verify the robustness of the forthcoming IKEv2
  • Develop a security testing tool suite (move from
    Perl to C)

16
Additional material 1(4)
  • An example of a DoS attack which floods responder
    with expensive modular exponentiation
    computations in aggressive mode
  • perl ikeprobe.pl d 10.0.0.2 s 1112 ip
    10.0.0.3 k user 99 n user 77 c 30000 wait b
    8
  • racoon uses all the available processing capacity
    (95 CPU usage)
  • Disk storage is exhausted at the rate of 10
    Mbytes/hour
  • Virtual memory is exhausted at the rate of 30
    Mbytes/hour (the memory remains
    reserved until racoon has been killed)

17
Additional material 2(4)
  • An example of a MITM attack (cracking a
    pre-shared key in main mode)
  • To decrypt the HASH_I the MITM has to know the
    encryption key which is derived from DH shared
    secret
  • MITM forges Responders DH public key gy to a
    value of which DH private key y he knows, and can
    compute DH shared secret (gx)y
  • g is defined to be 2, so if gy 2 then y 1 and
    DH shared secret is (gx)y gx
  • Main mode exchange and a respective ettercap
    snapshot

18
Additional material 3(4)
  • Diffie Hellman (DH) Key Exchange protocol

19
Additional material 4(4)
  • RFC 2409 The Internet Key Exchange (IKE)
  • IKE keying material and MACs in a pre-shared key
    authentication
Write a Comment
User Comments (0)
About PowerShow.com