IKE Tutorial
Agenda
• Cryptography Basics
• IPSEC
• IKE
• IKE Hybrid Mode
Cryptography - Basics
• Cryptography is used for
  • Confidentiality
  • Integrity
  • Authentication (signature)
• 2 categories
  • Symmetric cryptography
  • Asymmetric cryptography
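Symmetric Cryptography
• The same key performs both encryption and decryption
[Figure: the plaintext "Hi Bob !" is encrypted to ciphertext and decrypted back to "Hi Bob !" with the same key, between ALICE and BOB]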
Symmetric Cryptography
• Symmetric encryption algorithms:
  • DES, 3DES
  • RC2, RC4, RC5
  • IDEA
  • Blowfish
  • CAST
  • FWZ-1
Symmetric Cryptography
• Advantages:
  • Fast
  • Reliable (depends on the key length)
• Disadvantages:
  • The key must remain secret
  • Key management
    • Large number of people / sites
    • Key changes
Asymmetric Cryptography
• 2 keys
  • 1 public
  • 1 private
  • Both are linked together
• Algorithms:
  • RSA (Rivest Shamir Adleman)
  • Diffie-Hellman
[Figure: the private key is confidential; the public key is published]
Asymmetric Cryptography (RSA)
• Confidentiality: encryption with the receiver’s public key, decryption with the receiver’s private key
• Authentication: encryption with the sender’s private key, decryption with the sender’s public key
Asymmetric Cryptography
• Ex.: confidentiality with RSA
[Figure: "Hi Bob !" is encrypted with Bob’s public key into ciphertext and decrypted with Bob’s private key back to "Hi Bob !", between ALICE and BOB]
Asymmetric Cryptography: DH
[Figure: ALICE and BOB each hold a DH private key and exchange their DH public keys (Alice’s DH public key, Bob’s DH public key); both arrive at the same DH secret key]
Asymmetric Cryptography
• Advantages:
  • No need to distribute secret keys
• Disadvantages:
  • Slow (100 to 1000 times slower than symmetric cryptography)
Agenda
• Cryptography Basics
• IPSEC
• IKE
• IKE Hybrid Mode
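IPSEC
• Tunnel mode:
  • AH (ip protocol 33 in hexadecimal, i.e. 51 decimal)
  • ESP (ip protocol 32 in hexadecimal, i.e. 50 decimal)
[Figure: tunnel-mode packet layouts. AH: New IP Header, AH Header, Original IP Header, covered by Authentication / Integrity. ESP: New IP Header, ESP Header, Original IP Header, with an Encrypted portion and Authentication / Integrity coverage.]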
Agenda
• Cryptography Basics
• IPSEC
• IKE
• IKE Hybrid Mode
IKE Tutorial
• Before we begin, one necessary term: HMAC is an “authenticated” hash computation. It is a method to digitally sign data without using public key cryptography.
  HMAC(key, data) = HASH(mix(key, data))
IKE Tutorial
• Basic concept in IKE: Security Association (SA).
• An SA contains all information necessary for two entities to exchange secured messages.
• Each SA has an identifier, sometimes called an SPI.
• Example SA:
    SPI: 12345
    Encryption algorithm: DES
    HMAC algorithm: MD5
    Encryption key: 0x65f3dde…
    HMAC key: 0xa3b443d9…
    Expiry: 15:06:09 13Oct98
IKE Tutorial
• In IP security, there are two types of SAs:
  • IKE SA: used for securing key negotiations.
  • IPSEC SA: used for securing IP data.
• When two IP entities wish to secure IP data between them, the following will occur:
  • Negotiate IKE SA.
  • Use IKE SA to negotiate IPSEC SA.
  • Use IPSEC SA to encrypt IP data.
• The IKE SA is long term. It will typically be used to secure many IPSEC SA negotiations.
IKE Tutorial
• The negotiation of IKE SAs is called “Phase 1”.
• Phase 1 is authenticated using either PKI, or pre-shared secrets.
• There are two types of Phase 1 negotiations: “Main Mode” and “Aggressive Mode”.
• Aggressive Mode is more efficient (shorter negotiation), but does not provide identity protection.
• Negotiating IPSEC SAs is called “Phase 2”.
• There is only one type of Phase 2 negotiation, called “Quick Mode”.
IKE Tutorial - Phase 1: First Message Pair
• Phase 1, Main Mode consists of three pairs of messages. Remember: goal is to establish an IKE SA.
• First pair: negotiation of parameters for the IKE SA: algorithms, authentication type, expiry. Simplified example:
    Alice → Bob: “We can do 3DES and SHA1, or DES and MD5”
    Bob → Alice: “Let’s do 3DES and SHA1”
IKE Tutorial - Phase 1: Second Message Pair
• Second pair: exchange of cryptographic data. Goal is to establish a shared secret between two entities:
    Alice → Bob: “Here’s a DH public key, and some random data”
    Bob → Alice: “Here’s a DH public key, and some random data”
    Alice and Bob both compute a shared secret which is a function of the DH keys and the random data.
• Note: the DH key is used only for this exchange, and then thrown away.
IKE Tutorial - Phase 1
• Some notes before the third pair of messages:
  • Alice and Bob now have a shared secret, and they can use it to encrypt the third pair of messages.
  • First and second pairs do not provide any authentication. Alice and Bob could be masquerading, or Eve could be attacking using the “man-in-the-middle” technique.
  • Furthermore, Alice and Bob do not know who they are negotiating with. All they know is an IP address from which the messages are arriving.
IKE Tutorial - Phase 1: Third Message Pair
• Third pair of messages is encrypted. The goal is to exchange identities, prove the identities, and retroactively authenticate all the previous messages. The authentication can be based on either pre-shared secrets, or on PKI. Example:
    Alice: I’m alice@wonderland.com. Here’s an HMAC over all the data we exchanged, using our pre-shared secret.
    Bob: I’m 204.53.10.4. Here’s an HMAC over all the data we exchanged, using our pre-shared secret.
IKE Tutorial - Phase 1
• Some remarks:
  • How does this work with PKI? Addressed in PKI presentation.
  • Identity types include X.500 Distinguished Names, E-mail addresses, IP addresses and more.
  • Result of negotiation is a single, bi-directional IKE SA.
  • Authentication with pre-shared secrets allows dictionary attacks on the pre-shared secret.
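The three Phase 1 message pairs above, as a simplified Python example added here (not part of the original slides, and not the RFC 2409 key derivation). It shows why the third pair's HMAC over the whole exchange matters: a DH value altered in transit, or a mismatched pre-shared secret, makes the proofs fail. The toy DH group, HMAC-SHA1, and the names `mac`, `Peer`, `phase1` and `tamper` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group (assumption for illustration): 2**127 - 1 is prime but far too small for real use.
P, G = 2**127 - 1, 3

def mac(key, *parts):
    """HMAC-SHA1 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha1)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

class Peer:
    def __init__(self, identity, psk):
        self.identity, self.psk = identity, psk
        self.priv = secrets.randbelow(P - 3) + 2           # ephemeral DH private key
        self.pub = pow(G, self.priv, P).to_bytes(16, "big")
        self.nonce = secrets.token_bytes(16)               # the "random data"
        self.seen = []                                     # messages as this peer saw them

    def session_key(self, peer_pub, nonce_i, nonce_r):
        dh = pow(int.from_bytes(peer_pub, "big"), self.priv, P).to_bytes(16, "big")
        return mac(nonce_i + nonce_r, dh)                  # function of DH keys and random data

    def proof(self, identity):
        return mac(self.psk, identity, *self.seen)         # HMAC over all exchanged data

def phase1(psk_a, psk_b, tamper=False):
    alice, bob = Peer(b"alice@wonderland.com", psk_a), Peer(b"204.53.10.4", psk_b)
    offer, choice = b"3DES/SHA1 or DES/MD5", b"3DES/SHA1"  # first pair
    # Second pair. With tamper=True (constructed case) Bob receives a DH value Alice never sent.
    a_pub_rx = Peer(b"in-transit", b"").pub if tamper else alice.pub
    alice.seen = [offer, choice, alice.pub, alice.nonce, bob.pub, bob.nonce]
    bob.seen = [offer, choice, a_pub_rx, alice.nonce, bob.pub, bob.nonce]
    same_key = (alice.session_key(bob.pub, alice.nonce, bob.nonce)
                == bob.session_key(a_pub_rx, alice.nonce, bob.nonce))
    # Third pair: each side recomputes the other's proof from its own view of the exchange.
    bob_ok = hmac.compare_digest(alice.proof(alice.identity), bob.proof(alice.identity))
    alice_ok = hmac.compare_digest(bob.proof(bob.identity), alice.proof(bob.identity))
    return same_key, alice_ok, bob_ok
```

`phase1` returns `(same_key, alice_ok, bob_ok)`: whether both sides derived the same secret, and whether each side accepted the other's proof.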
IKE Tutorial - Phase 2
• Phase 2 is always secured by an IKE SA. The IKE SA provides secrecy, authentication, and data integrity.
• Remember: the goal is to establish an IPSEC SA.
• Three messages in Phase 2:
  • Message 1: Suggestion of parameters, and identities for whom we’re negotiating.
  • Message 2: Choice of parameters, and HMAC signature on first message.
  • Message 3: HMAC signature on previous messages.
• HMAC signatures use a key from the IKE SA.
IKE Tutorial - Phase 2
• Example Phase 2 (simplified) exchange:
    Alice: Let’s do either ESP DES/MD5, or AH SHA1. I’m negotiating on behalf of subnets 189.63.71.0 and 204.53.10.0. Here’s some random data.
    Bob: Let’s use AH SHA1. Here’s an HMAC of the previous message using our IKE SA HMAC key. Here’s some random data.
    Alice: Here’s an HMAC of the previous messages using our IKE SA HMAC key.
IKE Tutorial - Phase 2
• Remarks:
  • The keys in the resulting IPSEC SA are a function of the IKE SA key and the random data.
  • The result of the negotiation is two uni-directional IPSEC SAs, each with a distinct SPI (SPIs are also part of the negotiation).
  • The SAs can only be used to encrypt IPSEC traffic between the negotiated identities.
  • Identity types are IP addresses, IP ranges, IP subnets.
IKE Tutorial - Phase 2
• More remarks:
  • Perfect Forward Secrecy (PFS) can be turned on to provide additional security. It includes an additional exchange of DH keys.
  • When an SA is about to expire, the entities can start a new negotiation. If the IKE SA is valid, only Phase 2 is required. Otherwise, both Phase 1 and Phase 2 are required.
  • One other type of IKE message: “informational”. Examples: error messages, requests to delete SAs.
Agenda
• Cryptography Basics
• IPSEC
• IKE
• IKE Hybrid Mode
Hybrid Mode IKE - What is it?
• A method of using authentication schemes other than a pre-shared secret or a digital certificate with IKE
• IKE standard did not originally allow for authentication schemes like:
  • Token cards - SecurID, etc.
  • LDAP
  • RADIUS
  • NT Domain
  • Firewall-1 Password
  • etc.
Hybrid Mode
• Challenge: integrate all FW-1 authentication schemes with IKE
• Standards-based solution does not exist
• Requirements:
  • Open: integrates well with all authentication schemes
  • Secure: mutual (user vs. gateway) authentication
  • Standards-based: suggest solution to IETF (draft-ietf-ipsec-isakmp-hybrid-auth-03)
• Existing solutions are:
  • Proprietary (hard to determine their security)
  • Or, insecure suggested standards (XAUTH)
Hybrid Mode
• Solution:
  • Gateway cannot use an “interactive” authentication scheme, unlike a user:
    • Gateway uses PKI
    • User uses one of the FW-1 authentication schemes
      • FW-1 Password, LDAP, TACACS+, RADIUS, etc.
  • CP management station includes simple PKI abilities
    • Sufficient to deploy certificates to the gateways
    • NOT a full-blown PKI for users
Hybrid Mode Example (Radius)
[Figure: message flow between User and GW. Message labels: SA Negotiation; Establish encrypted channel; A’s certificate + A’s signature over previous data; User identity, hash of previous data; Radius challenge (“enter password”); Password 1232456. Check labels: Check identity in certificate and validate; Check identity; Validate password.]