1 / 19

Internet Key Exchange (IKE) protocol vulnerability risks

Internet Key Exchange (IKE) protocol vulnerability risks. Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia Networks Supervisor: Prof. Raimo Kantola Instructor: M.Sc. Jussi Kohonen. Contents. Background Research methods

nuwa
Télécharger la présentation

Internet Key Exchange (IKE) protocol vulnerability risks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia Networks Supervisor: Prof. Raimo Kantola Instructor: M.Sc. Jussi Kohonen

  2. Contents • Background • Research methods • Network security concepts • IPsec and IKE protocols • Experimental part • Conclusions

  3. Background • New types of uses for the Internet are emerging and amount of IP traffic is growing; an ever increasing amount of attacks can be expected • Lack of security is a major hindrance to the widespread use of the Internet • IPsec (and IKE as its key exchange protocol) promises network level IP security • Attacking on IKE is presumably difficult because it has been designed to be robust • Few studies analyze the weaknesses of IKE • A couple of experimental attack programs are available (in contrast to the tool arsenal targeted to TCP/IP) Research problem: Is it feasible to successfully attack IKE protocol?

  4. Research methods • Modeling network security concepts • Reviewing the cryptography used, IPsec and IKE protocol • Analyzing the papers written of IKE weaknesses • Analyzing the existing IKE attack programs • Applying selected theoretical attack scenarios into practise by implementing them into attack programs • Experimenting these attacks in a test environment

  5. Green circle: Security is retained inspite of the mounted attacks Red circle: Security threats are realized by successful attacks Attacker tries to adversely affect the information flow: A basic model for network security concepts constructed Helps to form a general view of the related concepts and their relations Network security concepts 1(2)

  6. Network security concepts 2(2) Cryptographic methods are the building blocks of IPSec and IKE • Secret and Public key encryption • Provides confidentiality • Digital signature and hash functions, MAC (Message Authentication Code) • Provides integrity • Random numbers • Add unpredictability to cryptographic algorithms and protocols • Used for example for creating keys, nonces and cookies • Diffie-Hellman key exchange protocol • Two parties agree over an insecure channel on a shared secret • Shared secret is used to protect the following traffic

  7. IPsec and IKE protocols 1(2) Internal structure of IPsec protocol suite AH = Authentication Header API = Application Programming Interface DOI = Domain of Interpretation ESP = Encapsulated Security Payload ISAKMP = Internet Security Association and Key Management Protocol Oakley = Key Exchange Protocol SA = Security Association SAD = Security Association Database SKEME = Secure Key Exchange Mechanism SPD = Security Policy Database

  8. IKE SA and IPsec SA establisment Main mode : IPsec and IKE protocols 2(2) Aggressive mode: HDR = ISAKMP Header, HDR* = Payloads are encrypted SA = Security Association payload KE = Key Exchange payload (Diffie-Hellman public value) Ni, Nr = Nonce payload (of Initiator, Responder) IDii, Idir = Identification payload HASH_I, HASH_R = Hash payload (of Initiator, Responder)

  9. Experimental part 1(6) Test network • Three hosts in a LAN (Local Area Network) running FreeBSD OS (operating system) • Hosts are operated via a switch matrix • Software of the IPsec hosts • IPsec: KAME • IKE: racoon • Software of the Attacker’s host • ettercap for enabling Man-in-the-middle (MITM) attacks by using ARP tables poisoning technique • ike-scan for discovering IKE services • ikeprobe for IKE packet fabrication • ikecrack for pre-shared key cracking • Installation of OS and software • Configuration of IPsec policies

  10. Experimental part 2(6) Attacks on IKE are diverse: • Exploit weaknesses of a protocol or an implementation by applying various techniques • Active or passive, specific to an exchange (main or aggressive mode) or parameters used • Differ in terms of required effort and level of difficulty to implement and mount • The implications induced by an attack vary as do the benefits the attacker is able to gain Categorization of demonstrated attacks • Discovery of IKE service • Denial-of-Service (DoS) attacks • Authentication attacks

  11. Experimental part 3(6) Discovery of IKE service • If the attacker knows a specific IPsec implementation on the network, he can focus his effort on its known vulnerabilities • As IKE runs over UDP protocol, it needs a retransmission strategy: • Time to wait before resending the packet • Time to wait (delay) between subsequent packets • Count of packets to be resent before giving up • IPsec implementations tend to have an individual IKE retransmission strategy which forms a kind of pattern (fingerprint) • ike-scan discovers and identifies IPsec implementations: • A publicly available C program • Sends an initial main mode packet to the specified hosts • Collects timing information from responses • Matches that information against a database of the known implementation’s patterns • Concludes the IPsec/IKE implementation (vendor)

  12. Experimental part 4(6) Denial-of-Service (DoS) attacks • The attacker’s aim is to disable the Responder by exploiting IKE protocol or implementation flaws • Force Responder to spend computing or memory resources • Force Responder to crash or jam by sending a malformed packet • ikeprobe.pl, IKE packet fabrication tool • Largely rewritten and enhanced from the IKEProber.pl • Aggressive and main mode packet flooding • Initiates an IKE negotiation without trying to complete it • DoS protection means of IKE • Cookies (IKE fails to protect against even simple DoS attacks) • Discarding of malformed packets • Limited logging of abnormal events

  13. Experimental part 5(6) DoS attacks classified according to a mechanism they effect on the IKE service

  14. Experimental part 6(6) Authentication attacks • Cracking a weak pre-shared key • ikecrack.pl, IKE message parser and pre-shared key cracking tool • Largely rewritten and enhanced from the ikecrack-snarf-1.00.pl • The attacker captures the exchange by “tcpdump –nxq –s 600 > file” • ikecrack parses the capture file, computes needed keying material and MAC values and starts dictionary, hybrid and brute-force cracking • In aggressive mode only a capture of an exchange needed • In main mode also a MITM attack needed to forge a DH public key by using an ettercap plug-in program developed • Use of degenerated DH public keys • racoon accepts degenerated DH public keys and thus allows revealing of DH shared secret (implementation flaw)

  15. Conclusions • IKE is a complex protocol. Security suffers from complexity • Attacking on IKE is feasible, although not trivial • Serious vulnerabilities demonstrated in various areas, including • Denial-of-Service • Resources can be exhausted (computing, memory and disk) • Implementation flaws (crashes and endless loops) • Authentication • Cracking a pre-shared key (aggressive and main mode) • MITM attacks on DH • It is only a matter of time when there are advanced attack tools available • IKE will probably remain in use for years (IKEv2 is an Internet-draft) • Still, IPsec is the current best practice in IP security • Realize the weaknesses and enforce respective countermeasures • Focus on security testing (traditionally inter-operation testing) Further research • Test other IPsec implementations • Verify the robustness of the forthcoming IKEv2 • Develop a security testing tool suite (move from Perl to C)

  16. Additional material 1(4) An example of a DoS attack which floods responder with expensive modular exponentiation computations in aggressive mode • perl ikeprobe.pl –d 10.0.0.2 –s 1:1:1:2 –ip 10.0.0.3 –k user 99 –n user 77 –c 30000 –wait –b 8 • racoon uses all the available processing capacity (95 % CPU usage) • Disk storage is exhausted at the rate of 10 Mbytes/hour • Virtual memory is exhausted at the rate of 30 Mbytes/hour (the memory remains reserved until racoon has been killed)

  17. Additional material 2(4) An example of a MITM attack (cracking a pre-shared key in main mode) • To decrypt the HASH_I the MITM has to know the encryption key which is derived from DH shared secret • MITM forges Responder’s DH public key gy to a value of which DH private key y he knows, and can compute DH shared secret (gx)y • g is defined to be 2, so if gy = 2 then y = 1 and DH shared secret is (gx)y = gx Main mode exchange and a respective ettercap snapshot:

  18. Additional material 3(4) Diffie Hellman (DH) Key Exchange protocol

  19. Additional material 4(4) RFC 2409 The Internet Key Exchange (IKE) • IKE keying material and MACs in a pre-shared key authentication

More Related