ECE 454/599 Computer and Network Security

Dr. Jinyuan (Stella) Sun, Dept. of Electrical Engineering and Computer Science, University of Tennessee, Fall 2012

Upload: davin

Post on 07-Jan-2016


Page 1: ECE 454/599  Computer and Network Security

ECE 454/599 Computer and Network Security

Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer Science
University of Tennessee
Fall 2012

Page 2: ECE 454/599  Computer and Network Security

IPsec: IKE
• Photuris and SKIP
• PHASE 1 IKE
• PHASE 2 IKE

Page 3: ECE 454/599  Computer and Network Security

Security Association Issues
• How is SA established?
◦ How do parties negotiate a common set of cryptographic algorithms and keys to use?
• More than one SA can apply to a packet!
◦ E.g., end-to-end authentication (AH) and additional encryption (ESP) on the public part of the network

Page 4: ECE 454/599  Computer and Network Security

IKE: Internet Key Exchange
• Purpose
◦ Mutual Authentication
◦ Shared Secret Establishment
◦ Crypto Algorithms Negotiation
◦ Security Association Establishment

Page 5: ECE 454/599  Computer and Network Security

IPsec Key Management
• Data transmitted needs to be secured
◦ IPsec SA, session keys, AH or ESP
• Messages for establishing IPsec SA need to be secured
◦ IKE SA, negotiated secret
• Negotiation for establishing IKE SA needs to be authenticated
◦ Pre-shared secret key
◦ Public/private keys

Page 6: ECE 454/599  Computer and Network Security

Review: Cookies
• Clogging attacks
◦ An opponent forges the source address of a legitimate user and sends a public Diffie-Hellman key to the victim. The victim then performs a modular exponentiation to compute the secret key. Repeated messages of this type can clog the victim’s system with useless work.
• Cookie (first proposed in Photuris)
◦ A number chosen by the responder. When receiving a request from S, the responder sends the cookie to S in the clear and starts processing only after the cookie comes back from the initiator.
• Stateless cookies
◦ The responder does not have to remember (store) the cookies he sent out. The cookie is a function of the IP address and a secret known to the responder.

Page 7: ECE 454/599  Computer and Network Security

A Stateless Cookie Protocol
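The stateless cookie check described on the previous slide, as an added sketch that is not part of the original slides. It assumes the cookie function is HMAC-SHA256 over the source address (the slides only say "a function of the IP address and a secret"); the class name, the toy Diffie-Hellman group and the addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

P, G = 2**127 - 1, 3   # toy Diffie-Hellman group (constructed, not an IKE group)

class Responder:
    def __init__(self, secret=None):
        # Secret known only to the responder; nothing is stored per request.
        self.secret = secret or os.urandom(32)
        self.private = int.from_bytes(os.urandom(15), "big") + 2
        self.modexp_count = 0      # expensive operations actually performed

    def make_cookie(self, src_ip: str) -> bytes:
        # Assumption: HMAC-SHA256 over the source address, truncated to 16 bytes.
        mac = hmac.new(self.secret, src_ip.encode(), hashlib.sha256)
        return mac.digest()[:16]

    def handle_request(self, src_ip: str) -> bytes:
        # First reply: send the cookie in the clear and keep no state.
        return self.make_cookie(src_ip)

    def handle_dh(self, src_ip: str, cookie: bytes, peer_public: int):
        # Recompute the cookie from the packet's source address; only a sender
        # that received the earlier reply at that address can echo it back.
        if not hmac.compare_digest(cookie, self.make_cookie(src_ip)):
            return None            # dropped before any modular exponentiation
        self.modexp_count += 1
        return pow(peer_public, self.private, P)

def demo():
    bob = Responder()
    a_priv = 0x1234567                                   # constructed exponent
    cookie = bob.handle_request("192.0.2.10")
    shared = bob.handle_dh("192.0.2.10", cookie, pow(G, a_priv, P))
    agreed = shared == pow(pow(G, bob.private, P), a_priv, P)
    # Forged source address: the sender never saw a cookie for it.
    forged = bob.handle_dh("198.51.100.7", os.urandom(16), pow(G, 999, P))
    # Cookie issued to one address, presented from another.
    moved = bob.handle_dh("198.51.100.7", cookie, pow(G, 999, P))
    return agreed, forged, moved, bob.modexp_count
```

Only the request carrying a valid cookie for its own source address costs the responder a modular exponentiation; the other two are rejected after a single HMAC.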

Page 8: ECE 454/599  Computer and Network Security

Photuris

Page 9: ECE 454/599  Computer and Network Security

Features of Photuris
• Denial of service protection:
◦ Stateless cookie CB in message 2
• Signed Diffie-Hellman exchange
◦ Signature on the previous message in messages 5 and 6
• Identity hiding
◦ Anonymous Diffie-Hellman
◦ Identities are encrypted in messages 5 and 6 (for active man-in-the-middle, the initiator’s identity is revealed, but not the responder’s)

Page 10: ECE 454/599  Computer and Network Security

SKIP: Simple Key Management for Internet Protocols
• SKIP uses Diffie-Hellman public keys
◦ Alice finds Bob’s public key (g^B mod p) via a certificate from Bob or a directory. Bob finds Alice’s public key (g^A mod p). Then they will have a common secret (g^AB mod p).
• Data encryption
◦ The D-H common secret should not be used to encrypt data. Instead each message has a SKIP header where the long term secret is used to encrypt a short-term data encryption key, which is used to encrypt the message.

Page 11: ECE 454/599  Computer and Network Security

IKE Phases
• Phase One
◦ Mutual authentication
◦ Session key establishment
◦ ISAKMP SA/IKE SA
• Phase Two
◦ Negotiating IPsec SAs (AH, ESP)

Page 12: ECE 454/599  Computer and Network Security

Why two phases?
• ISAKMP would be used by other protocols to set up SAs, not only to set up IPsec SAs.
• Phase 1 exchange is relatively expensive. The ISAKMP/IKE SA has a longer timeout period. It can be used to negotiate multiple phase 2 IPsec SAs, which reduces the usage of the pre-shared secret or private key.

Page 13: ECE 454/599  Computer and Network Security

Phase 1 IKE
• Two modes
• Aggressive mode
◦ 3 messages
◦ Mutual authentication
◦ Session key establishment
• Main Mode
◦ 6 messages
◦ Mutual authentication
◦ Session key establishment
◦ Hiding endpoint identity
◦ Negotiating cryptographic algorithms

Page 14: ECE 454/599  Computer and Network Security

Phase 1: Aggressive Mode

Page 15: ECE 454/599  Computer and Network Security

Phase 1: Main Mode

Page 16: ECE 454/599  Computer and Network Security

Negotiating Cryptographic Parameters
• Encryption algorithm (e.g., DES, 3DES, IDEA)
• Hash algorithm (e.g., MD5, SHA)
• Authentication method (e.g., pre-shared keys, RSA public key signature, DSS, RSA public key encryption)
• Diffie-Hellman group (e.g., g and p)

Page 17: ECE 454/599  Computer and Network Security

Crypto Proposals
• Alice sends Bob a list of proposals, each consisting of an encryption algorithm, a hash algorithm, an authentication method, and a Diffie-Hellman group.
• Bob replies with one as the accepted proposal.
• The parameters in the proposal are used in Phase 1 and Phase 2 (IKE SA), with the hash algorithm used for various purposes.

Page 18: ECE 454/599  Computer and Network Security

Key Types
• Mutual authentication based on
◦ Pre-shared secret key
◦ Public encryption key: original protocol design, improved protocol design
◦ Public signature key

Page 19: ECE 454/599  Computer and Network Security

Cookie Issues
• IKE is stateful, starting from the first message.
◦ Alice’s crypto proposal is in the identity proof
◦ ISAKMP requires randomly chosen cookies
• Identifier: <initiator cookie, responder cookie>

Page 20: ECE 454/599  Computer and Network Security

Session Keys
• After Diffie-Hellman key exchange, each side knows g^xy mod p
• Encryption key and Integrity key for the rest of IKE SA
• Keys for IPSec SAs

Page 21: ECE 454/599  Computer and Network Security

Session Keys
• Pseudo Random function – prf(key, data), e.g., CBC residue, HMAC
• SKEYID
◦ For signature public keys, prf(nonces, g^xy)
◦ For encryption public keys, prf(hash(nonces), cookies)
◦ For pre-shared secret keys, prf(pre-shared secret key, nonces)
• SKEYID_d: secret bits used to create other keys
◦ prf(SKEYID, g^xy | cookies | 0)
• SKEYID_a: the integrity protection key
◦ prf(SKEYID, SKEYID_d | g^xy | cookies | 1)
• SKEYID_e: the encryption key
◦ prf(SKEYID, SKEYID_d | g^xy | cookies | 2)

Page 22: ECE 454/599  Computer and Network Security

Proof of Identity
• Proof of the key associated with the identity
◦ pre-shared secret key
◦ private encryption key
◦ private signature key
• Integrity-check on the previous messages, such as identity, Diffie-Hellman values, nonce, Alice’s crypto proposal, and the cookies.

Page 23: ECE 454/599  Computer and Network Security

Proof of Identity (Cont’d)
• Alice’s proof of identity
◦ prf ( SKEYID, g^x | g^y | cookies | Alice’s initial proposals | Alice’s identity )
• Bob’s proof of identity
◦ prf ( SKEYID, g^x | g^y | cookies | Alice’s initial proposal | Bob’s identity )
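The key derivation from the Session Keys slide and the proof of identity above, carried through for the pre-shared secret key case. This is an added sketch, not part of the original slides: it follows the slide formulas literally, assumes HMAC-SHA1 as the prf, and uses a toy Diffie-Hellman group, byte encodings and sample values that are all constructed.

```python
import hashlib
import hmac

P, G = 2**127 - 1, 3          # toy Diffie-Hellman group (constructed, not an IKE group)

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA1 as the prf; the slides name HMAC only as an example.
    return hmac.new(key, data, hashlib.sha1).digest()

def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")   # fixed-width encoding of a group element

def derive_keys(psk: bytes, nonces: bytes, gxy: bytes, cookies: bytes):
    skeyid = prf(psk, nonces)                              # pre-shared secret key case
    skeyid_d = prf(skeyid, gxy + cookies + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cookies + b"\x01")
    skeyid_e = prf(skeyid, skeyid_d + gxy + cookies + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def proof_of_identity(skeyid, gx, gy, cookies, proposals, identity):
    return prf(skeyid, gx + gy + cookies + proposals + identity)

def demo():
    # All values below are constructed sample data.
    x, y = 0x1234567, 0x7654321
    gx, gy = pow(G, x, P), pow(G, y, P)
    psk, nonces = b"constructed-psk", b"nonce-A" + b"nonce-B"
    cookies = b"CA" * 4 + b"CB" * 4
    proposals = b"3DES/SHA/psk/group-b;DES/MD5/psk/group-a"
    alice = derive_keys(psk, nonces, enc(pow(gy, x, P)), cookies)
    bob = derive_keys(psk, nonces, enc(pow(gx, y, P)), cookies)
    sent = proof_of_identity(alice[0], enc(gx), enc(gy), cookies, proposals, b"alice")

    def bob_accepts(received_proposals: bytes) -> bool:
        expected = proof_of_identity(bob[0], enc(gx), enc(gy), cookies,
                                     received_proposals, b"alice")
        return hmac.compare_digest(sent, expected)

    intact = bob_accepts(proposals)
    # Proposal list altered in transit: the proof no longer verifies.
    altered = bob_accepts(b"DES/MD5/psk/group-a")
    return alice == bob, intact, altered, len(set(alice))
```

Because the proof covers Alice’s proposal list, Bob detects any change to the list he received, which is the integrity check the Proof of Identity slide describes.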

Page 24: ECE 454/599  Computer and Network Security

IKE phase 1 protocols
• 8 phase-1 protocols
◦ 2 modes
◦ 4 types of keys
• Common features
◦ Message 1 starts with Alice’s cookie
◦ All other messages start with (initiator cookie, responder cookie), which serves as the IKE connection identifier

Page 25: ECE 454/599  Computer and Network Security

Phase 1: Public Signature Keys, Main Mode

Page 26: ECE 454/599  Computer and Network Security

Phase 1: Public Signature Keys, Aggressive Mode

Page 27: ECE 454/599  Computer and Network Security

Phase 1: Public Encryption Keys, Main Mode, Original

Page 28: ECE 454/599  Computer and Network Security

Phase 1: Public Encryption Keys, Aggressive Mode, Original

Page 29: ECE 454/599  Computer and Network Security

Phase 1: Public Encryption Keys, Main Mode, Revised

Page 30: ECE 454/599  Computer and Network Security

Phase 1: Public Encryption Keys, Aggressive Mode, Revised

Page 31: ECE 454/599  Computer and Network Security

Phase 1: Pre-Shared Secret Keys, Main Mode

Page 32: ECE 454/599  Computer and Network Security

Phase 1: Pre-Shared Secret Keys, Aggressive Mode

Page 33: ECE 454/599  Computer and Network Security

Phase 2, Quick Mode
• Establish IPSec SAs (e.g., ESP and/or AH)
◦ Crypto parameters
◦ Diffie-Hellman numbers (optional)
◦ Traffic type (optional)
• All messages (except X,Y) encrypted and integrity protected

Page 34: ECE 454/599  Computer and Network Security

Reading Assignment

[Kaufman] Chapter 18