IPSEC : KEY MANAGEMENT
PRESENTATION BY:
SNEHA A MITTAL(121427)
NISHU RASTOGI (121418)
BHOOMIKA PARMAR (121406)
MONIKA MITTAL (121414)
ROHIT JAIN (121424)
SUBMITTED TO:
Dr. C. RAMAKRISHNA
(ASSOCIATE PROFESSOR)
(CSE DEPARTMENT)
NITTTR CHANDIGARH
OVERVIEW
KEY MANAGEMENT FOR IPSEC
TYPES OF KEY MANAGEMENT
ISAKMP/OAKLEY
OAKLEY KEY DETERMINATION PROTOCOL
DIFFIE HELLMAN KEY EXCHANGE
FEATURES
ISAKMP
PAYLOAD TYPES
CONCLUSION
KEY MANAGEMENT FOR IPSEC
The key management portion of IPsec involves the determination and distribution of secret keys.
A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP.
TYPES
Two types of key management according to the IPsec Architecture document:
Manual
Automated
MANUAL
A system administrator manually configures each system with its own keys and with the keys of other communicating systems.
This is practical for small, relatively static environments.
AUTOMATED
An automated system enables the on-demand creation of keys for SAs.
It facilitates the use of keys in a large distributed system with an evolving configuration.
ISAKMP/OAKLEY
The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley (the combination is better known today as the Internet Key Exchange, IKE).
It consists of the following elements:
Oakley Key Determination Protocol
Internet Security Association and Key Management Protocol (ISAKMP)
OAKLEY KEY DETERMINATION PROTOCOL
Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security.
Oakley is generic in that it does not dictate specific message formats.
Oakley KDP = Diffie-Hellman key exchange + authentication + cookies
DIFFIE-HELLMAN KEY EXCHANGE
A and B agree on two numbers n and g (n a large prime, g a primitive root modulo n); both may be public.
A chooses a large random number x and calculates X = g^x mod n. A sends X, g and n to B.
B chooses a large random number y and calculates Y = g^y mod n. B sends Y to A.
Finally A calculates k = Y^x mod n and B calculates k' = X^y mod n.
Both arrive at the same value, k = k' = g^(xy) mod n, while an eavesdropper who sees only X, Y, g and n would have to solve a discrete logarithm to recover it.
DIFFIE-HELLMAN KEY EXCHANGE
Features: secret keys are created only when needed; the exchange requires no pre-existing infrastructure.
Weaknesses: it provides no information about the identities of the parties, so a man-in-the-middle attack is possible.
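The exchange described on the two slides above, together with the man-in-the-middle weakness, as an added example in Python (not part of the presentation). It assumes the 1024-bit modular-exponentiation group from RFC 2409 (generator 2 over a safe prime, which is the second of the Oakley groups listed later in the deck); the function names honest_exchange, mitm_exchange and shared_key are the example's own, and the subgroup check in shared_key is the practitioner's addition, not something the slides describe.

```python
"""Diffie-Hellman as on the slides (X = g^x mod n, k = Y^x mod n) and why an
unauthenticated exchange is open to a man-in-the-middle."""
import secrets

# Oakley group 2 prime (RFC 2409 section 6.2), a safe prime n = 2q + 1, g = 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
N = int(P_HEX, 16)
G = 2
Q = (N - 1) // 2   # prime order of the subgroup generated by g


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used only to sanity-check the hard-coded group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def private_value() -> int:
    """x or y on the slides: a large random exponent in [2, q-1]."""
    return secrets.randbelow(Q - 2) + 2


def public_value(priv: int) -> int:
    """X = g^x mod n."""
    return pow(G, priv, N)


def shared_key(peer_pub: int, priv: int) -> int:
    """k = Y^x mod n.  The membership check (added here) rejects 0, 1, n-1 and
    values outside the order-q subgroup, which a peer could send to force a
    predictable key."""
    if not 1 < peer_pub < N - 1 or pow(peer_pub, Q, N) != 1:
        raise ValueError("peer public value is not in the expected subgroup")
    return pow(peer_pub, priv, N)


def honest_exchange() -> tuple[int, int]:
    """A and B run the protocol; returns (k, k'), which must be equal."""
    x, y = private_value(), private_value()
    X = public_value(x)            # A -> B: X, g, n
    Y = public_value(y)            # B -> A: Y
    return shared_key(Y, x), shared_key(X, y)


def mitm_exchange() -> dict:
    """Mallory intercepts X and Y and forwards her own values M1 and M2.
    A and B each finish 'successfully' but share a key with Mallory."""
    x, y = private_value(), private_value()
    m1, m2 = private_value(), private_value()
    X, Y = public_value(x), public_value(y)
    M1, M2 = public_value(m1), public_value(m2)
    k_a = shared_key(M1, x)        # A believes M1 came from B
    k_b = shared_key(M2, y)        # B believes M2 came from A
    return {
        "a_and_b_agree": k_a == k_b,
        "mallory_knows_a_key": shared_key(X, m1) == k_a,
        "mallory_knows_b_key": shared_key(Y, m2) == k_b,
    }


if __name__ == "__main__":
    k, k2 = honest_exchange()
    print("honest exchange agrees:", k == k2)
    print("with attacker in the middle:", mitm_exchange())
```

Nothing in the exchange tells A that M1 came from Mallory rather than B, which is exactly the gap the authentication part of Oakley closes.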
FEATURES
Five main features of Oakley:
Cookies help resist clogging attacks.
It enables two parties to negotiate a group.
Nonces help resist message replay attacks.
It enables the exchange of Diffie-Hellman public key values.
Authentication helps resist man-in-the-middle attacks.
CLOGGING ATTACKS
A form of denial-of-service attack.
The attacker sends a large number of public keys Y_i in crafted IP packets with forged source addresses, forcing the victim's computer to compute secret keys K_i = Y_i^x mod p over and over again.
Diffie-Hellman is computationally intensive because of the modular exponentiations.
PREVENTING CLOGGING ATTACKS USING COOKIES
Before doing any computation, the recipient sends a cookie (a pseudorandom number) back to the source and waits for a confirmation that includes that cookie.
This prevents attackers from forcing DH computations with crafted packets carrying forged source addresses: the cookie is sent to the forged address, so the attacker never sees it.
The cookie must depend on the specific parties (for example a hash of the source and destination IP addresses and ports together with a local secret), so that nobody else can generate it, yet must be fast to generate and verify.
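The cookie exchange above as an added Python example (not from the presentation). The cookie construction, an HMAC over the peer's address, port and initiator cookie under a local secret, is an assumption in line with the slide's description; the Responder class, the simulate function and the addresses 10.0.0.5, 198.51.100.7 and 203.0.113.9 are constructed for the example, and the expensive Diffie-Hellman step is represented only by a counter.

```python
"""Stateless anti-clogging cookies: the responder does no exponentiation and
stores nothing until the initiator proves it can receive traffic at its
claimed source address by echoing the cookie."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Responder:
    """Responder that keeps no per-peer state until the cookie comes back."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    expensive_ops: int = 0   # DH computations we were actually forced into

    def make_cookie(self, src_ip: str, src_port: int, initiator_cookie: bytes) -> bytes:
        """Cookie = first 8 bytes of HMAC(secret, address || port || initiator
        cookie) (assumed construction).  Tied to the peer, unforgeable without
        the secret, and one hash to create or to check."""
        msg = src_ip.encode() + src_port.to_bytes(2, "big") + initiator_cookie
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def first_message(self, src_ip: str, src_port: int, initiator_cookie: bytes) -> bytes:
        """Message 1: reply with a cookie.  Nothing stored, nothing exponentiated."""
        return self.make_cookie(src_ip, src_port, initiator_cookie)

    def second_message(self, src_ip: str, src_port: int, initiator_cookie: bytes,
                       responder_cookie: bytes) -> bool:
        """Message 2 must echo our cookie; only then is the DH work done."""
        expected = self.make_cookie(src_ip, src_port, initiator_cookie)
        if not hmac.compare_digest(expected, responder_cookie):
            return False                 # dropped after one HMAC, no state allocated
        self.expensive_ops += 1          # stand-in for computing Y^x mod p
        return True


def simulate(flood_size: int = 1000) -> dict:
    """One honest peer, one spoofing flood, one cookie replay from elsewhere."""
    r = Responder()
    # Honest peer (constructed address 10.0.0.5) really receives the cookie.
    ic = secrets.token_bytes(8)
    rc = r.first_message("10.0.0.5", 500, ic)
    honest_ok = r.second_message("10.0.0.5", 500, ic, rc)
    # Attacker spoofing 198.51.100.7: each reply is routed to that address, so
    # the attacker never learns the cookies and can only guess in message 2.
    rejected = 0
    for _ in range(flood_size):
        spoofed_ic = secrets.token_bytes(8)
        r.first_message("198.51.100.7", 500, spoofed_ic)   # reply lost to attacker
        if not r.second_message("198.51.100.7", 500, spoofed_ic, secrets.token_bytes(8)):
            rejected += 1
    # Replaying the honest peer's valid cookie from another address also fails,
    # because the source address is part of the cookie's input.
    replayed = r.second_message("203.0.113.9", 500, ic, rc)
    return {"honest_ok": honest_ok, "flood_rejected": rejected,
            "replay_from_other_address_ok": replayed, "expensive_ops": r.expensive_ops}


if __name__ == "__main__":
    print(simulate())
```

The point to notice is that the responder's cost per forged packet is one HMAC, while the attacker has to guess a 64-bit value to make the responder do a single modular exponentiation.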
GROUPS
Groups supported:
Modular exponentiation with a 768-bit modulus
Modular exponentiation with a 1024-bit modulus
Modular exponentiation with a 1536-bit modulus
Elliptic curve group over GF(2^155)
Elliptic curve group over GF(2^185)
NONCES
A nonce is a locally generated pseudorandom number.
Nonces appear in responses and are encrypted during certain portions of the key exchange to secure their use; because each exchange carries fresh nonces, a replayed message is detected.
AUTHENTICATION METHODS USED IN OAKLEY
Digital signatures: the exchange is authenticated by signing a mutually obtainable hash over parameters such as the IDs and nonces with each party's private key.
Public-key encryption: the exchange is authenticated by public-key encryption of parameters such as the IDs and nonces.
Secret-key encryption: a key derived by some out-of-band mechanism is used to authenticate the exchange by symmetric encryption of its parameters.
ISAKMP
ISAKMP provides:
A framework for Internet key management
The specific protocol support, including formats, for negotiation of security attributes
ISAKMP by itself does not dictate a specific key exchange algorithm; rather, it consists of a set of message types that enable the use of a variety of key exchange algorithms.
Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.
ISAKMP
ISAKMP: Internet Security Association and Key Management Protocol. It specifies the key exchange message formats.
An ISAKMP message consists of an ISAKMP header followed by one or more payloads; each type of payload begins with the same generic payload header.
ISAKMP PAYLOAD TYPES
SA: for establishing a security association
Proposal: for negotiating an SA
Transform: for specifying encryption and authentication algorithms
Key-exchange: for specifying a key-exchange algorithm
Identification: for carrying information that identifies the peers
Certificate-request: for requesting a public-key certificate
Certificate: contains a public-key certificate
Hash: contains the hash value of a hash function
Signature: contains the output of a digital signature function
Nonce: contains a nonce
Notification: notifies the status of the other types of payloads
Delete: notifies the receiver that the sender has deleted an SA or SAs
Generic payload header (precedes every payload): 8-bit Next payload, 8-bit Reserved, 16-bit Payload length
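A parser for the header-plus-payload-chain layout described on the ISAKMP slides, as an added Python example (not from the presentation). The 28-byte ISAKMP header layout and the payload type numbers are taken from RFC 2408, not from the slides; the sample message, the function names build_message, parse_message and is_rejected, and the cookie values are constructed for the example. The length checks are what a practitioner wants to see, since a crafted payload length is the classic way to make such a parser read past its buffer or spin forever.

```python
"""Parse an ISAKMP message: fixed header, then payloads chained through the
'next payload' field of the generic payload header on the slide."""
import struct

# Payload type numbers from RFC 2408 (0 = no further payload).
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key-exchange",
    5: "Identification", 6: "Certificate", 7: "Certificate-request",
    8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
    12: "Delete", 13: "Vendor-ID",
}
# ISAKMP header (28 bytes, RFC 2408): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
# Generic payload header from the slide: next payload, reserved, payload length.
PAYLOAD_HDR = struct.Struct("!BBH")


def build_message(icookie: bytes, rcookie: bytes, payloads) -> bytes:
    """Assemble a message from (type, body) pairs; each payload's next-payload
    field names the type of the payload that follows, 0 after the last one."""
    types = [t for t, _ in payloads] + [0]
    body = b"".join(
        PAYLOAD_HDR.pack(types[i + 1], 0, PAYLOAD_HDR.size + len(b)) + b
        for i, (_, b) in enumerate(payloads)
    )
    # 0x10 = ISAKMP version 1.0; exchange type 2 = Identity Protection.
    return HEADER.pack(icookie, rcookie, types[0], 0x10, 2, 0, 0,
                       HEADER.size + len(body)) + body


def parse_message(data: bytes) -> dict:
    """Walk the payload chain, refusing any length that does not fit the message."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes received")
    payloads, off = [], HEADER.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("payload header runs past end of message")
        nxt_after, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        # plen < 4 would never advance (or go backwards); too large reads past the buffer.
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        name = PAYLOAD_NAMES.get(nxt, f"unknown({nxt})")
        payloads.append((name, data[off + PAYLOAD_HDR.size: off + plen]))
        nxt, off = nxt_after, off + plen
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return {"initiator_cookie": icookie, "responder_cookie": rcookie,
            "version": ver, "exchange_type": xchg, "flags": flags,
            "message_id": msgid, "payloads": payloads}


def is_rejected(data: bytes) -> bool:
    """True when the parser refuses the message."""
    try:
        parse_message(data)
    except ValueError:
        return True
    return False


# Constructed message: SA payload (DOI 1 = IPsec, situation 1), a Key-exchange
# payload and a Nonce payload; the responder cookie is still zero.
SAMPLE = build_message(
    b"\x11" * 8, b"\x00" * 8,
    [(1, struct.pack("!II", 1, 1)), (4, b"\xab" * 16), (10, b"\xcd" * 16)],
)

if __name__ == "__main__":
    for name, body in parse_message(SAMPLE)["payloads"]:
        print(f"{name:13s} {len(body):3d} bytes  {body.hex()}")
    print("truncated message rejected:", is_rejected(SAMPLE[:-3]))
```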
CONCLUSION
The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley.
Oakley is a refinement of the Diffie-Hellman key exchange algorithm that provides added security: authentication against man-in-the-middle attacks, cookies against clogging, nonces against replay, and group negotiation.
ISAKMP provides a framework for Internet key management and the message formats used to negotiate security attributes.
THANK YOU