第十一讲-协议安全课件(2).ppt

1、School of computer,SCUEC1Lecture 11 Protocols and securityProtocols and Security()school of School of computer,SCUEC2Lecture 11 Protocols and securityIPSecSchool of computer,SCUEC3Lecture 11 Protocols and securitySecurity Issues in IP|source spoofing|replay packets|no data integrity or confidentiali

2、ty DOS attacks Replay attacks Spying and moreFundamental Issue:Networks are not(and will never be)fully secureSchool of computer,SCUEC4Lecture 11 Protocols and securityIPSec and SSL|IPSec lives at the network layer|IPSec is transparent to applicationsapplicationtransportnetworklinkphysicalSSLOSUserN

3、ICIPSecSchool of computer,SCUEC5Lecture 11 Protocols and securityAn IPSec scenarioSchool of computer,SCUEC6Lecture 11 Protocols and securityIPSec and Complexity|IPSec is a complex protocol|Over-engineeredLots of generally useless extra features|FlawedSome serious security flaws|Interoperability is s

4、erious challengeDefeats the purpose of having a standard!|Complex|Did I mention,its complex?School of computer,SCUEC7Lecture 11 Protocols and securityIPSec ArchitectureESPAHIKEIPSec Security PolicyEncapsulating SecurityPayloadAuthentication HeaderThe Internet Key ExchangeSchool of computer,SCUEC8Lec

5、ture 11 Protocols and securityIKE and ESP/AH|Two parts to IPSec|IKE:Internet Key ExchangeMutual authenticationEstablish shared symmetric keyTwo“phases”like SSL session/connection|ESP/AHESP:Encapsulating Security Payload for encryption and/or integrity of IP packetsAH:Authentication Header integrity

6、onlySchool of computer,SCUEC9Lecture 11 Protocols and securityIPsec servicesSchool of computer,SCUEC10Lecture 11 Protocols and securityIKESchool of computer,SCUEC11Lecture 11 Protocols and securitySecurity Associations|a one-way relationship between sender&receiver that affords security for traffic

7、flowIf a peer relationship is needed,for two-way secure exchange,then two security associations are required.|uniquely identified by 3 parameters:Security Parameters Index(SPI)IP Destination AddressSecurity Protocol Identifier|has a number of other parametersseq no,AH&EH info,lifetime etc|have a dat

8、abase of Security Associations|Security services are afforded to an SA for the use of AH or ESP,but not both.School of computer,SCUEC12Lecture 11 Protocols and securityAuthentication Header(AH)|provides support for data integrity&authentication of IP packetsend system/router can authenticate user/ap

9、pprevents address spoofing attacks by tracking sequence numbers|based on use of a MACHMAC-MD5-96 or HMAC-SHA-1-96|parties must share a secret keySchool of computer,SCUEC13Lecture 11 Protocols and securityEncapsulating Security Payload(ESP)|provides message content confidentiality&limited traffic flo

10、w confidentiality|can optionally provide the same authentication services as AH|supports range of ciphers,modes,paddingincl.DES,Triple-DES,RC5,IDEA,CAST etcCBC&other modespadding needed to fill block size,fields,for traffic flowSchool of computer,SCUEC14Lecture 11 Protocols and securityIKE|IKE has 2

11、 phasesPhase 1 IKE security association(SA)Phase 2 AH/ESP security association|Phase 1 is comparable to SSL session|Phase 2 is comparable to SSL connection|Not an obvious need for two phases in IKE|If multiple Phase 2s do not occur,then it is more expensive to have two phases!School of computer,SCUE

12、C15Lecture 11 Protocols and securityIKE Phase 1|Four different“key”optionsPublic key encryption(original version)Public key encryption(improved version)Public key signatureSymmetric key|For each of these,two different“modes”Main modeAggressive mode|There are 8 versions of IKE Phase 1!|Evidence that

13、IPSec is over-engineered?School of computer,SCUEC16Lecture 11 Protocols and securityIKE Phase 1|Well discuss 6 of 8 phase 1 variantsPublic key signatures(main and aggressive modes)Symmetric key(main and aggressive modes)Public key encryption(main and aggressive)|Why public key encryption and public

14、key signatures?Always know your own private keyMay not(initially)know other sides public keySchool of computer,SCUEC17Lecture 11 Protocols and securityIKE Phase 1|Uses ephemeral Diffie-Hellman to establish session keyAchieves perfect forward secrecy(PFS)|Let a be Alices Diffie-Hellman exponent|Let b

15、 be Bobs Diffie-Hellman exponent|Let g be generator and p prime|Recall p and g are publicSchool of computer,SCUEC18Lecture 11 Protocols and securityIKE Phase 1:Digital Signature(Main Mode)|CP=crypto proposed,CS=crypto selected|IC=initiator“cookie”,RC=responder“cookie”|K=h(IC,RC,gab mod p,RA,RB)|SKEY

16、ID=h(RA,RB,gab mod p)|proofA=h(SKEYID,ga,gb,IC,RC,CP,“Alice”)AliceAliceBobIC,CPIC,RC,CSIC,RC,ga mod p,RAIC,RC,E(“Alice”,proofA,K)IC,RC,gb mod p,RBIC,RC,E(“Bob”,proofB,K)School of computer,SCUEC19Lecture 11 Protocols and securityIKE Phase 1:Public Key Signature(Aggressive Mode)|Main difference from m

17、ain modeNot trying to protect identitiesCannot negotiate g or pAliceBobIC,“Alice”,ga mod p,RA,CPIC,RC,“Bob”,RB,gb mod p,CS,proofBIC,RC,proofASchool of computer,SCUEC20Lecture 11 Protocols and securityMain vs Aggressive Modes|Main mode MUST be implemented|Aggressive mode SHOULD be implementedIn other

18、 words,if aggressive mode is not implemented,“you should feel guilty about it”|Might create interoperability issues|For public key signature authenticationPassive attacker knows identities of Alice and Bob in aggressive modeActive attacker can determine Alices and Bobs identity in main modeSchool of

19、 computer,SCUEC21Lecture 11 Protocols and securityIKE Phase 1:Symmetric Key(Main Mode)|Same as signature mode except KAB=symmetric key shared in advance K=h(IC,RC,gab mod p,RA,RB,KAB)SKEYID=h(K,gab mod p)proofA=h(SKEYID,ga,gb,IC,RC,CP,“Alice”)AliceBobIC,CPIC,RC,CSIC,RC,ga mod p,RAIC,RC,E(“Alice”,pro

20、ofA,K)IC,RC,gb mod p,RBIC,RC,E(“Bob”,proofB,K)School of computer,SCUEC22Lecture 11 Protocols and securityProblems with Symmetric Key(Main Mode)|Catch-22Alice sends her ID in message 5Alices ID encrypted with KTo find K Bob must know KABTo get KAB Bob must know hes talking to Alice!|Result:Alices ID

21、must be IP address!|Useless mode for the“road warrior”|Why go to all of the trouble of trying to hide identities in 6 message protocol?School of computer,SCUEC23Lecture 11 Protocols and securityIKE Phase 1:SymmetricKey(Aggressive Mode)|Same format as digital signature aggressive mode|Not trying to h

22、ide identities|As a result,does not have problems of main mode|But does not(pretend to)hide identitiesAliceBobIC,“Alice”,ga mod p,RA,CPIC,RC,“Bob”,RB,gb mod p,CS,proofBIC,RC,proofASchool of computer,SCUEC24Lecture 11 Protocols and securityIKE Phase 1:Public Key Encryption(Main mode)|CP=crypto propos

23、ed,CS=crypto selected|IC=initiator“cookie”,RC=responder“cookie”|K=h(IC,RC,gab mod p,RA,RB)|SKEYID=h(RA,RB,gab mod p)|proofA=h(SKEYID,ga,gb,IC,RC,CP,“Alice”)AliceBobIC,CPIC,RC,CSIC,RC,ga mod p,RABob,“Alice”BobIC,RC,E(proofA,K)IC,RC,gb mod p,RBAlice,“Bob”AliceIC,RC,E(proofB,K)School of computer,SCUEC2

24、5Lecture 11 Protocols and securityIKE Phase 1:Public Key Encryption(Aggressive Mode)|K,proofA,proofB computed as in main mode|Note that identities are hiddenThe only aggressive mode to hide identitiesThen why have main mode?AliceBobIC,CP,ga mod p,“Alice”Bob,RABobIC,RC,CS,gb mod p,“Bob”Alice,RBAlice,

25、proofBIC,RC,proofASchool of computer,SCUEC26Lecture 11 Protocols and securityPublic Key Encryption Issue?|Public key encryption,aggressive mode|Suppose Trudy generatesExponents a and bNonces RA and RB|Trudy can compute“valid”keys and proofs:gab mod p,K,SKEYID,proofA and proofB|Also true of main mode

26、School of computer,SCUEC27Lecture 11 Protocols and securityPublic Key Encryption Issue?Trudyas AliceTrudyas Bob|Trudy can create exchange that appears to be between Alice and Bob|Appears valid to any observer,including Alice and Bob!IC,RC,CS,gb mod p,“Bob”Alice,RBAlice,proofBIC,RC,proofAIC,CP,ga mod

27、 p,“Alice”Bob,RABobSchool of computer,SCUEC28Lecture 11 Protocols and securityPlausible Deniability|Trudy can create“conversation”that appears to be between Alice and Bob|Appears valid,even to Alice and Bob!|A security failure?|In this mode of IPSec,it is a featurePlausible deniability:Alice and Bob

28、 can deny that any conversation took place!|In some cases it might be a security failureIf Alice makes a purchase from Bob,she could later repudiate it(unless she had signed)School of computer,SCUEC29Lecture 11 Protocols and securityIKE Phase 1 Cookies|Cookies(or“anti-clogging tokens”)supposed to ma

29、ke denial of service more difficult|No relation to Web cookies|To reduce DoS,Bob wants to remain stateless as long as possible|But Bob must remember CP from message 1(required for proof of identity in message 6)|Bob must keep state from 1st message on!|These cookies offer little DoS protection!Schoo

30、l of computer,SCUEC30Lecture 11 Protocols and securityIKE Phase 1 Summary|Result of IKE phase 1 is Mutual authenticationShared symmetric keyIKE Security Association(SA)|But phase 1 is expensive(in public key and/or main mode cases)|Developers of IKE thought it would be used for lots of things not ju

31、st IPSec|Partly explains over-engineeringSchool of computer,SCUEC31Lecture 11 Protocols and securityIKE Phase 2|Phase 1 establishes IKE SA|Phase 2 establishes IPSec SA|Comparison to SSL SSL session is comparable to IKE Phase 1SSL connections are like IKE Phase 2|IKE could be used for lots of things|

32、But in practice,its not!School of computer,SCUEC32Lecture 11 Protocols and securityIKE Phase 2|Key K,IC,RC and SA known from Phase 1|Proposal CP includes ESP and/or AH|Hashes 1,2,3 depend on SKEYID,SA,RA and RB|Keys derived from KEYMAT=h(SKEYID,RA,RB,junk)|Recall SKEYID depends on phase 1 key method

33、|Optional PFS(ephemeral Diffie-Hellman exchange)AliceBobIC,RC,CP,E(hash1,SA,RA,K)IC,RC,CS,E(hash2,SA,RB,K)IC,RC,E(hash3,K)School of computer,SCUEC33Lecture 11 Protocols and securityIPSec|After IKE Phase 1,we have an IKE SA|After IKE Phase 2,we have an IPSec SA|Both sides have a shared symmetric key|

34、Now what?We want to protect IP datagrams|But what is an IP datagram?From the perspective of IPSecSchool of computer,SCUEC34Lecture 11 Protocols and securityIP Review|Where IP header is IP headerdata|IP datagram is of the form School of computer,SCUEC35Lecture 11 Protocols and securityIP and TCP|Cons

35、ider HTTP traffic(over TCP)|IP encapsulates TCP|TCP encapsulates HTTPIP headerTCP hdrHTTP hdrapp dataIP headerdata|IP data includes TCP header,etc.School of computer,SCUEC36Lecture 11 Protocols and securityIPSec Transport Mode|IPSec Transport ModeIP headerdataIP headerESP/AHdata|Transport mode desig

36、ned for host-to-host|Transport mode is efficientAdds minimal amount of extra header|The original header remainsPassive attacker can see who is talkingSchool of computer,SCUEC37Lecture 11 Protocols and securityIPSec Tunnel Mode|IPSec Tunnel ModeIP headerdatanew IP hdrESP/AHIP header data|Tunnel mode

37、for firewall to firewall traffic|Original IP packet encapsulated in IPSec|Original IP header not visible to attackerNew header from firewall to firewallAttacker does not know which hosts are talkingSchool of computer,SCUEC38Lecture 11 Protocols and securityComparison of IPSec Modes|Transport Mode|Tu

38、nnel ModeIP headerdataIP headerESP/AHdataIP headerdatanew IP hdrESP/AHIP header data|Transport ModeHost-to-host|Tunnel ModeFirewall-to-firewall|Transport mode not necessary|Transport mode is more efficientSchool of computer,SCUEC39Lecture 11 Protocols and securityCombining Security Associations|SAs

39、can implement either AH or ESP|to implement both need to combine SAsform a security association bundlemay terminate at different or same endpointscombined by transport adjacency iterated tunneling|issue of authentication&encryption order School of computer,SCUEC40Lecture 11 Protocols and securityIPS

40、ec ModesSchool of computer,SCUEC41Lecture 11 Protocols and securityTransport Mode vs.Tunnel Mode EncryptionSchool of computer,SCUEC42Lecture 11 Protocols and securityTransport Mode vs.Tunnel Mode EncryptionSchool of computer,SCUEC43Lecture 11 Protocols and securityCombining Security AssociationsScho

41、ol of computer,SCUEC44Lecture 11 Protocols and securityCombining Security AssociationsSchool of computer,SCUEC45Lecture 11 Protocols and securityCombining Security AssociationsSchool of computer,SCUEC46Lecture 11 Protocols and securityCombining Security AssociationsSchool of computer,SCUEC47Lecture

42、11 Protocols and securityIPSec Security|What kind of protection?Confidentiality?Integrity?Both?|What to protect?Data?Header?Both?|ESP/AH do some combinations of theseSchool of computer,SCUEC48Lecture 11 Protocols and securitySSL vs IPSec|IPSec discussed in next sectionLives at the network layer(part

43、 of the OS)Has encryption,integrity,authentication,etc.Is overly complex(including serious flaws)|SSL(and IEEE standard known as TLS)Lives at socket layer(part of user space)Has encryption,integrity,authentication,etc.Has a simpler specificationSchool of computer,SCUEC49Lecture 11 Protocols and secu

44、ritySSL vs IPSec|IPSec implementationRequires changes to OS,but no changes to applications|SSL implementationRequires changes to applications,but no changes to OS|SSL built into Web application early on(Netscape)|IPSec used in VPN applications(secure tunnel)|Reluctance to retrofit applications for S

45、SL|Reluctance to use IPSec due to complexity and interoperability issues|Result?Internet less secure than it should be!School of computer,SCUEC50Lecture 11 Protocols and securityKerberosSchool of computer,SCUEC51Lecture 11 Protocols and securityKerberos trusted key server system from MIT provides ce

46、ntralised symmetric encryption third-party authentication in a distributed networkl allows users access to services distributed through networkl without needing to trust all workstationsl rather all trust a central authentication server two versions in use:4&5School of computer,SCUEC52Lecture 11 Pro

47、tocols and securityKerberos Requirements its first report identified requirements as:l securel reliablel transparentl scalable implemented using an authentication protocol based on Needham-SchroederSchool of computer,SCUEC53Lecture 11 Protocols and securityMotivation for Kerberos|Authentication usin

48、g public keysN users N key pairs|Authentication using symmetric keysN users requires about N2 keys|Symmetric key case does not scale!|Kerberos based on symmetric keys but only requires N keys for N usersBut must rely on TTPAdvantage is that no PKI is requiredSchool of computer,SCUEC54Lecture 11 Prot

49、ocols and securityKerberos KDC|Kerberos Key Distribution Center or KDCActs as a TTPTTP must not be compromised!KDC shares symmetric key KA with Alice,key KB with Bob,key KC with Carol,etc.Master key KKDC known only to KDCKDC enables authentication and session keysKeys for confidentiality and integri

50、tyIn practice,the crypto algorithm used is DESSchool of computer,SCUEC55Lecture 11 Protocols and securityKerberos Tickets|KDC issues a ticket containing info needed to access a network resource|KDC also issues ticket-granting tickets or TGTs that are used to obtain tickets|Each TGT containsSession k