Securing real time communication
8. SSL/TLS
8.1 Overview
8.2 Design
8.3 Known attacks in v2
9. IPSec
9.1 Overview/comparison with SSL
9.2 Design
9.3 Remark/Limitations
9.4 Tunneling and VPN (Virtual Private Network)
9.5 VPN implementation
10. WEP/WPA
10.1 Overview
10.2 Flaw in WEP
10.3 State‐of‐the‐art attack
Chapters 16, 17, 18
A summary of IPSec:
http://www.unixwiz.net/techtips/iguide-ipsec.html
Quick overview:
http://en.wikipedia.org/wiki/Ipsec
9. IPSec
9.1 Overview/comparison with SSL
9.2 Design
9.3 Remark/Limitations
9.4 Tunneling and VPN (Virtual Private Network)
9.5 VPN implementation
9.1 Overview/comparison with SSL
IPSec - History
• In 1994 the Internet Architecture Board (IAB) prepared a report, RFC 1636, stating the general consensus that the Internet needed better security.
• The IAB included authentication, integrity checking and encryption in the next-generation IP, which is IPv6. The protocols that provide this security are called IP Security (IPSec). The security-related services can also be added one by one to the current IP: IPv6 must support all of them, while IPv4 may support some of them.
• The need for better security was “confirmed” in 1997, when the Computer Emergency Response Team (CERT) listed over 2500 reported incidents. The serious types of attack include IP spoofing and IP sniffing.
Related RFCs on IPSec are RFC 1825 to 1829, published in 1995.
Protecting the IP layer
[Diagram: a protocol stack with layers Applications; Transport (UDP, TCP); Network; Data link & Physical, between two LANs. SSL sits between the applications and the transport layer, IPsec protects the network layer, and WEP/WPA protect the data link & physical layer.]
SSL vs IPSec (page 403-406)
[Diagram: two protocol stacks (Applications; TCP/UDP; IP; Data link & physical). In the SSL stack, SSL sits between the applications and TCP/UDP. In the IPsec stack, the IP layer inside the OS is protected by IPsec.]
To introduce SSL:
• the OS need not be modified, but
• network applications have to be modified.
To introduce IPSec:
• the OS has to be modified, but
• network applications need not be modified.
Diagram reproduced from Figure 16.1 in Chapter 16, page 404
Writing an application using SSL (for example, setting up a typical client-server pair) is not straightforward.
Below are examples of SSL/TLS programming from a site with an SSL programming tutorial:
http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html
(Details not required. The example is just to illustrate that the program of a network application needs to be rewritten if secure sockets (SSL) are to be used.)
[Code listings from the tutorial omitted.]
• By following the layering strictly, applications can run on IPsec without modification. However, IPsec also provides other security features that involve the upper layer. In practice, to make full use of IPsec, applications are also modified.
Example: In the IP layer, the identities are IP addresses. Hence, an application that is switched to run on IPsec without modification can only authenticate IP addresses. To illustrate, consider the scenario where an application connects a user with account “alice@comp.nus.edu.sg” to a server “sun.comp.nus.edu.sg”. The application can only be sure, through IPsec, that the IP address of the user is authentic. There is no way for the server to verify that the IP address indeed belongs to “alice@comp.nus.edu.sg”. Furthermore, on the client side, the application can only authenticate the IP address and does not know whether the domain name “sun.comp.nus.edu.sg” has been resolved correctly. So, simply switching to IPsec does not improve security much.
Actually, IKE (the protocol in IPsec that is responsible for authentication) supports various types of identities, including domain names and account names. To make full use of this feature, the application also has to be modified.
Brief summary on the packet header
[Diagram: encapsulation. Application layer: data to be sent. Transport layer: TCP header (src port number, destination port number, sequence number, ...) followed by the data to be sent. Network layer: IP header (src IP address, destination IP address, IPID, time to live, ...) followed by the TCP header and data; the result is passed to the data link layer.]
Protection by IPsec
[Diagram: the TCP header and payload are encrypted for confidentiality; the MAC, sequence number and other additional info are included in the IP header.]
Confidentiality: the TCP header and the payload are encrypted.
Integrity: the MAC is computed over the TCP header, the payload and the “immutable” portion of the IP header.
Protocols
• IPsec consists of 3 protocols:
- Authentication Header (AH): provides integrity.
- Encapsulating Security Payload (ESP): provides confidentiality and (optional) integrity.
- Internet Key Exchange (IKE): authentication and key establishment.
• A Security Association (SA) is a piece of information indicating the parameters to be used between the sender and receiver.
Essentially, when two entities want to establish a secure connection, IKE is first carried out to authenticate each other and establish the SAs (Security Associations). From there onward, data are protected by either AH, ESP or both (ESP followed by AH).
IPSec - Tunnel & Transport Mode
AH & ESP are implemented by adding more information to the standard IP headers. The addition can be either AH, ESP, or both: ESP followed by AH.
• AH & ESP can operate in either
- Transport Mode: provides protection to the upper layers (transport & application).
- Tunnel Mode: provides protection to the entire IP packet (to be discussed later).
[Diagram: Transport Mode.
Original packet: IP header | TCP header | Payload.
After applying AH: IP header | AH header | TCP header | Payload. The AH header includes an authentication tag computed over the TCP header, the payload and the immutable portion of the IP header.
After applying ESP followed by AH: IP header | AH header | ESP header | TCP header | Payload | ESP auth (optional), with the TCP header and payload encrypted. The AH header includes an authentication tag computed over the ESP header, TCP header, payload, ESP auth and the immutable portion of the IP header.]
Security Associations
• An SA is a piece of information indicating the parameters to be used between the sender and receiver.
• It contains info like
- ESP information: the symmetric keys and the type of encryption algorithm.
- AH information: the type of authentication algorithm and the (symmetric) keys.
- Lifetime of the SA.
- Anti-replay window (described later).
• An SA is uniquely identified by
- Security Parameters Index: some number.
- IP destination address.
- Protocol identifier: indicates whether this is for AH or ESP.
• The SA is established during the 2nd phase of IKE.
AH
• The AH header includes (in 32-bit words):
- Security Parameters Index: identifies the SA.
- Sequence Number: prevents replay attacks.
- Authentication data (variable size): stores the MAC, which is calculated over
1. the entire data,
2. the IP header fields that do not change in transit (immutable) or are “predictable” when they reach the receiver, and
3. the AH header except the authentication data itself.
Sequence Number in SA
• The purpose of the Sequence Number is to prevent replay attacks.
• When sending packets, the Sequence Number always increases by 1 for each new packet.
• The receiver keeps a window (whose size is specified in the SA).
1. If a packet arrives and its sequence number is on the “left” of the window, reject it and raise an alarm.
2. If it is on the “right”, shift the window rightward.
[Diagram: sequence numbers 1 to 12 along a time axis, with the window covering a range of them; inside the window some packets have been received and some have not yet been received.]
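The receiver-side window check described above, as an added Python example (not from the slides or the textbook). The slides only state the left/right rule; tracking which numbers inside the window have already arrived with a bitmap is the standard IPsec implementation detail (RFC 4303, section 3.4.3) and is assumed here. The window size and the sequence numbers fed in are constructed. A sender-side counter is included as well, because a sender must not let the 32-bit number wrap: once it is exhausted a new SA has to be negotiated.

```python
class SenderCounter:
    """Sender side of one SA: the sequence number increases by 1 per packet."""

    MAX_SEQ = 0xFFFFFFFF  # 32-bit sequence number field in AH and ESP

    def __init__(self):
        self.seq = 0

    def can_send(self):
        return self.seq < self.MAX_SEQ

    def next(self):
        if not self.can_send():
            raise RuntimeError("sequence number exhausted: negotiate a new SA before sending")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side of one SA: sliding window of size W over sequence numbers.

    `last` is the highest sequence number accepted so far, and the window
    covers (last - W, last].  `seen` is a bitmap: bit i set means that
    sequence number (last - i) has already been accepted.
    """

    def __init__(self, window_size=64):
        self.w = window_size
        self.mask = (1 << window_size) - 1
        self.last = 0      # no packet accepted yet; numbers start at 1
        self.seen = 0

    def check(self, seq):
        """Return 'accept', 'replay' or 'too_old', updating state on accept."""
        if seq == 0:
            return "too_old"
        if seq > self.last:
            # On the "right" of the window: shift the window so `seq` is its new right edge.
            shift = seq - self.last
            if shift < self.w:
                self.seen = ((self.seen << shift) | 1) & self.mask
            else:
                self.seen = 1  # everything previously in the window has fallen off the left edge
            self.last = seq
            return "accept"
        diff = self.last - seq
        if diff >= self.w:
            return "too_old"   # on the "left" of the window: reject and raise an alarm
        if (self.seen >> diff) & 1:
            return "replay"    # inside the window but already received: a replay
        self.seen |= 1 << diff
        return "accept"


def process_stream(seqs, window_size):
    """Run a constructed sequence of arriving packets through one receiver window."""
    win = AntiReplayWindow(window_size)
    return [win.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: 2 arrives late but inside the window (accepted once,
    # replayed once), 6 arrives after the window has moved past it (too old).
    print(process_stream([1, 3, 2, 2, 10, 6, 7, 1], window_size=4))
```

A window of 4 is far too small for real traffic (implementations default to 64 or more, so that legitimate reordering is not rejected as “too old”); it is used here only to make the shifts visible.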
Immutable, predictable
• Certain fields in the IP header might be changed by the routers along the path from the source to the destination, for instance TTL. These are mutable information. They include:
TYPE OF SERVICE, FLAG, FRAGMENT OFFSET, TIME TO LIVE, HEADER CHECKSUM
• The immutable fields are those that should not be modified in transit. They include:
SOURCE ADDRESS, DESTINATION ADDRESS, PAYLOAD LENGTH.
Some fields, like payload length, might be modified along the way but will be restored to the original value when the packet reaches its destination. So they are considered immutable.
• AH does not protect the mutable fields.
• A complication is the “mutable but predictable” fields. See text 17.3.2 for details.
ESP
[Diagram: ESP format in 32-bit words. ESP header: Security Parameters Index, Sequence Number. Then the Encrypted Payload Data (variable) with padding, then the optional Authentication Data (variable).]
Authentication covers the ESP header and payload. In tunnel mode, it covers the original IP header.
IKEv2 (chapter 18)
• Consists of 2 phases.
• The first phase is essentially a variant of station-to-station Diffie-Hellman, for mutual authentication + key exchange. A key is established during this phase.
• Based on the key established in phase 1, multiple SAs between the two parties are established during phase 2. Subsequent protocols (not necessarily AH or ESP) will use the parameters agreed in the SA, including some new keys, to secure their communications.
A natural question to ask is: why not just combine the two phases? The textbook (pg 445-446) gives some discussion on this.
Phase 1
• There are two modes: Aggressive mode and Main mode.
Aggressive mode is more “efficient”: it uses 3 messages, while main mode uses 6 messages.
Main mode can hide the two endpoints’ identities and gives additional flexibility in the choice of crypto to be used. Under main mode, the two parties first use Diffie-Hellman to establish a key. Next, they use the established key to securely exchange their identities and proofs of identity.
Aggressive Mode (Page 447 protocol 18-2)
[Diagram: Alice and Bob exchange three messages.]
(1) Alice → Bob: g^a mod p, “I’m Alice”, crypto proposal
(2) Bob → Alice: g^b mod p, crypto choice, proof of I’m Bob
(3) Alice → Bob: proof of I’m Alice
Main Mode (Page 447 protocol 18-3)
[Diagram: Alice and Bob exchange six messages; after messages (3) and (4) both derive the key k = g^ab mod p.]
(1) Alice → Bob: crypto suites I support
(2) Bob → Alice: crypto suite I choose
(3) Alice → Bob: g^a mod p
(4) Bob → Alice: g^b mod p
(5) Alice → Bob: k { “I’m Alice”, proof of I’m Alice }
(6) Bob → Alice: k { “I’m Bob”, proof of I’m Bob }
• Messages (3), (4) are the Diffie-Hellman key exchange. The derived key is k = g^ab mod p.
• Messages (5), (6) are encrypted using k.
• The proofs in (5), (6) include the certificates of Alice and Bob (if PKC) and the integrity of the previous messages.
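The two phase-1 exchanges above, simulated in Python as an added example (not from the slides, the textbook or any IKE implementation). It keeps the message structure of protocols 18-2 and 18-3 and shows the property the slides contrast: in main mode the identity strings never appear on the wire in the clear, in aggressive mode they do. Everything cryptographic is a stand-in: the Diffie-Hellman group (p = 2^127 - 1, g = 5), the pre-shared-key authentication, the key derivation, the HMAC-based “proof” and the HMAC-keystream cipher used for messages (5) and (6) are all constructed for illustration and are not IKE transforms.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (CONSTRUCTED; real IKE uses RFC 3526 MODP or elliptic-curve groups).
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_keys(shared, psk):
    """Keys from k = g^ab mod p and the pre-shared key (toy KDF).
    One encryption key per direction so messages (5) and (6) never share a keystream."""
    k = shared.to_bytes(16, "big")
    kdf = lambda label: hmac.new(psk, k + label, hashlib.sha256).digest()
    return {"enc_ab": kdf(b"enc A->B"), "enc_ba": kdf(b"enc B->A"), "auth": kdf(b"auth")}


def toy_encrypt(key, data):
    """Toy stream cipher: XOR with HMAC-SHA256(key, counter) blocks. Decryption is the same call."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ s for d, s in zip(data[i:i + 32], ks))
    return bytes(out)


def proof(auth_key, identity, transcript):
    """'Proof of I'm X': MAC over the claimed identity and every earlier message,
    so it binds the identity to this exchange and to the PSK-derived key."""
    h = hmac.new(auth_key, identity, hashlib.sha256)
    for msg in transcript:
        h.update(msg)
    return h.digest()


def run_main_mode(psk, bob_psk=None, alice_id=b"I'm Alice", bob_id=b"I'm Bob"):
    """Six messages of main mode. `wire` is everything a passive observer sees."""
    bob_psk = bob_psk or psk
    wire = [b"suites:DES-MD5-PSK,AES128-SHA-PSK",        # (1) Alice: suites I support
            b"suite:AES128-SHA-PSK"]                     # (2) Bob: suite I choose
    a, ga = dh_keypair()
    wire.append(ga.to_bytes(16, "big"))                  # (3) g^a mod p
    b, gb = dh_keypair()
    wire.append(gb.to_bytes(16, "big"))                  # (4) g^b mod p
    ka = derive_keys(pow(gb, a, P), psk)                 # Alice's k = g^ab mod p
    kb = derive_keys(pow(ga, b, P), bob_psk)             # Bob's k (same value if PSKs match)
    # (5) Alice -> Bob, encrypted under k: identity plus proof over messages (1)-(4)
    msg5 = toy_encrypt(ka["enc_ab"], alice_id + b"|" + proof(ka["auth"], alice_id, wire[:4]))
    wire.append(msg5)
    ident_a, _, proof_a = toy_encrypt(kb["enc_ab"], msg5).partition(b"|")
    bob_ok = hmac.compare_digest(proof_a, proof(kb["auth"], ident_a, wire[:4]))
    # (6) Bob -> Alice (sent unconditionally here so the simulation shows both checks)
    msg6 = toy_encrypt(kb["enc_ba"], bob_id + b"|" + proof(kb["auth"], bob_id, wire[:5]))
    wire.append(msg6)
    ident_b, _, proof_b = toy_encrypt(ka["enc_ba"], msg6).partition(b"|")
    alice_ok = hmac.compare_digest(proof_b, proof(ka["auth"], ident_b, wire[:5]))
    return {"bob_accepts": bob_ok, "alice_accepts": alice_ok,
            "bob_sees": ident_a, "alice_sees": ident_b,
            "identities_in_clear": any(alice_id in m or bob_id in m for m in wire)}


def run_aggressive_mode(psk, alice_id=b"I'm Alice", bob_id=b"I'm Bob"):
    """Three messages: fewer round trips, but the identities travel before any key exists."""
    wire = []
    a, ga = dh_keypair()
    wire.append(ga.to_bytes(16, "big") + b"," + alice_id + b",suites:AES128-SHA-PSK")  # (1)
    b, gb = dh_keypair()
    kb = derive_keys(pow(ga, b, P), psk)
    wire.append(gb.to_bytes(16, "big") + b"," + bob_id + b",suite:AES128-SHA-PSK,"
                + proof(kb["auth"], bob_id, wire[:1]))                                # (2)
    ka = derive_keys(pow(gb, a, P), psk)
    alice_ok = hmac.compare_digest(wire[1][-32:], proof(ka["auth"], bob_id, wire[:1]))
    wire.append(proof(ka["auth"], alice_id, wire[:2]))                               # (3)
    bob_ok = hmac.compare_digest(wire[2], proof(kb["auth"], alice_id, wire[:2]))
    return {"bob_accepts": bob_ok, "alice_accepts": alice_ok,
            "identities_in_clear": any(alice_id in m or bob_id in m for m in wire)}


if __name__ == "__main__":
    print(run_main_mode(b"constructed-psk"))
    print(run_aggressive_mode(b"constructed-psk"))
```

Passing a different `bob_psk` makes both proofs fail, which is the check the “proof of I’m X” provides; the observer in main mode sees only the suite lists, two DH values and two ciphertexts.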
Phase 2
• omitted.
Remarks on crypto suites (chapter 18.5.5 page 451)
• In message (1), Alice indicates a list of crypto suites she can use. A crypto suite is a combination of parameters from these 4 types:
– encryption algorithm (e.g. DES, 3DES, AES)
– hash algorithm (e.g. MD5 or SHA)
– authentication method (e.g. whether pre-shared key or PKC)
– Diffie-Hellman parameters (e.g. the p and g)
• Alice has to list the combinations that she can use, not a list for each type. For example, Alice indicates
{ (DES, MD5, pre-shared key, p=xxx, g=xxx), (AES-128, MD5, RSA, ECC), .... }
So, if Alice is ok with all the combinations, she has to list them all, which is a very long list.
Summary
3 protocols: AH, ESP, IKE.
AH - the data are not encrypted. The data and the original IP header are “authenticated”, i.e. a MAC is computed and stored in the header.
ESP - the data are encrypted. The data + ESP header can be “authenticated”.
AH & ESP - the data are encrypted. The “encrypted data”, ESP header and original IP header are “authenticated”.
Can operate in Transport or Tunnel mode.
The SA keeps the negotiated parameters between sender/receiver.
IKE produces SAs.
AH, ESP use only symmetric keys.
IKE may involve public keys.
9.3 Remarks/Limitations
• NAT
• Firewall
• Difficult to implement.
NAT and AH (chapter 17.2.1, wiki)
• Network Address Translation. A NAT box translates and maps an entire address space, usually consisting of addresses in a private network, to a single IP address.
• It is a useful tool in many ways:
– Alleviating IPv4 address exhaustion (delaying the migration to IPv6).
– Enabling multiple hosts on a private network to access the Internet using a single public IP address.
– Hiding the address space of the private network from potential attackers.
• It has become an indispensable feature in many routers for home and small office.
• NAT breaks the end-to-end connectivity model and introduces many complications. Many higher-layer protocols and applications carry IP addresses in their data. For those protocols/applications to work properly, NAT has to translate the IP addresses that appear in the data!
• Question: what is a “NAT-friendly” application?
Effect of NAT on AH
• If the data are cryptographically protected, since the NAT box does not have the key, it is impossible for the NAT box to modify the protected data. If a packet is protected (encrypted) by ESP, the NAT box does not even know whether it is a UDP or TCP packet.
[Diagram: before NAT, the packet is IP header | TCP header, and the AH protects the src address, dest address, TCP header, etc. After NAT: ?]
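The AH protection described in the tunnel/transport-mode and “Immutable, predictable” slides, and its interaction with NAT, as an added Python example (not from the slides, the textbook or any IPsec stack). A gateway wraps a PC_A → PC_B packet in tunnel mode, prepends an AH whose MAC skips the mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum), and the receiving gateway verifies it. Two intermediaries are simulated: a router that decrements TTL, after which verification still passes, and a NAT box that rewrites the outer source address, after which it fails, consistent with the bullet above. Addresses, SPI and key are constructed; HMAC-SHA-256 truncated to 128 bits is the assumed integrity algorithm. The same gateway-to-gateway encapsulation is what the later Tunneling slides describe.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
IPIP_PROTO = 4       # AH "next header" for an IPv4 packet carried in tunnel mode
TCP_PROTO = 6
ICV_LEN = 16         # HMAC-SHA-256 truncated to 128 bits
AH_FIXED_LEN = 12    # next hdr(1) payload len(1) reserved(2) SPI(4) sequence number(4)


def ipv4_checksum(header):
    """One's-complement checksum; verifying a correct header yields 0."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options (DF flag set)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return refresh_checksum(hdr)


def refresh_checksum(hdr):
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def zero_mutable(ip_hdr):
    """Mutable fields the MAC must skip: TOS, flags/fragment offset, TTL, checksum.
    Addresses, total length, identification and protocol stay covered."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(key, ip_hdr, ah_no_icv, payload):
    """ICV over (IP header, mutable fields zeroed) || (AH, ICV field zeroed) || payload."""
    data = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def tunnel_ah_encapsulate(key, spi, seq, inner_pkt, gw_src, gw_dst):
    """Sending gateway: new outer IP header | AH | original packet (tunnel mode)."""
    ah_words = (AH_FIXED_LEN + ICV_LEN) // 4                  # AH length in 32-bit words
    ah_no_icv = struct.pack("!BBHII", IPIP_PROTO, ah_words - 2, 0, spi, seq)  # "payload len" = words - 2
    outer = build_ipv4(gw_src, gw_dst, AH_PROTO, AH_FIXED_LEN + ICV_LEN + len(inner_pkt))
    return outer + ah_no_icv + ah_icv(key, outer, ah_no_icv, inner_pkt) + inner_pkt


def ah_verify_and_decapsulate(key, pkt):
    """Receiving gateway: recompute the ICV; return the inner packet, or None if it fails."""
    outer, rest = pkt[:20], pkt[20:]
    if outer[9] != AH_PROTO:
        return None
    ah_no_icv = rest[:AH_FIXED_LEN]
    icv, inner = rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN], rest[AH_FIXED_LEN + ICV_LEN:]
    if not hmac.compare_digest(icv, ah_icv(key, outer, ah_no_icv, inner)):
        return None
    return inner


def router_hop(pkt):
    """A router on the path: decrement TTL and fix the checksum (mutable fields only)."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    return refresh_checksum(bytes(hdr)) + pkt[20:]


def nat_rewrite_src(pkt, new_src):
    """A NAT box: rewrite the outer source address, an immutable field under AH."""
    hdr = pkt[:12] + socket.inet_aton(new_src) + pkt[16:20]
    return refresh_checksum(hdr) + pkt[20:]


def demo():
    key = b"constructed AH key for the demo"               # constructed, not a real key
    inner = build_ipv4("10.0.1.5", "10.0.2.7", TCP_PROTO, 20) + bytes(20)  # PC_A -> PC_B, dummy TCP segment
    pkt = tunnel_ah_encapsulate(key, spi=0x1001, seq=1, inner_pkt=inner,
                                gw_src="203.0.113.1", gw_dst="198.51.100.1")
    return {
        "direct": ah_verify_and_decapsulate(key, pkt) == inner,
        "after_router": ah_verify_and_decapsulate(key, router_hop(pkt)) == inner,
        "after_nat": ah_verify_and_decapsulate(key, nat_rewrite_src(pkt, "203.0.113.99")) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The NAT box cannot recompute the ICV because it has no key, and the receiver has no way to tell a translated source address from a forged one, so the packet is dropped; this is why AH and NAT do not coexist without extra machinery.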
Effects on Firewall (chapter 17.2.2, pg 429)
• Some organizations and network administrators would like to inspect the packets passing via their gateways.
• IPsec provides “end-to-end” security and hides many useful fields that firewalls use, e.g. protocol type and port number.
• To be on the safe side, some firewall policies simply discard encrypted packets.
Question: If a student is establishing an https connection from a machine in the Programming Lab with internet-banking.dbs.com.sg, how much information can the SOC’s firewall/gateway potentially derive regarding this connection? For example, would the gateway be able to determine that this is https?
Implementation
• It is not easy to implement IPsec, as it involves significant modifications of the OS. It is also not easy to configure and deploy IPsec. Thus, it is expensive.
• Many hate IPsec and choose alternative VPN solutions.
http://www.sans.org/reading_room/whitepapers/vpns/openvpn_and_the_ssl_vpn_revolution_1459
http://www.openvpn.net/
Virtual Private Network (VPN)
• Private Network
A private network is one where a group of users acquires exclusive use of the network links. Outsiders can’t access the links due to physical protection, and thus can’t sniff or spoof packets. Assuming all users in the group are trusted, the private network is secure.
• Internet
A huge public network.
Tunneling
• Tunneling generally refers to the infrastructure that allows the following:
- PC_A wants to send a packet to PC_B.
- The src IP in the IP header is PC_A’s, and the dest IP is PC_B’s.
- The packet is first routed to the gateway Server A.
- Server A changes the IP header. The src becomes Server_A, the dest becomes Server_B. The original IP header together with the data are encrypted and become the “data” of this new packet.
- The packet transits through the Internet to Server_B.
- Server_B reconstructs the original packet.
[Diagram: two private LANs connected across the Internet. PC_1, PC_2, PC_3 and PC_A sit behind Server A; PC_4, PC_5, PC_6 and PC_B sit behind Server B. PC_A hands Server A a packet to be sent to PC_B; between Server A and Server B it travels as a packet with Server A as source and Server B as destination; Server B delivers the packet to PC_B. Additional security services are provided through encryption, MAC, etc. at Server A & Server B.]
Such infrastructure joins two private networks using a “tunnel” through the insecure public network. The tunnel is secured using cryptographic means. By linking them, the two private networks can be viewed as one whole Virtual Private Network (VPN).
9.5 VPN implementation
VPN using IPSec
• There are three main groups of VPN implementation:
– Based on IPsec
– OpenVPN
– SSL VPN (or web-based VPN)
• IPsec: As mentioned before, ESP and AH support two modes: Transport and Tunnel mode.
Transport Mode (AH) (Slide 42)
[Diagram: Alice and Bob communicate through gateways G1 and G2; the packet carries src ip, dest ip.]
• When G1 forwards data to G2, it will use IPsec tunnel mode. That is, G1 will add its header and encrypt the data using the key shared by G1 & G2.
• After Alice and Bob establish a connection, the data sent to Bob could already be encrypted using the key shared by Alice & Bob.
• Hence, there could be double encryption.
OpenVPN
• Free and open source VPN program, which uses many components of OpenSSL (an implementation of TLS/SSL). (However, OpenVPN is not an SSL VPN.)
• It can run over UDP (preferred) or TCP. It multiplexes all communications over a single TCP/UDP port: it puts everything that comes out of the IP layer together and sends it through a secure TCP/UDP port.
Without OpenVPN
[Diagram: sender and receiver stacks, each Application Data; TCP/UDP layer; IP layer; Data link & Physical layer, connected at the IP layer.]
With OpenVPN
[Diagram: sender stack. Application Data; TCP/UDP layer; IP layer; then protection by OpenVPN: the IP packet is encapsulated in a second TCP/UDP layer (UDP preferred), which goes down a second IP layer and the Data link & Physical layer. Encapsulating the IP protocol in the Transport layer (e.g. TCP or UDP).]
OpenVPN vs IPSec
• OpenVPN is less efficient but easier to configure and deploy.
• Only small modifications to the OS are required.
• OpenVPN is “NAT-friendly”.
Question: Suppose Alice and Bob are using OpenVPN, which tunnels their communication via TCP. Eve is able to sniff and spoof packets and knows which TCP connection OpenVPN is using. Can Eve close the TCP connection by sending a TCP close message? What about IPsec? Is this attack possible in IPsec?
SSL VPN
• VPN on top of SSL/TLS. That is, a secure TCP/UDP connection is first established using SSL. The application data are then tunneled via this connection.
• 3 tiers of applications can access the secure connection:
– Tier 1: Web-based and file-based resources. While the user is accessing a web-based application, all the HTML, JavaScript and Java are directed to the VPN gateway.
– Tier 2: Access to popular applications such as Microsoft Exchange. Traffic to these applications will be directed to the VPN gateway.
– Tier 3: Full network connectivity.
Advantages of SSL VPN
• For Tier 1 and 2, no modification of the OS is required. For Tier 1 access, only the web browser has to be modified.
• SSL/TLS are already supported in many systems.
• “NAT-friendly” and “firewall-friendly”.
• Tier 3 is not easy to achieve.
Question: (chapter 17.8 question 1 page 439)
Suppose Alice is sending packets to Bob using IPSec. Suppose Bob’s TCP acknowledgement gets lost, and Alice’s TCP, assuming the packet was lost, retransmits the packet. Will Bob’s IPsec implementation notice that the packet is a duplicate and discard it?
Question: (chapter 17.8 question 6 page 439)
Referring to the figure in Slide 42. Suppose Alice and Bob already have an IPsec SA between them and are using ESP. What would be the advantage/disadvantage of having G1, in the case where there’s already an ESP header, merely forwarding the packet to G2 without doing a second encryption?