5 IPsec
Lesson 4: IPsec
Course 2022-2023
1. IPsec introduction:
  – Objectives & benefits.
  – IPsec Virtual Private Networks (VPNs).
  – IPsec Transport and Tunnel Modes.
  – IPsec Security Associations (SAs):
  – Security Association Database (SAD).
  – Security Policy Database (SPD).
  – IPsec framework.
2. IPsec Security Protocols:
  – Authentication Header (AH).
  – Encapsulating Security Payload (ESP).
3. Internet Key Exchange (IKE):
  – Phase I.
  – Phase II.
IPsec objectives (I)
Benefits of IPsec
• Anti-replay protection:
  – Acceptable sliding window of W packets, since IP is best effort (packets can be lost, duplicated or reordered).
• Key management:
  – Session negotiation and establishment.
  – Remote peer is authenticated through varying options.
  – Secret keys are securely exchanged.
  – Sessions are re-keyed or deleted automatically.
* Network-to-network authentication: you aren’t authenticating a particular user, but anyone that could be using that device.
IPsec in the TCP/IP stack
http://www.tcpipguide.com/free/t_IPsecModesTransportandTunnel.htm
IPsec VPNs
[Figure: IPsec VPN scenarios. Intranet, Remote User (client software) and Extranet (Business-to-Business VPN) reach the trusted network across the Internet (untrusted network).]
“Remote access” VPN model: Host-to-Gateway
[Figure: packet layout in each mode. Transport Mode: IP header, Data (optional encryption). Tunnel Mode: Outer IP header, Inner IP header, Data (optional encryption).]
Application of IPsec modes (I)
Host-to-Host (uncommon):
[Figure: Host to Host across the Internet (untrusted network).]
[Figure: IPsec Gateway between the Internet (untrusted network) and the trusted network.]
Security Association (SA)
IPsec Security Databases
Security Association Database (SAD)
– Parameters:
• Authentication algorithm and key.
• Encryption algorithm and key.
• Lifetime.
• Security protocol mode: Tunnel or Transport.
• Anti-replay service.
• Link with an associated policy in the SPD.
Security Policy Database (SPD)
[Figure: two devices connected across the Internet. Left device: Interface 1 = 1.1.1.1 (Intranet 1.1.1.0/24), Interface 2 = 2.2.2.2. Right device: Interface 1 = 3.3.3.3, Interface 2 = 1.2.1.1 (Intranet 1.2.1.0/24).]
Example of host Security Policy Database
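[Figure: packet with IP header and IPsec header. The destination IP address, security protocol (AH / ESP) and SPI are used for the lookup in the SAD and SPD.]
[Figure: packet with IP header and IPsec header. The policy selectors are used for the lookup in the SAD and SPD.]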
• IPsec is not a single protocol. Instead, IPsec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
Confidentiality
• IPsec ensures confidentiality by using encryption, which prevents third parties from
reading the data.
Key length:
- 56 bits
Key length:
- 56 bits (3 times)
Key lengths:
- 128 bits
- 192 bits
- 256 bits
Integrity
• IPsec ensures data integrity, avoiding tampering, by using HMACs (Hashed Message Authentication Codes).
Digest length:
- 128-bits
Digest length:
- 160-bits
Digest length:
- 256 bits
- 512 bits
HMAC for AH
Authentication
• IPsec ensures that the connection is made with the desired peer by using IKE, based on Pre-Shared Keys (PSKs) or digital certificates/public-key cryptography.
Pre-Shared Key (PSK)
• The authentication key and the identity information are hashed by the local device to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process is also applied in the opposite direction (hash_R).
Public Key Signatures
• The authentication key and identity information are hashed at the local device, forming hash_I, which is encrypted using the local device's private encryption key, creating a digital signature. The digital signature and the digital certificate with the associated public encryption key are forwarded to the remote device. The remote device verifies the digital signature by decrypting it using the public encryption key, so the result is hash_I.
• The remote device independently creates hash_I’ from stored information. If the calculated hash_I’ equals the decrypted hash_I, the local device is authenticated. Then, the authentication process begins in the opposite direction.
Secure Key Exchange
• Diffie-Hellman (DH) groups determine the strength of the key exchange process.
• Higher group numbers are more secure, but require more resources to compute the key.
Next Hdr is IP in Tunnel Mode, upper protocol (e.g. TCP, UDP, ICMP) in Transport Mode.
Notice: No IP value in the AH header (compatible with IPv4 & IPv6).
Authentication Header (AH)
[Figure: at the sender, IP Header + Data + Key go through the Hash (HMAC) to produce the Authentication Data (00ABCDEF), carried in the AH of the packet IP Hdr. | AH | Data. At the peer router, the recomputed hash (00ABCDEF) is compared with the received hash (00ABCDEF).]
2. The sender (R1) builds a new AH header that is inserted into the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload, and compares with the transmitted hash.
⁺ Include AH except Authentication data field (zeroed).
* Except mutable fields: ToS, Flags, Offset, TTL, Checksum. These fields are zeroed. Details in RFC 4302.
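The ICV computation and check from steps 2 to 4 and the two footnotes, as an added Python example that is not part of the original slides. The HMAC-SHA-256 output truncated to 128 bits, the key, SPI, addresses and payload are assumptions made for the illustration.

```python
import hashlib, hmac, struct

ICV_LEN = 16  # assumption: HMAC-SHA-256 output truncated to 128 bits

def zero_mutable(ip_hdr):
    """Zero the mutable IPv4 fields: ToS, Flags, Offset, TTL, Checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0               # ToS
    h[6:8] = b"\0\0"       # Flags + Fragment Offset
    h[8] = 0               # TTL
    h[10:12] = b"\0\0"     # Header checksum
    return bytes(h)

def compute_icv(key, ip_hdr, ah, data):
    """HMAC over IP header (mutable fields zeroed) + AH (ICV zeroed) + data."""
    msg = zero_mutable(ip_hdr) + ah[:12] + b"\0" * ICV_LEN + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]

def build_ah(key, ip_hdr, spi, seq, data, next_hdr=6):
    """Sender: Next Hdr, Payload Len, Reserved, SPI, Sequence Number, then ICV."""
    fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    return fixed + compute_icv(key, ip_hdr, fixed, data)

def verify(key, ip_hdr, ah, data):
    """Receiver: recompute the hash and compare it with the received one."""
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah, data), ah[12:])

def ipv4(src, dst, ttl, total_len):
    """Constructed 20-byte IPv4 header, protocol 51 (AH), checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, 51, 0,
                       bytes(src), bytes(dst))

KEY = b"constructed-demo-key"            # constructed; a real key comes from the SA
DATA = b"constructed transport payload"  # constructed
LEN = 20 + 12 + ICV_LEN + len(DATA)
SENT = ipv4([10, 0, 1, 3], [10, 0, 2, 3], 64, LEN)
AH = build_ah(KEY, SENT, spi=0x100, seq=1, data=DATA)

def demo():
    hop = ipv4([10, 0, 1, 3], [10, 0, 2, 3], 61, LEN)     # TTL changed in transit
    moved = ipv4([192, 0, 2, 9], [10, 0, 2, 3], 64, LEN)  # source address rewritten
    return verify(KEY, hop, AH, DATA), verify(KEY, moved, AH, DATA)

if __name__ == "__main__":
    print(demo())
```

The TTL change still verifies because TTL is zeroed before hashing, while the rewritten source address fails because immutable header fields are covered by the hash.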
IPsec Anti-Replay Window
[Figure: anti-replay window over the Sequence Number space.]
Fixed window size (default is W=64) employed by receiver.
N: Highest sequence number for a valid packet received so far.
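One way a receiver can implement the sliding window with W=64, written as an added example that is not from the original slides. The class and method names are hypothetical, the sequence numbers are constructed, and the check is assumed to run only after a packet's integrity check has passed.

```python
W = 64  # default window size from the slide

class ReplayWindow:
    def __init__(self, size=W):
        self.size = size
        self.top = 0     # N: highest sequence number of a valid packet so far
        self.bitmap = 0  # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Decide whether an already-authenticated packet is fresh."""
        if seq == 0:
            return "reject: zero"            # sequence numbers start at 1
        if seq > self.top:                   # right of the window: slide it
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept: new highest"
        offset = self.top - seq
        if offset >= self.size:              # left of the window
            return "reject: too old"
        if self.bitmap & (1 << offset):      # inside the window, seen before
            return "reject: replay"
        self.bitmap |= 1 << offset           # inside the window, first time
        return "accept: in window"

def run(seqs):
    """Feed a list of sequence numbers through one window."""
    win = ReplayWindow()
    return [win.check_and_update(s) for s in seqs]

if __name__ == "__main__":
    # Constructed arrival order: reordering, a duplicate, a jump, stale packets.
    for seq, verdict in zip([1, 3, 2, 3, 100, 37, 36, 100],
                            run([1, 3, 2, 3, 100, 37, 36, 100])):
        print(seq, verdict)
```

After sequence number 100 arrives the window covers 37 to 100, so 37 is still accepted once and 36 is rejected as too old.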
IPsec ESP format
• ESP: IPv4.Protocol = 50 or IPv6.Next Header = 50
[Figure: ESP packet format with ESP Hdr., ESP Trailer and ESP Auth.]
ICV applies to whole ESP header and encrypted payload (i.e., encrypt-then-MAC).
ESP Mode Types
Original data prior to selection of IPsec protocol mode:
IP Hdr. | Data
Transport Mode:
IP Hdr. | ESP Hdr. | Data | ESP Trailer | ESP Auth
[Figure: brackets mark the Encrypted and the Authenticated parts of the packet.]
Security is only provided for the transport layer and above, leaving the original IP header in clear-text and not authenticated.
ESP tunnel mode provides confidentiality and integrity protection for the complete original IP packet (inner IP packet). The outer IP header is in clear-text and not authenticated, as in ESP Transport Mode.
ESP operation in Tunnel Mode
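[Figure: two routers connected across the Internet; on each side the original packet is IP Hdr. | Data.]
Outer IP Hdr. | ESP Hdr. | IP Hdr. | Data | ESP Trailer | ESP Auth
[Figure: brackets mark the Encrypted and the Authenticated parts of the packet.]
• Provides confidentiality with encryption
• Provides integrity and authentication through hashing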
Internet Key Exchange (IKE)
• Bidirectional IPsec communication requires two SAs (one per direction) and usually four keys in total:
  – 2 SAs x (1 encryption key + 1 integrity key)/SA = 2 encryption keys + 2 integrity keys.
  – Plus the PSK or public-private key pairs/digital certificates for endpoint authentication.
• IPsec encryption/integrity key management can be either manual (i.e. OOB) or automated (i.e. IKE).
IPsec parameters configured using IKE
[Figure: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2.]
IKE Phase 1 Exchange – Main Mode
IKE Phase 1.1 – Exchange of IKE policies
[Figure: R1 (Host A, 10.0.1.3) and R2 (Host B, 10.0.2.3) negotiate IKE proposals.]
IKE Policy Sets:
Policy 10: DES, MD5, pre-share, DH1, lifetime
Policy 15: DES, MD5, pre-share, DH1, lifetime
Policy 20: 3DES, SHA, pre-share, DH1, lifetime
• Allows two parties, without prior knowledge, to jointly establish a shared secret key over an insecure communications channel:
  – Key can then be used to encrypt subsequent communications using a symmetric key cipher.
  – Does not authenticate peers (i.e. vulnerable to man-in-the-middle) by itself, but other mechanisms can be used to address this.
Diffie-Hellman illustrated
• Alice and Bob exchange their secret colors (representing numbers) via public transport only as a mix.
• Eve (attacker) is able to snoop all exchanged messages.
• Original version of D-H uses multiplicative group of integers modulo p.
Khan Academy - Diffie-Hellman Key Exchange: https://www.youtube.com/watch?v=YEBfamv-_do
Source: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Diffie-Hellman (DH) key exchange
How to establish a Diffie-Hellman Key?
Alice: secret value A (large random number). Bob: secret value B.
Alice computes $Y_A = g^A \bmod p$ and sends $Y_A$ to Bob.
Bob computes $Y_B = g^B \bmod p$ and sends $Y_B$ to Alice.
$K = (Y_B)^A \bmod p = (g^B)^A \bmod p = g^{AB} \bmod p = (g^A)^B \bmod p = (Y_A)^B \bmod p = K$
• Each peer deduces the same shared secret K, after exchanging some clear-text values.
• Based on the discrete logarithm problem: $Y = g^X \bmod p$; given $Y, g, p$ → $X$?
• g (generator) and p (prime modulus) are non-secret numbers pre-agreed upon.
• Some restrictions needed: g<p, A<p, B<p. In practice p should be huge!!!
• No one listening on the unsecure channel can compute K (a secret value is needed).
• $B = \mathrm{dlog}_{g,p}(Y_B)$ and from here $K = (Y_A)^B \bmod p$
• Through DH exchange, the master key K is set and is used to generate other session keys.
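The exchange above carried through with toy numbers, as an added example that is not part of the original slides: g=5, p=23 and the secrets A=4, B=3 are constructed values, and the function names are hypothetical. The exhaustive discrete-logarithm search only finishes because p is tiny, which is the reason p must be huge in practice.

```python
import secrets

def dh_public(g, p, secret):
    """Y = g^X mod p, the value sent in clear text."""
    return pow(g, secret, p)

def dh_shared(peer_public, secret, p):
    """K = (Y_peer)^X mod p, computed locally and never transmitted."""
    return pow(peer_public, secret, p)

def dlog_exhaustive(g, p, y):
    """Find X with g^X mod p == Y by trying every exponent.
    The loop length grows with p, so it is hopeless for a huge prime."""
    acc = 1
    for x in range(p):
        if acc == y:
            return x
        acc = acc * g % p
    raise ValueError("y is not a power of g modulo p")

def exchange(g, p):
    """One run with fresh random secrets; returns what each side ends up with."""
    a = secrets.randbelow(p - 2) + 1      # Alice's secret A, 1 <= A < p-1
    b = secrets.randbelow(p - 2) + 1      # Bob's secret B
    ya, yb = dh_public(g, p, a), dh_public(g, p, b)
    return dh_shared(yb, a, p), dh_shared(ya, b, p)

def demo():
    g, p = 5, 23                          # toy public parameters (constructed)
    A, B = 4, 3                           # constructed secrets
    ya, yb = dh_public(g, p, A), dh_public(g, p, B)
    k = dh_shared(yb, A, p)               # Alice's view of K
    assert k == dh_shared(ya, B, p)       # Bob derives the same K
    b_found = dlog_exhaustive(g, p, yb)   # B = dlog_{g,p}(Y_B), feasible only for toy p
    return ya, yb, k, dh_shared(ya, b_found, p)

if __name__ == "__main__":
    print(demo())
```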
Diffie-Hellman (DH) Exercise
• The device on the other end of the VPN tunnel (remote peer) must be
authenticated before communications path is considered secure.
[Figure: Authenticate Peer. Peer authentication across the Internet between the Remote Office and the Corporate Office (Server); addresses 10.0.1.3 and 10.0.2.3.]
IKE Phase 1 - Aggressive Mode Exchange
No DoS protection -> FW/GW
Does not have identity protection -> Cert.
Policy 10: DES, MD5, pre-share, DH1, lifetime
Policy 15: DES, MD5, pre-share, DH1, lifetime
1. Send IKE policy set, identity and R1’s DH key.
2. Confirm IKE policy set, calculate shared secret and send R2’s DH key, identity and auth. material.
3. Calculate shared secret, verify peer identity, and confirm with peer.
4. Authenticate peer and begin Phase 2.
IKE Phase 2 Exchange
IKE Phase 2
[Figure: Host A behind R1 and Host B behind R2.]
IPsec VPN Negotiation
[Figure: 10.0.1.3, R1, R2, 10.0.2.3.]