Stanford CS 144 - Lecture Notes

This preview shows page 1-2-3 out of 8 pages.


IPSec, TLS, and DNSSEC

Three Major Secure Protocols
• Last lecture presented mechanisms
• This lecture presents 3 examples of their use
  - Layer 3: IPSec
  - Layer 4: TLS
  - Layer 7: DNSSEC

IPSec Overview
• Layer 3: between hosts, covers both IPv4 and IPv6 [RFC 4301]
• AH: IP Authentication Header (MAY, [RFC 4302])
• ESP: Encapsulating Security Payload (MUST, [RFC 4303])
• Very comprehensive: this lecture will only cover some of the basics (no multicast, combined ESP+AH, IPv6, etc.)

IPSec Operation [RFC 4301]
• Hosts can use IPSec directly (“transport mode”)
• Security gateways can tunnel traffic through IPSec (“tunnel mode”)
• Security Associations (SAs) specify security services for traffic in a half-duplex “connection”
  - Bi-directional traffic requires two SAs
  - Security Parameters Index (SPI) field specifies SA in unicast traffic
• Security Association Database (SAD) maintained at each endpoint
  - Packets processed based on SA, src/dest IP address
  - SAD managed “semi-manually”

Transport Mode vs. Tunneling Mode
• Transport mode operates directly on top of IP
  - Next header is TCP, UDP, etc.
  - IPSec header interposes between IP and transport header
• Tunneling mode encapsulates entire IP packet
  - Next header is IP
  - Separate source, destination addresses

Encapsulating Security Payload [RFC 4303]
[Figure: IPsec ESP packet layout. IP header fields: v, pktlen, prot=51, checksum, src IP address, dest IP address. ESP fields: Security Parameter Index, Sequence Number, Payload, Padding, plen, nhdr, integrity tag. Regions labelled: MACed data, Encrypted data.]
• Provides confidentiality, integrity, or both
• Next header field specifies payload

Transport vs. Tunneling
[Figure: ESP packet layouts for the two modes. Tunneling mode (IPv4, TCP): nhdr=4. Transport mode (TCP): nhdr=6. Fields shown: dest IP address, Security Parameter Index, Sequence Number, Payload, Padding, plen, nhdr, integrity tag; an IP header (v, pktlen, prot=6, checksum, src IP address, dest IP address); a TCP header (src port, dest port, Sequence Number, Acknowledgment Number, rest of TCP header, payload).]

ESP Algorithm Support Complications
• Some algorithms require an initialization vector (IV), e.g. CBC
• Some algorithms integrate confidentiality and integrity (“combined mode algorithms”)
  - If confidentiality is required for integrity, need to repeat SPI and sequence number
• Algorithm can specify payload substructure (append/prepend data)

ESP details
• Must avoid replays
  - Keep counter for 64-bit sequence number
  - Receiver must accept some packets out of order (e.g., up to 32)
  - Only low 32 bits of sequence number in actual packet (would be bad if you lost 4 billion packets)
• Support for traffic flow confidentiality (TFC)
  - Can pad packets to fixed length
  - Can send dummy packets
• Support for encryption without MAC... Bummer!
  - Rationale: App might be SSL, which has MAC-only mode
  - But then attacker can mess with destination address!

Security Gateways
[Figure: labels Host A, Protected Network, Secure Gateway, Unprotected Network, Secure Gateway, Protected Network, Host B.]

IPSec Complication: NAT
• Transport mode can encrypt transport header, integrity covers transport header
• NAT needs to rewrite transport header!
• NAT-T [RFC 3948], tunnel IPSec in UDP

Internet Key Exchange (IKEv2, [RFC 4306])
• Can establish SAs for IPSec
• UDP port 500, designed to work over NATs
• All messages are request/response exchanges, use Diffie-Hellman
  - Alice and Bob have secrets $a$, $b$, public values $g$, $p$
  - Alice computes $A = g^a \bmod p$, Bob $B = g^b \bmod p$
  - Exchange $A$ and $B$, Alice computes $s = B^a \bmod p$, Bob $s = A^b \bmod p$
  - Both $s$ are $g^{ab} \bmod p$: shared secret

IKEv2 Exchanges
• IKE_SA_INIT: negotiate crypto algorithms, establish a shared secret
• IKE_AUTH: authenticate INIT messages, exchange certificates, establish first SA
• CREATE_CHILD_SA: create a new SA, renegotiate keys for an SA
• INFORMATIONAL: Notification, Delete, and Configuration

IPSec Overview
• Layer 3 security, transport and tunneling mode
• Tunneling mode supports security gateways
• Transport mode has trouble with NATs
• Security specified by SPI, SAs established manually or through IKE

TLS/SSL

SSL/TLS [RFC 5246] Overview
• SSL offers security for HTTP protocol
  - That’s what the padlock means in your web browser
• Authentication of server to client
• Optional authentication of client to server
  - Incompatibly implemented in different browsers
  - CA infrastructure not in widespread use
• Confidentiality of communications
• Integrity protection of communications

Purpose in more detail
• Authentication based on certification authorities (CAs)
  - Certifies who belongs to a public key (domain name and real name of company)
  - Example: Verisign
• What SSL Does Not Address
  - Privacy
  - Traffic analysis
  - Trust management

Ciphersuites: Negotiating ciphers
• Server authentication algorithm (RSA, DSS)
• Key exchange algorithm (RSA, DHE)
• Symmetric cipher for confidentiality (RC4, DES, AES)
• MAC (HMAC-MD5, HMAC-SHA)

Overview of SSL Handshake
[Figure: handshake between Client and Server. Messages shown: Supported ciphers, client random; Chosen cipher, server random, certificate; Encrypted pre-master secret; Compute keys (on both sides); MAC of handshake messages (twice). From “SSL and TLS” by Eric Rescorla.]

SSL Handshake
• Client and server negotiate on cipher selection
• Cooperatively establish session keys
• Use session keys for secure communication
• Details
  - Multiple messages per stage
  - Get an idea of protocol in action: openssl s_client -connect www.paypal.com:443

Client Authentication Handshake
• Server requests that client send its certificate
• Client signs a signed digest of the handshake messages

SSL Client Certificate
[Figure: handshake between Client and Server with client authentication. Messages shown: Supported ciphers, client random; Chosen cipher, server random, certificate; certificate request; certificate, cert verify; Encrypted pre-master secret; Compute keys (on both sides); MAC of handshake messages (twice). From “SSL and TLS” by Eric Rescorla.]

Establishing a Session Key
• Server and client both contribute randomness.
• Client sends server a “pre-master secret” encrypted with server’s public key
• Use randomness and pre-master secret to create session keys:
  - Client MAC
  - Server MAC
  - Client Write
  - Server Write
  - Client IV
  - Server IV

Establishing a Session Key
[Figure: key derivation. Labels: Client random, Server random, Pre-master secret, Master secret, Key block, Client MAC key, Server MAC key, Client write key, Server write key, Client IV, Server IV. From “SSL and TLS” by Eric Rescorla.]

Session Resumption
• Problem:
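Added example (not part of the lecture notes) for the "ESP details" slide above: a receiver that rebuilds the 64-bit sequence number from the 32 bits in the packet and enforces a 32-packet anti-replay window, following the approach in RFC 4303 Appendix A. The names `icv`, `send`, `Receiver` and `run`, the HMAC-SHA-256 tag truncated to 16 bytes, and the key and payload are assumptions made for the illustration.

```python
import hashlib, hmac, struct

MOD = 1 << 32   # only the low 32 bits of the sequence number are on the wire

def icv(key, seq64, payload):
    # The high 32 bits are never sent; they enter only the integrity tag.
    seqh, seql = divmod(seq64, MOD)
    msg = struct.pack("!I", seql) + payload + struct.pack("!I", seqh)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def send(key, seq64, payload):
    """Sender: what travels in the packet (low bits, payload, tag)."""
    return seq64 % MOD, payload, icv(key, seq64, payload)

class Receiver:
    def __init__(self, key, window=32):
        self.key, self.w = key, window
        self.top = 0     # highest authenticated 64-bit sequence number
        self.seen = 0    # bit i set => sequence number (top - i) accepted

    def infer(self, seql):
        """Rebuild the 64-bit number from the 32 bits received."""
        tl, th = self.top % MOD, self.top // MOD
        bl = (tl - self.w + 1) % MOD       # low bits of the window bottom
        if tl >= self.w - 1:               # window inside one 2^32 block
            seqh = th if seql >= bl else th + 1
        else:                              # window straddles a wrap
            seqh = th - 1 if seql >= bl else th
        return seqh * MOD + seql

    def accept(self, seql, payload, tag):
        seq = self.infer(seql)
        behind = self.top - seq
        if seq < 1 or (behind >= 0 and (self.seen >> behind) & 1):
            return False                   # invalid, or replay in window
        if not hmac.compare_digest(tag, icv(self.key, seq, payload)):
            return False                   # stale high bits fail here
        if behind >= 0:
            self.seen |= 1 << behind       # late but inside the window
        else:                              # new highest: slide the window
            old = self.seen << -behind if -behind < self.w else 0
            self.seen = (old | 1) & ((1 << self.w) - 1)
            self.top = seq
        return True

def run(key, seqs):
    rx = Receiver(key)
    return [rx.accept(*send(key, s, b"constructed payload")) for s in seqs]
```

A packet from below the window is read as belonging to the next 2^32 block, so its tag no longer verifies and the receiver state is left unchanged.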
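Added example (not part of the lecture notes) for the "Establishing a Session Key" slides above: deriving the master secret and the six session keys from the pre-master secret and the two randoms with the TLS 1.2 PRF of RFC 5246 (P_SHA256). The function names, the key lengths (20/16/16 bytes) and the input values are assumptions chosen for illustration.

```python
import hashlib, hmac

def prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                       # A(0) = label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()      # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(pre_master, client_random, server_random,
                mac_len=20, key_len=16, iv_len=16):
    # Both sides contribute randomness to the 48-byte master secret.
    master = prf(pre_master, b"master secret",
                 client_random + server_random, 48)
    # Key expansion uses the randoms in the opposite order.
    block = prf(master, b"key expansion",
                server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_write", "server_write",
             "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {"master": master}, 0
    for name, size in zip(names, sizes):     # slice the key block in order
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def demo():
    # Constructed inputs: with RSA key exchange the pre-master secret is
    # 2 version bytes plus 46 random bytes; each random is 32 bytes.
    pre_master = b"\x03\x03" + bytes(range(46))
    client_random = bytes([0xC1]) * 32
    server_random = bytes([0x5E]) * 32
    return derive_keys(pre_master, client_random, server_random)
```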

