IP Security

Web Security

A. Qayyum
M. A. Jinnah University, Islamabad

   
 IP Sec
● Internet standard for network layer security
● Components:
– an authentication protocol (Authentication
Header – AH)
– a combined encryption and authentication
protocol (Encapsulated Security Payload –
ESP)
– key management protocols (the default is
ISAKMP/Oakley)
● Many RFCs
● IPSec mandatory for IPv6, optional for IPv4
2
An IP Security Scenario

3
 IPSec Services
ESP
ESP
AH (encryption and 
(encryption only)
authentication)

integrity x x

data origin  x x
authentication

replay detection x x x

confidentiality x x

limited traffic flow x x
confidentiality

4
 Security Associations (SA)
● A one-way relationship between a sender
and a receiver system
● Used either for AH or for ESP but never
for both
● Uniquely identified by three parameters
– Security Parameters Index (SPI)
– IP destination address
– Security protocol identifier

5
 SA Parameters
● sequence number counter
– counts the packets sent using this SA
● sequence counter overflow flag
– indicates whether overflow of the sequence number counter should
prevent further transmission using this SA
● anti-replay window
– used to determine whether an inbound AH or ESP packet is a replay
● AH / ESP information
– algorithm, key, and related parameters
● lifetime
– a time interval or byte count after which this SA must be terminated
● protocol mode
– tunnel or transport mode
● path MTU
– any observed maximum transmission unit

6
 SA Selectors
● Security Policy Database (SPD)
– Each entry defines a subset of IP traffic and
points to the SAs to be applied to that traffic
– Subset of IP traffic is defined in terms of
selectors
● Outbound processing
– Compare the selector fields of the packet to
the values in the SPD
– Determine which SAs should be used for the
packet and their SPIs
– Do the required IPSec processing
7
 Modes of operation
● Transport mode
– Provides protection primarily for upper layer
protocols
– Protection is applied to the payload of the IP packet
– Usually used between end-systems
● Tunnel mode
– Provides protection to the entire IP packet
– Entire IP packet is considered as payload and
encapsulated in another IP packet (with potentially
different source and destination addresses)
– Usually used between security gateways (routers,
firewalls)

8
IPSec Authentication Header

9
Authentication Header – AH
● Next header
– type of header immediately following this header
(e.g., TCP, IP, etc.)
● Payload length
– length of AH (in 32 bit words) minus 2
– e.g., 4 if Authentication data is 3x32 bits long
● Security Parameters Index
– identifies the SA used to generate this header
● Sequence number
– sequence number of the packet
● Authentication data
– a (truncated) MAC (default length is 3x32 bits)

10
 Anti-Replay Service
● A replay attack is one in which an 
attacker obtains a copy of an 
authenticated packet and later transmits 
it to the intended destination
● The receipt of duplicate, authenticated IP 
packets may disrupt service in some way 
or may have some other undesired 
consequence
● The Sequence Number field is designed 
to thwart such attacks
11
 Replay Detection
● replay: the attacker obtains an authenticated packet and
later transmits (replays) it to the intended destination
● receiver has an anti-replay window of default size W = 64

12
 Outbound Processing
● Outbound Processing
– Security Association Lookup
– Sequence Number Generation
– Integrity Check Value Calculation
– Fragmentation

13
 MAC
● Implementations must support
– HMAC-MD5-96
– HMAC-SHA1-96
● MAC is calculated over
– IP header fields that do not change in transit
– AH header fields except Authentication data field
– entire upper layer protocol data
● Fields not covered by MAC are set to 0 for
calculation Header 
TTL checksum

0000
IP

0000...
AH

0000...
MAC Authentication data
payload

14
 AH – Inbound processing
● If there is more than one IPsec header /
extension present, the processing for
each one ignores (does not zero, does
not use) any IPsec headers applied
subsequent to the header being
processed
– Reassembly
– Security Association Lookup
– Sequence Number Verification
– Integrity Check Value Verification

15
 End to End versus End to
Intermediate Authentication

16
Scope of AH Authentication

17
Scope of AH Authentication

18
Encapsulating Security Payload
– ESP
● Security Parameters Index
– identifies the SA used to generate this encrypted
packet
● Sequence number
● Payload
– transport level segment (transport mode) or
encapsulated IP packet (tunnel mode)
● Padding
– variable length padding
● Pad length
● Next header
– identifies the type of data contained in the header
● Authentication data
– a (truncated) MAC computed over the ESP packet
(SPI ... Next Header)
19
IPSec ESP Format

20
Encryption and MAC algorithms
● Encryption
– Applied to the payload, padding, pad length,
and next header fields
– Implementations must support DES-CBC
– Other suggested algorithms: 3DES, RC5,
IDEA, 3IDEA, CAST, Blowfish
● MAC
– Computed over SPI, sequence number,
encrypted payload, padding, pad length, and
next header fields
● Unlike in AH, here the MAC does not cover the
preceding IP header
– Implementations must support HMAC-
MD5-96 and HMAC-SHA1-96 21
 Outbound Packet Processing
● In transport mode, sender encapsulates the upper
layer protocol information in ESP header/trailer,
and retains the specified IP header
● If there is more than one IPsec header/extension
required by security policy, the order of application
of security headers must be defined by security
policy
● Processing involves
– Security Association Lookup
– Packet Encryption
– Sequence Number Generation
– Integrity Check Value Calculation
– Fragmentation
22
 Inbound Packet Processing
● Involves
– Reassembly
– Security Association Lookup
– Sequence Number Verification
– Integrity Check Value Verification
– Packet Decryption

23
 What is a Tunnel?
● A tunnel identifies packets in a data
stream
– Identify by encapsulation (new header
possibly new trailer)
– Identify by labeling
● Entry into a tunnel gives the data stream
different characteristics
– E.g., Privacy, authentication, different
routing characteristics
– Security is not always the goal of the tunnel

24
Tunnel Protocols for all Levels
● Layer 2
– 802.1Q VLANs – labels ethernet frames for traffic
separation
– Proprietary link encryption
● Layer 3
– IPSec
– IPv6 in IPv4 – Carry IPv6 traffic over IPv4 networks
– Generic Routing Encapsulation (GRE)
– Multiprotocol Label Switching (MPLS) – uses labels to
implement circuit switching at layer 3
● Layer 4
– SSL/TLS
● Layer 7
– SMIME
– DNSSec

25
Transport Level Security vs Tunnel
Mode Security

26
Transport Level Security vs Tunnel
Mode Security

27
 ESP in Transport and Tunnel
Mode
original IPv4 packet
original TCP/UDP
data
IP header header

ESP in transport mode
original ESP TCP/UDP ESP ESP
data
IP header header header trailer MAC
encrypted
authenticated

ESP in tunnel mode
new ESP original TCP/UDP ESP ESP
data
IP header header IP header header trailer MAC
encrypted
authenticated
28
 Combining Security
Associations
 Basic ESP-AH combination
1. apply ESP in transport mode without authentication
2. apply AH in transport mode

original ESP TCP/UDP ESP

AH data
IP header header header trailer

authenticated except for mutable fields in the IP header

 Basic AH-ESP combination

1. apply AH in transport mode
2. apply ESP in tunnel mode without authentication

new ESP original TCP/UDP ESP

AH data
IP header header IP header header trailer

authenticated except for mutable fields in the inner IP header 29
 Combining SAs
Host-host Security

30
 Combining SAs
Gateway-gateway Security

31
 Combining SAs
Host-gateway Security

32
 Combining SAs
Host-gateway Security

33
 IPSec Challenges
● Scaling
– Numerous SAs eat up too much memory for
small routers
– Configurations in a hub and spoke network
grow n^2 in the number of spokes
● Dynamic Multipoint VPN (DMVPN)
● Performance
– Even symmetric encryption can be too much
for high bandwidth environments
● Symmetry
– Both sides must have a means to prove
identity to each other
● Implies the need for a PKI or other broad identity
proof mechanism 34
 Key Management
● Two types must be supported by implementations
– manual
● system admin configures system with necessary keys
– automated
● on-demand creation of keys for SAs
● Default automated method is ISAKMP / Oakley
– Oakley key determination protocol
● a key exchange protocol based on Diffie-Hellman
● provides added security (e.g., authentication)
– ISAKMP – Internet Security Association and Key
Management Protocol
● provides a framework for key exchange
● defines message formats that can carry the messages
of various key exchange protocols 35
 NAT Transparent IPSec
● Initially IPSec could not handle address
translation in the middle
– RFC 3715 describes the problems
– AH includes the addresses in the outer IP header
in its authentication calculation
– Changes to the IP addresses affect the TCP/UDP
checksums, which are encrypted in ESP
– Addresses and ports encrypted or authenticated
– For remote users this was a big use case
● Introduced NAT-traversal extensions RFC 3947
● Detect NAT during IKE
– Move from standard IKE port on 500 to negotiate
on port 4500
– Encapsulate the IPSec traffic using UDP to
preserve the original headers from NAT 36
Scope for ESP Encryption and
Authentication

37
Scope for ESP Encryption and
Authentication

38
 Web Security

   
 Web Security
● Web now widely used by business,
government, individuals
● But Internet & Web are vulnerable
● Have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
● Need added security mechanisms

  40
 Relative Location of Security
Facilities in TCP/IP Stack

  41
 What are SSL and TLS?
● SSL – Secure Socket Layer
● TLS – Transport Layer Security
● Both provide a secure transport connection
between applications
– e.g., a web server and a browser
● SSL was developed by Netscape
● SSL v3.0 was specified in an Internet Draft
● Evolved into TLS specified in RFC 2246
● TLS can be viewed as SSL v3.1
  42
 SSL Architecture
SSL SSL Change SSL
applications
Handshake Cipher Spec  Alert
(e.g., HTTP)
 Protocol Protocol  Protocol

SSL Record Protocol

TCP

IP

  43
 Encryption-
Supported Algorithms
● Block ciphers (in CBC mode)
– RC2_40
– DES_40
– DES_56
– 3DES_168
– IDEA_128
– FORTEZZA_80
● Stream ciphers
– RC4_40
– RC4_128

  44
 SSL Components
● SSL Record Protocol
– fragmentation
– compression
– message authentication and integrity
protection
– Encryption
● The SSL Record Layer receives
uninterrupted data from higher layers in
non-empty blocks of arbitrary size

  45
 SSL Components
● SSL Handshake Protocol
– negotiation of security algorithms and parameters
– key exchange
– server authentication and optionally client
authentication
● SSL Alert Protocol
– error messages (fatal alerts and warnings)
● SSL Change Cipher Spec Protocol
– a single message that indicates the end of the SSL
handshake

  46
 SSL Sessions

● An association between a client and a

server
● Sessions are stateful; the session state
includes security algorithms and
parameters
● Session may include multiple secure
connections between the same client and
server

  47
 SSL Connections
● Connections of the same session share
the session state
● Sessions are used to avoid expensive
negotiation of new security parameters for
each connection
● There may be multiple simultaneous
sessions between the same two parties,
but this feature is not used in practice

  48
 Session and Connection States
- Session State
● Session identifier
– arbitrary byte sequence chosen by the server
● Peer certificate
– X.509 certificate of the peer (may be null)
● Compression method
● Cipher spec
– Data encryption algo (null, 3DES, …), MAC algo
(MD5, SHA-1), cryptographic attributes (hash size)
● Master secret
– Shared between the client and the server
● Is resumeable
– a flag indicating whether the session can be used to
  initiate new connections 49
 Connection States
● Server and client random
– random byte sequences chosen by server and the client
● Server write MAC secret
– secret key used in MAC operations on data sent by server
● Client write MAC secret
– secret key used in MAC operations on data sent by client
● Server write key
– secret encryption key for data encrypted by the server
● Client write key
– secret encryption key for data encrypted by the client
● Initialization vectors
– IV is maintained for each encryption key (for CBC mode)
● Sending and receiving sequence numbers
– reset to zero after each Change Cipher Spec message
  50
 State Changes
● Operating state
– currently used state
● Pending state
– state to be used
– built using the current state
● Operating state  Pending state
– at the transmission and reception of a Change Cipher Spec
message
party A party B
(client or server) (server or client)

the sending part of the
pending state is copied
 into the sending part Chang
e Ciph
of the operating state er Spe the receiving part of the
c
pending state is copied
 into the receiving part
of the operating state

  51
 SSL Record Protocol – Processing
Overview
application data

fragmentation

SSLPlaintext

compression

SSLCompressed

msg authentication and 
encryption (with padding if necessary)
SSLCiphertext
type version length MAC padding

  52
 Header
● Type
– higher level protocol used to process the enclosed fragment
– possible types:
● change_cipher_spec
● alert
● handshake
● application_data
● Version
– SSL version, currently 3.0
● Length
– length of the enclosed fragment or compressed fragment
– max value is 214 + 2048

  53
 SSL Record Format

  54
 SSL Record Protocol Payload

  55
 SSL Alert Protocol
● Each alert message consists of 2 fields
(bytes)
● First field (byte): “warning” or “fatal”
● Second field (byte):
– fatal
● unexpected_message
● bad_record_MAC
● decompression_failure
● handshake_failure
● illegal_parameter

  56
 SSL Alert Protocol
● Warning
– close_notify
– no_certificate
– bad_certificate
– unsupported_certificate
– certificate_revoked
– certificate_expired
– certificate_unknown
● In case of a fatal alert
– connection is terminated
– session ID is invalidated  no new connection can
be established within this session

  57
SSL Handshake Protocol – overview
client server
client_hello Phase 1: Negotiation of the session ID, key exchange
server_hello algorithm, MAC algorithm, encryption algorithm, and 
exchange of initial random numbers

certificate
Phase 2: Server may send its certificate and key
server_key_exchange
exchange message, and it may request the client
certificate_request to send a certificate. Server signals end of hello
phase.
server_hello_done

certificate
Phase 3: Client sends certificate if requested and may
client_key_exchange send an explicit certificate verification message. 
certificate_verify Client always sends its key exchange message.

change_cipher_spec

finished
Phase 4: Change cipher spec and finish handshake
change_cipher_spec

finished

  58
  59
 Hello Messages-
Client
● client_hello
– client_version
● the highest version supported by the client
– client_random
● current time (4 bytes) + pseudo random bytes (28 bytes)
– session_id
● empty if the client wants to create a new session, or
● the session ID of an old session within which the client
wants to create the new connection

  60
 Client Messages
● cipher_suites
– list of cryptographic options supported by the client
ordered by preference
– a cipher suite contains the specification of the
● key exchange method, the encryption and the MAC
algorithm
● the algorithms implicitly specify the hash_size, IV_size, and
key_material parameters (part of the Cipher Spec of the
session state)
– exmaple: SSL_RSA_with_3DES_EDE_CBC_SHA
● compression_methods
– list of compression methods supported by the client

  61
 Hello Messages
Server
● server_hello
– server_version
● min( highest version supported by client, highest version
supported by server )
– server_random
● current time + random bytes
● random bytes must be independent of the client random

  62
 Server Messages
● session_id
– session ID chosen by the server
– if the client wanted to resume an old session:
● server checks if the session is resumable
● if so, it responds with the session ID and the parties proceed to
the finished messages
– if the client wanted a new session
● server generates a new session ID
● cipher_suite
– single cipher suite selected by the server from the list given by
the client
● compression_method
– single compression method selected by the server

  63
 Certificate request and server
hello done msgs
● certificate_request
– sent if the client needs to authenticate itself
– specifies which type of certificate is
requested (rsa_sign, dss_sign, rsa_fixed_dh,
dss_fixed_dh, …)

  64
 server_hello_done
● Sent to indicate that the server is finished its
part of the key exchange
● After sending this message the server waits for
client response
● The client should verify that the server provided
a valid certificate and the server parameters are
acceptable

  65
 Finished messages
● finished
– sent immediately after the
change_cipher_spec message
– first message that uses the newly negotiated
algorithms, keys, IVs, etc.
– used to verify that the key exchange and
authentication was successful

  66
 TLS vs. SSL
● Version number
– for TLS the current version number is 3.1
● MAC
– TLS uses HMAC
– the MAC covers the version field of the
record header too
● More alert codes
● Cipher suites
– TLS doesn’t support Fortezza key exchange
and Fortezza encryption
  67
 TLS vs. SSL
● certificate_verify message
– the hash is computed only over the
handshake messages
– in SSL the hash contained the master_secret
and pads
● Padding before block cipher encryption
– variable length padding is allowed (max 255
padding bytes)

  68
 Thank You
Questions ...