Professional Documents
Culture Documents
4seguridad 2022
4seguridad 2022
4seguridad 2022
Network Security
security in practice:
firewalls and intrusion detection systems
security in application, transport, network, link
layers
3
Chapter 8 roadmap
4
What is network security?
Confidentiality: only sender, intended receiver
should “understand” message contents
sender encrypts message
receiver decrypts message
Authentication: sender, receiver want to confirm
identity of each other
Message integrity: sender, receiver want to ensure
message not altered (in transit, or afterwards)
without detection
Access and availability: services must be accessible
and available to users
5
Friends and enemies: Alice, Bob, Trudy
well-known in network security world
Bob, Alice (lovers!) want to communicate “securely”
Trudy (intruder) may intercept, delete, add messages
Alice Bob
channel data, control
messages
Trudy
6
Who might Bob, Alice be?
… well, real-life Bobs and Alices!
Web browser/server for electronic
transactions (e.g., on-line purchases)
on-line banking client/server
DNS servers
routers exchanging routing table updates
other examples?
7
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: A lot! See section 1.6
eavesdrop: intercept messages
actively insert messages into connection
impersonation: can fake (spoof) source address
in packet (or any field in packet)
hijacking: “take over” ongoing connection by
removing sender or receiver, inserting himself
in place
denial of service: prevent service from being
used by others (e.g., by overloading resources)
8
Chapter 8 roadmap
9
The language of cryptography
Alice’s Bob’s
K encryption K decryption
A
key B key
m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
10
Simple encryption schemes
transposition or permutation cipher: the order of the
characters in the plaintext is altered
E.g.: Plaintext: bob i love you a lice
Ciphertext: ibob evol auoy ecil
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
13
Polyalphabetic encryption
Example: Vigenère
cipher
Key is a phrase, Mi
is the alphabet
shifted, being the
first letter each
one of the phrase.
I LOVE YOU with
key CYPHER is
K JECI PQS
14
Breaking an encryption scheme
Cipher-text only Known-plaintext attack:
attack: Trudy has Trudy has some
ciphertext that she plaintext corresponding
can analyze to some ciphertext
Two approaches: eg, in monoalphabetic
cipher, trudy determines
Search through all
pairings for a,l,i,c,e,b,o,
keys: must be able to
differentiate resulting Chosen-plaintext attack:
plaintext from Trudy can get the
gibberish cyphertext for some
Statistical analysis chosen plaintext
pangram
• the quick brown fox jumps
over the lazy dog
15
Types of Cryptography
Crypto often uses keys:
Algorithm is known to everyone
Only “keys” are secret
Public key cryptography
Involves the use of two keys
Symmetric key cryptography
Involves the use one key
Hash functions
Involves the use of no keys
Nothing secret: How can this be useful?
16
Symmetric key cryptography
KS KS
17
Two types of symmetric ciphers
Stream ciphers
encrypt one bit at time
Block ciphers
Break plaintext message in equal-size blocks of
n bits
Encrypt each n-bit block as a unit
18
Stream Ciphers
pseudo random
keystream
key generator keystream
19
RC4 Stream Cipher
RC4 was a popular stream cipher
Extensively analyzed and considered formerly
good
Key can be from 5 to 256 bytes
Used in WEP for 802.11
Could be used in SSL
20
Block ciphers
Message to be encrypted is processed in
blocks of i bits (e.g., 64-bit blocks).
1-to-1 mapping is used to map k-bit block of
plaintext to i-bit block of ciphertext
Example with i=3:
input output input output
000 110 100 011
001 111 101 010
010 101 110 000
011 100 111 001
What is the ciphertext for 010110001111 ?
21
Block ciphers
How many possible mappings are there for
i=3?
How many 3-bit inputs?
• 8 (from 000 to 111)
How many permutations of the 3-bit inputs?
• 40,320 ; not very many!
In general, 2i! mappings; huge for i=64
Problem:
Table approach requires table with 264 entries,
each entry with 64 bits, for each key
Table too big: instead use function that
simulates a randomly permuted table
22
From Kaufman
Prototype function et al
64-bit input
S1 S2 S3 S4 S5 S6 S7 S8
8-bit to
64-bit intermediate 8-bit
mapping
Loop for
n rounds 64-bit output
23
Why rounds in prototpe?
If only a single round, then one bit of input
affects at most 8 bits of output.
In 2nd round, the 8 affected bits get
scattered and inputted into multiple
substitution boxes.
How many rounds?
How many times do you need to shuffle cards
Becomes less efficient as n increases
24
Encrypting a large message
Why not just break message in 64-bit
blocks, encrypt each block separately?
If same block of plaintext appears twice, will
give same cyphertext.
How about:
Generate random 64-bit number r(i) for each
plaintext block m(i)
Calculate c(i) = KS( m(i) r(i) )
Transmit c(i), r(i), i=1,2,…
At receiver: m(i) = KS(c(i)) r(i)
Problem: inefficient, need to send c(i) and r(i)
25
Cipher Block Chaining (CBC)
CBC generates its own random numbers
Have encryption of current block depend on result of
previous block
c(i) = KS( m(i) c(i-1) )
m(i) = KS( c(i)) c(i-1)
26
Cipher Block Chaining
cipher block: if input m(1) = “HTTP/1.1” c(1) = “k329aM02”
t=1 block
block repeated, will cipher
…
produce same cipher m(17) = “HTTP/1.1” c(17) = “k329aM02”
t=17 block
text: cipher
29
Symmetric key
crypto: DES
DES operation
initial permutation
16 identical “rounds” of
function application,
each using different
48 bits of key
final permutation
30
AES: Advanced Encryption Standard
31
Public Key Cryptography
32
Public key cryptography
+ Bob’s public
K
B key
- Bob’s private
K
B key
33
Public key encryption algorithms
Requirements:
+ .
1 need K ( ) and K - ( ) such that
.
B B
- +
K (K (m)) = m
B B
+
2 given public key KB , it should be
impossible to compute
-
private key KB
35
RSA: getting ready
A message is a bit pattern.
A bit pattern can be uniquely represented by an
integer number.
Thus encrypting a message is equivalent to
encrypting a number.
Example
m= 10010001 . This message is uniquely
represented by the decimal number 145.
To encrypt m, we encrypt the corresponding
number, which gives a new number (the
cyphertext).
36
RSA: Creating public/private key
pair
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
Magic d
m = (m e mod n) mod n
happens!
c
38
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
Encrypting 8-bit messages.
d
decrypt:
c c m = cd mod n
17 481968572106750915091411825223071697 12
39
Why does RSA work?
Must show that cd mod n = m
where c = me mod n
Fact: for any x and y: xy mod n = x(y mod z) mod n
where n= pq and z = (p-1)(q-1) = φ(pq)=φ(p)φ(q)
Due to Euler’s theorem and Fermat’s little theorem
Thus,
cd mod n = (me mod n)d mod n
= med mod n
= m(ed mod z) mod n
= m1 mod n
=m
40
RSA: another important property
The following property will be very useful later:
- + + -
K (K (m)) = m = K (K (m))
B B B B
41
RSA: another important property
- + + -
Why K (K (m)) = m = K (K (m)) ?
B B B B
42
Why is RSA Secure?
Suppose you know Bob’s public key (n,e).
How hard is it to determine d?
Essentially need to find factors of n
without knowing the two factors p and q.
Fact: factoring a big number is hard.
But beware, it will be very easy with quantum
cryptography!!! (Shor’s algorithm)
Generating RSA keys
Have to find big primes p and q
Approach: make good guess then apply
testing rules (see Kaufman) 43
Session keys
Exponentiation is computationally intensive
AES is at least 100 times faster than RSA
Session key, KS
Bob and Alice use RSA to exchange a
symmetric key KS
Once both have KS, they use symmetric key
cryptography
44
Chapter 8 roadmap
46
Message Digests
large
H: Hash
message
Function H(·) that takes as Function
m
input an arbitrary length
message and outputs a
fixed-length string: H(m)
“message signature”
Note that H(·) is a many- Desirable properties:
to-1 surjective function Easy to calculate
H(·) is often called a “hash Irreversibility: Can’t
function” determine m from H(m)
Collision resistance:
Computationally difficult
to produce m and m’ such
that H(m) = H(m’)
Seemingly random output
47
Internet checksum: poor message
digest
Internet checksum has some properties of hash function:
produces fixed length digest (16-bit sum) of input
is many-to-one
But given message with given hash value, it is easy to find another
message with same hash value.
Example: Simplified checksum: add 4-byte chunks at a time:
49
Message Authentication Code (MAC)
s = shared secret
s s
(not transmitted)
message
message
message H( )
Network
H( ) compare
Authenticates sender
Verifies message integrity
No encryption !
Shared secret does not travel with the message !!!
Also called “keyed hash”
Notation: MDm = H(s||m) ; send m||MDm
|| is the concatenation function 50
HMAC
Popular MAC standard
Addresses some subtle security flaws
HMAC = H(s||H(s||m))
51
Example: OSPF
Recall that OSPF is an Attacks:
intra-AS routing Message insertion
protocol Message deletion
Each router creates
Message modification
map of entire AS (or
area) and runs
shortest path How do we know if an
algorithm over map. OSPF message is
Router receives link-
authentic?
state advertisements
(LSAs) from all other
routers in AS.
52
OSPF Authentication
Within an Autonomous Cryptographic hash
System, routers send with MD5
OSPF messages to 64-bit authentication
each other. field includes 32-bit
sequence number
OSPF provides
MD5 is run over a
authentication choices concatenation of the
No authentication OSPF packet and
Shared password: shared secret key
inserted in clear in 64- MD5 hash then
bit authentication field appended to OSPF
in OSPF packet packet; encapsulated in
Cryptographic hash IP datagram
53
End-point authentication
Want to be sure of the originator of the
message – end-point authentication.
Assuming Alice and Bob have a shared
secret, will MAC provide end-point
authentication?
We do know that Alice created the message.
But did she send it?
54
Playback attack
MAC =
f(msg,s) Transfer $1M
from Bill to Trudy MAC
R
MAC =
f(msg,s,R) Transfer $1M
from Bill to Susan MAC
57
Digital Signatures
Simple digital signature for message m:
Bob signs m by encrypting with his private key
- -
KB, creating “signed” message, KB(m)
-
Bob’s message, m K B Bob’s private -
K B(m)
key
Dear Alice
Bob’s message,
Oh, how I have missed Public key m, signed
you. I think of you all the
time! …(blah blah blah) encryption (encrypted) with
algorithm his private key
Bob
58
Digital signature = signed message digest
Alice verifies signature and
Bob sends digitally signed integrity of digitally signed
message: message:
large
message H: Hash encrypted
m function H(m)
msg digest
-
KB(H(m))
Bob’s digital large
private signature message
- Bob’s
key KB (encrypt) m digital
public
+ signature
key KB
encrypted H: Hash (decrypt)
msg digest function
-
+ KB(H(m))
H(m) H(m)
equal
?
59
Digital Signatures (more)
-
Suppose Alice receives msg m, digital signature KB(m)
Alice verifies m signed by Bob by applying Bob’s
+ - + -
public key KB to KB(m) then checks KB(KB(m) ) = m.
+ -
If KB(KB(m) ) = m, whoever signed m must have used
Bob’s private key.
Alice thus verifies that:
Bob signed m.
No one else signed m.
Bob signed m and not m’.
Non-repudiation:
-
Alice can take m, and signature KB(m) to
court and prove that Bob signed m.
60
Public-key certification
Motivation: Trudy plays pizza prank on Bob
Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me four
pepperoni pizzas. Thank you, Bob
Trudy signs order with her private key
Trudy sends order to Pizza Store
Trudy sends to Pizza Store her public key, but
says it’s Bob’s public key.
Pizza Store verifies signature; then delivers
four pizzas to Bob.
Bob doesn’t even like Pepperoni
61
Certification Authorities
Certification authority (CA): binds public key to
particular entity, E.
E (person, web server, router) registers its public
key with CA.
E provides “proof of identity” to CA.
CA creates certificate binding E to its public key.
Certificate containing E’s public key digitally signed by CA
– CA says “this is E’s public key”
Bob’s digital
+
public +
signature KB
key KB (encrypt)
CA
certificate for
K-
Bob’s private
identifying key CA Bob’s public key,
information signed by CA
62
Certification Authorities
When Alice wants Bob’s public key:
gets Bob’s certificate (Bob or elsewhere).
apply CA’s public key to Bob’s certificate, get
Bob’s public key
+ digital Bob’s
KB signature public
+
(decrypt) KB key
CA
public +
K CA
key
63
Certificates: summary
64
Chapter 8 roadmap
administered public
network Internet
firewall
66
Firewalls: Why
prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “real” connections
prevent illegal modification/access of internal data.
e.g., attacker replaces CIA’s homepage with
something else
allow only authorized access to inside network (set of
authenticated users/hosts)
three types of firewalls:
stateless packet filters
stateful packet filters
application gateways
67
Stateless packet filtering
Should arriving
packet be allowed
in? Departing packet
let out?
69
Stateless packet filtering: more examples
Policy Firewall Setting
Prevent Web-radios from eating Drop all incoming UDP packets - except
up the available bandwidth. DNS and router broadcasts.
Prevent your network from being Drop all ICMP packets going to a
used for a smurf DoS attack. “broadcast” address (eg
130.207.255.255).
Prevent your network from being Drop all outgoing ICMP TTL expired
tracerouted traffic
70
Access Control Lists
ACL: table of rules in routers, applied top to bottom to
incoming packets: (action, condition) pairs
71
Stateful packet filtering
stateless packet filter: heavy handed tool
admits packets that “make no sense,” e.g., dest port =
80, ACK bit set, even though no TCP connection
established:
source dest source dest flag
action protocol
address address port port bit
72
Stateful packet filtering
ACL augmented to indicate need to check connection state
table before admitting packet
73
Application gateways gateway-to-remote
host telnet session
host-to-gateway
telnet session
filters packets on
application data as well application
gateway
router and filter
as on IP/TCP/UDP fields.
example: allow select
internal users to telnet
outside.
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between 2 connections
3. router filter blocks all telnet connections not originating
from gateway.
74
Limitations of firewalls and gateways
76
Intrusion detection systems
multiple IDSs: different types of checking
at different locations
application firewall
gateway
Internet
internal
network Web
IDS server DNS
sensors server
FTP
server demilitarized
zone
77
Network Security (summary)
Basic techniques…...
cryptography (symmetric and public)
message integrity
end-point authentication
8: Network Security 78
Material para estudiar en casa
79
Chapter 8 roadmap
80
Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
KS
m K ( .)
S
KS(m ) KS(m )
KS( ) . m
+ Internet
- KS
KS
+
KB( ). + +
-
KB( ) .
KB(KS ) KB(KS )
K+
B KB-
Alice:
generates random symmetric private key, KS.
encrypts message with KS (for efficiency)
also encrypts KS with Bob’s public key.
sends both KS(m) and KB(KS) to Bob.
81
Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
KS
m K ( .)
S
KS(m ) KS(m )
KS( ) . m
+ Internet
- KS
KS
+
KB( ). + +
-
KB( ) .
KB(KS ) KB(KS )
K+
B KB-
Bob:
uses his private key to decrypt and recover KS
uses KS to decrypt KS(m) to recover m
82
Secure e-mail (continued)
• Alice wants to provide sender authentication message
integrity.
KA- +
KA
m H(.)
-
KA( ) . -
KA(H(m))
-
KA(H(m)) +
KA( ). H(m )
+ Internet
- compare
m H( ). H(m )
m
83
Secure e-mail (continued)
• Alice wants to provide secrecy, sender authentication,
message integrity.
KA-
m .
H( ) .-
KA( )
K
-
A(H(m))
KS
+ K S( ).
m + Internet
KS
+ .
K B( ) +
KB(KS )
K+
B
Alice uses three keys: her private key, Bob’s public key, newly
created symmetric key
84
Chapter 8 roadmap
85
SSL: Secure Sockets Layer
Widely deployed security Original goals:
protocol Had Web e-commerce
Supported by almost all transactions in mind
browsers and web servers Encryption (especially
https credit-card numbers)
Tens of billions $ spent Web-server
per year over SSL authentication
Originally designed by Optional client
Netscape in 1993 authentication
Number of variations: Minimum hassle in doing
business with new
TLS: transport layer merchant
security, RFC 2246
Available to all TCP
Provides applications
Confidentiality Secure socket interface
Integrity
Authentication
86
SSL and TCP/IP
Application Application
SSL
TCP
TCP
IP IP
87
Could do something like PGP:
-
KA
-
- . KA(H(m))
m .
H( ) KA( ) KS
+ KS( ).
m + Internet
KS
+
KB( ). +
KB(KS )
+
KB
MS = master secret
EMS = encrypted master secret
90
Toy: Key derivation
Considered bad to use same key for more than one
cryptographic operation
Use different keys for message authentication code
(MAC) and encryption
Four keys:
Kc = encryption key for data sent from client to server
Mc = MAC key for data sent from client to server
Ks = encryption key for data sent from server to client
Ms = MAC key for data sent from server to client
91
Toy: Data Records
Why not encrypt data in constant stream as we
write it to TCP?
Where would we put the MAC? If at end, no message
integrity until all data processed.
For example, with instant messaging, how can we do
integrity check over all bytes sent before displaying?
Instead, break stream in series of records
Each record carries a MAC
Receiver can act on each record as it arrives
Issue: in record, receiver needs to distinguish
MAC from data
Want to use variable-length records
92
Toy: Sequence Numbers
Attacker can capture and replay record or
re-order records
Solution: put sequence number into MAC:
MAC = MAC(Mx, sequence||data)
Note: no sequence number field
93
Toy: Control information
Truncation attack:
attacker forges TCP connection close segment
One or both sides thinks there is less data than
there actually is.
Solution: record types, with one type for
closure
type 0 for data; type 1 for closure
MAC = MAC(Mx, sequence||type||data)
94
Toy SSL: summary
bob.com
encrypted
95
Toy SSL isn’t complete
How long are the fields?
What encryption protocols?
No negotiation
Allow client and server to support different
encryption algorithms
Allow client and server to choose together
specific algorithm before data transfer
96
Most common symmetric ciphers in
SSL
DES – Data Encryption Standard: block
3DES – Triple strength: block
RC2 – Rivest Cipher 2: block
RC4 – Rivest Cipher 4: stream
AES
97
SSL Cipher Suite
Cipher Suite
Public-key algorithm
Symmetric encryption algorithm
MAC algorithm
98
Real SSL: Handshake (1)
Purpose
1. Server authentication
2. Negotiation: agree on crypto algorithms
3. Establish keys
4. Client authentication (optional)
99
Real SSL: Handshake (2)
1. Client sends list of algorithms it supports, along
with client nonce
2. Server chooses algorithms from list; sends back:
choice + certificate + server nonce
3. Client verifies certificate, extracts server’s
public key, generates pre_master_secret,
encrypts with server’s public key, sends to server
4. Client and server independently compute
encryption and MAC keys from
pre_master_secret and nonces
5. Client sends a MAC of all the handshake messages
6. Server sends a MAC of all the handshake
messages
100
Real SSL: Handshaking (3)
Last 2 steps protect handshake from tampering
Client typically offers range of algorithms,
some strong, some weak
Man-in-the middle could delete the stronger
algorithms from list
Last 2 steps prevent this
Last two messages are encrypted
101
Real SSL: Handshaking (4)
Why the two random nonces?
Suppose Trudy sniffs all messages between
Alice & Bob.
Next day, Trudy sets up TCP connection
with Bob, sends the exact same sequence
of records,.
Bob (Amazon) thinks Alice made two separate
orders for the same thing.
Solution: Bob sends different random nonce for
each connection. This causes encryption keys to
be different on the two days.
Trudy’s messages will fail Bob’s integrity check.
102
SSL Record Protocol
data
data data
MAC MAC
fragment fragment
data
MAC
Everything
henceforth
is encrypted
106
Chapter 8 roadmap
108
Virtual Private Networks (VPNs)
Institutions often want private networks
for security.
Costly! Separate routers, links, DNS
infrastructure.
With a VPN, institution’s inter-office
traffic is sent over public Internet
instead.
But inter-office traffic is encrypted before
entering public Internet
109
Virtual Private Network (VPN)
Public
laptop
Internet IP IPsec Secure w/ IPsec
header header payload
salesperson
in hotel
Router w/ Router w/
IPv4 and IPsec IPv4 and IPsec
branch office
headquarters 110
IPsec services
Data integrity
Origin authentication
Replay attack prevention
Confidentiality
111
IPsec Transport Mode
IPsec IPsec
IPsec datagram emitted and received by
end-system.
Protects upper level protocols
112
IPsec – tunneling mode (1)
IPsec IPsec
113
IPsec – tunneling mode (2)
IPsec
IPsec
114
Two protocols
Authentication Header (AH) protocol
provides source authentication & data integrity
but not confidentiality
Encapsulation Security Protocol (ESP)
provides source authentication, data integrity,
and confidentiality
more widely used than AH
115
Four combinations are possible!
116
Security associations (SAs)
Before sending data, a virtual connection is
established from sending entity to receiving entity.
Called “security association (SA)”
SAs are simplex: for only one direction
Both sending and receiving entites maintain state
information about the SA
Recall that TCP endpoints also maintain state information.
IP is connectionless; IPsec is connection-oriented!
How many SAs in VPN w/ headquarters, branch
office, and n traveling salesperson?
117
Example SA from R1 to R2
Headquarters Internet
Branch Office
200.168.1.100
193.68.2.23
SA
R1
172.16.1/24
R2
172.16.2/24
R1 stores for SA
32-bit identifier for SA: Security Parameter Index (SPI)
the origin interface of the SA (200.168.1.100)
destination interface of the SA (193.68.2.23)
type of encryption to be used (for example, 3DES with CBC)
encryption key
type of integrity check (for example, HMAC with with MD5)
authentication key
118
Security Association Database (SAD)
Endpoint holds state of its SAs in a SAD, where it
can locate them during processing.
119
IPsec datagram
Focus for now on tunnel mode with ESP
“enchilada” authenticated
encrypted
new IP ESP original Original IP ESP ESP
header hdr IP hdr datagram payload trl auth
120
What happens?
Headquarters Internet
Branch Office
200.168.1.100
193.68.2.23
SA
R1
172.16.1/24
R2
172.16.2/24
“enchilada” authenticated
encrypted
new IP ESP original Original IP ESP ESP
header hdr IP hdr datagram payload trl auth
122
Inside the enchilada:
“enchilada” authenticated
encrypted
new IP ESP original Original IP ESP ESP
header hdr IP hdr datagram payload trl auth
Goal:
Prevent attacker from sniffing and replaying a packet
• Receipt of duplicate, authenticated IP packets may disrupt
service
Method:
Destination checks for duplicates
But doesn’t keep track of ALL received packets; instead
uses a window
124
Security Policy Database (SPD)
125
Summary: IPsec services
Suppose Trudy sits somewhere between R1
and R2. She doesn’t know the keys.
Will Trudy be able to see contents of original
datagram? How about source, dest IP address,
transport protocol, application port?
Flip bits without detection?
Masquerade as R1 using R1’s IP address?
Replay a datagram?
126
Internet Key Exchange
In previous examples, we manually established
IPsec SAs in IPsec endpoints:
Example SA
SPI: 12345
Source IP: 200.168.1.100
Dest IP: 193.68.2.23
Protocol: ESP
Encryption algorithm: 3DES-cbc
HMAC algorithm: MD5
Encryption key: 0x7aeaca…
HMAC key:0xc0291f…
Such manually keying is impractical for large VPN
with, say, hundreds of sales people.
Instead use IPsec IKE (Internet Key Exchange)
127
IKE: PSK and PKI
Authentication (proof who you are) with
either
pre-shared secret (PSK) or
with PKI (pubic/private keys and certificates).
With PSK, both sides start with secret:
then run IKE to authenticate each other and to
generate IPsec SAs (one in each direction),
including encryption and authentication keys
With PKI, both sides start with
public/private key pair and certificate.
run IKE to authenticate each other and obtain
IPsec SAs (one in each direction).
Similar with handshake in SSL.
128
IKE Phases
IKE has two phases
Phase 1: Establish bi-directional IKE SA
• Note: IKE SA different from IPsec SA
• Also called ISAKMP security association
Phase 2: ISAKMP is used to securely negotiate
the IPsec pair of SAs
Phase 1 has two modes: aggressive mode
and main mode
Aggressive mode uses fewer messages
Main mode provides identity protection and is
more flexible
129
Summary of IPsec
IKE message exchange for algorithms, secret
keys, SPI numbers
Either the AH or the ESP protocol (or both)
The AH protocol provides integrity and source
authentication
The ESP protocol (with AH) additionally provides
encryption
IPsec peers can be two end systems, two
routers/firewalls, or a router/firewall and an end
system
130
Chapter 8 roadmap
132
Review: Symmetric Stream Ciphers
keystream
key generator keystream
133
Stream cipher and packet
independence
Recall design goal: each packet separately
encrypted
If for frame n+1, use keystream from where we
left off for frame n, then each frame is not
separately encrypted
Need to know where we left off for packet n
WEP approach: initialize keystream with key + new
IV for each packet:
keystream
Key+IVpacket generator keystreampacket
134
WEP encryption (1)
Sender calculates Integrity Check Value (ICV) over data
four-byte hash/CRC for data integrity
Each side has 104-bit shared key
Sender creates 24-bit initialization vector (IV), appends to
key: gives 128-bit key
Sender also appends keyID (in 8-bit field)
128-bit key inputted into pseudo random number generator
to get keystream
data in frame + ICV is encrypted with RC4:
Bytes of keystream are XORed with bytes of data & ICV
IV & keyID are appended to encrypted data to create payload
Payload inserted into 802.11 frame
encrypted
Key
IV data ICV
ID
IV
(per frame)
KS: 104-bit key sequence generator
secret ( for given KS, IV)
symmetric
k1IV k2IV k3IV … kNIV kN+1IV… kN+1IV 802.11 WEP-encrypted data
key IV
header plus ICV
plaintext &
frame data d1 d2 d3 … dN CRC1 … CRC4
plus CRC
c1 c2 c3 … cN cN+1 … cN+4
New7.8-new1:
Figure IV for802.11
each frame
WEP protocol
136
WEP decryption overview
encrypted
Key
IV data ICV
ID
MAC payload
Receiver extracts IV
Inputs IV and shared secret key into pseudo
random generator, gets keystream
XORs keystream with encrypted data to decrypt
data + ICV
Verifies integrity of data with ICV
Note that message integrity approach used here is
different from the MAC (message authentication code)
and signatures (using PKI).
137
End-point authentication w/ nonce
“I am Alice”
R
KA-B(R) Alice is live, and
only Alice knows
key to encrypt
nonce, so it must
be Alice!
138
Not all APs do it, even if WEP
WEP Authentication is being used. AP indicates
if authentication is necessary
in beacon frame. Done before
association.
AP
authentication request
139
Breaking 802.11 WEP encryption
security hole:
24-bit IV, one IV per frame, -> IV’s eventually reused
IV transmitted in plaintext -> IV reuse detected
attack:
Trudy causes Alice to encrypt known plaintext d1 d2
d3 d4 …
IV
Trudy sees: ci = di XOR ki
140
802.11i: improved security
141
802.11i: four phases of operation
1 Discovery of
security capabilities
STA,
4 AP use PMK to derive
Temporal Key (TK) used for message
encryption, integrity 142
EAP: extensible authentication protocol
EAP: end-end client (mobile) to authentication
server protocol
EAP sent over separate “links”
mobile-to-AP (EAP over LAN)
AP to authentication server (RADIUS over UDP)
wired
network
EAP TLS
EAP
EAP over LAN (EAPoL) RADIUS
IEEE 802.11 UDP/IP
143