03Crypto - Hugo K
IPSec: IP Security [RFC2401-12]
Security at the IP (Internet Protocol) layer
Any
and authentication
Network Layers (protocol stack on each host):
Applications
APIs
TCP/UDP
IP/IPSEC
Network Device Drivers
[Figure: IP Secure Tunnel between two hosts, established at the IP/IPSEC layer above the Network Device Drivers]
Source: www.vpn-technology.com
Encapsulated Security Payload (ESP)

Plain IP packet:   IP HDR | Payload
ESP:               IP HDR | ESP HDR | Encrypted Payload | MAC
ESP MAC-only:      IP HDR | ESP HDR | Payload | MAC
ESP-Tunnel Mode:   IP HDR | ESP HDR | Encrypted [IP HDR | Payload] | MAC

Algorithms: negotiable
Encrypt-then-authenticate: the MAC is computed over the already-encrypted payload, so a receiver verifies the MAC first and never decrypts a forged packet
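The ESP layout above as a runnable sketch. This is an added example, not code from the slides or from any IPsec implementation: the packet format is simplified (SPI, sequence number, IV, ciphertext, truncated HMAC ICV; no padding or trailer), the cipher is a toy SHA-256 counter-mode keystream standing in for AES, the keys are constructed constants instead of IKE output, and the anti-replay check is a strict "higher than the last accepted sequence number" test rather than the real sliding window. What it demonstrates is the encrypt-then-authenticate order on the receive path: SA lookup by SPI, replay check, MAC verification over header+IV+ciphertext, and only then decryption.

```python
import hashlib
import hmac
import os
import struct

# Constructed keys for the example (assumption: real IPsec keys come from IKE).
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
ICV_LEN = 16  # truncated HMAC-SHA-256 tag, as ESP truncates its ICV


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (assumption: stands in for a
    real cipher such as AES so the example runs on the standard library)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(spi: int, seq: int, payload: bytes, iv: bytes = None) -> bytes:
    """Build  ESP HDR | IV | Encrypted Payload | MAC  (encrypt-then-authenticate)."""
    iv = iv if iv is not None else os.urandom(8)
    hdr = struct.pack(">II", spi, seq)                 # ESP header: SPI, sequence number
    ct = xor(payload, keystream(ENC_KEY, iv, len(payload)))
    icv = hmac.new(MAC_KEY, hdr + iv + ct, "sha256").digest()[:ICV_LEN]  # MAC over ciphertext
    return hdr + iv + ct + icv


class InboundSA:
    """Minimal SAD entry: keyed by SPI, remembers the highest accepted sequence number."""
    def __init__(self, spi: int):
        self.spi = spi
        self.highest_seq = 0


SAD = {}  # SPI -> InboundSA (the SA Database)


def esp_decapsulate(pkt: bytes) -> bytes:
    """Inbound processing: SA lookup, replay check, verify MAC *before*
    decrypting, then decrypt. Raises ValueError on any failure."""
    if len(pkt) < 8 + 8 + ICV_LEN:
        raise ValueError("truncated packet")
    hdr, iv, ct, icv = pkt[:8], pkt[8:16], pkt[16:-ICV_LEN], pkt[-ICV_LEN:]
    spi, seq = struct.unpack(">II", hdr)
    sa = SAD.get(spi)
    if sa is None:
        raise ValueError("no SA for SPI %#x" % spi)
    if seq <= sa.highest_seq:                          # simplified anti-replay window
        raise ValueError("replayed sequence number %d" % seq)
    expected = hmac.new(MAC_KEY, hdr + iv + ct, "sha256").digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed; dropped without decrypting")
    sa.highest_seq = seq                               # window advances only after a valid ICV
    return xor(ct, keystream(ENC_KEY, iv, len(ct)))


def try_decap(pkt: bytes):
    try:
        return ("ok", esp_decapsulate(pkt))
    except ValueError as e:
        return ("dropped", str(e))


def demo():
    """Accept packet 1, drop a bit-flipped packet 2 at the ICV check, accept the
    genuine packet 2, then drop a replay of packet 1. Returns the four outcomes."""
    SAD.clear()
    SAD[0x1001] = InboundSA(0x1001)
    p1 = esp_encapsulate(0x1001, 1, b"constructed inner IP packet")
    p2 = esp_encapsulate(0x1001, 2, b"second packet")
    bad = bytearray(p2)
    bad[20] ^= 0x01                                    # flip one ciphertext bit of p2
    return [try_decap(p1), try_decap(bytes(bad)), try_decap(p2), try_decap(p1)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks matters: the replay test runs on the cleartext sequence number before the (more expensive) MAC, but the window is only advanced after the MAC verifies, otherwise a forger could advance the window and block genuine packets.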
Key exchange: IKEv2
[Figure: IPSec architecture]
Application: Signaling, KEY EXCHANGE, Session Mgmt
Kernel (OS): WRITE / READ of SA entries (indexed by SPI) in the SA Database (SAD)
IPSec in/out packet handling
CRYPTO PROCESSING (ENC, MAC)
Inbound-Outbound
Perfect forward secrecy (PFS)
Identity protection
IKEv1 [RFC2409]
Authentication modes: public-key encryption; digital signature
Re-key
IKEv1
derivation
Authentication
But
Single
setting [HK99]
(v1&v2)
The name SIGMA is relatively recent (used in the IKEv2 revision to differentiate it from other proposals).
SIGMA stands for SIGn-and-MAc, the main elements of authentication in the protocol.
Diffie-Hellman (PFS)
Signature-based authentication
Identity Protection
Whose identity is protected?
Initiator:
Responder:
A, gx
B, gy
B, gy, SIGB(gx,gy)
SIGA(gy,gx)
Each party signs its own DH value to prevent man-in-the-middle attacks (and the peer's DH
Identity-Misbinding Attack* [DVW92]
(a.k.a. Unknown Key-Share attack)

A's view (A believes it is talking to B):
A, gx
B, gy, SIGB(gx,gy)
SIGA(gy,gx)

B's view (E forwards A's gx under its own name and replaces A's signature on the public values gy,gx with its own):
E, gx
B, gy, SIGB(gx,gy)
SIGE(gy,gx)

Any
Consequence: A and B share the key K, but B believes it shares K with E.
B sends (intended for E): {destroy yourself}K
E passes the command on to A
A destroys itself (it believes the command came from B)
A, gx
B, gy, SIGB(gx,gy,A)
SIGA(gy,gx,B)
Thwarts the identity-misbinding attack by including the identity of the peer under the signature
The attack now fails: B's signature names the peer it is talking to.
A's view:
A, gx
B, gy, SIGB(gx,gy,E)   (A expects SIGB(gx,gy,A) and rejects)
B's view:
E, gx
B, gy, SIGB(gx,gy,E)
Secure [CK01]
Letting each party sign its own identity rather than the peer's solves the privacy issues but makes the protocol insecure (the identity-misbinding attack again).
A, gx
B, gy, {SIGB(gx,gy)}K
{SIGA(gy,gx)}K
Identity-Misbinding on STS
E.g., A talks to E, E relays to B:
gx
gy, B, {SIGB(gx,gy)}K
A, {SIGA(gy,gx)}K   is forwarded by E as   E, {SIGA(gy,gx)}K
(E cannot recompute the encrypted signature, but the identity travels outside it and can be relabeled)
SIGn-and-MAc-your-own-identity!! (MAC instead of encryption) [DVW]
gx
gx
gy
{ A, SIGA(gy,gx), MACKm(A) }Ke
{ B, SIGB(gx,gy), MACKm(B) }Ke
gx
gy, B, SIGB(MACKm(B, gx, gy))
A, SIGA(MACKm(A, gy, gx))
gx
gy
{ A, SIGA(MACKm(A, gy, gx)) }Ke
{ B, SIGB(MACKm(B, gx, gy)) }Ke
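The identity-misbinding attack of slide 22 and the SIGn-and-MAc fix of slide 31, run end to end. This is an added example, not code from the slides or from any IKE implementation. Assumptions: the DH group (p = 2^127-1, g = 3) and the textbook RSA keys built from small Mersenne primes are toys chosen so that everything runs on the Python standard library; the key derivation HMAC("Km", H(g^xy)) and the message encodings are the example's own. "badh" is the basic protocol in which each party signs only the two DH values; "sigma" additionally MACs its own identity under Km. The attacker E relays A's g^x, and in the last message substitutes its own identity and its own signature over the public values (g^y, g^x), exactly as on slide 22.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters (assumption: NOT an IKE group; G is not a verified generator).
P = 2**127 - 1
G = 3


def H(*parts) -> bytes:
    """SHA-256 over length-prefixed encodings of ints/strings/bytes (unambiguous)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


class Party:
    """A principal with a toy textbook-RSA signing key (assumption: unpadded RSA
    over a hash, for illustration only; IKE uses real signature schemes)."""
    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.n, self.e = p * q, 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))

    def sign(self, *parts) -> int:
        return pow(int.from_bytes(H(*parts), "big") % self.n, self.d, self.n)


def verify(party: Party, sig: int, *parts) -> bool:
    """Verify under the public key (n, e) found for the claimed identity."""
    return pow(sig, party.e, party.n) == int.from_bytes(H(*parts), "big") % party.n


def mac_key(shared: int) -> bytes:
    return hmac.new(b"Km", H(shared), "sha256").digest()   # Km derived from g^xy


def mac(km: bytes, name: str) -> bytes:
    return hmac.new(km, name.encode(), "sha256").digest()  # MAC_Km(identity)


# Mersenne primes as toy RSA factors (assumption; far too small for real use).
A = Party("A", 2**61 - 1, 2**89 - 1)
B = Party("B", 2**107 - 1, 2**127 - 1)
E = Party("E", 2**17 - 1, 2**19 - 1)
DIRECTORY = {p.name: p for p in (A, B, E)}   # certified public keys by name


def run(protocol: str, attack: bool):
    """Three-message exchange. Returns (peer A accepted, peer B accepted), or
    None if either side rejected. protocol: "badh" or "sigma"."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)                                   # msg 1: A -> B: A, g^x (E may relay it as "E, g^x")
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    km_B = mac_key(pow(gx, y, P))                       # B's copy of Km
    m2 = {"id": "B", "gy": gy, "sig": B.sign(gx, gy)}   # msg 2: g^y, B, SIG_B(g^x, g^y) [, MAC_Km(B)]
    if protocol == "sigma":
        m2["mac"] = mac(km_B, "B")
    km_A = mac_key(pow(gy, x, P))                       # A's copy of Km
    if not verify(DIRECTORY[m2["id"]], m2["sig"], gx, gy):
        return None
    if protocol == "sigma" and not hmac.compare_digest(m2["mac"], mac(km_A, m2["id"])):
        return None
    a_peer = m2["id"]
    m3 = {"id": "A", "sig": A.sign(gy, gx)}             # msg 3: A, SIG_A(g^y, g^x) [, MAC_Km(A)]
    if protocol == "sigma":
        m3["mac"] = mac(km_A, "A")
    if attack:
        # E can sign the public values g^y, g^x itself, but it never learns
        # Km, so under SIGMA it can only guess the MAC over its identity.
        m3 = {"id": "E", "sig": E.sign(gy, gx)}
        if protocol == "sigma":
            m3["mac"] = bytes(32)
    if not verify(DIRECTORY[m3["id"]], m3["sig"], gy, gx):
        return None
    if protocol == "sigma" and not hmac.compare_digest(m3["mac"], mac(km_B, m3["id"])):
        return None
    return a_peer, m3["id"]


if __name__ == "__main__":
    for proto in ("badh", "sigma"):
        for attacked in (False, True):
            print(proto, "attack" if attacked else "honest", run(proto, attacked))
```

With "badh" the attack yields ("B", "E"): A and B hold the same key, yet B has bound it to E, which is the misbinding. With "sigma" the same manoeuvre returns None, because the MAC over the identity is keyed by g^xy, which only A and B can compute; the signature alone would have verified.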
SIGMA Summary
With or without ID Protection
Standardized:
Care with variants!!
Proof: each element is essential
e.g., SIG(MAC(id,)) vs. (SIG(id,), MAC(SIG(id,)))
Formal guarantees: Secure
secure channels (see full
RCCA [Thu]
ID Protection: encryption secure against active attackers (CCA)
Certificates,
key authentication
Password-based
Key
Final Remark
Proofs
It
ThAnKs