Professional Documents
Culture Documents
SESSION SEC-4011
Saadat Malik
Sr. Manager, Software Development
Critical Infrastructure Assurance Group (CIAG)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 3
IPSec Composition
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 4
What Is IKE?
SKEME Oakley
Mechanism for Utilizing Modes-Based Mechanism for
Public Key Encryption Arriving at an Encryption Key
for Authentication Between Two Peers
ISAKMP
Architecture for Message
Exchange Including Packet
Formats and State Transitions
Between Two Peers
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 5
Why IKE?
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 6
How Does IKE Work?
Phase 1 Exchange
Peers Negotiate a Secure, Authenticated Channel with Which to
Communicate ‘Main Mode’
or ‘Aggressive Mode’ Accomplish a Phase I Exchange
Phase 2 Exchange
Security Associations Are Negotiated on Behalf of IPSec Services;
‘Quick Mode’ Accomplishes a Phase II Exchange
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 7
How Does IKE Work?
Phase II SA Phase II SA
(IPSec SA) (IPSec SA)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 8
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 1 and 2’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 9
IKE Phase 1 (Main Mode):
Sending ‘Message 1’
The Initiator Proposes a Set of Attributes to Base the SA On
Initiator Responder
Initiator Cookie (Calculated and Inserted Here)
Responder Cookie (Left 0 for Now) DOI Identifies the Exchange
SA Version Exchange Flags to Be Occurring to Setup IPSec
Message ID SPI = 0 for All Phase
Total Message Length 1 Messages
Next Payload 1 SA Payload Length Includes Proposal #,
SA Payload (Includes DOI and Situation) Protocol ID, SPI Size,
Next Payload 1 Proposal Payload Length # of Transforms, SPI
Proposal Payload (Two Proposals Shown Here)
Next Payload 1 Transform Payload Length Includes Transform #,
Transform Payload Transform ID, SA Attributes,
Next Payload 1 Proposal Payload Length for Example, DES, MD5,
Proposal Payload DH 1, Pre Share, Timeout
0 1 Transform Payload Length (Two Transform Sets
Transform Payload
Shown Here)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 10
IKE Phase 1 (Main Mode):
Sending ‘Message 2’
The Responder Sends Back the One Set of Attributes Acceptable to It
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 11
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 3 and 4’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 12
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 3 and 4’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 13
IKE Phase 1 (Main Mode):
Sending ‘Message 3’
The Initiator Sends Its DH Public Value Xa and Nonce Ni
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 14
IKE Phase 1 (Main Mode):
Sending ‘Message 4’
The Responder Sends Its DH Public Value Xb and Nonce Nr
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 15
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 5 and 6’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 16
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 5 and 6’
SKEYID_a = SKEYID_e =
PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1) PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 17
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 5 and 6’
SKEYID_a = SKEYID_e =
PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1) PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 18
IKE Phase 1 (Main Mode):
(Digital Signatures) Sending ‘Message 5’
The Initiator Sends Its Authentication Material and ID
Initiator Responder
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 21
IKE Phase 1 (Quick Mode): Preparation for
Sending ‘Message 1 and 2’
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 23
IKE Phase 2 (Quick Mode):
Sending ‘Message 1’
SA 0 Hash Payload
Hash Payload Hash =PRF (SKEYID_a,
Next Payload 0 SA Payload Length Message ID, Ni’, Proposals+
SA Payload (Includes DOI and Situation) Transforms, Xa)
Next Payload 0 Proposal Payload Length Proposal:
Proposal Payload ESP or AH, SHA or MD5,
Next Payload 0 Transform Payload Length
DH 1 or 2, SPI
Transform Payload
(Two Proposals
Next Payload 0 Proposal Payload Length
Shown Here)
SKEYID_e
Proposal Payload
Next Payload 0 Transform Payload Length
Transform Payload
Transform:
Next Payload 0 Keyload Payload Length
Tunnel or Transport,
IPSec Timeout
KE Payload
Next Payload 0 Nonce Payload Length
Nonce Payload (Ni’) KE Payload = Xa’
Next Payload 0 Identity Payload Length
ID Type DOI Specific ID Data
Identity Payload = ID-s
0 0 Identity Payload Length
ID-s = Source Proxy
ID Type DOI Specific ID Data
ID-d = Destination Proxy
Identity Payload = ID-d
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 24
IKE Phase 2 (Quick Mode):
Sending ‘Message 2’
The Responder Sends Authentication/Keying Material and
Proposes a Set of Attributes to Base the SA on
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 25
IKE Phase 2 (Quick Mode):
Sending ‘Message 2’
Hash =
Next Payload 0 Hash Payload Length
PRF (SKEYID_a, Message ID
Hash Payload Ni’, Nr’, Accepted Proposal+
Next Payload 0 SA Payload Length Transform, Xb)
SA Payload (Includes DOI and Situation)
Next Payload 0 Transform Payload Length
Proposal Payload (Accepted Proposal)
Next Payload 0 Proposal Payload Length Proposal:
SKEYID_e
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 26
IKE Phase 2 (Quick Mode): Completion of
Phase 2
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 27
IKE Phase 2 (Quick Mode):
Sending ‘Message 3’
The Initiator Sends Across a Proof of Liveness
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 28
One Page Summary: Signatures Main Mode
Initiator IKE Responder
ESP ESP
DES HDR*, HASH1, Saproposal, NonceI [,KEI] [,IDCI,IDCR] DES
SHA SHA
PFS 1 PFS 1
HDR*, HASH3
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 30
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 31
IKE v2: Replacement for Current IKE
Specification
• Feature preservation
Most of the features and characteristics of the baseline
parent IKE v1 protocol are preserved in v2
• New features
A few new mechanisms and features have been introduced
in the IKE v2 protocol as well
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 32
IKE v2: What has not Changed
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 33
IKE v2: What has Changed
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 34
How Does IKE v2 Work?
CREATE_CHILD_SA
(Two Messages) Second CHILD_SA Created
A Protected Data B
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 35
IKE_SA_INIT: ‘Message 1’
The Initiator Proposes Basic SA Attributes
Along with Authentication Material
Initiator Responder
Initiator SPI
Responder SPI (Left 0 for Now)
Next Payload Version Exchange Flags Critical Bit: Request Rejection
Message ID of Entire Message if This
Total Message Length Payload Not Understood
Next Payload C 0 SA Payload Length
SA Payload (Includes Proposal and Transform Info)
Next Payload C 0 KE Payload Length
Key Exchange Payload (Includes DH Public Value) DH Public Value Is Guessed
Next Payload C 0 Nonce Payload Length
Nonce
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 36
IKE_SA_INIT: ‘Message 2’
The Responder Sends Back the One Set of Attributes Acceptable
to It Along with Authentication Material
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 37
IKE_AUTH: ‘Message 3’
Authentication Material Along with CHILD_SA Info Sent
Initiator Responder
Initiator SPI
Responder SPI Includes an Identity for the
Next Payload Version Exchange Flags Initiator
Message ID
Total Message Length Auth Payload = hash(hash(
Next Payload C 0 ID Payload Length Shared Secret, “Key Pad for
ID Payload (Contains Initiator ID) IKEv2”, All Octets from First Init
Message, Ni, hash(SK_ar, IDr)))
SK_e and SK_a
Initiator Responder
Initiator SPI
Responder SPI
Next Payload Version Exchange Flags
Responder Identity
Message ID
Total Message Length
Next Payload C 0 ID Payload Length
ID Payload (Contains Responder ID) Calculated Similar to the
Initiator Calculation
SK_e and SK_a
Initiator SPI
Includes SA, Proposal and
Responder SPI
Transform Info to Create the
Exchange Flags
2nd CHILD_SA
Message ID
Total Message Length
Next Payload C 0 SA Payload Length
SA, Proposal and Transform Info for 2nd CHILD_SA
SK_e and SK_a
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 40
CREATE_CHILD_SA: ‘Message 6’
The Responder Sends Its Authentication Material and ID
Initiator Responder
Initiator SPI
Responder SPI
Exchange Flags
Includes Agreed upon SA Info
Message ID
Total Message Length
Next Payload C 0 SA Payload Length
SA, Proposal and Transform Info for 2nd CHILD_SA
SK_e and SK_a
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 41
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 42
SSH
• SSH
RFCs 4250-4254
• Goals of protocol
Secure remote logins and other secure services
IDs define standard methods for secure interactive shells,
tunneling TCP/IP ports and X11 connections
Authentication + privacy + integrity
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 43
SSH Composition
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 44
How Does SSH Negotiation Work?
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 45
Version String Exchange:
‘Message 1’
The Client Sends a Version String to the Server
to Establish Basic Capabilities
Client Server
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 47
Key Exchange Initialization (KEXINIT):
‘Message 3’
The Client Lists for the Server Options It Is Willing to Support for
Encryption, Integrity and Compression Algorithms in Each Direction
Client Server
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 49
DH Key Exchange:
‘Message 5’
The Client Initiates DH Exchange
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 50
DH Key Exchange:
‘Message 6’
The Server Responds with DH Key Material Along with
Information to Prove Its Identity
Client Server
where K = ey mod p
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 51
Calculation of Keys
Where Session_id = H From the Very First Key Exhange, Meaning That Subsequent
Key Exchanges Within This Session Will Use the Hash Calculated First Time, as
the Session Identifier; and Where H = Spriv(hash(client Version String | Server
Version String| Client Kexinit Message | Server Kexinit Message | K_s | E | F | K)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 52
Key Exchange Conclusion (NEWKEYS):
‘Message 7’
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 53
Key Exchange Conclusion (NEWKEYS):
‘Message 8’
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 54
Service Request (SERVICE_REQUEST):
‘Message 9’
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 55
Service Request Accept
(SERVICE_REQUEST_ACCEPT): ‘Message 10’
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 56
User Authentication Request
(USERAUTH_REQUEST): ‘Message 11’
Client Server
Indicates That the Password Method The Service for Which the
of Authentication Is to Be Used Authentication Is Taking Place
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 57
User Authentication Success
(USERAUTH_SUCCESS): ‘Message 12’
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 58
Channel Open Request
(CHANNEL_OPEN): ‘Message 13’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 59
Channel Open Confirmation
(CHANNEL_OPEN_CONFIRMATION): ‘Message 14’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 60
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 61
SSL/TLS
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 62
SSL Composition
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 63
SSL Protocols
Allow for Authentication and Generation
SSL
of Encryption Material Through Negotiation
Handshake
of Parameters And Exchange of
Protocol
Calculated Values
SSL
Used to Convey Administrative Alerts for
Alert
Managing SSL Connections and Sessions
Protocol
SSL
Used to Signal Transition to New Cipher
Change Cipher
and Keys Generally Towards the End of a
Spec
Handshake Negotiation
Protocol
Client Server
Handshake Protocol Body
The Server Responds by Sending Back the Selected Options for Ciphers
and Compression Method Along with Its Own Random Number
Client Server
Handshake Protocol Body
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 68
Server Hello Done: ‘Message 4’
Client Server
Handshake Protocol Body
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 69
Client Key Exchange: ‘Message 5’
The Server Sends This Message Indicating It Has Sent All the Material
It Wanted to Send During the Handshake Process
Client Server
Handshake Protocol Body
The Client Sends This Message Indicating That It Is About to Start Using
the Newly Generated Masterkey to Send Encrypted Data
Change Cipher Spec Protocol Body
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 71
Finished: ‘Message 7’
Being the First Message from Client to Server to Contain Encrypted Data, It
Allows for Verification That All Exchanges Have Been Securely Completed
Client Server
Handshake Protocol Body
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 72
Change Cipher Spec: ‘Message 8’
The Server Sends This Message Indicating That It Is About to Start Using
the Newly Generated Masterkey to Send Encrypted Data
Change Cipher Spec Protocol Body
Client Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 73
Finished: ‘Message 9’
Being the First Message from the Server to the Client to Contain Encrypted Data,
It Allows for Verification That All Exchanges Have Been Securely Completed
Client Server
Handshake Protocol Body
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 74
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 75
PKI: IKE Authentication Architecture
Key Certificate
Recovery Revocation
Key Certificate
Generation Distribution
Trusted
Key Storage
Time Service
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 76
Digital Signatures
Private Public
• Entity authentication
• Data origin authentication
• Integrity
• Non-repudiation
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 77
Digital Signatures
Alice
Hash of Message s74hr7sh7040236fw
7sr7ewq7ytoj56o457
Sign Hash with Private Key
Signature = “Encrypted”
Hash of Message
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 78
Signature Verification
Message
Hash of
Hash Message
Message
If Hashes Are
Equal, Signature
Is Authentic
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 79
Certificate Authority
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 80
X.509 v3 Certificate
Version
Serial Number Signing Algorithm,
Signature Algorithm ID e.g. SHA1withRSA
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 81
Digital Certification
Certificate Authority
Alice
4
Hash
y
Ke
b lic Alice
Pu Ke y ..
Message Digest
’s
CA
blic
r
Pu
Cert Req.
1 fo Sign
est Its Alice CA’s
equ 2 nds Private Key
R Se 3
CA Bob Trusts Alice’s
Public Key After Verifies
5 Her Signature Using CA’s
Public Key
Alice
Alice 6
.. 7
Bob
(Already Has CA’s Public Key)
Convey Trust in Her Public Key
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 82
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 83
Encryption vs. Hashing
PlainText Message
CipherText
Encryption( )
or Hash
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 84
Properties and Uses of Hashes
• Collision resistance
Impossible to find a, b such that H(a) = H(b)
Used for non-repudiation, commitment
• Pre-image resistance
Given v, impossible to find a such that H(a) = v
Used for password hashing
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 85
Message Authentication
and Integrity Check Using Hash
Message Message
Message
MAC
Hash Hash
MAC
Insecure Channel
MAC
? Hash Output
Sender Receiver
Secret Key Only Known to Sender and Receiver
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 86
Commonly Used Hash Functions
(MD5 and SHA)
Message Padding
IV
H H H H
128 Bits
Hash
• Both MD5 and SHA are derived based on MD4 128 Bits
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 88
So What Does This Mean?
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 90
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 91
Symmetric vs. Asymmetric
Encryption Algorithms
or
Decryption( ) Decryption( )
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 92
Data Encryption Standard (DES)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 93
DES CBC Mode
IV m1 m2 mn
K K K
DES Encrypt( ) DES Encrypt( ) DES Encrypt( )
C1 C2 Cn
C1 C2 Cn
K K K
DES Decrypt( ) DES Decrypt( ) DES Decrypt( )
IV Cn-1
XOR XOR XOR
m1 m2 mn
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 94
Triple-DES
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 95
AES: the New Encryption Standard
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 97
AES: The Complete Cipher
Input
Key 1
Round 0
Key 2
Round 1
Key
Schedule
Key Nr
Round Nr
Output
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 98
AES: Individual Rounds
Input
Shift
Rows
Input
Key 1
Round 0 Mix
Key 2
Columns
Round 1
Key
Schedule
Add Round
Key Nr Key
Round Nr
Output
Output
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 99
AES Functions: SubBytes and ShiftRows
SubBytes
ShiftRows
s0 s4 s8 s12 s0 s4 s8 s12
s1 s5 s9 s13 s5 s9 s13 s1
s2 s6 s10 s14 s10 s14 s2 s6
s3 s7 s11 s15 s15 s3 s7 s11
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 100
AES Functions: MixColumns and
AddRoundKey
MixColumns
s0, ss
4 s8 s12 s‘0 s's4 s‘8 s‘12
4 4
s1 s5 s9 s13 s‘1 s'5 s‘9 s‘13
s5 Mix s‘5
s2 s6
s6
s10 s14 Columns s‘2 s'6 s‘10
s6
s‘14
s3 s7 s11 s15 s‘3 s'7 s‘11 s‘15
s6 s7
AddRoundKey
s0 s4 s8 s12 s‘0 s'4 s‘8 s‘12
s4 s‘4
s1 s5 s9 s13 Word from s‘1 s'5 s‘9 s‘13
s5 s‘5
XOR Key s‘2 s'6 s‘10 s‘14
s2 s6 s10 s14 s‘6
s6 Schedule
s3 s7 s11 s15 s‘3 s'7 s‘11 s‘15
s6 s‘7
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 101
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 102
Galois/Counter Mode (GCM)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 103
Authenticated Encryption Operation
• Inputs
K Key (same length as block cipher key)
IV Unique value (length between one and 264 bits)
P Plaintext (length between zero and 239 bits)
A Additional authenticated data (one to 264 bits)
• Outputs
C Ciphertext (same length as P)
T Authentication tag (length between zero and 128 bits)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 104
Example: GCM Frame Encryption
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 105
GCM Internals
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 106
Software Performance (Cycles/Byte)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 107
GCM Uses
• IPSec ESP
Draft based on ESP-AES-CCM, ESP-AES-CTR
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 108
Agenda
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 109
Elliptic Curve Cryptography (ECC)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 110
Elliptic Curve Diffie Hellman (ECDH)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 111
ECDH Gains in Efficiency
80 163 1024
• ‘Network Security
Principles and Practices’
by Saadat Malik
SEC-4011
Available Onsite at the Cisco Company Store
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 113
Complete Your Online Session Evaluation!
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 114 114
SEC-4011
11286_05_2005_c1 © 2005 Cisco Systems, Inc. All rights reserved. 115
APPENDIX
SESSION SEC-4011
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 116
Appendix
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 117
Appendix
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 118
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 1 and 2’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 119
IKE Phase 1 (Main Mode):
Sending ‘Message 1’
The Initiator Proposes a Set of Attributes to Base the SA On
Initiator Responder
Initiator Cookie (Calculated and Inserted Here)
Responder Cookie (Left 0 for Now) DOI Identifies the Exchange
SA Version Exchange Flags to be Occurring to Setup IPSec
Message ID SPI = 0 for All Phase
Total Message Length 1 Messages
Next Payload 1 SA Payload Length Includes Proposal #,
SA Payload (Includes DOI and Situation) Protocol ID, SPI Size,
Next Payload 1 Proposal Payload Length # of Transforms, SPI
Proposal Payload (Two Proposals Shown Here)
Next Payload 1 Transform Payload Length Includes Transform #,
Transform Payload Transform ID, SA Attributes,
Next Payload 1 Proposal Payload Length for Example, DES, MD5,
Proposal Payload DH 1, Pre Share, Timeout
0 1 Transform Payload Length (Two Transform Sets
Transform Payload
Shown Here)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 120
IKE Phase 1 (Main Mode):
Sending ‘Message 2’
The Responder Sends Back the One Set of Attributes Acceptable to It
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 121
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 3 and 4’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 122
IKE Phase 1 (Main Mode): Preparation for
Sending ‘Message 3 and 4’
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 123
IKE Phase 1 (Main Mode):
Sending ‘Message 3’
The Initiator Sends Its DH Public Value Xa and Nonce Ni
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 124
IKE Phase 1 (Main Mode):
Sending ‘Message 4’
The Responder Sends Its DH Public Value Xb and Nonce Nr
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 125
IKE Phase 1 (Main Mode): (Pre-Shared Keys)
Preparation for Sending ‘Message 5 and 6’
PRF = A Pseudo
SKEYID = PRF (Pre-Shared Key, Ni | Nr) Random Function
Based on the
Negotiated Hash
SKEYID_a = SKEYID_e =
PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1) PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 126
IKE Phase 1 (Main Mode): (Pre-Shared Keys)
Preparation for Sending ‘Message 5 and 6’
SKEYID_a = SKEYID_e =
PRF (SKEYID, SKEYID_d | gab | CKY-I | CKY-R | 1) PRF (SKEYID, SKEYID_a | gab | CKY-I | CKY-R | 2)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 127
IKE Phase 1 (Main Mode):
(Pre-Shared Keys) ‘Sending ‘Message 5’
Initiator Responder
Identification of Initiator
Initiator Cookie (Same as Before) (ID_I)
Responder Cookie (Same as Before) Such as Host Name or
Next Payload Version Exchange Flags IP Address
Message ID
Total Message Length Hash_I
Next Payload 0 Identity Payload Length =
SKEYID_e
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 128
IKE Phase 1 (Main Mode):
(Pre-Shared Keys) Sending ‘Message 6’
Initiator Responder
Identification of Responder
Initiator Cookie (Same as Before) (ID_R)
Responder Cookie (Same as Before) Such as Host Name or
Next Payload Version Exchange Flags IP Address
Message ID
Total Message Length Hash_R
Next Payload 0 Identity Payload Length =
SKEYID_e
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 129
IKE Phase 1 (Main Mode):
Completion of Phase 1
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 132
IKE Phase 2 (Quick Mode):
Sending ‘Message 1’
SA 0 Hash Payload
Hash Payload Hash =PRF (SKEYID_a,
Next Payload 0 SA Payload Length Message ID, Ni’, Proposals+
SA Payload (Includes DOI and Situation) Transforms, Xa)
Next Payload 0 Proposal Payload Length Proposal:
Proposal Payload ESP or AH, SHA or MD5,
Next Payload 0 Transform Payload Length
DH 1 or 2, SPI
Transform Payload
(Two Proposals
Next Payload 0 Proposal Payload Length
Shown Here)
SKEYID_e
Proposal Payload
Next Payload 0 Transform Payload Length
Transform:
Transform Payload
Next Payload 0 Keyload Payload Length
Tunnel or Transport,
IPSec Timeout
KE Payload
Next Payload 0 Nonce Payload Length
Nonce Payload (Ni’) KE Payload = Xa’
Next Payload 0 Identity Payload Length
ID Type DOI Specific ID Data
Identity Payload = ID-s
0 0 Identity Payload Length
ID-s = Source Proxy
ID Type DOI Specific ID Data
ID-d = Destination Proxy
Identity Payload = ID-d
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 133
IKE Phase 2 (Quick Mode):
Sending ‘Message 2’
The Responder Sends Authentication/Keying Material and
Proposes a Set of Attributes to Base the SA On
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 134
IKE Phase 2 (Quick Mode):
Sending ‘Message 2’
Hash =
Next Payload 0 Hash Payload Length
PRF (SKEYID_a, Message ID
Hash Payload Ni’, Nr’, Accepted Proposal+
Next Payload 0 SA Payload Length Transform, Xb)
SA Payload (Includes DOI and Situation)
Next Payload 0 Transform Payload Length
Proposal Payload (Accepted Proposal)
Next Payload 0 Proposal Payload Length Proposal:
SKEYID_e
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 135
IKE Phase 2 (Quick Mode):
Completion of Phase 2
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 136
IKE Phase 2 (Quick Mode):
Sending ‘Message 3’
The Initiator Sends Across a Proof of Liveness
Initiator Responder
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 137
One Page Summary: Pre-Shared Main Mode
ESP ESP
DES HDR*, HASH1, Saproposal, NonceI [,KEI] [,IDCI,IDCR] DES
SHA SHA
PFS 1 PFS 1
HDR*, HASH3
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 139
Aggressive Mode Using Pre-Shared Key:
a Quick Overview
HDR, HASHI
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 141
Remote Access Features
• Mode config
• Extended authentication
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 142
Placement of Mode Config and X-Auth
in IKE
Phase II SA Phase II SA
(IPSec SA) (IPSec SA)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 143
Mode Config
Mechanism Used to Push Attributes to Remote Access
IPSec Clients
Remote Access
Private IPSec Gateway IPSec Client
Network
Public
Network
Internal IP Address
DNS Server
DHCP Server
Optional Attributes
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 144
Mode Config Protocol Specifications
Type =
ISAKMP HEADER
ISAKMP_CFG_REQUEST = 1 Next
Reserved = 0
Attributes Payload Hash
Payload Length
or =
ISAKMP_CFG_REPLY = 2 Type = 1 Reserved = 0 Identifier Prf (SKEYID_a,
or Attributes (0 Length Attributes in Request) ISAKMP Header M-ID |
ISAKMP_CFG_SET = 3 0 0 Hash Payload Attribute Payload)
or Length
ISAKMP_CFG_ACK = 4 Hash
Attribute Request
Initiator Responder
Remote Client IPSec Gateway
Attribute Reply
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 145
X-Auth
Mechanism Used to Perform Per User Authentication
for RA Clients
Remote Access
Private IPSec Gateway IPSec Client
Network
Public
Network
Chap
OTP
S/Key
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 146
X-Auth Protocol Specifications
Type =
ISAKMP HEADER
ISAKMP_CFG_REQUEST = 1 Next
Reserved = 0
Attributes Payload Hash
Payload Length
or =
ISAKMP_CFG_REPLY = 2 Type = 1 Reserved = 0 Identifier Prf (SKEYID_a,
or Attributes (0 Length Attributes in Request) ISAKMP Header M-ID |
ISAKMP_CFG_SET = 3 0 0 Hash Payload Attribute Payload)
or Length
ISAKMP_CFG_ACK = 4 Hash
Attribute Request
Initiator Responder
Remote Client IPSec Gateway
Attribute Reply
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 147
X-Auth Protocol Specifications
Type = ISAKMP HEADER
Attribute Set
Initiator Responder
IPSec Gateway IPSec Client
Attribute Ack
ISAKMP HEADER
Next Reserved Payload
Hash Reserved =
=00 Attributes
Payload Length
Length
Type = 4
2 Reserved = 0 Identifier
Attributes (Set to(None
Attributes the Values for One or
Included)
More of the Attributes to Be Pushed)
0 00 HashHash
Payload Length
Payload
Hash Length
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 148
IPSec and NAT: The Problem
IPSec
Remote IPSec
Private Client PAT Device Gateway Private
Network Network
Public
Network
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 149
Need Based NAT Traversal with IPSec
over TCP or UDP
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 150
Step 1: Detect Support for Bi-Directional
NAT Traversal
ISAKMP HEADER
Next Payload Reserved VID Payload Length
Vendor ID = Hash (IETF ID or RFC Number)
VID
Initiator Responder
Remote Client Gateway
VID
ISAKMP HEADER
Next Payload Reserved VID Payload Length
Vendor ID = Hash (IETF ID or RFC Number)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 151
Step 2: Discover Existence of NAT
in IPSec Path
ISAKMP HEADER
Next Payload Reserved NAT-D Payload Length
NAT-D Payload = Hash (CKY-I | CKY-R | IP | Port)
NAT-D
Initiator Responder
Remote Client Gateway
NAT-D
If Hashes Are
Not the Same,
ISAKMP HEADER
Nat Exists!
Next Payload Reserved NAT-D Payload Length
NAT-D Payload = Hash (CKY-I | CKY-R | IP | Port)
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 152
Step 3: Negotiate NAT Traversal
Encapsulation (Shown Here for UDP)
Type =
ISAKMP HEADER
ISAKMP_CFG_REQUEST = 1 Next
Reserved = 0
Attributes Payload Hash
Payload Length
or =
ISAKMP_CFG_REPLY = 2 Type = 1 Reserved = 0 Identifier Prf (SKEYID_a,
or Attributes (0 Length Attributes in Request) ISAKMP Header M-ID |
ISAKMP_CFG_SET = 3 0 0 Hash Payload Attribute Payload)
or Length
ISAKMP_CFG_ACK = 4 Hash
Attribute Request
Initiator Responder
Remote Client Gateway
Attribute Reply
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 153
Dead Peer Discovery
Peer A Peer B
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 154
Cisco’s DPD Worry Metric
Peer A Peer B
DPD
R-U-THERE
Initiator Responder
R-U-THERE-ACK
ISAKMP HEADER
Next Payload Reserved Notify Payload Length
DOI = IPSec DOI
Protocol ID = Notify Message Type =
ISAKMP SPI SIZE R-U-THERE
SPI = CKY-I | CKY-R
Notification Data = Sequence Number
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 156
Appendix
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 157
What Is a Multicast Group?
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 158
Multicasting
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 159
Securing Multicast Groups
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 160
Solution: GDOI and Key Server
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 161
GDOI Overview
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 162
GDOI Protocol Flow
• Two phases
IKE phase 1 protocol
GROUPKEY-PULL protocol
IKE Phase 1
Group
GROUPKEY-PULL Protocol GCKS
Member
• Security protections
IKE phase 1 provides authentication, confidentiality,
and integrity
GROUPKEY-PULL protocol provides authorization
and replay protection
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 163
GDOI Phase 2 Protocol
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 164
GDOI Rekey GROUPKEY-PUSH Message
SEC-4011
12470_04_2006_c1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 165