04/20/23 4
Interception
• Release of message contents: learn sensitive information.
• Traffic analysis: determine the identity and location of the hosts.
Active Attacks
• Interruption (availability)
• Modification (integrity)
• Fabrication (authenticity)
Modification (integrity)
Modify the contents of a message or a file. It is an attack on integrity.
Interruption (availability)
Try to break the system so that it is out of service. It is an attack on availability.
Fabrication (authenticity)
Insert messages into the system or objects into files, trying to fool the system. It is an attack on authenticity.
Confidentiality
Confidentiality is the protection of transmitted data from passive attacks.
(Figure: the value 444-21-8888 is sent and received intact by the communicating parties, while an eavesdropper sees only ***-**-****.)
Authentication
The authentication service assures the recipient that the information comes from a reliable (genuine) source.
(Figure: "I am friend" / "Ok, let us talk")
Integrity
(Figure: "Buy 1000 stocks" is sent by the client and received unchanged by the broker.)
Make sure that the message is received as it is sent, without modification, duplication, insertion, reordering, or replay.
Nonrepudiation
(Figure: "I am John, buy 1000 stocks" / Broker: "You are not John, I can't do that.")
Nonrepudiation prevents either the sender or the receiver from denying a transaction.
Cryptography Definition
• A process associated with scrambling plaintext (ordinary text, or clear text) into ciphertext (a process called encryption), then back again (known as decryption). Cryptography concerns itself with four objectives:
1. Confidentiality (the information cannot be understood by anyone for whom it was unintended).
2. Integrity (the information cannot be altered in storage or in transit between sender and intended receiver without the alteration being detected).
3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information).
4. Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information).
Procedures and protocols that meet some or all of the above criteria are known as cryptosystems.
Encryption Model
(Figure: plaintext X enters the encryption algorithm under key K and leaves as ciphertext Y; the decryption algorithm turns Y back into plaintext X; the key K is delivered over a secure channel; a cryptanalyst who observes Y produces the estimates X' and K'.)
Cryptography Classification
Cryptographic systems are generally classified along three independent dimensions:
• The type of operation used for transforming plaintext to ciphertext: all encryption algorithms are based on two general principles:
1. Substitution: each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element.
2. Transposition: elements in the plaintext are rearranged.
The fundamental requirement is that all operations must be reversible. Most systems involve multiple stages of substitution and transposition.
• The number of keys used:
1. Symmetric: if both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption.
2. Asymmetric: if sender and receiver each use a different key, the system is referred to as asymmetric, two-key, or public-key encryption.
• The way in which the plaintext is processed:
1. Block cipher: processes the input one block of elements at a time, producing an output block for each input block.
2. Stream cipher: processes the input elements continuously, producing output one element at a time.
Encryption techniques: Caesar Cipher
Substitution cipher:
Plain:  meet me after the party
Cipher: PHHW PH DIWHU WKH SDUWB
C = E(p) = (p + 3) % 26
p = D(C) = (C - 3) % 26
Encryption techniques: Caesar Cipher
Cryptanalysis: p = D(C) = (C - i) % 26; try all 25 possible keys i.
Encryption techniques: Mono-alphabetic Cipher
Substitution cipher:
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
The cipher line could be any permutation of the 26 characters, so there are 26!, or more than 4 x 10^26, possible keys.
Encryption techniques: Mono-alphabetic Cipher
Cryptanalysis
Construct a table of the frequencies of single letters, pairs of letters, etc. in a very long English text. Construct another such table from the encrypted text. From the relationship between the two tables we can figure out the encryption key.
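The Caesar cipher from the slides above, with the frequency-table cryptanalysis of the mono-alphabetic slide applied to the 25 Caesar keys: each candidate key's decryption is scored against a table of English single-letter frequencies, and the best-fitting key wins. This is an added example, not code from the original slides; the English frequency table is an approximate, embedded reference table.

```python
"""Caesar cipher plus frequency-table cryptanalysis (added example)."""
from string import ascii_lowercase

# Approximate single-letter frequencies (%) of English text for a..z,
# used as the "very long English text" reference table.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar_encrypt(plain: str, k: int = 3) -> str:
    """C = E(p) = (p + k) % 26 on letters; ciphertext in upper case as on the slides."""
    out = []
    for ch in plain.lower():
        if ch in ascii_lowercase:
            out.append(chr(65 + (ord(ch) - 97 + k) % 26))
        else:
            out.append(ch)          # spaces and punctuation pass through
    return "".join(out)


def caesar_decrypt(cipher: str, k: int = 3) -> str:
    """p = D(C) = (C - k) % 26."""
    return caesar_encrypt(cipher, -k).lower()


def letter_counts(text: str) -> list:
    """Single-letter frequency table of `text` (the table built from the ciphertext)."""
    counts = [0] * 26
    for ch in text.lower():
        if ch in ascii_lowercase:
            counts[ord(ch) - 97] += 1
    return counts


def chi_squared(text: str) -> float:
    """How far the letter frequencies of `text` are from the English table:
    sum over letters of (observed - expected)^2 / expected. Lower is more English-like."""
    counts = letter_counts(text)
    total = sum(counts) or 1
    return sum((c - total * f / 100) ** 2 / (total * f / 100)
               for c, f in zip(counts, ENGLISH_FREQ))


def break_caesar(cipher: str) -> int:
    """Try all 25 keys and keep the one whose decryption best matches English frequencies."""
    return min(range(1, 26), key=lambda k: chi_squared(caesar_decrypt(cipher, k)))
```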
Encryption techniques: Hill Cipher
Substitution cipher:
The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, ..., z = 25). For m = 3, the system can be described as follows:
$C_1 = (k_{11} p_1 + k_{12} p_2 + k_{13} p_3) \bmod 26$
$C_2 = (k_{21} p_1 + k_{22} p_2 + k_{23} p_3) \bmod 26$
$C_3 = (k_{31} p_1 + k_{32} p_2 + k_{33} p_3) \bmod 26$
Encryption techniques: Hill Cipher
In matrix form:
$\begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$
that is, $C = E_K(P) = KP \bmod 26$ and $P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = P$.
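The Hill cipher equations above carried through in code for any block size m, including the inverse key $K^{-1} \bmod 26$ (via the adjugate) and the check that a key is only usable when $\gcd(\det K, 26) = 1$. This is an added example, not code from the original slides; the 2x2 and 3x3 keys in the test are constructed sample keys.

```python
"""Hill cipher: C = K P mod 26, P = K^{-1} C mod 26 (added example)."""
from math import gcd

MOD = 26


def minor(M, i, j):
    """Matrix M with row i and column j removed."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(M) if r != i]


def det(M) -> int:
    """Integer determinant by Laplace expansion along the first row."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))


def key_is_usable(K) -> bool:
    """K^{-1} mod 26 exists only when gcd(det K, 26) = 1 (det odd and not a multiple of 13)."""
    return gcd(det(K) % MOD, MOD) == 1


def inverse_mod26(K):
    """K^{-1} mod 26 = det(K)^{-1} * adj(K) mod 26, where adj(K)[i][j] is the cofactor (j, i)."""
    if not key_is_usable(K):
        raise ValueError("key matrix is not invertible mod 26; decryption is impossible")
    d_inv = pow(det(K) % MOD, -1, MOD)
    n = len(K)
    return [[(d_inv * (-1) ** (i + j) * det(minor(K, j, i))) % MOD for j in range(n)]
            for i in range(n)]


def _apply(K, text: str) -> list:
    """Multiply each m-letter block, as a column vector, by K mod 26."""
    m = len(K)
    nums = [ord(ch) - 97 for ch in text.lower() if ch.isalpha()]
    while len(nums) % m:                 # pad the final block with 'x'
        nums.append(ord("x") - 97)
    out = []
    for i in range(0, len(nums), m):
        p = nums[i:i + m]
        out.extend(sum(K[r][c] * p[c] for c in range(m)) % MOD for r in range(m))
    return out


def hill_encrypt(K, plaintext: str) -> str:
    return "".join(chr(65 + v) for v in _apply(K, plaintext))


def hill_decrypt(K, ciphertext: str) -> str:
    return "".join(chr(97 + v) for v in _apply(inverse_mod26(K), ciphertext))
```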
Block Cipher Modes of Operation
• The Electronic Codebook mode (ECB)
• The Cipher Block Chaining mode (CBC)
• The Cipher Feedback mode (CFB)
• The Output Feedback mode (OFB)
• The Counter mode (CTR)
Electronic Codebook Mode (ECB)
ECB encryption: $C_j = \mathrm{CIPH}_k(P_j)$ for j = 1..n
ECB decryption: $P_j = \mathrm{CIPH}^{-1}_k(C_j)$ for j = 1..n
(Figure: each plaintext block is the input block to CIPH_k and the output block is the ciphertext block; for decryption each ciphertext block is the input block to CIPH^{-1}_k and the output block is the plaintext block.)
Cipher Block Chaining Mode (CBC)
(Figure: plaintext block 1 is XORed with the IV, and each later plaintext block with the previous ciphertext block, before entering CIPH_k; on decryption the output of CIPH^{-1}_k is XORed with the IV or the previous ciphertext block.)
Cipher Block Chaining Mode (CBC) (continued)
CBC encryption:
$C_1 = \mathrm{CIPH}_k(P_1 \oplus IV)$
$C_j = \mathrm{CIPH}_k(P_j \oplus C_{j-1})$ for j = 2..n
CBC decryption:
$P_1 = \mathrm{CIPH}^{-1}_k(C_1) \oplus IV$
$P_j = \mathrm{CIPH}^{-1}_k(C_j) \oplus C_{j-1}$ for j = 2..n
Initialization Vector (IV):
• Need not be secret.
• It should be generated afresh for each encryption/decryption operation.
• Must be available to each party in the communication.
• It must be very difficult to predict the IV, e.g. to derive it from the plaintext.
Output Feedback Mode (OFB)
(Figure: CIPH_k is applied to the IV and then to each previous output block; each output block is XORed with the plaintext block to give the ciphertext block, and the same output block XORed with the ciphertext block recovers the plaintext block.)
Output Feedback Mode (OFB) - Encryption
$I_1 = IV$
$I_j = O_{j-1}$ for j = 2..n
$O_j = \mathrm{CIPH}_k(I_j)$ for j = 1..n
$C_j = P_j \oplus O_j$ for j = 1..n-1
$C_n = P_n \oplus \mathrm{MSB}_u(O_n)$ (the final block holds u bits)
Output Feedback Mode (OFB) - Decryption
$I_1 = IV$
$I_j = O_{j-1}$ for j = 2..n
$O_j = \mathrm{CIPH}_k(I_j)$ for j = 1..n
$P_j = C_j \oplus O_j$ for j = 1..n-1
$P_n = C_n \oplus \mathrm{MSB}_u(O_n)$
Cipher Feedback Mode (CFB)
(Figure: the b-bit input block (the IV for segment 1) goes through CIPH_k; the s most significant bits of the output block are selected and the remaining b-s bits discarded; these s bits are XORed with the s-bit plaintext segment to give the s-bit ciphertext segment, which is shifted into the input block ((b-s) bits | s bits) for the next segment. Decryption uses the same forward cipher CIPH_k.)
Cipher Feedback Mode (CFB) - Encryption
$I_1 = IV$
$I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \,|\, C^{\#}_{j-1}$ for j = 2..n
$O_j = \mathrm{CIPH}_k(I_j)$ for j = 1..n
$C^{\#}_j = P^{\#}_j \oplus \mathrm{MSB}_s(O_j)$ for j = 1..n
Each ciphertext segment $C^{\#}_j$ and plaintext segment $P^{\#}_j$ consists of s bits.
Cipher Feedback Mode (CFB) - Decryption
$I_1 = IV$
$I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \,|\, C^{\#}_{j-1}$ for j = 2..n
$O_j = \mathrm{CIPH}_k(I_j)$ for j = 1..n
$P^{\#}_j = C^{\#}_j \oplus \mathrm{MSB}_s(O_j)$ for j = 1..n
Each ciphertext segment $C^{\#}_j$ and plaintext segment $P^{\#}_j$ consists of s bits.
Counter Mode (CTR)
(Figure: CIPH_k is applied to Counter 1, Counter 2, ..., Counter n; each output block is XORed with the plaintext block to give the ciphertext block, and with the ciphertext block to recover the plaintext block.)
Counter Mode (CTR) (continued)
CTR encryption:
$O_j = \mathrm{CIPH}_k(T_j)$ for j = 1..n
$C_j = P_j \oplus O_j$ for j = 1..n-1
$C_n = P_n \oplus \mathrm{MSB}_u(O_n)$
CTR decryption:
$O_j = \mathrm{CIPH}_k(T_j)$ for j = 1..n
$P_j = C_j \oplus O_j$ for j = 1..n-1
$P_n = C_n \oplus \mathrm{MSB}_u(O_n)$
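The five modes of the preceding slides (ECB, CBC, CFB with s-bit segments, OFB and CTR) written directly from their equations, including the MSB_u truncation of the final block and the CFB shift register $I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \,|\, C^{\#}_{j-1}$. This is an added example, not code from the original slides; CIPH_k is a toy 8-byte Feistel network (an assumption, so the code runs offline) standing in for DES or AES, and it is not secure.

```python
"""Block cipher modes of operation from the slide equations (added example)."""
import hashlib

B = 8  # block size in bytes (b = 64 bits) of the toy cipher


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR truncated to the shorter input, which yields MSB_u for a short last block."""
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def ciph(key: bytes, block: bytes) -> bytes:
    """CIPH_k: toy 4-round Feistel network on an 8-byte block (NOT a real cipher)."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return r + l


def ciph_inv(key: bytes, block: bytes) -> bytes:
    """CIPH^{-1}_k: the same rounds applied in reverse order."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = r, xor(l, _round(key, rnd, r))
    return r + l


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """C_j = CIPH_k(P_j): equal plaintext blocks produce equal ciphertext blocks."""
    return b"".join(ciph(key, pt[j:j + B]) for j in range(0, len(pt), B))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """C_1 = CIPH_k(P_1 xor IV); C_j = CIPH_k(P_j xor C_{j-1}). pt must be a multiple of B."""
    prev, out = iv, []
    for j in range(0, len(pt), B):
        prev = ciph(key, xor(pt[j:j + B], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """P_1 = CIPH^{-1}_k(C_1) xor IV; P_j = CIPH^{-1}_k(C_j) xor C_{j-1}."""
    prev, out = iv, []
    for j in range(0, len(ct), B):
        c = ct[j:j + B]
        out.append(xor(ciph_inv(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_crypt(key: bytes, iv: bytes, data: bytes, s: int = 1, decrypt: bool = False) -> bytes:
    """CFB with s-byte segments: I_1 = IV; I_j = LSB_{b-s}(I_{j-1}) | C#_{j-1};
    O_j = CIPH_k(I_j); C#_j = P#_j xor MSB_s(O_j) and P#_j = C#_j xor MSB_s(O_j)."""
    reg, out = iv, []
    for j in range(0, len(data), s):
        seg_in = data[j:j + s]
        seg_out = xor(seg_in, ciph(key, reg)[:s])
        out.append(seg_out)
        c_seg = seg_in if decrypt else seg_out   # the ciphertext segment is what is fed back
        reg = reg[s:] + c_seg
    return b"".join(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """I_1 = IV; I_j = O_{j-1}; O_j = CIPH_k(I_j); C_j = P_j xor O_j; C_n = P_n xor MSB_u(O_n).
    The keystream does not depend on the data, so the same call decrypts."""
    o, out = iv, []
    for j in range(0, len(data), B):
        o = ciph(key, o)
        out.append(xor(data[j:j + B], o))
    return b"".join(out)


def ctr_crypt(key: bytes, counter: bytes, data: bytes) -> bytes:
    """O_j = CIPH_k(T_j) with T_j = T_1 + j - 1 (mod 2^64); C_j = P_j xor O_j;
    C_n = P_n xor MSB_u(O_n). The same call decrypts."""
    t, out = int.from_bytes(counter, "big"), []
    for j in range(0, len(data), B):
        out.append(xor(data[j:j + B], ciph(key, t.to_bytes(B, "big"))))
        t = (t + 1) % (1 << 64)
    return b"".join(out)
```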
Secret Key: Data Encryption Standard (DES)
(Figure: plain data is encrypted with E under a 56-bit key K to give cipher data, and cipher data is decrypted with D under the same 56-bit key K.)
2DES
(Figure: encryption is E under K1 (56 bits) followed by E under K2 (56 bits); decryption is D under K2 followed by D under K1.)
3DES
(Figure: encryption is E under K1, then E under K2, then E under K1 (each 56 bits); decryption is D under K1, then D under K2, then D under K1.)
Public Key: RSA (Rivest, Shamir, Adleman)
(Figure: Bob encrypts plain data with E under Alice's public key KU(Alice) to produce cipher data; Alice decrypts the cipher data with D under her private key KP(Alice).)
Authentication With Secret Key
(Figure: Bob encrypts his name with E under K, the Alice-Bob secret key, and sends the cipher data; Alice decrypts it with D under the same K and recovers Bob's name.)
Authentication With Public Key
(Figure: Bob encrypts his name with E under KP, Bob's private key, and sends the cipher data; Alice decrypts it with D under KU, Bob's public key, and recovers Bob's name.)
Integrity: Hashing Algorithms
MD5: processes 512-bit blocks and produces a message digest of 128 bits.
SHA-1: processes 512-bit blocks and produces a message digest of 160 bits.
Hash Function Requirements (continued)
One-way property: given h, it is computationally infeasible to find x such that H(x) = h.
Hash Function Requirements (continued)
Weak collision resistance: for any given x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
Strong collision resistance: it is computationally infeasible to find any pair (x, y) with x ≠ y and H(x) = H(y).
Hash Function Requirements (continued)
A simple hash function (bitwise XOR of the message blocks):
         bit 1   bit 2   ...   bit n
block 1  b11     b21     ...   bn1
block 2  b12     b22     ...   bn2
...
block m  b1m     b2m     ...   bnm
hash     C1      C2      ...   Cn
$C_i = b_{i1} \oplus b_{i2} \oplus \dots \oplus b_{im}$
General Structure of a Secure Hash Function
(Figure: IV = CV0 (n bits) and the first b-bit input block Y0 enter the compression function F, giving CV1; CV1 and Y1 give CV2; ...; CV(L-1) and Y(L-1) give the final n-bit hash code.)
IV = initial value; CV = chaining value; Yi = i-th input block; F = compression function; L = number of input blocks; n = length of the hash code; b = length of an input block.
Hash Function Summary
$CV_0 = IV$ (initial value)
$CV_i = F(CV_{i-1}, Y_{i-1})$, $1 \le i \le L$
$H(M) = CV_L$
If the compression function F is collision resistant, then the resulting iterated hash function is also collision resistant.
Message Authentication Code (MAC)
A MAC is an authentication technique that uses a shared secret key to generate a small, fixed-size block of data known as a cryptographic checksum:
MAC = C_K(M)
Message Authentication Code Based on DES
(Figure: the message is split into 64-bit blocks D1, D2, ..., Dn; O1 = DES_K(D1), O2 = DES_K(D2 ⊕ O1), ..., On = DES_K(Dn ⊕ O(n-1)); the Data Authentication Code (DAC) is taken from On and is 16 to 64 bits long.)
(Figure: message authentication and confidentiality, authentication tied to the plaintext. Source: MAC C_K1 computed over the message and appended, then the whole is encrypted with E_K2. Destination: decrypt with D_K2, recompute C_K1 over the message and compare with the received MAC (Y/N).)
(Figure: message authentication and confidentiality, authentication tied to the plaintext; the same arrangement of C_K1, E under K2 and D under K2 drawn on a second slide.)
(Figure: message authentication and confidentiality, authentication tied to the ciphertext. Source: encrypt the message with E_K2, then compute C_K1 over the ciphertext and append it. Destination: recompute C_K1 over the received ciphertext and compare (Y/N), then decrypt with D_K2.)
(Figure: message authentication and confidentiality using a secret key. Source: hash H of the message appended, then the whole encrypted with E_K. Destination: decrypt with D_K, recompute H and compare (Y/N).)
(Figure: message authentication and digital signature using public/private keys. Source: H of the message encrypted with the sender's private key KRa and appended. Destination: decrypt the signature with the sender's public key KUa and compare with H of the message (Y/N).)
(Figure: message authentication, confidentiality and digital signature using both public/private keys and a secret key. Source: E_KRa[H(M)] appended to the message, then the whole encrypted with secret key K. Destination: decrypt with K, decrypt the signature with KUa and compare with H(M) (Y/N).)
(Figure: message authentication, confidentiality and digital signature using public/private keys only. Source: E_KRa[H(M)] appended to the message, then the whole encrypted with the receiver's public key KUb. Destination: decrypt with the receiver's private key KRb, decrypt the signature with KUa and compare with H(M) (Y/N).)
(Figure: message authentication using a secret key (e.g. Mobile IP). Source: H(M || K), the hash of the message concatenated with the secret key K, appended to the message. Destination: recompute H(M || K) and compare (Y/N).)
(Figure: message authentication and confidentiality using a secret key. Source: H(M || K) appended to the message, then the whole encrypted with E_K. Destination: decrypt with D_K, recompute H(M || K) and compare (Y/N).)
Diffie-Hellman algorithm
Node A: 1. private key A; 2. public key g^A; 3. secret key = (g^B)^A = g^AB
Node B: 1. private key B; 2. public key g^B; 3. secret key = (g^A)^B = g^BA
Secret key = g^AB = g^BA, computed in the Diffie-Hellman group with generator g.
IKEv2 - IKE_SA_INIT (Phase 1)
(1) HDR, SAi1, KEi, Ni
(2) HDR, SAr1, KEr, Nr, [CERTREQ]
This exchange negotiates the cryptographic algorithms, exchanges nonces, and performs the Diffie-Hellman exchange.
IKEv2 - IKE_AUTH (Phase 1)
(3) HDR, SK(IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr)
(4) HDR, SK(IDr, [CERT,] AUTH, SAr2, TSi, TSr)
IKEv2 - CREATE_CHILD_SA (Phase 2)
(5) HDR, SK ([N], SA, Ni, [KEi], [TSi, TSr])
(6) HDR, SK (SA, Nr, [KEr], [TSi, TSr])
IKE_SA - Generating Keying Material
Four cryptographic algorithm parameters are negotiated:
1. An encryption algorithm: the algorithm used for encryption, such as DES, 3DES, etc.
2. An integrity protection algorithm: a hash function such as MD5, SHA-1, etc.
3. A pseudo-random function prf(K, S): a keyed pseudo-random function, often a keyed hash function, used to generate a deterministic output that appears pseudo-random. prfs are used both for key derivation and for authentication (i.e. as a keyed MAC).
4. A Diffie-Hellman group: g^xy is the Diffie-Hellman shared secret, g is the Diffie-Hellman group, and g^xi and g^yr are the public keys of the initiator and responder.
IKE_SA - Generating Keying Material (continued)
prf+ (K, S) = T1 | T2 | T3 | T4 | ...
where:
T1 = prf (K, S | 0x01)
T2 = prf (K, T1 | S | 0x02)
T3 = prf (K, T2 | S | 0x03)
T4 = prf (K, T3 | S | 0x04)
IKE_SA - Generating Keying Material (continued)
SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
1. SK_d: used for deriving new keys for the CHILD_SAs established with this IKE_SA.
2. SK_ai and SK_ar: used as keys to the integrity protection algorithm for authenticating the component messages of subsequent exchanges.
3. SK_ei and SK_er: used for encrypting (and of course decrypting) all subsequent exchanges.
4. SK_pi and SK_pr: used when generating an AUTH payload.
IKE Header Format
IKE_SA Initiator's SPI
IKE_SA Responder's SPI
Next Payload | MjVer | MnVer | Exchange Type | Flags
Message ID
Length
Traffic Selector Payload
The Traffic Selector payload allows peers to identify packet flows for processing by IPsec security services.
IP Protocol ID: UDP, TCP, ICMP, etc.
Start Port: the smallest port number.
End Port: the largest port number.
Starting Address: the smallest address (IPv4 or IPv6).
Ending Address: the largest address (IPv4 or IPv6).
Example:
• TSi = (0, 0-65535, 192.0.2.202-192.0.2.202)
• TSr = (0, 0-65535, 192.0.2.0-192.0.2.255)
Authentication of IKE_SA
Digital signature:
AUTHr = <msg octets> | Ni | prf(SK_pr, IDr')
DSr = RSA_PrKr(SHA-1(AUTHr))
AUTHi = <msg octets> | Nr | prf(SK_pi, IDi')
DSi = RSA_PrKi(SHA-1(AUTHi))
PrK: private key. DS: digital signature.
Shared secret key:
AUTH = prf(prf(SrK, "Key Pad for IKEv2"), <msg octets>)
SrK: shared secret key.
IKEv2 - Authentication with EAP
(1) HDR, SAi1, KEi, Ni
(2) HDR, SAr1, KEr, Nr, [CERTREQ]
(3) HDR, SK [IDi, [CERTREQ,] [IDr,] SAi2, TSi, TSr]
(4) HDR, SK [IDr, [CERT,] AUTH, EAP]
(5) HDR, SK (EAP)
(6) HDR, SK (EAP (success))
(7) HDR, SK (AUTH)
(8) HDR, SK (AUTH, SAr2, TSi, TSr)
• The initiator declares its wish to use EAP authentication by leaving out the AUTH payload in message 3: it declares its identity but does not prove it.
• The responder includes an EAP payload in message 4 and defers sending SAr2, TSi, TSr. The responder's AUTH payload is generated using its public key.
• For EAP methods that create a shared secret key (MSK) as a side effect, that key is used to generate the AUTH payloads in messages 7 and 8.
IKEv2 - Rekeying using CREATE_CHILD_SA
(1) HDR, SK ([N], SA, Ni, [KEi])
(2) HDR, SK (SA, Nr, [KEr])
SKEYSEED = prf(SK_d (old), Ni | Nr | g^ir)
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
Renews a Security Association when it is about to expire; the request includes an N payload with REKEY_SA. Unlike IKEv1, IKEv2 provides the optional feature of rekeying SAs without restarting the entire IKE_SA.
IKEv2 - Creating a new CHILD_SA with CREATE_CHILD_SA
(1) HDR, SK (SA, Ni, [KEi], [TSi, TSr])
(2) HDR, SK (SA, Nr, [KEr], [TSi, TSr])
SKEYSEED = prf(SK_d (old), Ni | Nr | g^ir)
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
Renews a Security Association when it is about to expire.
The first CHILD_SA is created by the IKE_AUTH exchange, and additional CHILD_SAs can optionally be created with CREATE_CHILD_SA. Unlike IKEv1, IKEv2 provides the optional feature of creating CHILD_SAs without restarting the entire IKE_SA.
IKEv2 - Requesting an Internal Address on a Remote Network
IKE_AUTH exchange:
(3) HDR, SK (IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr)
(4) HDR, SK (IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr)
CP(CFG_REQUEST) = INTERNAL_IP4_ADDRESS(0.0.0.0), INTERNAL_IP4_NETMASK(0.0.0.0)
CP(CFG_REPLY) = INTERNAL_IP4_ADDRESS(192.0.2.202), INTERNAL_IP4_NETMASK(255.255.255.0)
IP Security Architecture
(Figure: the Architecture document at the top; beneath it the ESP protocol and the AH protocol; the encryption algorithm and the authentication algorithm documents feed ESP and AH; the DOI (Domain of Interpretation) and key management complete the architecture.)
IP Security Services
Service                    | AH | ESP (encryption only) | ESP (encryption + authentication)
Connectionless integrity   | x  |                       | x
Data origin authentication | x  |                       | x
Replay protection          | x  | x                     | x
Confidentiality            |    | x                     | x
IPsec Security Protocols
• The IP Authentication Header (AH) offers integrity and data origin authentication, with optional anti-replay features at the receiver.
• The Encapsulating Security Payload (ESP) protocol offers the same set of services as AH, and also offers confidentiality.
Where IPsec Can Be Implemented
• IPsec as part of the IP stack: IPsec may be integrated into the native IP stack. This requires access to the IP source code and is applicable to both hosts and security gateways.
• In a "bump-in-the-stack" (BITS) implementation: IPsec is implemented "underneath" an existing implementation of an IP protocol stack, between the native IP and the local network drivers. Source code access for the IP stack is not required in this context.
• In a "bump-in-the-wire" (BITW) implementation: IPsec runs in a dedicated, inline security processor.
Security Association
A Security Association (SA) is a simplex "connection" that provides security services to the traffic carried by it.
Security Association (continued)
Security services are provided by the use of AH or ESP, but not both. If both AH and ESP protection are applied to a traffic stream, then two (or more) SAs are created to provide protection to the traffic stream.
(Figure: one SA using ESP and a separate SA using AH.)
Security Association (continued)
To secure bi-directional communication between two nodes, two Security Associations (SA1 and SA2, one in each direction) are required.
IPsec Transport Mode
Transport mode here refers to applying more than one security protocol to the same IP datagram without invoking tunneling. This approach to combining AH and ESP allows for only one level of combination; further nesting yields no added benefit (assuming use of adequately strong algorithms in each protocol), since the processing is performed at one IPsec instance at the (ultimate) destination.
(Figure: two hosts connected across the Internet, with Security Association 1 (ESP transport) and Security Association 2 (AH transport) between them.)
IPv4 Transport Mode
(Figure: the original packet IPv4 Hdr | TCP | Data becomes IPv4 Hdr | AH | TCP | Data; authentication covers the whole packet except the mutable fields.)
IPv6 Transport Mode
(Figure: the original packet IPv6 Hdr | EH | TCP | Data becomes IPv6 Hdr | HbyH, DH, RH, FH | AH | DH | TCP | Data; authentication covers the whole packet except the mutable fields.)
EH: extension headers. HbyH: Hop-by-Hop extension header. DH: Destination header. RH: Routing header. FH: Fragmentation header.
IPsec Tunnel Mode
Tunneling is the process of encapsulating one protocol inside another one.
IPsec Tunnel Mode - case 1
Both endpoints of the two SAs are the same. The inner and outer tunnels could each be either AH or ESP, though it is unlikely that Host 1 would specify both to be the same, i.e. AH inside of AH or ESP inside of ESP.
(Figure: Host - Security Gwy1 - Internet - Security Gwy2 - Host, with Security Association 1 (tunnel) and Security Association 2 (tunnel) between the same pair of endpoints.)
IPsec Tunnel Mode - case 2
One endpoint of the two SAs is the same. The inner and outer tunnels could each be either AH or ESP.
(Figure: the same topology; Security Association 1 (tunnel) and Security Association 2 (tunnel) share one endpoint.)
IPsec Tunnel Mode - case 3
Neither endpoint is the same. The inner and outer tunnels could each be either AH or ESP.
(Figure: the same topology; Security Association 1 (tunnel) and Security Association 2 (tunnel) have different endpoints at both ends.)
IPv4 Tunnel Mode
(Figure: the original packet IPv4 Hdr | TCP | Data becomes New IPv4 Hdr | AH | IPv4 Hdr | TCP | Data; authentication covers the whole packet except the mutable fields in the new IP header.)
IPv6 Tunnel Mode
(Figure: the original packet IPv6 Hdr | EH | TCP | Data becomes New IPv6 Hdr | EH | AH | IPv6 Hdr | EH | TCP | Data; authentication covers the whole packet except the mutable fields in the new IP header and its extension headers.)
IPsec Databases
• The Security Policy Database (SPD): an SA is a management construct used to enforce security policy for traffic.
SPD Processing Choices
• DISCARD: the first choice refers to traffic that is not allowed to traverse the IPsec boundary.
• BYPASS: the second choice refers to traffic that is allowed to cross the IPsec boundary without IPsec protection.
• PROTECT: the third choice refers to traffic that is afforded IPsec protection; for such traffic the SPD must specify the security protocols to be employed, their mode, security service options, and the cryptographic algorithms to be used.
(Figure: the SPD is consulted for both outbound and inbound traffic.)
SPD Policy Entries
• SPD-I: For inbound traffic that is to be bypassed or discarded, the entry consists of the values of the selectors that apply to the traffic to be bypassed or discarded.
• SPD-O: For outbound traffic that is to be bypassed or discarded, the entry consists of the values of the selectors that apply to the traffic to be bypassed or discarded.
• SPD-S: For traffic that is to be protected using IPsec, the entry consists of the values of the selectors that apply to the traffic to be protected via AH or ESP, controls on how to create SAs based on these selectors, and the parameters needed to effect this protection (e.g., algorithms, modes, etc.).
SPD Selector
• Remote IP Address(es) (IPv4 or IPv6): this is a list of ranges of IP addresses (unicast, anycast, broadcast (IPv4 only), or multicast group).
• Local IP Address(es) (IPv4 or IPv6): this is a list of ranges of IP addresses (unicast, anycast, broadcast (IPv4 only), or multicast group).
• Next Layer Protocol: Obtained from the IPv4 "Protocol" or the IPv6 "Next Header" fields.
• Port numbers: If the Next Layer Protocol uses two ports (e.g., TCP, UDP, SCTP, ...), then there are selectors for Local and Remote Ports.
• Mobility Header Message Type (MH type): If the Next Layer Protocol is a Mobility Header, then there is a selector for IPv6 Mobility Header Message Type (MH type).
Outbound IP Traffic Processing (Cache Hit)
(Flow: SPD selection finds the packet in the SPD cache; protected: process with AH/ESP, then forward; bypass: forward; discard: drop the packet.)
Outbound IP Traffic Processing (Cache Miss)
(Flow: check SPD-O and SPD-S; protected: invoke IKE, create the SA, create the inbound and outbound cache entries (CE), process with AH/ESP and forward; bypass: create the outbound CE and forward; discard: drop the packet.)
Inbound IP Traffic Processing
(Flow: is the packet IPsec protected? Yes: process with AH/ESP and verify the packet's selectors against the SAD selectors, then forward. No: consult SPD-I; bypass: forward; discard: drop the packet.)
MD5: Overall Structure
(Figure: the K-bit message plus 1-512 padding bits and a 64-bit length field form L x 512 bits, i.e. blocks Y0, Y1, ..., Yq, ..., Y(L-1) of 512 bits; each block is processed by MD5 together with the 128-bit chaining value CVq (the IV for Y0) to produce CVq+1; the final 128-bit value is the digest.)
Step 1: Appending padding bits (1-512 bits)
The message is padded so that its length in bits is 64 bits less than an integer multiple of 512 bits. Padding is always added, even if the message already has the required length: for M = 448 bits, pad = 512 bits.
Step 2: Adding length
A 64-bit representation of the length in bits of the original message is appended to the result of step 1 (least significant byte first). If the length is greater than 2^64, only the low-order 64 bits of the length are used:
Length = K mod 2^64
Step 3: Initialize MD buffer
A 128-bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as four 32-bit registers (A, B, C, D). The initial values (IV) are stored in little-endian order, in which the least significant byte is in the lowest address:
A = 01 23 45 67
B = 89 AB CD EF
C = FE DC BA 98
D = 76 54 32 10
Step 4: Process the message in 512-bit blocks
(Figure: for block Yq, the registers A B C D initialised from CVq go through four rounds of 16 steps each: F with T[1..16], G with T[17..32], H with T[33..48], I with T[49..64]; the four results are added to CVq to give CVq+1.)
MD5 Round 1 (F, T[1..16], 16 steps on the registers A B C D): shift amounts
Step i:   0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
Shift s:  7  12  17  22   7  12  17  22   7  12  17  22   7  12  17  22
MD5 compression function (one step)
a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)
(Figure: the registers A B C D enter the step; g(b, c, d), the message word X[k] and the constant T[i] are added to a, the sum is circularly left-shifted by s bits (cls) and added to b; the result becomes the new B while A ← D, D ← C, C ← B.)
Round | Primitive function g | g(b, c, d)
1     | F(b, c, d)           | (b ∧ c) ∨ (¬b ∧ d)
2     | G(b, c, d)           | (b ∧ d) ∨ (c ∧ ¬d)
3     | H(b, c, d)           | b ⊕ c ⊕ d
4     | I(b, c, d)           | c ⊕ (b ∨ ¬d)
Index k of the message word X[k] used at step i (i = 0..15) of each round:
Round 1: k = i
Round 2: k = (1 + 5i) mod 16
Round 3: k = (5 + 3i) mod 16
Round 4: k = 7i mod 16
SHA-1: Overall Structure
(Figure: the K-bit message plus 1-512 padding bits and a 64-bit length field form L x 512 bits, i.e. blocks Y0, Y1, ..., Yq, ..., Y(L-1) of 512 bits; each block is processed by SHA-1 together with the 160-bit chaining value CVq (the IV for Y0) to produce CVq+1; the final 160-bit value is the digest.)
Step 1: Appending padding bits (1-512 bits)
The message is padded so that its length in bits is 64 bits less than an integer multiple of 512 bits. Padding is always added, even if the message already has the required length: for M = 448 bits, pad = 512 bits.
Step 2: Adding length
A 64-bit representation of the length in bits of the original message is appended to the result of step 1 (least significant byte first). If the length is greater than 2^64, only the low-order 64 bits of the length are used:
Length = K mod 2^64
Step 3: Initialize MD buffer
A 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as five 32-bit registers (A, B, C, D, E). The initial values (IV) are stored in big-endian order, in which the least significant byte is in the highest address:
A = 67 45 23 01
B = EF CD AB 89
C = 98 BA DC FE
D = 10 32 54 76
E = C3 D2 E1 F0
Step 4: Process the message in 512-bit blocks
(Figure: for block Yq, the registers A B C D E initialised from CVq go through four rounds of 20 steps each: f1 with W[0..19], f2 with W[20..39], f3 with W[40..59], f4 with W[60..79]; the five results are added to CVq to give CVq+1.)
f for the different rounds
Step        | Function name      | Function value
0 ≤ t ≤ 19  | f1 = f(t, b, c, d) | (b ∧ c) ∨ (¬b ∧ d)
20 ≤ t ≤ 39 | f2 = f(t, b, c, d) | b ⊕ c ⊕ d
40 ≤ t ≤ 59 | f3 = f(t, b, c, d) | (b ∧ c) ∨ (b ∧ d) ∨ (c ∧ d)
60 ≤ t ≤ 79 | f4 = f(t, b, c, d) | b ⊕ c ⊕ d
Additive constants Kt
Step        | Hexadecimal     | Take integer part of
0 ≤ t ≤ 19  | Kt = 0x5A827999 | 2^30 x sqrt(2)
20 ≤ t ≤ 39 | Kt = 0x6ED9EBA1 | 2^30 x sqrt(3)
40 ≤ t ≤ 59 | Kt = 0x8F1BBCDC | 2^30 x sqrt(5)
60 ≤ t ≤ 79 | Kt = 0xCA62C1D6 | 2^30 x sqrt(10)
Security of MD5 and SHA-1
Brute force attack:
If we have a message x such that H(x) = h, the difficulty of finding y such that H(y) = H(x) is on the order of 2^128 operations for MD5 and 2^160 operations for SHA-1.
Mathematical Basis of the Brute Force Attack
Problem statement:
• An attacker generates k different inputs, trying to find at least one message y with H(y) = H(x).
• What is the size of k such that the probability of H(x) = H(y) is 0.5?
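The problem statement worked out, as an added derivation that is not on the original slide. Each of the k trial inputs is treated as an independent chance of hitting the fixed n-bit value h = H(x), so

$$P(\text{at least one } y \text{ with } H(y) = h) = 1 - \left(1 - 2^{-n}\right)^{k}.$$

Setting this probability to $1/2$ gives

$$\left(1 - 2^{-n}\right)^{k} = \frac{1}{2} \quad\Rightarrow\quad k = \frac{\ln 2}{-\ln\left(1 - 2^{-n}\right)} \approx 2^{n} \ln 2 \approx 0.69 \cdot 2^{n},$$

using $-\ln(1 - \varepsilon) \approx \varepsilon$ for the small value $\varepsilon = 2^{-n}$. For MD5 ($n = 128$) that is about $2^{127.5}$ trials and for SHA-1 ($n = 160$) about $2^{159.5}$, which is the "order of $2^{128}$ and $2^{160}$" of the preceding slide. Finding any colliding pair (the strong collision resistance requirement) is the birthday problem instead and needs only about $2^{n/2}$ trials, so a digest needs to be twice as long to resist it.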
CHILD_SA - Generating Keying Material
CHILD_SAs are created by:
1. Piggybacking on the IKE_AUTH exchange:
KEYMAT = prf+ (SK_d, Ni | Nr)
where Ni and Nr are the nonces from the IKE_SA_INIT exchange if the request is the first CHILD_SA created.
2. A CREATE_CHILD_SA exchange:
KEYMAT = prf+ (SK_d, g^ir (new) | Ni | Nr)
where Ni and Nr are fresh nonces from the CREATE_CHILD_SA exchange and g^ir (new) is the shared secret from the ephemeral Diffie-Hellman exchange of this CREATE_CHILD_SA exchange.
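The IKEv2 key derivation of the IKE_SA keying slides (prf+, SKEYSEED, the seven SK_* keys), the rekeying SKEYSEED, and the CHILD_SA KEYMAT above, in one place. This is an added example, not code from the original slides; it assumes the negotiated prf is HMAC-SHA1, the key lengths are passed in by the caller (the values in the test are constructed), and the nonces, DH secret and SPIs are constructed sample bytes.

```python
"""IKEv2 prf+, IKE_SA and CHILD_SA key derivation (added example)."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S): assumed to be PRF_HMAC_SHA1 (20-byte output)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, needed: int) -> bytes:
    """prf+(K,S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n).
    The iteration counter is a single octet, so at most 255 blocks are available."""
    out, t, n = b"", b"", 1
    while len(out) < needed:
        if n > 255:
            raise ValueError("prf+ cannot produce more than 255 output blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:needed]


# Order in which prf+ output is sliced on the slides.
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def derive_ike_sa_keys(ni, nr, g_ir, spi_i, spi_r, lengths, old_sk_d=None) -> dict:
    """SKEYSEED = prf(Ni|Nr, g^ir) for the initial IKE_SA_INIT, or
    prf(SK_d(old), Ni|Nr|g^ir) when rekeying the IKE_SA via CREATE_CHILD_SA; then
    {SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    if old_sk_d is None:
        skeyseed = prf(ni + nr, g_ir)
    else:
        skeyseed = prf(old_sk_d, ni + nr + g_ir)
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(lengths))
    keys, pos = {}, 0
    for name, length in zip(KEY_NAMES, lengths):
        keys[name] = material[pos:pos + length]
        pos += length
    return keys


def derive_child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, needed: int,
                           g_ir_new: bytes = None) -> bytes:
    """KEYMAT = prf+(SK_d, Ni|Nr) for the CHILD_SA piggybacked on IKE_AUTH, or
    prf+(SK_d, g^ir(new)|Ni|Nr) when CREATE_CHILD_SA carried a fresh DH exchange."""
    seed = (g_ir_new if g_ir_new is not None else b"") + ni + nr
    return prf_plus(sk_d, seed, needed)
```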