Section 16.6. Key Management


[Page 506 (continued)]

16.6. Key Management

The key management portion of IPSec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP. The IPSec Architecture document mandates support for two types of key management:

  • Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is practical for small, relatively static environments.

  • Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.

The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley and consists of the following elements:

  • Oakley Key Determination Protocol: Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not dictate specific formats.

  • Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes.

ISAKMP by itself does not dictate a specific key exchange algorithm; rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.


[Page 507]

We begin with an overview of Oakley and then look at ISAKMP.

Oakley Key Determination Protocol

Oakley is a refinement of the Diffie-Hellman key exchange algorithm. Recall that Diffie-Hellman involves the following interaction between users A and B. There is prior agreement on two global parameters: q, a large prime number; and a a primitive root of q. A selects a random integer XA as its private key, and transmits to B its public key YA = aXA mod q. Similarly, B selects a random integer XB as its private key and transmits to A its public key YB = aXB mod q. Each side can now compute the secret session key:

The Diffie-Hellman algorithm has two attractive features:

  • Secret keys are created only when needed. There is no need to store secret keys for a long period of time, exposing them to increased vulnerability.

  • The exchange requires no preexisting infrastructure other than an agreement on the global parameters.

However, there are a number of weaknesses to Diffie-Hellman, as pointed out in [HUIT98]:

  • It does not provide any information about the identities of the parties.

  • It is subject to a man-in-the-middle attack, in which a third party C impersonates B while communicating with A and impersonates A while communicating with B. Both A and B end up negotiating a key with C, which can then listen to and pass on traffic. The man-in-the-middle attack proceeds as follows:

    1. B sends his public key YB in a message addressed to A (see Figure 10.8).

    2. The enemy (E) intercepts this message. E saves B's public key and sends a message to A that has B's User ID but E's public key YE. This message is sent in such a way that it appears as though it was sent from B's host system. A receives E's message and stores E's public key with B's User ID. Similarly, E sends a message to B with E's public key, purporting to come from A.

    3. B computes a secret key K1 based on B's private key and YE. A computes a secret key K2 based on A's private key and YE. E computes K1 using E's secret key XE and YB and computer K2 using YE and YB.

    4. From now on E is able to relay messages from A to B and from B to A, appropriately changing their encipherment en route in such a way that neither A nor B will know that they share their communication with E.

  • It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which an opponent requests a high number of keys. The victim spends considerable computing resources doing useless modular exponentiation rather than real work.


[Page 508]

Oakley is designed to retain the advantages of Diffie-Hellman while countering its weaknesses.

Features of Oakley

The Oakley algorithm is characterized by five important features:

  1. It employs a mechanism known as cookies to thwart clogging attacks.

  2. It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange.

  3. It uses nonces to ensure against replay attacks.

  4. It enables the exchange of Diffie-Hellman public key values.

  5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.

We have already discussed Diffie-Hellman. Let us look the remainder of these elements in turn. First, consider the problem of clogging attacks. In this attack, an opponent forges the source address of a legitimate user and sends a public Diffie-Hellman key to the victim. The victim then performs a modular exponentiation to compute the secret key. Repeated messages of this type can clog the victim's system with useless work. The cookie exchange requires that each side send a pseudorandom number, the cookie, in the initial message, which the other side acknowledges. This acknowledgment must be repeated in the first message of the Diffie-Hellman key exchange. If the source address was forged, the opponent gets no answer. Thus, an opponent can only force a user to generate acknowledgments and not to perform the Diffie-Hellman calculation.

ISAKMP mandates that cookie generation satisfy three basic requirements:

  1. The cookie must depend on the specific parties. This prevents an attacker from obtaining a cookie using a real IP address and UDP port and then using it to swamp the victim with requests from randomly chosen IP addresses or ports.

  2. It must not be possible for anyone other than the issuing entity to generate cookies that will be accepted by that entity. This implies that the issuing entity will use local secret information in the generation and subsequent verification of a cookie. It must not be possible to deduce this secret information from any particular cookie. The point of this requirement is that the issuing entity need not save copies of its cookies, which are then more vulnerable to discovery, but can verify an incoming cookie acknowledgment when it needs to.

  3. The cookie generation and verification methods must be fast to thwart attacks intended to sabotage processor resources.

The recommended method for creating the cookie is to perform a fast hash (e.g., MD5) over the IP Source and Destination addresses, the UDP Source and Destination ports, and a locally generated secret value.

Oakley supports the use of different groups for the Diffie-Hellman key exchange. Each group includes the definition of the two global parameters and the identity of the algorithm. The current specification includes the following groups:


[Page 509]
  • Modular exponentiation with a 768-bit modulus

    q = 2768 - 2704 - 1 + 264 x ([2638 x p] + 149686)

    a = 2

  • Modular exponentiation with a 1024-bit modulus

    q = 21024 - 2960 - 1 + 264 x ([2894 x p] + 129093)

    a = 2

  • Modular exponentiation with a 1536-bit modulus

    Parameters to be determined

  • Elliptic curve group over 2155

    Generator (hexadecimal):X = 7B, Y = 1C8

    Elliptic curve parameters (hexadecimal):A = 0, Y = 7338F

  • Elliptic curve group over 2185

    Generator (hexadecimal):X = 18, Y = D

    Elliptic curve parameters (hexadecimal):A = 0, Y = 1EE9

The first three groups are the classic Diffie-Hellman algorithm using modular exponentiation. The last two groups use the elliptic curve analog to Diffie-Hellman, which was described in Chapter 10.

Oakley employs nonces to ensure against replay attacks. Each nonce is a locally generated pseudorandom number. Nonces appear in responses and are encrypted during certain portions of the exchange to secure their use.

Three different authentication methods can be used with Oakley:

  • Digital signatures: The exchange is authenticated by signing a mutually obtainable hash; each party encrypts the hash with its private key. The hash is generated over important parameters, such as user IDs and nonces.

  • Public-key encryption: The exchange is authenticated by encrypting parameters such as IDs and nonces with the sender's private key.

  • Symmetric-key encryption: A key derived by some out-of-band mechanism can be used to authenticate the exchange by symmetric encryption of exchange parameters.

Oakley Exchange Example

The Oakley specification includes a number of examples of exchanges that are allowable under the protocol. To give a flavor of Oakley, we present one example, called aggressive key exchange in the specification, so called because only three messages are exchanged.

Figure 16.11 shows the aggressive key exchange protocol. In the first step, the initiator (I) transmits a cookie, the group to be used, and I's public Diffie-Hellman key for this exchange. I also indicates the offered public-key encryption, hash, and authentication algorithms to be used in this exchange. Also included in this message are the identifiers of I and the responder (R) and I's nonce for this exchange. Finally, I appends a signature using I's private key that signs the two identifiers, the nonce, the group, the Diffie-Hellman public key, and the offered algorithms.


[Page 510]

Figure 16.11. Example of Aggressive Oakley Key Exchange


When R receives the message, R verifies the signature using I's public signing key. R acknowledges the message by echoing back I's cookie, identifier, and nonce, as well as the group. R also includes in the message a cookie, R's Diffie-Hellman public key, the selected algorithms (which must be among the offered algorithms), R's identifier, and R's nonce for this exchange. Finally, R appends a signature using R's private key that signs the two identifiers, the two nonces, the group, the two Diffie-Hellman public keys, and the selected algorithms.

When I receives the second message, I verifies the signature using R's public key. The nonce values in the message assure that this is not a replay of an old message. To complete the exchange, I must send a message back to R to verify that I has received R's public key.

ISAKMP

ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete security associations. As part of SA establishment, ISAKMP defines payloads for exchanging key generation and authentication data. These payload formats provide a consistent framework independent of the specific key exchange protocol, encryption algorithm, and authentication mechanism.

ISAKMP Header Format

An ISAKMP message consists of an ISAKMP header followed by one or more payloads. All of this is carried in a transport protocol. The specification dictates that implementations must support the use of UDP for the transport protocol.


[Page 511]

Figure 16.12a shows the header format for an ISAKMP message. It consists of the following fields:

  • Initiator Cookie (64 bits): Cookie of entity that initiated SA establishment, SA notification, or SA deletion.

  • Responder Cookie (64 bits): Cookie of responding entity; null in first message from initiator.

  • Next Payload (8 bits): Indicates the type of the first payload in the message; payloads are discussed in the next subsection.

  • Major Version (4 bits): Indicates major version of ISAKMP in use.

  • Minor Version (4 bits): Indicates minor version in use.

  • Exchange Type (8 bits): Indicates the type of exchange; these are discussed later in this section.

  • Flags (8 bits): Indicates specific options set for this ISAKMP exchange. Two bits so far defined: The Encryption bit is set if all payloads following the header are encrypted using the encryption algorithm for this SA. The Commit bit is used to ensure that encrypted material is not received prior to completion of SA establishment.

  • Message ID (32 bits): Unique ID for this message.

  • Length (32 bits): Length of total message (header plus all payloads) in octets.

Figure 16.12. ISAKMP Formats


ISAKMP Payload Types

All ISAKMP payloads begin with the same generic payload header shown in Figure 16.12b. The Next Payload field has a value of 0 if this is the last payload in the message; otherwise its value is the type of the next payload. The Payload Length field indicates the length in octets of this payload, including the generic payload header.


[Page 512]

Table 16.3 summarizes the payload types defined for ISAKMP, and lists the fields, or parameters, that are part of each payload. The SA payload is used to begin the establishment of an SA. In this payload, the Domain of Interpretation parameter identifies the DOI under which negotiation is taking place. The IPSec DOI is one example, but ISAKMP can be used in other contexts. The Situation parameter defines the security policy for this negotiation; in essence, the levels of security required for encryption and confidentiality are specified (e.g., sensitivity level, security compartment).

Table 16.3. ISAKMP Payload Types
(This item is displayed on page 513 in the print version)

Type

Parameters

Description

Security Association (SA)

Domain of Interpretation, Situation

Used to negotiate security attributes and indicate the DOI and Situation under which negotiation is taking place.

Proposal (P)

Proposal #, Protocol-ID, SPI Size, # of Transforms, SPI

Used during SA negotiation; indicates protocol to be used and number of transforms.

Transform (T)

Transform #, Transform-ID, SA Attributes

Used during SA negotiation; indicates transform and related SA attributes.

Key Exchange (KE)

Key Exchange Data

Supports a variety of key exchange techniques.

Identification (ID)

ID Type, ID Data

Used to exchange identification information.

Certificate (CERT)

Cert Encoding, Certificate Data

Used to transport certificates and other certificate- related information.

Certificate Request (CR)

# Cert Types, Certificate Types, # Cert Auths, Certificate Authorities

Used to request certificates; indicates the types of certificates requested and the acceptable certificate authorities.

Hash (HASH)

Hash Data

Contains data generated by a hash function.

Signature (SIG)

Signature Data

Contains data generated by a digital signature function.

Nonce (NONCE)

Nonce Data

Contains a nonce.

Notification (N)

DOI, Protocol-ID, SPI Size, Notify Message Type, SPI, Notification Data

Used to transmit notification data, such as an error condition.

Delete (D)

DOI, Protocol-ID, SPI Size, #of SPIs, SPI (one or more)

Indicates an SA that is no longer valid.


The Proposal payload contains information used during SA negotiation. The payload indicates the protocol for this SA (ESP or AH) for which services and mechanisms are being negotiated. The payload also includes the sending entity's SPI and the number of transforms. Each transform is contained in a transform payload. The use of multiple transform payloads enables the initiator to offer several possibilities, of which the responder must choose one or reject the offer.

The Transform payload defines a security transform to be used to secure the communications channel for the designated protocol. The Transform # parameter serves to identify this particular payload so that the responder may use it to indicate acceptance of this transform. The Transform-ID and Attributes fields identify a specific transform (e.g., 3DES for ESP, HMAC-SHA-1-96 for AH) with its associated attributes (e.g., hash length).

The Key Exchange payload can be used for a variety of key exchange techniques, including Oakley, Diffie-Hellman, and the RSA-based key exchange used by PGP. The Key Exchange data field contains the data required to generate a session key and is dependent on the key exchange algorithm used.

The Identification payload is used to determine the identity of communicating peers and may be used for determining authenticity of information. Typically the ID Data field will contain an IPv4 or IPv6 address.

The Certificate payload transfers a public-key certificate. The Certificate Encoding field indicates the type of certificate or certificate-related information, which may include the following:

  • PKCS #7 wrapped X.509 certificate

  • PGP certificate

  • DNS signed key

  • X.509 certificatesignature

  • X.509 certificatekey exchange

  • Kerberos tokens

  • Certificate Revocation List (CRL)

  • Authority Revocation List (ARL)

  • SPKI certificate

At any point in an ISAKMP exchange, the sender may include a Certificate Request payload to request the certificate of the other communicating entity. The payload may list more than one certificate type that is acceptable and more than one certificate authority that is acceptable.


[Page 514]

The Hash payload contains data generated by a hash function over some part of the message and/or ISAKMP state. This payload may be used to verify the integrity of the data in a message or to authenticate negotiating entities.

The Signature payload contains data generated by a digital signature function over some part of the message and/or ISAKMP state. This payload is used to verify the integrity of the data in a message and may be used for nonrepudiation services.

The Nonce payload contains random data used to guarantee liveness during an exchange and protect against replay attacks.

The Notification payload contains either error or status information associated with this SA or this SA negotiation. The following ISAKMP error messages have been defined:

Invalid Payload Type

Invalid Protocol ID

Invalid Cert Encoding

DOI Not Supported

Invalid SPI

Invalid Certificate

Situation Not Supported

Invalid Transform ID

Bad Cert Request Syntax

Invalid Cookie

Attributes Not Supported

Invalid Cert Authority

Invalid Major Version

No Proposal Chosen

Invalid Hash Information

Invalid Minor Version

Bad Proposal Syntax

Authentication Failed

Invalid Exchange Type

Payload Malformed

Invalid Signature

Invalid Flags

Invalid Key Information

Address Notification

Invalid Message ID

  


The only ISAKMP status message so far defined is Connected. In addition to these ISAKMP notifications, DOI-specific notifications are used. For IPSec, the following additional status messages are defined:

  • Responder-Lifetime: Communicates the SA lifetime chosen by the responder.

  • Replay-Status: Used for positive confirmation of the responder's election of whether or not the responder will perform anti-replay detection.

  • Initial-Contact: Informs the other side that this is the first SA being established with the remote system. The receiver of this notification might then delete any existing SA's it has for the sending system under the assumption that the sending system has rebooted and no longer has access to those SAs.

The Delete payload indicates one or more SAs that the sender has deleted from its database and that therefore are no longer valid.

ISAKMP Exchanges

ISAKMP provides a framework for message exchange, with the payload types serving as the building blocks. The specification identifies five default exchange types that should be supported; these are summarized in Table 16.4. In the table, SA refers to an SA payload with associated Protocol and Transform payloads.


[Page 515]

Table 16.4. ISAKMP Exchange Types

Exchange

Note

(a) Base Exchange

(1)IR: SA; NONCE

Begin ISAKMP-SA negotiation

(2)RE: SA; NONCE

Basic SA agreed upon

(3)IR: KE; IDI AUTH

Key generated; Initiator identity verified by responder

(4)RE: KE; IDR AUTH

Responder identity verified by initiator; Key generated; SA established

(b) Identity Protection Exchange

(1)IR: SA

Begin ISAKMP-SA negotiation

(2)RE: SA

Basic SA agreed upon

(3)IR: KE; NONCE

Key generated

(4)RE: KE; NONCE

Key generated

(5)*IR: IDI; AUTH

Initiator identity verified by responder

(6)*RE: IDR; AUTH

Responder identity verified by initiator; SA established

(c) Authentication Only Exchange

(1)IR: SA; NONCE

Begin ISAKMP-SA negotiation

(2)RE: SA; NONCE; IDR; AUTH

Basic SA agreed upon; Responder identity verified by initiator

(3)IR: IDI; AUTH

Initiator identity verified by responder; SA established

(d) Aggressive Exchange

(1)IR: SA; KE; NONCE; IDI;

Begin ISAKMP-SA negotiation and key exchange

(2)RE: SA; KE; NONCE; IDR; AUTH

Initiator identity verified by responder; Key generated; Basic SA agreed upon

(3)*IR: AUTH

Responder identity verified by initiator; SA established

(e) Informational Exchange

(1)*IR: N/D

Error or status notification, or deletion

Notation:

I = initiator

R = responder

* = signifies payload encryption after the ISAKMP header

AUTH = authentication mechanism used


The Base Exchange allows key exchange and authentication material to be transmitted together. This minimizes the number of exchanges at the expense of not providing identity protection. The first two messages provide cookies and establish an SA with agreed protocol and transforms; both sides use a nonce to ensure against replay attacks. The last two messages exchange the key material and user IDs, with an authentication mechanism used to authenticate keys, identities, and the nonces from the first two messages.


[Page 516]

The Identity Protection Exchange expands the Base Exchange to protect the users' identities. The first two messages establish the SA. The next two messages perform key exchange, with nonces for replay protection. Once the session key has been computed, the two parties exchange encrypted messages that contain authentication information, such as digital signatures and optionally certificates validating the public keys.

The Authentication Only Exchange is used to perform mutual authentication, without a key exchange. The first two messages establish the SA. In addition, the responder uses the second message to convey its ID and uses authentication to protect the message. The initiator sends the third message to transmit its authenticated ID.

The Aggressive Exchange minimizes the number of exchanges at the expense of not providing identity protection. In the first message, the initiator proposes an SA with associated offered protocol and transform options. The initiator also begins the key exchange and provides its ID. In the second message, the responder indicates its acceptance of the SA with a particular protocol and transform, completes the key exchange, and authenticates the transmitted information. In the third message, the initiator transmits an authentication result that covers the previous information, encrypted using the shared secret session key.

The Informational Exchange is used for one-way transmittal of information for SA management.




Cryptography and Network Security Principles and Practices
Cryptography and Network Security (4th Edition)
ISBN: 0131873164
EAN: 2147483647
Year: 2005
Pages: 209

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net