key exchange in ipsec revisited formal analysis of ikev1
play

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 - PowerPoint PPT Presentation

Aug 20, 2022 •218 likes •410 views

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

  1. Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

  2. Overview  What is IKE ?  Internet Key Exchange , part of IPsec  Formal analysis of IKE  Previously considered infeasible  Using Scyther framework and protocol analysis tool  Leveraging massive parallelism / CPU resources  Check security properties relevant for key exchange protocols  Some highlights of results  Is the world safe? 2

  3. Ipsec and IKE  IPsec: IETF standard for end-to-end security  Part of IPv6, optional extension for IPv4.  IPsec establishes a security association between endpoints  Core element: shared keying material  IKE (Internet Key Exchange) establishes keying material  Stated goals of IKE  Authenticated keying material  Perfect Forward Secrecy  Identity Protection  Mutual authentication 3

  4. Previous analyses of IKE  IKEv1  Meadows, 1999; Perlman, Kaufman, 2000; Zhou, 2000; Canetti, Krawczyk, 2001;  Several issues found, some fixed in IKEv2  IKEv2  Drielsma, Moedersheim, 2003; (some subprotocols)  But why not proof or full analysis? 4

  5. “IKE is fairly complicated; to fully understand it, it’s IKE is fairly complicated; to fully understand it, it’s “ helpful to possess multiple advanced degrees in multiple advanced degrees in helpful to possess mathematics and cryptography and to have and to have mathematics and cryptography copious amounts of spare time to read many to read many copious amounts of spare time detailed yet highly valuable resources.” detailed yet highly valuable resources.” Microsoft TechNet: How IPsec works Source: http://technet.microsoft.com/en-us/library/cc512617.aspx (Retrieved September 1, 2011) 5

  6. Example IKE exchange 6

  7. IKEv1 Aggressive Mode with digital signatures IKEv1 Main Mode with digital signatures 7

  8. IKEv1 Aggressive Mode with digital signatures IKEv1 Main Mode with digital signatures IKEv1 Aggressive Mode with Pre-shared keys IKEv1 Main Mode with Pre-shared keys IKEv1 Aggressive Mode with Public keys IKEv1 Main Mode with Public keys IKEv1 Aggressive Mode with Public keys (2) IKEv1 Main Mode with Public keys (2) Note: some minor variants omitted! 8

  9. Phase 1 IKEv1 Aggressive Mode with digital signatures IKEv1 Main Mode with digital signatures IKEv1 Aggressive Mode with Pre-shared keys IKEv1 Main Mode with Pre-shared keys IKEv1 Aggressive Mode with Public keys IKEv1 Main Mode with Public keys IKEv1 Aggressive Mode with Public keys (2) IKEv1 Main Mode with Public keys (2) Phase 2 IKEv1 Quick Mode IKEv1 Quick Mode without PFS IKEv1 Quick Mode without Identity Note: some minor variants omitted! 9

  10. IKEv1 IKEv2 Phase 1 Phase 1 IKEv1 Aggressive Mode with digital signatures IKEv1 Main Mode with digital signatures IKEv2 SIG IKEv2 SIG noid IKEv1 Aggressive Mode with Pre-shared keys IKEv1 Main Mode with Pre-shared keys IKEv2 MAC IKEv2 MAC noid IKEv1 Aggressive Mode with Public keys IKEv1 Main Mode with Public keys IKEv2 EAP IKEv2 EAP noid IKEv1 Aggressive Mode with Public keys (2) IKEv1 Main Mode with Public keys (2) IKEv2 SIG/MAC asymmetric variants IKEv2 SIG/MAC asymmetric variants IKEv2 SIG/MAC asymmetric variants IKEv2 SIG/MAC asymmetric variants Phase 2 IKEv1 Quick Mode IKEv1 Quick Mode without PFS Phase 2 IKEv1 Quick Mode without Identity IKEv2 child mode IKEv2 child mode without PFS Note: some minor variants omitted! 10

  11. Our approach: formal tools  Symbolic analysis of security protocols  Model protocol execution in presence of adversary  Verify/falsify that properties hold in all reachable states  Tools: e.g., Avispa, Maude-NPA, ProVerif, Scyther  We use Scyther (Cremers, 2008)  Defines several adversary types that  Completely control the network (Dolev-Yao assumption)  Can learn long-term keys  For AKE experts: this is used to verify PFS, KCI resilience  Can learn (some) session keys  Can learn (some) intermediate computations made by the participants 11

  12. (About model-checking security protocols:) (About model-checking security protocols:) “The state-of-the-art is able to handle [...] The state-of-the-art is able to handle [...] “ protocols of realistic, but limited, complexity. A protocols of realistic, but limited, complexity. A fully automatic analysis of the Internet Key of the Internet Key fully automatic analysis Exchange Protocol, with all its variations, would Exchange Protocol, with all its variations, would lead to state explosion and is outside of the outside of the lead to state explosion and is current state-of-the-art .“ .“ current state-of-the-art David Basin, Cas Cremers , Catherine Meadows “Model Checking Security Protocols“ [Draft] Chapter for the Handbook of Model Checking, to appear. (Retrieved May 1, 2011) 12

  13. Making analysis of IKE feasible  Ingredients  Scyther tool  Brutus cluster (supercomputer at ETH Zurich)  RFC specs of IKE + design documents for IKEv2  Hundreds of pages  Modeling effort: months  Big thanks to Adrian Kyburz for work on the initial models  What to check? Not specified in documentation  Secrecy , authentication with respect to 96 adversary types (for AKE experts: this includes Dolev-Yao, BR93, CK, eCK, multi-protocol adversaries – see e.g. Basin and Cremers, Esorics 2010) 13

  14. Example: model fragment 14

  15. Results: summary  Final run:  3700 lines for protocol models (Scyther input language, macros)  Number of tool runs: approx. 50000  Time: 3 days (no Brutus: 1 year!)  Used much more resources while developing models  Resources enabled tool-assisted model development  Security?  Rediscovered vast majority of known attacks  Found several new weaknesses  Bounded verification (for now) 15

  16. Results highlights: secrecy  “Simple” secrecy holds against network attacker  But not any cryptographic security notion  For AKE experts: e.g. BR93, CK, eCK, ...  Main reasons:  Vulnerable to reveal of randomness / intermediate computations  Compute same keying material in non-matching sessions  Enables session-key reveal attacks  Vulnerable to Key Compromise Impersonation attacks  May not be problematic in practice  But other protocols are “more secure” (e.g., (H)MQV) 16

  17. Results highlights: authentication  Many new weaknesses  ...but often resolved after message exchange (because key is secret anyway)  IKEv1  aliveness guaranteed for phase 1, but nothing more  beliefs may be wrong  IKEv2  Much better  Still no agreement in some subprotocols  Don't use these keys here if you want authentication!  Still no recent aliveness guarantees after Phase 2 exchange 17

  18. Highlight: example of weak authentication B does not accept the last message! ...but A has already successfully finished 18

  19. Conclusions  Most extensive formal analysis of IKE so far  Formal analysis of standards is possible and useful  New insights in the properties achieved  Don't expect strong authentication or recent aliveness from the IKE phases  Hints for provable security – but models still fairly coarse  Methodology scales well for real-world security protocols, given sufficient resources  Biggest hurdle : developing good protocol models (faithful abstractions)  Having a library of existing analyses helps Cas Cremers – cas.cremers@inf.ethz.ch 19

Recommend

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
OpenIKED, AsiaBSDCon 2013 Reyk Flter

OpenIKED, AsiaBSDCon 2013 Reyk Flter

OpenIKED, AsiaBSDCon 2013 Reyk Flter (reyk@openbsd.org) Agenda Why another VPN protocol? We have lots of existing VPN protocols: IPsec IKEv1 with

412 views • 25 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE ADVICE TAKER REVISITED John McCarthy Stanford University http://www-formal.stanford.edu/jmc/

THE ADVICE TAKER REVISITED John McCarthy Stanford University http://www-formal.stanford.edu/jmc/

THE ADVICE TAKER REVISITED John McCarthy Stanford University http://www-formal.stanford.edu/jmc/ March 21, 2003 The long term goal of AI is human level AI. Programs with Common Sense1959 Ad- vice Taker (AT).

222 views • 11 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
The Journey towards a Reference Implementation of IPSec Automatic Security Analysis with

The Journey towards a Reference Implementation of IPSec Automatic Security Analysis with

1/25 The Journey towards a Reference Implementation of IPSec Automatic Security Analysis with Tamarin-Prover Eike Stadtlnder July 12, 2018 2/25 Outline Motivation Tamarin-Prover Overview Multiset Rewriting Tamarin-Prover in Practice

1.32k views • 117 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal and Automated Theorem Proving and Applications. Belgrade, February 3-4, 2012. Marko Malikovi Mirko ubrilo Predrag Janii Faculty of Humanities

406 views • 27 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 149 Outline Introduction 1 Formal

861 views • 68 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk Tyler Moore 1 Nicolas Christin 2

Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk Tyler Moore 1 Nicolas Christin 2

Data on Bitcoin-Exchange Closures Survival Analysis of Exchange Closure Regression Analysis of Exchange Breaches Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk Tyler Moore 1 Nicolas Christin 2 1 Computer Science &

751 views • 31 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of course IKE/IPsec can be configured on routers to provide transport security for BGP and other similar control plane protocols. And certainly

480 views • 16 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides

More recommend