on the in security of ipsec in mac then encrypt
play

On the (In)Security of IPsec in MAC-then-Encrypt Configurations - PowerPoint PPT Presentation

Nov 28, 2022 •245 likes •930 views

Motivation The Attacks Concluding Remarks On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G. Paterson Information Security Group Royal Holloway, University of London CCS 2010 Jean Paul

  1. Motivation The Attacks Concluding Remarks On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G. Paterson Information Security Group Royal Holloway, University of London CCS 2010 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 1/22

  2. Motivation The Attacks Concluding Remarks Outline Motivation 1 Security of MAC-then-Encrypt in IPsec 2 Preliminaries Using an ESP Trailer Oracle to Recover Plaintext An Oracle Based on IP Fragmentation Concluding Remarks 3 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 2/22

  3. Motivation The Attacks Concluding Remarks IPsec IPsec is a suite of protocols that provide security at the IP layer. Three main protocols – AH, ESP , IKE that can be combined in various ways, giving higher configurability. Encryption is provided by ESP , normally using a block cipher in CBC mode. Data origin authentication can be provided either by AH or ESP . Keys can be set manually or automatically through IKE. Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 3/22

  4. Motivation The Attacks Concluding Remarks Configuring IPsec An admin who wants to use IPsec to ensure the confidentiality of network traffic, has to make a number of choices: - Encryption-only, Encrypt-then-MAC, MAC-then-encrypt. - Each of AH or ESP can be operated in Transport or Tunnel mode. - Is replay protection necessary to achieve confidentiality? - Should AH or ESP be used for authentication. The RFCs provide very little guidance on this matter. There exists no systematic security analysis of the resulting configurations. Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 4/22

  5. Motivation The Attacks Concluding Remarks Why Use MAC-then-Encrypt? SSL uses MAC-then-encrypt, and is widely perceived to be secure. A popular textbook by Stallings discusses several benefits that accrue from MAC-then-encrypt in IPsec. Ferguson and Schneier claim that encrypt-then-MAC as applied in ESP is wrong , and in their book ‘Practical Cryptography’ they recommend MAC-then-encrypt for constructing secure channels. Horton principle: ‘Authenticate what is meant not what is said’ . Krawczyk’s proof that MAC-then-encrypt in CBC mode is secure. Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 5/22

  6. Motivation The Attacks Concluding Remarks Why NOT MAC-then-Encrypt? Our paper presents practical attacks against ALL possible MAC-then-encrypt IPsec configurations: - AH in Transport mode followed by ESP in Transport mode. - AH in Transport mode followed by ESP in Tunnel mode. - AH in Tunnel mode followed by ESP in Transport mode. - AH in Tunnel mode followed by ESP in Tunnel mode. Even when replay protection is enabled. Also in a repeated ESP configuration (ESP in MAC-only followed by ESP in encryption-only). Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 6/22

  7. Motivation The Attacks Concluding Remarks Why NOT MAC-then-Encrypt? Our paper presents practical attacks against ALL possible MAC-then-encrypt IPsec configurations: - AH in Transport mode followed by ESP in Transport mode. - AH in Transport mode followed by ESP in Tunnel mode. - AH in Tunnel mode followed by ESP in Transport mode. - AH in Tunnel mode followed by ESP in Tunnel mode. Even when replay protection is enabled. Also in a repeated ESP configuration (ESP in MAC-only followed by ESP in encryption-only). Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 6/22

  8. Motivation The Attacks Concluding Remarks Why NOT MAC-then-Encrypt? Our paper presents practical attacks against ALL possible MAC-then-encrypt IPsec configurations: - AH in Transport mode followed by ESP in Transport mode. - AH in Transport mode followed by ESP in Tunnel mode. - AH in Tunnel mode followed by ESP in Transport mode. - AH in Tunnel mode followed by ESP in Tunnel mode. Even when replay protection is enabled. Also in a repeated ESP configuration (ESP in MAC-only followed by ESP in encryption-only). Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 6/22

  9. Motivation The Attacks Concluding Remarks Why NOT MAC-then-Encrypt? Our paper presents practical attacks against ALL possible MAC-then-encrypt IPsec configurations: - AH in Transport mode followed by ESP in Transport mode. - AH in Transport mode followed by ESP in Tunnel mode. - AH in Tunnel mode followed by ESP in Transport mode. - AH in Tunnel mode followed by ESP in Tunnel mode. Even when replay protection is enabled. Also in a repeated ESP configuration (ESP in MAC-only followed by ESP in encryption-only). Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 6/22

  10. Motivation The Attacks Concluding Remarks Why NOT MAC-then-Encrypt? Our paper presents practical attacks against ALL possible MAC-then-encrypt IPsec configurations: - AH in Transport mode followed by ESP in Transport mode. - AH in Transport mode followed by ESP in Tunnel mode. - AH in Tunnel mode followed by ESP in Transport mode. - AH in Tunnel mode followed by ESP in Tunnel mode. Even when replay protection is enabled. Also in a repeated ESP configuration (ESP in MAC-only followed by ESP in encryption-only). Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 6/22

  11. Motivation The Attacks Concluding Remarks Why NOT MAC-then-Encrypt? Our paper presents practical attacks against ALL possible MAC-then-encrypt IPsec configurations: - AH in Transport mode followed by ESP in Transport mode. - AH in Transport mode followed by ESP in Tunnel mode. - AH in Tunnel mode followed by ESP in Transport mode. - AH in Tunnel mode followed by ESP in Tunnel mode. Even when replay protection is enabled. Also in a repeated ESP configuration (ESP in MAC-only followed by ESP in encryption-only). Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 6/22

  12. Motivation The Attacks Concluding Remarks Outline Motivation 1 Security of MAC-then-Encrypt in IPsec 2 Preliminaries Using an ESP Trailer Oracle to Recover Plaintext An Oracle Based on IP Fragmentation Concluding Remarks 3 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 7/22

  13. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

  14. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV IV C 1 C 2 D k ( · ) D k ( · ) � � P 1 P 2 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

  15. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV IV C 1 C 2 D k ( · ) D k ( · ) � � P 1 P 2 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

  16. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV IV C 1 C 2 D k ( · ) D k ( · ) � � P 1 P 2 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

  17. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV IV C 1 C 2 D k ( · ) D k ( · ) � � P 1 P 2 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

  18. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV IV C 1 C 2 D k ( · ) D k ( · ) � � P 1 P 2 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

  19. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV IV C 1 C 2 D k ( · ) D k ( · ) � � P 1 P 2 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

  20. Motivation The Attacks Concluding Remarks Bit Flipping in CBC Mode CBC encryption CBC decryption C i = E k ( P i ⊕ C i − 1 ) ; C 0 = IV P i = D k ( C i ) ⊕ C i − 1 ; C 0 = IV IV C 1 C 2 D k ( · ) D k ( · ) � � P 1 P 2 Jean Paul Degabriele, Kenneth G. Paterson | On the (In)Security of IPsec in MAC-then-Encrypt Configurations 8/22

Recommend

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure

Cryptography and Network Security IPSEC Security architecture and protocol stack Secure applications: Applicaz. (SHTTP) PGP, SHTTP, SFTP, or SSL/TLS Security down in the TCP protocol stack -SSL between TCP IPSEC and applic. layer

723 views • 59 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec 1 IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials, extend without waiting for OS vendor, understand data; (-): design again and again; e.g., PGP, ssh, Kerberos Transport layer: (+):

420 views • 18 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
Security Tunneling Cyber Security Spring 2010 Reading Material IPSec overview Chapter

Security Tunneling Cyber Security Spring 2010 Reading Material IPSec overview Chapter

Security Tunneling Cyber Security Spring 2010 Reading Material IPSec overview Chapter 6 Network Security Essentials, William Stallings SSH RFCs 4251, 4252, 4253 SSL/TLS overview Slide material from Bishop

1.55k views • 69 slides
Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan telework-related security policies and controls based on a zero-trust model. Encrypt client devices storage, encrypt all sensitive data stored on

371 views • 9 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System Sandy Clark | Travis Goodspeed | Perry Metzger Zachary Wasserman | Kevin Xu | Matt Blaze Usenix 2011 P25 Modulates voice

147 views • 14 slides
Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of course IKE/IPsec can be configured on routers to provide transport security for BGP and other similar control plane protocols. And certainly

480 views • 16 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) /

812 views • 25 slides
IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing

IPsec (AH, ESP), IKE Guevara Noubir CSG254: Network Security noubir@ccs.neu.edu Securing Networks Applications Layer Monitoring/Logging/Intrusion Detection Control/Management (configuration) telnet/ftp: ssh, http: https , mail: PGP Network

1.4k views • 26 slides
IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Bjrn

IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Bjrn

IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Bjrn Phlsson Who are we? FUKT Computer Society Unix system since 1995 Using IPsec since 2003 FUKT is a society/club for computer enthusiasts

927 views • 45 slides
Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel Jeffery Linux Foundation Why HTTPS? As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it.

746 views • 40 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues

IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues

IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service Many solutions

543 views • 25 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security

Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security

IP Security Cunsheng Ding HKUST, Kong Kong, China C. Ding - COMP4631 - L21 1 Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security Association Building Block: Security Association Database

694 views • 33 slides
CHIPSEC IPSEC Platform Security Assessment Framework https://github.com/chipsec/chipsec

CHIPSEC IPSEC Platform Security Assessment Framework https://github.com/chipsec/chipsec

CHIPSEC IPSEC Platform Security Assessment Framework https://github.com/chipsec/chipsec @CHIPSEC Wha What is is Pl Platform rm Se Secu curi rity? ty? Hardware Implementation and Configuration Available Security Features

695 views • 20 slides

More recommend