internet key exchange ike protocol vulnerability risks l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Internet Key Exchange (IKE) protocol vulnerability risks PowerPoint Presentation
Download Presentation
Internet Key Exchange (IKE) protocol vulnerability risks

Loading in 2 Seconds...

play fullscreen
1 / 19

Internet Key Exchange (IKE) protocol vulnerability risks - PowerPoint PPT Presentation


  • 152 Views
  • Uploaded on

Internet Key Exchange (IKE) protocol vulnerability risks. Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia Networks Supervisor: Prof. Raimo Kantola Instructor: M.Sc. Jussi Kohonen. Contents. Background Research methods

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Internet Key Exchange (IKE) protocol vulnerability risks' - nuwa


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
internet key exchange ike protocol vulnerability risks
Internet Key Exchange (IKE) protocol vulnerability risks

Master's thesis seminar 18.5.2004

HUT, Networking Laboratory

Composed by Ari Muittari at Nokia Networks

Supervisor: Prof. Raimo Kantola

Instructor: M.Sc. Jussi Kohonen

contents
Contents
  • Background
  • Research methods
  • Network security concepts
  • IPsec and IKE protocols
  • Experimental part
  • Conclusions
background
Background
  • New types of uses for the Internet are emerging and amount of IP traffic is growing; an ever increasing amount of attacks can be expected
  • Lack of security is a major hindrance to the widespread use of the Internet
  • IPsec (and IKE as its key exchange protocol) promises network level IP security
  • Attacking on IKE is presumably difficult because it has been designed to be robust
    • Few studies analyze the weaknesses of IKE
    • A couple of experimental attack programs are available (in contrast to the tool arsenal targeted to TCP/IP)

Research problem: Is it feasible to successfully attack IKE protocol?

research methods
Research methods
  • Modeling network security concepts
  • Reviewing the cryptography used, IPsec and IKE protocol
  • Analyzing the papers written of IKE weaknesses
  • Analyzing the existing IKE attack programs
  • Applying selected theoretical attack scenarios into practise by implementing them into attack programs
  • Experimenting these attacks in a test environment
network security concepts 1 2
Green circle: Security is retained inspite of the mounted attacks

Red circle: Security threats are realized by successful attacks

Attacker tries to adversely affect the information flow:

A basic model for network security concepts constructed

Helps to form a general view of the related concepts and their relations

Network security concepts 1(2)
network security concepts 2 2
Network security concepts 2(2)

Cryptographic methods are the building blocks of IPSec and IKE

  • Secret and Public key encryption
    • Provides confidentiality
  • Digital signature and hash functions, MAC (Message Authentication Code)
    • Provides integrity
  • Random numbers
    • Add unpredictability to cryptographic algorithms and protocols
    • Used for example for creating keys, nonces and cookies
  • Diffie-Hellman key exchange protocol
    • Two parties agree over an insecure channel on a shared secret
    • Shared secret is used to protect the following traffic
ipsec and ike protocols 1 2
IPsec and IKE protocols 1(2)

Internal structure of IPsec protocol suite

AH = Authentication Header

API = Application Programming Interface

DOI = Domain of Interpretation

ESP = Encapsulated Security Payload

ISAKMP = Internet Security Association

and Key Management Protocol

Oakley = Key Exchange Protocol

SA = Security Association

SAD = Security Association Database

SKEME = Secure Key Exchange Mechanism

SPD = Security Policy Database

ipsec and ike protocols 2 2
IKE SA and IPsec SA establisment

Main mode :

IPsec and IKE protocols 2(2)

Aggressive mode:

HDR = ISAKMP Header,

HDR* = Payloads are encrypted

SA = Security Association payload

KE = Key Exchange payload (Diffie-Hellman public value)

Ni, Nr = Nonce payload (of Initiator, Responder)

IDii, Idir = Identification payload

HASH_I, HASH_R = Hash payload (of Initiator, Responder)

experimental part 1 6
Experimental part 1(6)

Test network

  • Three hosts in a LAN (Local Area Network) running FreeBSD OS (operating system)
  • Hosts are operated via a switch matrix
  • Software of the IPsec hosts
    • IPsec: KAME
    • IKE: racoon
  • Software of the Attacker’s host
    • ettercap for enabling Man-in-the-middle (MITM) attacks by using ARP tables poisoning technique
    • ike-scan for discovering IKE services
    • ikeprobe for IKE packet fabrication
    • ikecrack for pre-shared key cracking
  • Installation of OS and software
  • Configuration of IPsec policies
experimental part 2 6
Experimental part 2(6)

Attacks on IKE are diverse:

  • Exploit weaknesses of a protocol or an implementation by applying various techniques
  • Active or passive, specific to an exchange (main or aggressive mode) or parameters used
  • Differ in terms of required effort and level of difficulty to implement and mount
  • The implications induced by an attack vary as do the benefits the attacker is able to gain

Categorization of demonstrated attacks

  • Discovery of IKE service
  • Denial-of-Service (DoS) attacks
  • Authentication attacks
experimental part 3 6
Experimental part 3(6)

Discovery of IKE service

  • If the attacker knows a specific IPsec implementation on the network, he can focus his effort on its known vulnerabilities
  • As IKE runs over UDP protocol, it needs a retransmission strategy:
    • Time to wait before resending the packet
    • Time to wait (delay) between subsequent packets
    • Count of packets to be resent before giving up
  • IPsec implementations tend to have an individual IKE retransmission strategy which forms a kind of pattern (fingerprint)
  • ike-scan discovers and identifies IPsec implementations:
    • A publicly available C program
    • Sends an initial main mode packet to the specified hosts
    • Collects timing information from responses
    • Matches that information against a database of the known implementation’s patterns
    • Concludes the IPsec/IKE implementation (vendor)
experimental part 4 6
Experimental part 4(6)

Denial-of-Service (DoS) attacks

  • The attacker’s aim is to disable the Responder by exploiting IKE protocol or implementation flaws
    • Force Responder to spend computing or memory resources
    • Force Responder to crash or jam by sending a malformed packet
  • ikeprobe.pl, IKE packet fabrication tool
    • Largely rewritten and enhanced from the IKEProber.pl
    • Aggressive and main mode packet flooding
    • Initiates an IKE negotiation without trying to complete it
  • DoS protection means of IKE
    • Cookies (IKE fails to protect against even simple DoS attacks)
    • Discarding of malformed packets
    • Limited logging of abnormal events
experimental part 5 6
Experimental part 5(6)

DoS attacks classified according to a mechanism they effect on the IKE service

experimental part 6 6
Experimental part 6(6)

Authentication attacks

  • Cracking a weak pre-shared key
    • ikecrack.pl, IKE message parser and pre-shared key cracking tool
    • Largely rewritten and enhanced from the ikecrack-snarf-1.00.pl
    • The attacker captures the exchange by “tcpdump –nxq –s 600 > file”
    • ikecrack parses the capture file, computes needed keying material and MAC values and starts dictionary, hybrid and brute-force cracking
    • In aggressive mode only a capture of an exchange needed
    • In main mode also a MITM attack needed to forge a DH public key by using an ettercap plug-in program developed
  • Use of degenerated DH public keys
    • racoon accepts degenerated DH public keys and thus allows revealing of DH shared secret (implementation flaw)
conclusions
Conclusions
  • IKE is a complex protocol. Security suffers from complexity
  • Attacking on IKE is feasible, although not trivial
  • Serious vulnerabilities demonstrated in various areas, including
    • Denial-of-Service
      • Resources can be exhausted (computing, memory and disk)
      • Implementation flaws (crashes and endless loops)
    • Authentication
      • Cracking a pre-shared key (aggressive and main mode)
      • MITM attacks on DH
  • It is only a matter of time when there are advanced attack tools available
  • IKE will probably remain in use for years (IKEv2 is an Internet-draft)
    • Still, IPsec is the current best practice in IP security
    • Realize the weaknesses and enforce respective countermeasures
    • Focus on security testing (traditionally inter-operation testing)

Further research

  • Test other IPsec implementations
  • Verify the robustness of the forthcoming IKEv2
  • Develop a security testing tool suite (move from Perl to C)
additional material 1 4
Additional material 1(4)

An example of a DoS attack which floods responder with expensive modular exponentiation computations in aggressive mode

  • perl ikeprobe.pl –d 10.0.0.2 –s 1:1:1:2 –ip 10.0.0.3 –k user 99 –n user 77 –c 30000 –wait –b 8
  • racoon uses all the available processing capacity (95 % CPU usage)
  • Disk storage is exhausted at the rate of 10 Mbytes/hour
  • Virtual memory is exhausted at the rate of 30 Mbytes/hour (the memory remains reserved until racoon has been killed)
additional material 2 4
Additional material 2(4)

An example of a MITM attack (cracking a pre-shared key in main mode)

  • To decrypt the HASH_I the MITM has to know the encryption key which is derived from DH shared secret
  • MITM forges Responder’s DH public key gy to a value of which DH private key y he knows, and can compute DH shared secret (gx)y
  • g is defined to be 2, so if gy = 2 then y = 1 and DH shared secret is (gx)y = gx

Main mode exchange and a respective ettercap snapshot:

additional material 3 4
Additional material 3(4)

Diffie Hellman (DH) Key Exchange protocol

additional material 4 4
Additional material 4(4)

RFC 2409 The Internet Key Exchange (IKE)

  • IKE keying material and MACs in a pre-shared key authentication