internet key exchange (ike) protocol vulnerability risks master's thesis seminar 18.5.2004 hut,...
TRANSCRIPT
![Page 1: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/1.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Internet Key Exchange (IKE) protocol vulnerability risks
Master's thesis seminar 18.5.2004
HUT, Networking Laboratory
Composed by Ari Muittari at Nokia Networks
Supervisor: Prof. Raimo Kantola
Instructor: M.Sc. Jussi Kohonen
![Page 2: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/2.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Contents
• Background
• Research methods
• Network security concepts
• IPsec and IKE protocols
• Experimental part
• Conclusions
![Page 3: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/3.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Background
• New types of uses for the Internet are emerging and amount of IP traffic is growing; an ever increasing amount of attacks can be expected
• Lack of security is a major hindrance to the widespread use of the Internet
• IPsec (and IKE as its key exchange protocol) promises network level IP security
• Attacking on IKE is presumably difficult because it has been designed to be robust
• Few studies analyze the weaknesses of IKE • A couple of experimental attack programs are available (in
contrast to the tool arsenal targeted to TCP/IP)
Research problem: Is it feasible to successfully attack IKE protocol?
![Page 4: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/4.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Research methods
• Modeling network security concepts
• Reviewing the cryptography used, IPsec and IKE protocol
• Analyzing the papers written of IKE weaknesses
• Analyzing the existing IKE attack programs
• Applying selected theoretical attack scenarios into practise by implementing them into attack programs
• Experimenting these attacks in a test environment
![Page 5: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/5.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Network security concepts 1(2)
• Green circle: Security is retained inspite of the mounted attacks
• Red circle: Security threats are realized by successful attacks
Attacker tries to adversely affect the information flow:
• A basic model for network security concepts constructed
• Helps to form a general view of the related concepts and their relations
(b ) In te rrup tion
(a) N orm al in form ation flow
S ource D estina tion
(c) In terception
(d) M od ifica tion (e) Fabrica tion
C om m unicationchannel
S ecurity servicesS ecurity th reats
S ecurity a ttacks S ecurity m echan ism s
Security m echanism sensure security services
Security servicesm ake use of security
m echanism s
Security threats threatensecurity services
Security servicesdefeat security threats
Security threats arecarried out by m ounting
security a ttacks
Security m echanism s try todetect and prevent security
attacks, or recover from them
Attacker's in tentions toadversely affect theinform ation flow of the network :- In terception- Fabrication- M odification- In terruption
C onsist o f:- C onfidentia lity- Authentication- In tegrity and non-repudiation- Availab ility
C onsist o f:- Security protocols- C ryptographic a lgorithm s and functions- P rocesses and practices
A ttacker's actions topenetrate the system :- Passive attacks - D isc losure of in form ation - T raffic analys is- Active attacks - M asquerade - R eplay - M odification of m essages - D enia l o f service
Successfu l securityattacks rea lizesecurity threats Security a ttacks try to
explo it vu lnerabilities insecurity m echanism s
![Page 6: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/6.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Network security concepts 2(2)
Cryptographic methods are the building blocks of IPSec and IKE
• Secret and Public key encryption• Provides confidentiality
• Digital signature and hash functions, MAC (Message Authentication Code)
• Provides integrity
• Random numbers• Add unpredictability to cryptographic algorithms and protocols• Used for example for creating keys, nonces and cookies
• Diffie-Hellman key exchange protocol• Two parties agree over an insecure channel on a shared secret• Shared secret is used to protect the following traffic
![Page 7: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/7.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
IPsec and IKE protocols 1(2)
Internal structure of IPsec protocol suite
AH = Authentication Header
API = Application Programming Interface
DOI = Domain of Interpretation
ESP = Encapsulated Security Payload
ISAKMP = Internet Security Association
and Key Management Protocol
Oakley = Key Exchange Protocol
SA = Security Association
SAD = Security Association Database
SKEME = Secure Key Exchange Mechanism
SPD = Security Policy Database
S ocket layer
T ransport P ro toco l (TC P /U D P )
IP
L ink Layer P ro toco l
A pplica tionP rocess
A pplica tionP ro toco l
IK E
A P I
S ecurity P ro toco lA H , E S PSPD
System Manager
D O IIS A K M P
O akley,S K E M E
A sks forS A creation
N egotia tes, m odifiesand de le tes S A s
C onfiguresIP sec po lic ies
C onsu lts
C onsu lts
E rror logsto systemaudit file
SAD
P oin ts to
![Page 8: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/8.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
IPsec and IKE protocols 2(2)
IKE SA and IPsec SA establisment
Main mode :
1
In itia tor R esponder
H D R , S A
2H D R , S A
5
H D R , K E , N i
4
3
6
m essage nr
H D R , K E , N r
H D R *, ID ii, H A S H _I
H D R *, ID ir, H A S H _R
1
In itia tor R esponder
H D R , S A , K E , N i, ID ii
2H D R , S A , K E , N r, ID ir, H A S H _R
H D R , H A S H _I3
m essage nr
Aggressive mode:
HDR = ISAKMP Header, HDR* = Payloads are encrypted
SA = Security Association payloadKE = Key Exchange payload (Diffie-Hellman public value)Ni, Nr = Nonce payload (of Initiator, Responder)IDii, Idir = Identification payloadHASH_I, HASH_R = Hash payload (of Initiator, Responder)
U D P
IP
R esponder
IP sec(A H /E S P )
P hase 1 negotia tion(M ain m ode or A ggressive m ode)
estab lishes IK E S A
U D P
IP
In itia tor
IP sec(A H /E S P )
P hase 2 negotia tion(Q uick m ode)
estab lishes IP sec S A s
IP sec (A H /E S P ) pro tected IPtra ffic
...
![Page 9: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/9.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 1(6)
Test network• Three hosts in a LAN (Local Area Network)
running FreeBSD OS (operating system)• Hosts are operated via a switch matrix• Software of the IPsec hosts
• IPsec: KAME • IKE: racoon
• Software of the Attacker’s host• ettercap for enabling Man-in-the-middle
(MITM) attacks by using ARP tables poisoning technique
• ike-scan for discovering IKE services• ikeprobe for IKE packet fabrication• ikecrack for pre-shared key cracking
• Installation of OS and software• Configuration of IPsec policies
Host: PC (Initiator)OS: FreeBSD v. 4.8IPsec: KAMEIKE: racoonIP: 10.0.0.1MAC: 00:00:0E:9C:C6:E7
eth
Host: PC (A ttacker)OS: FreeBSD v. 4.8Attack program s: ettercap v. 0.6.7 ike-scan v. 1.5.1 ikeprobe.pl v. 1.0 ikecrack.pl v. 1.0IP : 10.0.0.3MAC: 00:00:0E:B8:85:78
eth
Host: PC (Responder)OS: FreeBSD v. 4.8 IPsec: KAME IKE: racoonIP: 10.0.0.2MAC: 00:00:0E:A1:D0:1A
eth
Hub
Monitor, keyboardand m ouse for operation
Switch m atrix
![Page 10: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/10.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 2(6)
Attacks on IKE are diverse:
• Exploit weaknesses of a protocol or an implementation by applying various techniques
• Active or passive, specific to an exchange (main or aggressive mode) or parameters used
• Differ in terms of required effort and level of difficulty to implement and mount
• The implications induced by an attack vary as do the benefits the attacker is able to gain
Categorization of demonstrated attacks
• Discovery of IKE service
• Denial-of-Service (DoS) attacks
• Authentication attacks
![Page 11: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/11.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 3(6)
Discovery of IKE service
• If the attacker knows a specific IPsec implementation on the network, he can focus his effort on its known vulnerabilities
• As IKE runs over UDP protocol, it needs a retransmission strategy:• Time to wait before resending the packet• Time to wait (delay) between subsequent packets• Count of packets to be resent before giving up
• IPsec implementations tend to have an individual IKE retransmission strategy which forms a kind of pattern (fingerprint)
• ike-scan discovers and identifies IPsec implementations:• A publicly available C program• Sends an initial main mode packet to the specified hosts• Collects timing information from responses• Matches that information against a database of the known
implementation’s patterns• Concludes the IPsec/IKE implementation (vendor)
![Page 12: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/12.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 4(6)
Denial-of-Service (DoS) attacks
• The attacker’s aim is to disable the Responder by exploiting IKE protocol or implementation flaws
• Force Responder to spend computing or memory resources• Force Responder to crash or jam by sending a malformed
packet
• ikeprobe.pl, IKE packet fabrication tool• Largely rewritten and enhanced from the IKEProber.pl• Aggressive and main mode packet flooding• Initiates an IKE negotiation without trying to complete it
• DoS protection means of IKE• Cookies (IKE fails to protect against even simple DoS attacks)• Discarding of malformed packets• Limited logging of abnormal events
![Page 13: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/13.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 5(6)
DoS attacks classified according to a mechanism they effect on the IKE service
EFFECT MECHANISM
ATTACK INDUCED ACTIVITY IMPLICATION
Exhaustion of processing capacity
Initiate many IKE negotiations by sending many fake requests in a short time period (flooding).
Responder spends processing capacity by computing expensive DH modular exponentiations or parsing vast amount of payloads of each request.
Decreases performance of computer. Responder is unable to serve legitimate users.
Exhaustion of memory capacity
Initiate many IKE negotiations by sending many fake requests in a short time period (flooding).
Responder reserves memory by creating a state for each half-open connection (in a similar way like in TCP SYN flooding attack).
Decreases amount of available physical memory. When the physical memory runs out, virtual memory (disk memory) is used which causes swapping and a radical decrease in computer’s performance.
Exhaustion of disk storage capacity
Initiate many IKE negotiations by sending many fake requests (flooding).
Responder writes error logs of abnormal events, e.g. of timed connections.
Decreases amount of disk storage. Disk quota of process may exceed.
Exploit of implementation flaw
Send a specially fabricated packet.
Responder crashes (e.g. because of a buffer overflow).
Responder becomes unavailable.
Exploit of implementation flaw
Send a specially fabricated packet.
Responder jams because it loops endlessly using all the available processing capacity.
Responder becomes unavailable. Also other services of a computer, which have lower priority than the Responder has, become unavailable.
![Page 14: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/14.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 6(6)
Authentication attacks
• Cracking a weak pre-shared key• ikecrack.pl, IKE message parser and pre-shared key cracking
tool • Largely rewritten and enhanced from the ikecrack-snarf-1.00.pl• The attacker captures the exchange by “tcpdump –nxq –s 600
> file” • ikecrack parses the capture file, computes needed keying
material and MAC values and starts dictionary, hybrid and brute-force cracking
• In aggressive mode only a capture of an exchange needed• In main mode also a MITM attack needed to forge a DH public
key by using an ettercap plug-in program developed
• Use of degenerated DH public keys• racoon accepts degenerated DH public keys and thus allows
revealing of DH shared secret (implementation flaw)
![Page 15: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/15.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Conclusions
• IKE is a complex protocol. Security suffers from complexity• Attacking on IKE is feasible, although not trivial• Serious vulnerabilities demonstrated in various areas, including
• Denial-of-Service • Resources can be exhausted (computing, memory and disk)• Implementation flaws (crashes and endless loops)
• Authentication • Cracking a pre-shared key (aggressive and main mode)• MITM attacks on DH
• It is only a matter of time when there are advanced attack tools available• IKE will probably remain in use for years (IKEv2 is an Internet-draft)
• Still, IPsec is the current best practice in IP security • Realize the weaknesses and enforce respective countermeasures• Focus on security testing (traditionally inter-operation testing)
Further research • Test other IPsec implementations• Verify the robustness of the forthcoming IKEv2• Develop a security testing tool suite (move from Perl to C)
![Page 16: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/16.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Additional material 1(4)
An example of a DoS attack which floods responder with expensive modular exponentiation computations in aggressive mode
• perl ikeprobe.pl –d 10.0.0.2 –s 1:1:1:2 –ip 10.0.0.3 –k user 99 –n user 77 –c 30000 –wait –b 8
• racoon uses all the available processing capacity (95 % CPU usage)
• Disk storage is exhausted at the rate of 10 Mbytes/hour
• Virtual memory is exhausted at the rate of 30 Mbytes/hour (the memory remains reserved until racoon has been killed) Request count Reserved size
of racoon.log file (Mbytes)
Reserved size of virtual memory (Mbytes)
Reserved size of physical memory (Mbytes)
Elapsed time (s)
1000 0.4 1.5 1.5 117
10000 3.3 10 8.8 1178
30000 9.9 29 9.3 3535
![Page 17: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/17.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Additional material 2(4)
An example of a MITM attack (cracking a pre-shared key in main mode)
• To decrypt the HASH_I the MITM has to know the encryption key which is derived from DH shared secret
• MITM forges Responder’s DH public key gy to a value of which DH private key y he knows, and can compute DH shared secret (gx)y
• g is defined to be 2, so if gy = 2 then y = 1 and DH shared secret is (gx)y = gx
Main mode exchange and a respective ettercap snapshot:
In itia tor R esponder
H D R , S A
H D R , S A
H D R , K E (g x), N i
m essage nr
H D R , K E (g y), N r
H D R *, ID ii, H A S H _I
M ITM
1
2
3
5
patch g y := 24
![Page 18: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/18.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Additional material 3(4)
Diffie Hellman (DH) Key Exchange protocol
Alice Bob
Published values: prim e num ber p generator g (a prim itive e lem ent m odulo p, 2 g p - 2)
C hoose a random private key 1 x p - 2
C om pute a public key g x m od p
Send the public key to Bobg x m od p
g y m od p
C om pute a shared secret key K = (g y)x m od p = g xy m od p
C hoose a random private key 1 y p - 2
C om pute a public key g y m od p
Send the public key to A lice
C om pute a shared secret key K = (g x)y m od p = g xy m od p
![Page 19: Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar 18.5.2004 HUT, Networking Laboratory Composed by Ari Muittari at Nokia](https://reader038.vdocument.in/reader038/viewer/2022100508/56649ddf5503460f94ad7fe8/html5/thumbnails/19.jpg)
Internet Key Exchange (IKE) protocol vulnerability risks
Additional material 4(4)
RFC 2409 The Internet Key Exchange (IKE)
• IKE keying material and MACs in a pre-shared key authentication
Keying material
SKEYID = prf(pre-shared key, Ni_b | Nr_b) A key seed. A string derived from secret material known only to the active players in the exchange.
SKEYID_d = prf(SKEYID, gxy | CKY-I | CKY-R | 0) The keying material used to derive keys for IPSec SAs.
SKEYID_a = prf(SKEYID, SKEYID_d | gxy | CKY-I | CKY-R | 1) The keying material used by the IKE SA to authenticate its messages.
SKEYID_e = prf(SKEYID, SKEYID_a | gxy | CKY-I | CKY-R | 2) The keying material used by the IKE SA to protect the confidentiality of its messages. Provides keying material for session key (encryption key).
Message Authentication Codes (MACs)
HASH_I = prf(SKEYID, gx | gy | CKY-I | CKY-R | SAi_b | IDii_b) Authenticates initiator’s exchange
HASH_R = prf(SKEYID, gy | gx | CKY-R | CKY-I | SAi_b | IDir_b) Authenticates responder’s exchange