internet key exchange (ike) protocol vulnerability risks master's thesis seminar 18.5.2004 hut,...

Internet Key Exchange (IKE) protocol vulnerability risks


Master's thesis seminar 18.5.2004

HUT, Networking Laboratory

Composed by Ari Muittari at Nokia Networks

Supervisor: Prof. Raimo Kantola

Instructor: M.Sc. Jussi Kohonen


Contents

• Background

• Research methods

• Network security concepts

• IPsec and IKE protocols

• Experimental part

• Conclusions


Background

• New types of uses for the Internet are emerging and amount of IP traffic is growing; an ever increasing amount of attacks can be expected

• Lack of security is a major hindrance to the widespread use of the Internet

• IPsec (and IKE as its key exchange protocol) promises network level IP security

• Attacking on IKE is presumably difficult because it has been designed to be robust

• Few studies analyze the weaknesses of IKE • A couple of experimental attack programs are available (in

contrast to the tool arsenal targeted to TCP/IP)

Research problem: Is it feasible to successfully attack IKE protocol?


Research methods

• Modeling network security concepts

• Reviewing the cryptography used, IPsec and IKE protocol

• Analyzing the papers written of IKE weaknesses

• Analyzing the existing IKE attack programs

• Applying selected theoretical attack scenarios into practise by implementing them into attack programs

• Experimenting these attacks in a test environment


Network security concepts 1(2)

• Green circle: Security is retained inspite of the mounted attacks

• Red circle: Security threats are realized by successful attacks

Attacker tries to adversely affect the information flow:

• A basic model for network security concepts constructed

• Helps to form a general view of the related concepts and their relations

(b ) In te rrup tion

(a) N orm al in form ation flow

S ource D estina tion

(c) In terception

(d) M od ifica tion (e) Fabrica tion

C om m unicationchannel

S ecurity servicesS ecurity th reats

S ecurity a ttacks S ecurity m echan ism s

Security m echanism sensure security services

Security servicesm ake use of security

m echanism s

Security threats threatensecurity services

Security servicesdefeat security threats

Security threats arecarried out by m ounting

security a ttacks

Security m echanism s try todetect and prevent security

attacks, or recover from them

Attacker's in tentions toadversely affect theinform ation flow of the network :- In terception- Fabrication- M odification- In terruption

C onsist o f:- C onfidentia lity- Authentication- In tegrity and non-repudiation- Availab ility

C onsist o f:- Security protocols- C ryptographic a lgorithm s and functions- P rocesses and practices

A ttacker's actions topenetrate the system :- Passive attacks - D isc losure of in form ation - T raffic analys is- Active attacks - M asquerade - R eplay - M odification of m essages - D enia l o f service

Successfu l securityattacks rea lizesecurity threats Security a ttacks try to

explo it vu lnerabilities insecurity m echanism s


Network security concepts 2(2)

Cryptographic methods are the building blocks of IPSec and IKE

• Secret and Public key encryption• Provides confidentiality

• Digital signature and hash functions, MAC (Message Authentication Code)

• Provides integrity

• Random numbers• Add unpredictability to cryptographic algorithms and protocols• Used for example for creating keys, nonces and cookies

• Diffie-Hellman key exchange protocol• Two parties agree over an insecure channel on a shared secret• Shared secret is used to protect the following traffic


IPsec and IKE protocols 1(2)

Internal structure of IPsec protocol suite

AH = Authentication Header

API = Application Programming Interface

DOI = Domain of Interpretation

ESP = Encapsulated Security Payload

ISAKMP = Internet Security Association

and Key Management Protocol

Oakley = Key Exchange Protocol

SA = Security Association

SAD = Security Association Database

SKEME = Secure Key Exchange Mechanism

SPD = Security Policy Database

S ocket layer

T ransport P ro toco l (TC P /U D P )

IP

L ink Layer P ro toco l

A pplica tionP rocess

A pplica tionP ro toco l

IK E

A P I

S ecurity P ro toco lA H , E S PSPD

System Manager

D O IIS A K M P

O akley,S K E M E

A sks forS A creation

N egotia tes, m odifiesand de le tes S A s

C onfiguresIP sec po lic ies

C onsu lts

C onsu lts

E rror logsto systemaudit file

SAD

P oin ts to


IPsec and IKE protocols 2(2)

IKE SA and IPsec SA establisment

Main mode :

1

In itia tor R esponder

H D R , S A

2H D R , S A

5

H D R , K E , N i

4

3

6

m essage nr

H D R , K E , N r

H D R *, ID ii, H A S H _I

H D R *, ID ir, H A S H _R

1


H D R , S A , K E , N i, ID ii

2H D R , S A , K E , N r, ID ir, H A S H _R

H D R , H A S H _I3

m essage nr

Aggressive mode:

HDR = ISAKMP Header, HDR* = Payloads are encrypted

SA = Security Association payloadKE = Key Exchange payload (Diffie-Hellman public value)Ni, Nr = Nonce payload (of Initiator, Responder)IDii, Idir = Identification payloadHASH_I, HASH_R = Hash payload (of Initiator, Responder)

U D P

IP

R esponder

IP sec(A H /E S P )

P hase 1 negotia tion(M ain m ode or A ggressive m ode)

estab lishes IK E S A

U D P

IP

In itia tor

IP sec(A H /E S P )

P hase 2 negotia tion(Q uick m ode)

estab lishes IP sec S A s

IP sec (A H /E S P ) pro tected IPtra ffic

...


Experimental part 1(6)

Test network• Three hosts in a LAN (Local Area Network)

running FreeBSD OS (operating system)• Hosts are operated via a switch matrix• Software of the IPsec hosts

• IPsec: KAME • IKE: racoon

• Software of the Attacker’s host• ettercap for enabling Man-in-the-middle

(MITM) attacks by using ARP tables poisoning technique

• ike-scan for discovering IKE services• ikeprobe for IKE packet fabrication• ikecrack for pre-shared key cracking

• Installation of OS and software• Configuration of IPsec policies

Host: PC (Initiator)OS: FreeBSD v. 4.8IPsec: KAMEIKE: racoonIP: 10.0.0.1MAC: 00:00:0E:9C:C6:E7

eth

Host: PC (A ttacker)OS: FreeBSD v. 4.8Attack program s: ettercap v. 0.6.7 ike-scan v. 1.5.1 ikeprobe.pl v. 1.0 ikecrack.pl v. 1.0IP : 10.0.0.3MAC: 00:00:0E:B8:85:78

eth

Host: PC (Responder)OS: FreeBSD v. 4.8 IPsec: KAME IKE: racoonIP: 10.0.0.2MAC: 00:00:0E:A1:D0:1A

eth

Hub

Monitor, keyboardand m ouse for operation

Switch m atrix



Attacks on IKE are diverse:

• Exploit weaknesses of a protocol or an implementation by applying various techniques

• Active or passive, specific to an exchange (main or aggressive mode) or parameters used

• Differ in terms of required effort and level of difficulty to implement and mount

• The implications induced by an attack vary as do the benefits the attacker is able to gain

Categorization of demonstrated attacks

• Discovery of IKE service

• Denial-of-Service (DoS) attacks

• Authentication attacks



Discovery of IKE service

• If the attacker knows a specific IPsec implementation on the network, he can focus his effort on its known vulnerabilities

• As IKE runs over UDP protocol, it needs a retransmission strategy:• Time to wait before resending the packet• Time to wait (delay) between subsequent packets• Count of packets to be resent before giving up

• IPsec implementations tend to have an individual IKE retransmission strategy which forms a kind of pattern (fingerprint)

• ike-scan discovers and identifies IPsec implementations:• A publicly available C program• Sends an initial main mode packet to the specified hosts• Collects timing information from responses• Matches that information against a database of the known

implementation’s patterns• Concludes the IPsec/IKE implementation (vendor)



Denial-of-Service (DoS) attacks

• The attacker’s aim is to disable the Responder by exploiting IKE protocol or implementation flaws

• Force Responder to spend computing or memory resources• Force Responder to crash or jam by sending a malformed

packet

• ikeprobe.pl, IKE packet fabrication tool• Largely rewritten and enhanced from the IKEProber.pl• Aggressive and main mode packet flooding• Initiates an IKE negotiation without trying to complete it

• DoS protection means of IKE• Cookies (IKE fails to protect against even simple DoS attacks)• Discarding of malformed packets• Limited logging of abnormal events



DoS attacks classified according to a mechanism they effect on the IKE service

EFFECT MECHANISM

ATTACK INDUCED ACTIVITY IMPLICATION

Exhaustion of processing capacity

Initiate many IKE negotiations by sending many fake requests in a short time period (flooding).

Responder spends processing capacity by computing expensive DH modular exponentiations or parsing vast amount of payloads of each request.

Decreases performance of computer. Responder is unable to serve legitimate users.

Exhaustion of memory capacity

Initiate many IKE negotiations by sending many fake requests in a short time period (flooding).

Responder reserves memory by creating a state for each half-open connection (in a similar way like in TCP SYN flooding attack).

Decreases amount of available physical memory. When the physical memory runs out, virtual memory (disk memory) is used which causes swapping and a radical decrease in computer’s performance.

Exhaustion of disk storage capacity

Initiate many IKE negotiations by sending many fake requests (flooding).

Responder writes error logs of abnormal events, e.g. of timed connections.

Decreases amount of disk storage. Disk quota of process may exceed.

Exploit of implementation flaw

Send a specially fabricated packet.

Responder crashes (e.g. because of a buffer overflow).

Responder becomes unavailable.

Exploit of implementation flaw

Send a specially fabricated packet.

Responder jams because it loops endlessly using all the available processing capacity.

Responder becomes unavailable. Also other services of a computer, which have lower priority than the Responder has, become unavailable.



Authentication attacks

• Cracking a weak pre-shared key• ikecrack.pl, IKE message parser and pre-shared key cracking

tool • Largely rewritten and enhanced from the ikecrack-snarf-1.00.pl• The attacker captures the exchange by “tcpdump –nxq –s 600

> file” • ikecrack parses the capture file, computes needed keying

material and MAC values and starts dictionary, hybrid and brute-force cracking

• In aggressive mode only a capture of an exchange needed• In main mode also a MITM attack needed to forge a DH public

key by using an ettercap plug-in program developed

• Use of degenerated DH public keys• racoon accepts degenerated DH public keys and thus allows

revealing of DH shared secret (implementation flaw)


Conclusions

• IKE is a complex protocol. Security suffers from complexity• Attacking on IKE is feasible, although not trivial• Serious vulnerabilities demonstrated in various areas, including

• Denial-of-Service • Resources can be exhausted (computing, memory and disk)• Implementation flaws (crashes and endless loops)

• Authentication • Cracking a pre-shared key (aggressive and main mode)• MITM attacks on DH

• It is only a matter of time when there are advanced attack tools available• IKE will probably remain in use for years (IKEv2 is an Internet-draft)

• Still, IPsec is the current best practice in IP security • Realize the weaknesses and enforce respective countermeasures• Focus on security testing (traditionally inter-operation testing)

Further research • Test other IPsec implementations• Verify the robustness of the forthcoming IKEv2• Develop a security testing tool suite (move from Perl to C)


Additional material 1(4)

An example of a DoS attack which floods responder with expensive modular exponentiation computations in aggressive mode

• perl ikeprobe.pl –d 10.0.0.2 –s 1:1:1:2 –ip 10.0.0.3 –k user 99 –n user 77 –c 30000 –wait –b 8

• racoon uses all the available processing capacity (95 % CPU usage)

• Disk storage is exhausted at the rate of 10 Mbytes/hour

• Virtual memory is exhausted at the rate of 30 Mbytes/hour (the memory remains reserved until racoon has been killed) Request count Reserved size

of racoon.log file (Mbytes)

Reserved size of virtual memory (Mbytes)

Reserved size of physical memory (Mbytes)

Elapsed time (s)

1000 0.4 1.5 1.5 117

10000 3.3 10 8.8 1178

30000 9.9 29 9.3 3535



An example of a MITM attack (cracking a pre-shared key in main mode)

• To decrypt the HASH_I the MITM has to know the encryption key which is derived from DH shared secret

• MITM forges Responder’s DH public key gy to a value of which DH private key y he knows, and can compute DH shared secret (gx)y

• g is defined to be 2, so if gy = 2 then y = 1 and DH shared secret is (gx)y = gx

Main mode exchange and a respective ettercap snapshot:


H D R , S A

H D R , S A

H D R , K E (g x), N i

m essage nr

H D R , K E (g y), N r

H D R *, ID ii, H A S H _I

M ITM

1

2

3

5

patch g y := 24



Diffie Hellman (DH) Key Exchange protocol

Alice Bob

Published values: prim e num ber p generator g (a prim itive e lem ent m odulo p, 2 g p - 2)

C hoose a random private key 1 x p - 2

C om pute a public key g x m od p

Send the public key to Bobg x m od p

g y m od p

C om pute a shared secret key K = (g y)x m od p = g xy m od p

C hoose a random private key 1 y p - 2

C om pute a public key g y m od p

Send the public key to A lice

C om pute a shared secret key K = (g x)y m od p = g xy m od p

internet key exchange (ike) protocol vulnerability risks master's thesis seminar 18.5.2004 hut,...

Documents