Internet Key Exchange (IKE) protocol vulnerability risks

advertisement
Internet Key Exchange (IKE) protocol
vulnerability risks
Master's thesis seminar 18.5.2004
HUT, Networking Laboratory
Composed by Ari Muittari at Nokia Networks
Supervisor: Prof. Raimo Kantola
Instructor: M.Sc. Jussi Kohonen
Internet Key Exchange (IKE) protocol vulnerability risks
Contents
• Background
• Research methods
• Network security concepts
• IPsec and IKE protocols
• Experimental part
• Conclusions
Internet Key Exchange (IKE) protocol vulnerability risks
Background
• New types of uses for the Internet are emerging and amount of IP traffic
is growing; an ever increasing amount of attacks can be expected
• Lack of security is a major hindrance to the widespread use of the
Internet
• IPsec (and IKE as its key exchange protocol) promises network level IP
security
• Attacking on IKE is presumably difficult because it has been designed to
be robust
• Few studies analyze the weaknesses of IKE
• A couple of experimental attack programs are available (in contrast to
the tool arsenal targeted to TCP/IP)
Research problem: Is it feasible to successfully attack IKE protocol?
Internet Key Exchange (IKE) protocol vulnerability risks
Research methods
• Modeling network security concepts
• Reviewing the cryptography used, IPsec and IKE protocol
• Analyzing the papers written of IKE weaknesses
• Analyzing the existing IKE attack programs
• Applying selected theoretical attack scenarios into practise by
implementing them into attack programs
• Experimenting these attacks in a test environment
Internet Key Exchange (IKE) protocol vulnerability risks
Network security concepts 1(2)
• A basic model for network security
concepts constructed
• Green circle: Security is retained
inspite of the mounted attacks
• Helps to form a general view of the
related concepts and their relations
• Red circle: Security threats are
realized by successful attacks
Attacker's intentions to
adversely affect the
information flow of the network:
- Interception
- Fabrication
- Modification
- Interruption
Consist of:
- Confidentiality
- Authentication
- Integrity and non-repudiation
- Availability
Security threats threaten
security services
Security services
Security threats
Security services
defeat security threats
Security threats are
carried out by mounting
security attacks
Successful security
attacks realize
security threats
Communication
channel
Security services
make use of security
mechanisms
Security attacks try to
exploit vulnerabilities in
security mechanisms
Source
Security mechanisms
ensure security services
Destination
(a) Normal information flow
Security mechanisms
Security attacks
Attacker's actions to
penetrate the system:
- Passive attacks
- Disclosure of information
- Traffic analysis
- Active attacks
- Masquerade
- Replay
- Modification of messages
- Denial of service
Attacker tries to adversely affect
the information flow:
Security mechanisms try to
detect and prevent security
attacks, or recover from them
Internet Key Exchange (IKE) protocol vulnerability risks
Consist of:
- Security protocols
- Cryptographic algorithms and
functions
- Processes and practices
(b) Interruption
(c) Interception
(d) Modification
(e) Fabrication
Network security concepts 2(2)
Cryptographic methods are the building blocks of IPSec and IKE
• Secret and Public key encryption
• Provides confidentiality
• Digital signature and hash functions, MAC (Message Authentication Code)
• Provides integrity
• Random numbers
• Add unpredictability to cryptographic algorithms and protocols
• Used for example for creating keys, nonces and cookies
• Diffie-Hellman key exchange protocol
• Two parties agree over an insecure channel on a shared secret
• Shared secret is used to protect the following traffic
Internet Key Exchange (IKE) protocol vulnerability risks
IPsec and IKE protocols 1(2)
Internal structure of IPsec protocol suite
AH = Authentication Header
API = Application Programming Interface
DOI = Domain of Interpretation
Error logs
to system
audit file
System Manager
ISAKMP
Configures
IPsec policies
Oakley,SKEME
Negotiates, modifies
and deletes SAs
ESP = Encapsulated Security Payload
ISAKMP = Internet Security Association
DOI
Application
Process
Application
Protocol
IKE
SAD
and Key Management Protocol
Oakley = Key Exchange Protocol
Points to
Consults
SA = Security Association
SAD = Security Association Database
SKEME = Secure Key Exchange Mechanism
SPD = Security Policy Database
Internet Key Exchange (IKE) protocol vulnerability risks
SPD
API
Socket layer
Asks for
SA creation
Security Protocol
AH, ESP
Consults
Transport Protocol (TCP/UDP)
IP
Link Layer Protocol
IPsec and IKE protocols 2(2)
IKE SA and IPsec SA establisment
Initiator
Phase 1 negotiation
(Main mode or Aggressive mode)
establishes IKE SA
Initiator
Phase 2 negotiation
(Quick mode)
establishes IPsec SAs
Main mode :
Responder
message nr
HDR, SA
1
HDR, SA
2
Responder
...
HDR, KE, Ni
3
HDR, KE, Nr
4
HDR*, IDii, HASH_I
5
HDR*, IDir, HASH_R
6
UDP
IP
IPsec (AH/ESP) protected IP
traffic
IPsec
IPsec
(AH/ESP)
(AH/ESP)
UDP
IP
Aggressive mode:
Initiator
message nr
Responder
HDR, SA, KE, Ni, IDii
1
HDR, SA, KE, Nr, IDir, HASH_R
2
HDR, HASH_I
3
HDR = ISAKMP Header,
HDR* = Payloads are encrypted
SA = Security Association payload
KE = Key Exchange payload (Diffie-Hellman public value)
Ni, Nr = Nonce payload (of Initiator, Responder)
IDii, Idir = Identification payload
HASH_I, HASH_R = Hash payload (of Initiator, Responder)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 1(6)
Test network
• Three hosts in a LAN (Local Area Network) running
FreeBSD OS (operating system)
• Hosts are operated via a switch matrix
• Software of the IPsec hosts
• IPsec: KAME
• IKE: racoon
Host: PC (Initiator)
OS: FreeBSD v. 4.8
IPsec: KAME
eth
IKE: racoon
IP:
10.0.0.1
MAC: 00:00:0E:9C:C6:E7
• Software of the Attacker’s host
• ettercap for enabling Man-in-the-middle (MITM)
attacks by using ARP tables poisoning technique
• ike-scan for discovering IKE services
• ikeprobe for IKE packet fabrication
• ikecrack for pre-shared key cracking
• Installation of OS and software
• Configuration of IPsec policies
Internet Key Exchange (IKE) protocol vulnerability risks
Monitor, keyboard
and mouse for operation
Switch matrix
Host: PC (Attacker)
OS: FreeBSD v. 4.8
Attack programs:
ettercap v. 0.6.7
ike-scan v. 1.5.1
ikeprobe.pl v. 1.0
ikecrack.pl v. 1.0
IP:
10.0.0.3
MAC: 00:00:0E:B8:85:78
eth
Hub
Host: PC (Responder)
OS: FreeBSD v. 4.8
IPsec: KAME
eth
IKE: racoon
IP:
10.0.0.2
MAC: 00:00:0E:A1:D0:1A
Experimental part 2(6)
Attacks on IKE are diverse:
• Exploit weaknesses of a protocol or an implementation
by applying various techniques
• Active or passive, specific to an exchange (main or
aggressive mode) or parameters used
• Differ in terms of required effort and level of difficulty to
implement and mount
• The implications induced by an attack vary as do the
benefits the attacker is able to gain
Categorization of demonstrated attacks
• Discovery of IKE service
• Denial-of-Service (DoS) attacks
• Authentication attacks
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 3(6)
Discovery of IKE service
• If the attacker knows a specific IPsec implementation on the network, he
can focus his effort on its known vulnerabilities
• As IKE runs over UDP protocol, it needs a retransmission strategy:
• Time to wait before resending the packet
• Time to wait (delay) between subsequent packets
• Count of packets to be resent before giving up
• IPsec implementations tend to have an individual IKE retransmission
strategy which forms a kind of pattern (fingerprint)
• ike-scan discovers and identifies IPsec implementations:
• A publicly available C program
• Sends an initial main mode packet to the specified hosts
• Collects timing information from responses
• Matches that information against a database of the known
implementation’s patterns
• Concludes the IPsec/IKE implementation (vendor)
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 4(6)
Denial-of-Service (DoS) attacks
• The attacker’s aim is to disable the Responder by exploiting IKE protocol or
implementation flaws
• Force Responder to spend computing or memory resources
• Force Responder to crash or jam by sending a malformed packet
• ikeprobe.pl, IKE packet fabrication tool
• Largely rewritten and enhanced from the IKEProber.pl
• Aggressive and main mode packet flooding
• Initiates an IKE negotiation without trying to complete it
• DoS protection means of IKE
• Cookies (IKE fails to protect against even simple DoS attacks)
• Discarding of malformed packets
• Limited logging of abnormal events
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 5(6)
DoS attacks classified according to a mechanism they
effect on the IKE service
EFFECT
MECHANISM
ATTACK
INDUCED ACTIVITY
IMPLICATION
Exhaustion of
processing
capacity
Initiate many IKE
negotiations by
sending many fake
requests in a short
time period
(flooding).
Responder spends
processing capacity by
computing expensive DH
modular exponentiations or
parsing vast amount of
payloads of each request.
Decreases performance of
computer. Responder is unable
to serve legitimate users.
Exhaustion of
memory capacity
Initiate many IKE
negotiations by
sending many fake
requests in a short
time period
(flooding).
Responder reserves
memory by creating a state
for each half-open
connection (in a similar
way like in TCP SYN
flooding attack).
Decreases amount of available
physical memory. When the
physical memory runs out,
virtual memory (disk memory) is
used which causes swapping
and a radical decrease in
computer’s performance.
Exhaustion of disk
storage capacity
Initiate many IKE
negotiations by
sending many fake
requests (flooding).
Responder writes error
logs of abnormal events,
e.g. of timed connections.
Decreases amount of disk
storage. Disk quota of process
may exceed.
Exploit of
implementation
flaw
Send a specially
fabricated packet.
Responder crashes (e.g.
because of a buffer
overflow).
Responder becomes
unavailable.
Exploit of
implementation
flaw
Send a specially
fabricated packet.
Responder jams because it
loops endlessly using all
the available processing
capacity.
Responder becomes
unavailable. Also other services
of a computer, which have lower
priority than the Responder has,
become unavailable.
Internet Key Exchange (IKE) protocol vulnerability risks
Experimental part 6(6)
Authentication attacks
• Cracking a weak pre-shared key
• ikecrack.pl, IKE message parser and pre-shared key cracking tool
• Largely rewritten and enhanced from the ikecrack-snarf-1.00.pl
• The attacker captures the exchange by “tcpdump –nxq –s 600 > file”
• ikecrack parses the capture file, computes needed keying material and
MAC values and starts dictionary, hybrid and brute-force cracking
• In aggressive mode only a capture of an exchange needed
• In main mode also a MITM attack needed to forge a DH public key by
using an ettercap plug-in program developed
• Use of degenerated DH public keys
• racoon accepts degenerated DH public keys and thus allows revealing
of DH shared secret (implementation flaw)
Internet Key Exchange (IKE) protocol vulnerability risks
Conclusions
• IKE is a complex protocol. Security suffers from complexity
• Attacking on IKE is feasible, although not trivial
• Serious vulnerabilities demonstrated in various areas, including
• Denial-of-Service
• Resources can be exhausted (computing, memory and disk)
• Implementation flaws (crashes and endless loops)
• Authentication
• Cracking a pre-shared key (aggressive and main mode)
• MITM attacks on DH
• It is only a matter of time when there are advanced attack tools available
• IKE will probably remain in use for years (IKEv2 is an Internet-draft)
• Still, IPsec is the current best practice in IP security
• Realize the weaknesses and enforce respective countermeasures
• Focus on security testing (traditionally inter-operation testing)
Further research
• Test other IPsec implementations
• Verify the robustness of the forthcoming IKEv2
• Develop a security testing tool suite (move from Perl to C)
Internet Key Exchange (IKE) protocol vulnerability risks
Additional material 1(4)
An example of a DoS attack which floods responder with expensive
modular exponentiation computations in aggressive mode
• perl ikeprobe.pl –d 10.0.0.2 –s 1:1:1:2 –ip 10.0.0.3 –k user 99 –n user
77 –c 30000 –wait –b 8
• racoon uses all the available processing capacity (95 % CPU usage)
• Disk storage is exhausted at the rate of 10 Mbytes/hour
• Virtual memory is exhausted at the rate of 30 Mbytes/hour
memory remains reserved until racoon has been killed)
Request count
Reserved size
of racoon.log file
(Mbytes)
Reserved size of
virtual memory
(Mbytes)
Reserved size of
physical memory
(Mbytes)
Elapsed
time (s)
1000
0.4
1.5
1.5
117
10000
3.3
10
8.8
1178
30000
9.9
29
9.3
3535
Internet Key Exchange (IKE) protocol vulnerability risks
(the
Additional material 2(4)
An example of a MITM attack (cracking a pre-shared key in main mode)
• To decrypt the HASH_I the MITM has to know the encryption key which is derived
from DH shared secret
• MITM forges Responder’s DH public key gy to a value of which DH private key y he
knows, and can compute DH shared secret (gx)y
• g is defined to be 2, so if gy = 2 then y = 1 and DH shared secret is (gx)y = gx
Main mode exchange and a respective ettercap snapshot:
Initiator
MITM
HDR, SA
Responder
message nr
1
2
HDR, SA
HDR, KE(gx), Ni
3
patch gy := 2
4
HDR*, IDii, HASH_I
5
HDR, KE(gy), Nr
Internet Key Exchange (IKE) protocol vulnerability risks
Additional material 3(4)
Diffie Hellman (DH) Key Exchange protocol
Published values:
prime number p
generator g (a primitive element modulo p, 2  g p - 2)
Alice
Bob
Choose a random private key
1  x p-2
Compute a public key
gx mod p
Send the public key to Bob
gx mod p
Choose a random private key
1  y p-2
Compute a public key
gy mod p
gy mod p
Send the public key to Alice
Compute a shared secret key
K = (gy)x mod p = gxy mod p
Internet Key Exchange (IKE) protocol vulnerability risks
Compute a shared secret key
K = (gx)y mod p = gxy mod p
Additional material 4(4)
RFC 2409 The Internet Key Exchange (IKE)
• IKE keying material and MACs in a pre-shared key authentication
Keying material
SKEYID = prf(pre-shared key, Ni_b | Nr_b)
xy
SKEYID_d = prf(SKEYID, g | CKY-I | CKY-R | 0)
A key seed. A string derived from
secret material known only to the active
players in the exchange.
The keying material used to derive
keys for IPSec SAs.
xy
The keying material used by the IKE
SA to authenticate its messages.
xy
The keying material used by the IKE
SA to protect the confidentiality of its
messages. Provides keying material for
session key (encryption key).
SKEYID_a = prf(SKEYID, SKEYID_d | g | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g | CKY-I | CKY-R | 2)
Message Authentication Codes (MACs)
x
y
HASH_I = prf(SKEYID, g | g | CKY-I | CKY-R | SAi_b | IDii_b)
y
x
HASH_R = prf(SKEYID, g | g | CKY-R | CKY-I | SAi_b | IDir_b)
Internet Key Exchange (IKE) protocol vulnerability risks
Authenticates initiator’s exchange
Authenticates responder’s exchange
Download