© 2006 Cisco Systems, Inc. All rights reserved. SND v Building IPsec VPNs Introducing IPsec VPNs

© 2006 Cisco Systems, Inc. All rights reserved. SND v Outline Overview IPsec Overview Internet Key Exchange IKE: Other Functions ESP and AH Protocols, Transport and Tunnel Modes Message Authentication and Integrity Check Symmetric vs. Asymmetric Encryption Algorithms PKI Environment Summary

© 2006 Cisco Systems, Inc. All rights reserved. SND v Introducing IPsec IPsec has these features: It is an IETT standard (RFC ). It defines how a VPN can be set up using the IP addressing protocol. It determines how the interface appears to the encryption protocol, not which type of encryption is used. It provides these essential functions: –Confidentiality –Integrity –Authentication

© 2006 Cisco Systems, Inc. All rights reserved. SND v Internet Key Exchange IPsec uses the IKE protocol to authenticate a peer computer and to generate encryption keys. The IKE protocol automates the key exchange process by: –Negotiating SA characteristics –Automatically generating keys –Automatically refreshing keys –Allowing manual configuration The IKE protocol uses these modes to secure communications: –Main mode –Agressive mode –Quick mode

© 2006 Cisco Systems, Inc. All rights reserved. SND v IKE Communication Negotiation Phases IKE uses these phases to secure a communication channel between two peers: IKE Phase 1: Transform sets, hash methods, and other parameters are determined. IKE Phase 1.5 (optional): XAUTH protocol can be used to provide user authentication of IPsec tunnels within the IKE protocol to provide additional authentication of the VPN clients. IKE Phase 2: SAs are negotiated by ISAKMP, where quick mode is used. In this phase, the IPsec SAs are unidirectional.

© 2006 Cisco Systems, Inc. All rights reserved. SND v IKE: Other Functions These IKE functions are also available: NAT traversal NAT detection NAT traversal decision UDP encapsulation of IPsec packets UDP encapsulated process for software engines: Transport mode and tunnel mode ESP encapsulation Mode configuration option Extended Authentication

© 2006 Cisco Systems, Inc. All rights reserved. SND v IKE: Other Functions (Cont.) IPsec and NAT: The Problem PAT Device Port Address Translation fails because ESP packet Layer 4 port information is encrypted. IPsec Gateway IPsec Remote Client Public Network Private Network

© 2006 Cisco Systems, Inc. All rights reserved. SND v IKE: Other Functions (Cont.) Need NAT traversal with IPsec over TCP and UDP NAT traversal detection NAT traversal decision UDP encapsulation of IPsec packets UDP encapsulated process for software engines PAT Device IPsec Gateway IPsec Remote Client Public Network External IP Header ESP Header Original IP Header TCP/UDP Header PayloadESP Trailer UDP Header ESP Header Original IP Header TCP/UDP Header PayloadESP Trailer External IP Header Private Network

© 2006 Cisco Systems, Inc. All rights reserved. SND v ESP and AH Header IP Hdr Data IP Hdr ESP Hdr New IP Hdr Data ESP Auth ESP Trailer Encrypted Authenticated IP Hdr AH New IP Hdr Data Authenticated Using ESPUsing AH ESP allows encryption and authenticates the original packet. AH authenticates the whole packet and does not allow encryption. Original Packet

© 2006 Cisco Systems, Inc. All rights reserved. SND v Transport and Tunnel Mode New IP Hdr ESP HdrIP HdrTCP UDP Data ESP Trailer ESP Auth Transport Mode Encrypted Authenticated Tunnel Mode Encrypted Authenticated IP Hdr ESP Hdr TCP UDP Data ESP Trailer ESP Auth

© 2006 Cisco Systems, Inc. All rights reserved. SND v Message Authentication and Integrity Check Using Hash Sender Receiver ? Insecure Channel HMAC Hash Output Message Hash

© 2006 Cisco Systems, Inc. All rights reserved. SND v MD5 and SHA-1 MD5 produces a 128-bit message digest. SHA-1 produces a 160-bit message digest. IPsec protocol uses only the first 96 bits of the SHA-1 message digest. SHA-1 is computationally slower than MD5, but more secure.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Symmetric vs. Asymmetric Encryption Algorithms Public key cryptography Encryption and decryption use different keys Typically used in digital certification and key management Example: RSA Secret key cryptography Encryption and decryption use the same key Typically used to encrypt the content of a message Examples: DES, 3DES, AES Symmetric Plain Text Encryption( ) or Decryption( ) Encryption( ) CipherText Plain Text Asymmetric CipherText Decryption( )

© 2006 Cisco Systems, Inc. All rights reserved. SND v Symmetric vs. Asymmetric Encryption Algorithms (Cont.) Symmetric Key LengthAsymmetric Key Length Comparing key lengths required for asymmetric keys and symmetric keys

© 2006 Cisco Systems, Inc. All rights reserved. SND v Symmetric vs. Asymmetric Encryption Algorithms (Cont.) Security LevelWork FactorAlgorithms WeakO(2 40 )DES, MD5 LegacyO(2 64 )RC4, SHA-1 BaselineO(2 80 )3DES StandardO(2 128 )AES-128, SHA-256 HighO(2 192 )AES-192, SHA-384 UltraO(2 256 )AES-256, SHA-512 Comparing security levels of cryptographic algorithms

© 2006 Cisco Systems, Inc. All rights reserved. SND v Symmetrical Key Encryption Algorithms DES –Uses a 56-bit key –Is considered outmoded and insecure Triple-DES –Uses a 168-bit key –Only provides baseline encryption protection AES –The 126–bit key version is deemed acceptable by the NSA for U.S. government nonclassified data.

© 2006 Cisco Systems, Inc. All rights reserved. SND v DH and RSA Asymmetric Encryption Algorithms Diffie-Hellman key agreement protocol: The first practical method for establishing a shared secret over an unprotected communications channel Vulnerable to a man-in-the-middle attack because there is no requirement to authenticate the sender and receiver RSA cryptosystem: Most popular asymmetric encryption system available Provides encryption and digital signatures for authentication RSA keys are typically 1024–2048 bits long

© 2006 Cisco Systems, Inc. All rights reserved. SND v PKI Environment Certificate Authority Key Recovery Registration and Certification Issuance Support for Nonrepudiation Key Storage Trusted Time Service Key Generation Certificate Distribution Certificate Revocation

© 2006 Cisco Systems, Inc. All rights reserved. SND v PKI Certificates A PKI uses a CA to: –Manage certificate requests and issue certificates –Provide a centralized trusted source for key management –Provide a trusted source to validate identities and to create digital certificates The CA starts by generating its own public key pair and creates a self-signed CA certificate. Then the CA can sign certificate requests and begin peer enrollment for the PKI. Use a third-party CA vendor, or use the Cisco IOS certificate server for your own CA-signed certificates.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Hierarchical CA Frameworks A PKI allows a hierarchical CA framework supporting multiple CAs with these features: The root CA holds a self-signed certificate and an RSA key pair. Subordinate CAs enroll with either the root CA or with another subordinate CA. Each enrolled peer can validate the certificate of another enrolled peer. Multiple CAs provide users with added flexibility and reliability. A subordinate CA can be placed in a branch office, and the root CA can be placed at office headquarters. One CA can automatically grant certificate requests, while another CA can require only manually granted certificate requests.

© 2006 Cisco Systems, Inc. All rights reserved. SND v PKI Certificates Version Serial Number Signature Algorithm ID Issuer (CA) X.500 Name Validity Period Subject X.500 Name Subject Public Key Info. Issuer Unique ID Subject Unique ID Extension CA Digital Signature Algorithm ID Public Key Value Signing Algorithm Example: SHA-1with RSA CA Identity Lifetime of Certificate Public Key of Users (Bound to Users Subject Name of User) Other User Information Example: subAltName, Cisco Discovery Protocol Signed by Private Key of CA X.509 v3 Certificate

© 2006 Cisco Systems, Inc. All rights reserved. SND v PKI Message Exchange Certificate Authority Alice Convey Trust in Her Public Key Bob Request for CA Public Key 1 CA Sends Its Public Key 2 4 Alice Hash Message Digest Sign Bob trusts the Alice public key after verifying her signature using the CA public key. Cert Req. Alice Alice.. 5 CA Private Key

© 2006 Cisco Systems, Inc. All rights reserved. SND v PKI Credentials Storing PKI credentials: RSA keys and certificates NVRAM or eToken storage eToken prerequisites: Cisco 871 Integrated Service Router; Cisco 1800, 2800, or 3800 Series Integrated Service Routers Cisco IOS Release 12.3(14)T image USB eToken supported by Cisco A Cisco K9 image

© 2006 Cisco Systems, Inc. All rights reserved. SND v Summary IPsec is an IETF standard that defines how a VPN can be set up using the IP addressing protocol. IPsec provides confidentiality, integrity, and authentication security functions. IPsec relies on the IKE protocol to provide the negotiation of SA characteristics, automatic key generation, the automatic refreshing of keys, and a way to manage the manual configuration of keys. The IKE protocol supports the verification of peer device activity, the passing of IPsec packets through NAT devices, and the exchange of additional configuration parameters between peer devices.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Summary (Cont.) Together the ESP and AH protocols provide an undecipherable data flow and a tamper-evident seal. The ESP and AH protocols can use the IPsec transport mode when packet size is a concern or the IPsec tunnel mode when packet expansion is not a concern. The IPsec protocol uses HMAC to provide an iterative cryptographic hash function. The strength of HMAC depends on the properties of the underlying hash function. IPsec uses symmetric and asymmetric encryption. In symmetric encryption the sender and the receiver use the same secret key; in asymmetric encryption, one key is used for encryption and another key is used for decryption. PKI provides a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network.

© 2006 Cisco Systems, Inc. All rights reserved. SND v