VPN Lecture Notes (BÀI GIẢNG VPN), Chapter 3: Layer-3 Protocols (Chuong 3_cac Giao Thuc Tang 3)

  • 8/12/2019 VPN Lecture Notes, Chapter 3: Layer-3 Protocols (198 slides)

    Slide 1/198

    Lecturer:

    Chapter III: Virtual private network protocols at Layer 3

  • Slide 2/198

    Objectives

    This chapter focuses on the virtual private network protocols that operate at Layer 3 and studies the IPSec protocol suite in detail: what IPSec is, how IPSec secures transactions while data is in transit, and the tunnelling model, packet formats and modes of operation of IPSec.

    (Slides dated 8/4/2014)


  • Slide 4/198

    Introduction to authentication & encryption

  • Slide 5/198

    SECURITY IN A VPN

    Security in a VPN comprises two processes: AUTHENTICATION and ENCRYPTION. Authentication itself has two aspects, origin authentication and integrity authentication.

    Origin authentication (who sent the data?):
    - Password Authentication Protocol (PAP)
    - Challenge Handshake Authentication Protocol (CHAP)
    - Terminal Access Controller Access Control System (TACACS)
    - Remote Authentication Dial-In User Service (RADIUS)
    - Hardware systems such as smart cards
    - Biometric systems

    Integrity authentication (was the data changed in transit?):
    - Message Digest (MD)
    - Message Authentication Code (MAC)
    - Digital Signature (DS)

  • Slide 6/198

    SECURITY IN A VPN: Authentication: Integrity: MESSAGE DIGEST

    A Message Digest (MD) is computed with a one-way hash function and is used to detect modification of a message in transit. Figure: the document or message is fed through the hash function (MD5 or SHA-1) to produce the Message Digest; MD5 yields a 128-bit digest, SHA-1 a 160-bit digest.

    An unkeyed digest on its own only detects accidental corruption: an attacker who alters the message can simply recompute the digest. Protection against deliberate tampering requires combining the digest with a secret key (MAC, next slides) or a private key (digital signature). MD5 and SHA-1 are also no longer collision-resistant and should not be chosen for new designs.

  • Slide 7/198

    SECURITY IN A VPN: Authentication: Integrity

    Basic structure of MD5/SHA (figure): the document or message is followed by padding and a length field, then split into Block 1, Block 2, ..., Block N of 512 bits each. Starting from a fixed initial value (IV), the hash function (MD5/SHA) processes each block in turn; each step takes the previous chaining value and the next 512-bit block X_i as input, and the output after the last block X_N is the MD of the message.

  • Slide 8/198

    SECURITY IN A VPN: Authentication: Integrity: MESSAGE AUTHENTICATION CODE

    A MAC (Message Authentication Code) protects the content of a message against unauthorised modification. It is computed with a one-way hash function combined with a secret key shared by the two parties.

    Figure: on the sending side the document or message and the key are fed to the keyed hash function, producing the MAC, which is sent together with the message over the transmission channel. On the receiving side the same key and the received message are fed to the keyed hash function; the resulting MAC is compared with the received MAC, and a mismatch means the message or the MAC was altered.
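The keyed hash on the slide, as an added example that is not part of the original slides: HMAC built from a plain hash function following the RFC 2104 construction that IPSec uses, with the 96-bit truncation applied to the AH/ESP integrity check value and a constant-time comparison on the receiving side. Key and message are constructed sample values; the hand-built result is cross-checked against Python's hmac module.

```python
"""HMAC from a plain hash function (RFC 2104), as used for the IPSec ICV.
Added example; not code from the slides."""
import hashlib
import hmac


def hmac_from_hash(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m))."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:                         # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")              # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def ipsec_icv(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC-xxx-96: the leftmost 96 bits (12 bytes), as carried in AH/ESP."""
    return hmac_from_hash(key, message, hash_name)[:12]


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiving side: recompute the MAC and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(ipsec_icv(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    return hmac_from_hash(key, message) == hmac.new(key, message, hashlib.sha1).digest()


if __name__ == "__main__":
    key = b"shared-secret-key"                   # constructed sample key
    msg = b"transfer 100 to account 42"          # constructed sample message
    tag = ipsec_icv(key, msg)
    print(tag.hex(), verify(key, msg, tag))
    # Any change to the message, or a different key, fails verification:
    print(verify(key, b"transfer 900 to account 42", tag), verify(b"wrong", msg, tag))
```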

  • Slide 9/198

    SECURITY IN A VPN: Authentication: Integrity: DIGITAL SIGNATURE

    A digital signature is produced by encrypting the hash value obtained from a one-way hash function: the hash (MD5 or SHA) of the message is encrypted with the sender's private key to form the digital signature, which is transmitted together with the corresponding message. (This "encrypt the hash" description is the RSA textbook picture; in general the signing algorithm takes the hash and the private key and the verification algorithm takes the hash, the signature and the public key.)

    Figure, sending side: document or message -> hash function -> hash value -> encrypt with the sender's private key -> signature, sent with the message over the transmission channel. Receiving side: the received signature is processed with the sender's public key to recover the hash value; the receiver also hashes the received document itself and compares the two hash values.

  • Slide 10/198

    SECURITY IN A VPN: Encryption: TWO ENCRYPTION METHODS

    SECRET-KEY ENCRYPTION (figure): Clear Message -> Encrypt with the Shared Secret Key -> Encrypted Message -> Decrypt with the same Shared Secret Key -> Clear Message.

    PUBLIC-KEY ENCRYPTION (figure): the receiver transfers its Public Key to the sender; the sender encrypts the clear message with the Receiver's Public Key; the receiver decrypts the encrypted message with the Receiver's Private Key.

    Secret-key algorithms: a single shared key is used both to encrypt and to decrypt the message.

    Public-key algorithms: the public key is used to encrypt and the private key to decrypt. The two keys are mathematically related and form a unique key pair; only the matching key of the pair can reverse what the other key has done.

  • Slide 11/198

    SECURITY IN A VPN: Secret-key encryption: THE DES ALGORITHM

    The Data Encryption Standard (DES) combines the two basic techniques of cryptography: substitution (S-boxes) and permutation (P-boxes). It is a block cipher with a Feistel structure.

    Algorithm diagram (figure): a 64-bit Plaintext Block passes through the Initial Permutation (IP), then 16 rounds (Round 1, Round 2, ..., Round 16), then the final (inverse initial) permutation, producing a 64-bit Ciphertext Block. The 64-bit Key has its 8 parity bits removed, leaving 56 bits; for each round the two 28-bit halves are shifted and a compression permutation selects a 48-bit round subkey.

    Feistel network, one round (figure): the 64-bit state is split into halves L(i-1) and R(i-1) of 32 bits each. L(i) = R(i-1). R(i-1) goes through the expansion permutation (32 -> 48 bits), is XORed with the 48-bit round subkey K(i), passes through the S-boxes (substitution, 48 -> 32 bits) and the P-box (permutation, 32 bits), and the result is XORed with L(i-1) to give R(i).
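The Feistel structure, as an added example that is not code from the slides: a toy 16-round Feistel cipher on 64-bit blocks. It is not DES (the round function is a truncated HMAC-SHA-256 and the key schedule is invented for the demo; both are assumptions with no security value), but it shows the property the diagram relies on and the slide does not state: decryption is the same network run with the subkeys in reverse order, whatever the round function F is.

```python
"""Toy Feistel network: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i).
Added example, not DES and not code from the slides."""
import hashlib
import hmac
import struct

ROUNDS = 16


def key_schedule(key: bytes) -> list:
    """Derive 16 round subkeys (toy schedule, an assumption for the demo;
    DES uses shifts and a compression permutation instead)."""
    return [hmac.new(key, struct.pack(">I", i), hashlib.sha256).digest()[:6]
            for i in range(ROUNDS)]


def round_function(right: int, subkey: bytes) -> int:
    """F(R, K): 32-bit input, 32-bit output. Stands in for DES's expansion,
    S-box and P-box steps; any function works, it need not be invertible."""
    digest = hmac.new(subkey, struct.pack(">I", right), hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def feistel(block: bytes, subkeys: list) -> bytes:
    """Run the rounds with the given subkey order (no IP / IP^-1 here)."""
    left, right = struct.unpack(">II", block)
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # The last swap is undone so that the same routine also decrypts.
    return struct.pack(">II", right, left)


def encrypt_block(key: bytes, plaintext: bytes) -> bytes:
    return feistel(plaintext, key_schedule(key))


def decrypt_block(key: bytes, ciphertext: bytes) -> bytes:
    return feistel(ciphertext, key_schedule(key)[::-1])   # same rounds, reversed subkeys


if __name__ == "__main__":
    key = b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # constructed 64-bit key
    pt = b"IPSecVPN"                             # constructed 64-bit block
    ct = encrypt_block(key, pt)
    print(ct.hex(), decrypt_block(key, ct) == pt)
```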


  • Slide 13/198

    3.1. General introduction

    IPSec = Internet Protocol Security, developed by the IETF. It secures IP packets and provides: authentication of the information source, integrity checking, and confidentiality of the information content.

  • Slide 14/198

    3.1. General introduction

    IPSec provides a security framework at Layer 3 of the OSI model (figure: Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer (IPSec), Data Link Layer, Physical Layer).

  • Slide 15/198

    Contents:
    3.1. Introduction
    3.2. IPSec architecture
    3.3. Internet Key Exchange
    3.4. IPSec operation
    3.5. IPSec/IKE system processing

  • Slide 16/198

    3.2. IPSec architecture

    3.2.1. Overview of the standards: IPSec implements security at the IP layer. Upper-layer protocols and applications can use IPSec for protection without any change to themselves.

  • Slide 17/198

    3.2.1. Overview of the standards: IP packets are protected regardless of the application that generated them. IPSec is completely transparent to the user.

  • Slide 18/198

    3.2.1. Overview of the standards: IPSec has the following characteristics:
    - It provides confidentiality, authentication and data integrity.
    - It can create cryptographic keys and refresh them automatically and securely.

  • Slide 19/198

    3.2.1. Overview of the standards: IPSec has the following characteristics:
    - It uses strong cryptographic algorithms to provide confidentiality.
    - It supports certificate-based authentication.
    - It can secure tunnelling protocols such as L2TP (L2TP/IPsec). PPTP, which the slide also lists, does not run over IPSec; it has its own MPPE encryption.

  • Slide 20/198

    3.2.1. Overview of the standards: IPSec comprises two protocols:

    Authentication Header (AH):
    - ensures integrity,
    - protects against spoofing,
    - authenticates the sending host.

    Encapsulating Security Payload (ESP):
    - performs the same functions as AH and additionally provides data confidentiality. (Unlike AH, the ESP integrity check does not cover the outer IP header.)

  • Slide 21/198

    3.2.1. Overview of the standards: IPSec delivers three main capabilities:
    - Authentication and data integrity (AH & ESP)
    - Confidentiality (ESP)
    - Key management (IKE)

  • Slide 22/198

    3.2.1. Overview of the standards: the three capabilities

    Integrity and authentication: IPSec provides a strong mechanism to authenticate the sender (who sent the data?), and the receiver can detect any change to the content of a received packet. IPSec therefore gives strong protection against spoofing, eavesdropping and, through its anti-replay service, replay-based denial of service.

  • Slide 23/198

    3.2.1. Overview of the standards (continued)

    Confidentiality: IPSec encrypts data with strong cryptographic algorithms, preventing anyone who has not been authenticated from accessing the data on the wire. Its tunnelling mechanism also hides the original source and destination IP addresses from eavesdroppers.

  • Slide 24/198

    3.2.1. Overview of the standards (continued)

    Key management: IPSec uses a third protocol, IKE (Internet Key Exchange), to negotiate:
    + the security protocol, and
    + the encryption algorithm.
    More importantly, IKE distributes and controls the keys and updates them on demand, before and during a session.

  • Slide 25/198

    3.2. IPSec architecture

    3.2.2. IPSec Security Associations (IPSec SA)

    The SA (Security Association) is a fundamental concept of the IPSec protocol suite. An SA is a logical connection in a single direction between two entities that use IPSec services. There are two kinds of SA: the ISAKMP SA (or IKE SA) and the IPSec SA.

  • Slide 26/198

    3.2.2. IPSec SA: an IPSec SA specifies the following:
    - Which security protocol is used: AH or ESP.
    - Which encryption/decryption algorithm and key: DES, 3DES, ...
    - Which authentication method and key are used for AH or ESP: a keyed hash (HMAC with MD5 or SHA-1), a digital signature (RSA), a digital certificate, with Diffie-Hellman for key management.
    - Key-related information: the key change interval and the key refresh interval.
    - Information about the SA itself, including the SA's source address and its refresh interval (lifetime).

  • Slide 27/198

    3.2.2. IPSec SA: an SA is identified by three parts (figure): Security Protocol | SPI | Destination IP Address.

  • Slide 28/198

    3.2.2. IPSec SA: SPI (Security Parameter Index)
    - A 32-bit field used to identify the SA associated with a packet.
    - A unique index for each record in the SA database (SADB), like a primary key.
    - Defined by the creator of the SA: it is chosen by the destination system when the SA is negotiated, since the destination is the side that must look the SA up on receipt.
    - The SPI is a full 32-bit value (the slide's "1 to 255" is incorrect): values 1 to 255 are reserved by IANA and the value 0 is reserved for local, implementation-specific use, so SPIs that appear on the wire are normally 256 or greater.

  • Slide 29/198

    3.2.2. IPSec SA
    Destination IP address: the IP address of the destination node.
    Security protocol: describes which IPSec security protocol is used, AH or ESP.

  • Slide 30/198

    3.2.2. IPSec SA: between two communicating endpoints, one SA is needed for each direction. An SA provides the security services for one VPN session (protected by AH or by ESP). If a VPN session is protected by both AH and ESP, two SAs must be defined for each direction of the connection.

  • Slide 31/198

    3.2. IPSec architecture: 3.2.2. IPSec Security Associations (IPSec SA)

    An SA uses two databases:

    Security Association Database (SAD): maintains the information related to each SA, including the keys, the algorithms, the SA lifetime and the sequence number.

    Security Policy Database (SPD): stores the policies that govern the establishment of SAs; maintains information about the security services, with a list of inbound and outbound policy entries; and defines which traffic flows are processed (protected) and which are bypassed.

  • Slide 32/198

    3.2.2. IPSec SA (figure): the SAD is indexed by the SA triple (Security Protocol, SPI, Destination IP Address) and holds, per SA, the keys, algorithms, SA lifetime and sequence number. The SPD holds the list of inbound and outbound policies and defines which traffic is processed and which is bypassed; an SPD entry is selected by traffic selectors (addresses, protocol, ports), not by SPI. The SAD and SPD are stored on each host.


  • Slide 35/198

    3.2. IPSec architecture: example SA configuration, Host 1 side

    1. Host 1: create two empty database files for SAs: Test.sad and Test.spd.
    2. Host 1: add a security policy to Test.spd to protect the traffic between Host 1 and Host 2.

    Test.spd: field name / example value (annotations from the slide in parentheses)
      Policy            2                        (entries must be listed in descending order of this value, which acts as the primary key)
      RemoteIPAddr      FE80::2AA:FF:FE92:D0F1   (address of Host 2)
      LocalIPAddr       *
      Protocol          *
      RemotePort        *
      LocalPort         *
      IPSecProtocol     AH                       (IPSec protocol = AH)
      IPSecMode         Transport                (mode = transport)
      SABundleIndex     NONE                     (AH and ESP are not combined)
      Direction         BIDIRECT
      Action            APPLY
      InterfaceIndex    0
      RemoteGWIPAddr    *

  • Slide 36/198

    3. Host 1: add two SAs to Test.sad to protect all traffic between Host 1 and Host 2:
    + SA1 (SPI=3001) protects traffic from Host 1 -> Host 2 (outbound)
    + SA2 (SPI=3000) protects traffic from Host 2 -> Host 1 (inbound)

    Test.sad, SA1 (SPI=3001): field name / example value
      SAEntry          2                        (entries in descending order of this value, the primary key)
      SPI              3001
      SADestIPAddr     FE80::2AA:FF:FE92:D0F1   (address of Host 2)
      DestIPAddr       Policy                   (these selector fields are taken from the policy on the previous slide)
      SrcIPAddr        Policy
      Protocol         Policy
      DestPort         Policy
      SrcPort          Policy
      AuthAlg          HMAC-MD5                 (authentication algorithm)
      KeyFile          Test.key                 (file containing the key)
      Direction        OUTBOUND
      SetPolicyIndex   2                        (reference to policy 2)

  • Slide 37/198

    Test.sad, SA2 (SPI=3000): field name / example value
      SAEntry          1
      SPI              3000
      SADestIPAddr     FE80::2AA:FF:FE53:A92C   (address of Host 1)
      DestIPAddr       Policy                   (selector fields taken from the policy on slide 35)
      SrcIPAddr        Policy
      Protocol         Policy
      DestPort         Policy
      SrcPort          Policy
      AuthAlg          HMAC-MD5                 (authentication algorithm)
      KeyFile          Test2.key                (file containing the key)
      Direction        INBOUND
      SetPolicyIndex   2                        (reference to policy 2)

  • Slide 38/198

    3.2. IPSec architecture: example SA configuration, Host 2 side

    1. Host 2: create two empty database files for SAs: HTest.sad and HTest.spd.
    2. Host 2: add a security policy to HTest.spd to protect the traffic between Host 2 and Host 1.

    HTest.spd: field name / example value (annotations from the slide in parentheses)
      Policy            2                        (entries must be listed in descending order of this value, the primary key)
      RemoteIPAddr      FE80::2AA:FF:FE53:A92C   (address of Host 1)
      LocalIPAddr       *
      Protocol          *
      RemotePort        *
      LocalPort         *
      IPSecProtocol     AH                       (IPSec protocol = AH)
      IPSecMode         Transport                (mode = transport)
      SABundleIndex     NONE                     (AH and ESP are not combined)
      Direction         BIDIRECT
      Action            APPLY
      InterfaceIndex    0
      RemoteGWIPAddr    *

  • Slide 39/198

    3. Host 2: add two SAs to HTest.sad to protect all traffic between Host 2 and Host 1:
    + HSA1 protects traffic from Host 2 -> Host 1 (outbound); its SPI must be the one Host 1 expects on its inbound SA2, i.e. 3000.
    + HSA2 protects traffic from Host 1 -> Host 2 (inbound); its SPI must be the one Host 1 writes into packets under its outbound SA1, i.e. 3001.
    (The slides give HSA1 and HSA2 the SPIs 2001 and 2000 and label the file Test.sad. With those values Host 2 would find no SA for the SPI 3001 carried in Host 1's packets and would drop them, so the corrected values are shown here. The key in HTest2.key must likewise be the same as in Test.key, and HTest.key the same as Test2.key.)

    HTest.sad, HSA1 (SPI=3000): field name / example value
      SAEntry          2                        (entries in descending order of this value, the primary key)
      SPI              3000
      SADestIPAddr     FE80::2AA:FF:FE53:A92C   (address of Host 1)
      DestIPAddr       Policy                   (selector fields taken from the policy on the previous slide)
      SrcIPAddr        Policy
      Protocol         Policy
      DestPort         Policy
      SrcPort          Policy
      AuthAlg          HMAC-MD5                 (authentication algorithm)
      KeyFile          HTest.key                (file containing the key)
      Direction        OUTBOUND
      SetPolicyIndex   2                        (reference to policy 2)

  • Slide 40/198

    HTest.sad, HSA2 (SPI=3001): field name / example value
      SAEntry          1
      SPI              3001
      SADestIPAddr     FE80::2AA:FF:FE92:D0F1   (address of Host 2)
      DestIPAddr       Policy                   (selector fields taken from the policy on slide 38)
      SrcIPAddr        Policy
      Protocol         Policy
      DestPort         Policy
      SrcPort          Policy
      AuthAlg          HMAC-MD5                 (authentication algorithm)
      KeyFile          HTest2.key               (file containing the key)
      Direction        INBOUND
      SetPolicyIndex   2                        (reference to policy 2)


  • Slide 42/198

    3.2. IPSec architecture: walk-through of an ICMP Echo Request from Host 1 to Host 2 (figure)

    Host 1:
    Step 1: search the two databases Test.spd and Test.sad (joined on the policy index) for an SA that fits the outgoing packet.
    Step 2: SA1 is found (SPI = 3001, destination = Host 2's link-local address, IPSec protocol = AH, IPSec mode = Transport, authentication = HMAC-MD5, key from Test.key). The packet is wrapped with an AH header as prescribed by SA1 and sent.

    Host 2:
    Step 1: receive the Echo Request.
    Step 2: look in HTest.spd and HTest.sad; the inbound SA HSA2 (SPI = 3001, destination = Host 2's link-local address, AH, Transport, HMAC-MD5, key from HTest2.key) matches the (SPI, destination address, protocol) triple of the packet.
    Step 3: use HSA2 to verify the packet's ICV.

    The ICMP Echo Reply follows the same process in the other direction, using HSA1 on Host 2 and SA2 on Host 1.

    In a normal deployment the SAs and session keys are negotiated beforehand through IKE rather than being entered by hand as in this example.
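The SPD/SAD lookups and the one-way SAs of the Host 1 / Host 2 example on slides 35 to 42, as an added example in Python. This is not code from the slides or from the Windows ipsec6 tool; the addresses are the ones on the slides, the key contents are constructed, and the AH check is reduced to HMAC-MD5-96 over the payload (the real ICV also covers the immutable IP header fields). It shows why an SA is found by (SPI, destination address, protocol), why each direction needs its own SA, and why the SPI chosen by the receiver must be the one in the sender's outbound SA.

```python
"""Model of SPD/SAD lookups and one-way SAs for the Host 1 / Host 2 example.
Added example; not code from the slides or from ipsec6."""
import hashlib
import hmac
from dataclasses import dataclass

HOST1 = "FE80::2AA:FF:FE53:A92C"
HOST2 = "FE80::2AA:FF:FE92:D0F1"
KEY_1TO2 = b"contents of Test.key and HTest2.key"   # constructed: same key on both hosts
KEY_2TO1 = b"contents of Test2.key and HTest.key"   # constructed


@dataclass(frozen=True)
class Policy:            # one SPD entry: selector -> action
    index: int
    remote_ip: str
    protocol: str        # "AH" or "ESP"
    action: str          # "APPLY", "BYPASS" or "DISCARD"


@dataclass(frozen=True)
class SA:                # one SAD entry, identified by (spi, dest_ip, protocol)
    spi: int
    dest_ip: str
    protocol: str
    direction: str       # "OUTBOUND" or "INBOUND"
    auth_key: bytes
    policy_index: int


class Host:
    def __init__(self, address, spd, sad):
        self.address, self.spd, self.sad = address, list(spd), list(sad)

    def spd_lookup(self, remote_ip):
        """Outbound: first policy, in descending index order, whose selector matches."""
        for policy in sorted(self.spd, key=lambda p: -p.index):
            if policy.remote_ip in ("*", remote_ip):
                return policy
        return None

    def sad_lookup(self, spi, dest_ip, protocol):
        """Inbound: the SA triple taken from the packet is all that is needed."""
        for sa in self.sad:
            if (sa.spi, sa.dest_ip, sa.protocol, sa.direction) == (spi, dest_ip, protocol, "INBOUND"):
                return sa
        return None

    def send(self, dest_ip, payload):
        policy = self.spd_lookup(dest_ip)
        if policy is None or policy.action == "DISCARD":
            return None
        if policy.action == "BYPASS":
            return {"dst": dest_ip, "proto": None, "payload": payload}
        sa = next(s for s in self.sad if s.direction == "OUTBOUND"
                  and s.dest_ip == dest_ip and s.policy_index == policy.index)
        icv = hmac.new(sa.auth_key, payload, hashlib.md5).digest()[:12]
        return {"dst": dest_ip, "proto": sa.protocol, "spi": sa.spi, "icv": icv, "payload": payload}

    def receive(self, packet):
        """Payload if the packet verifies, None if it must be dropped."""
        if packet["proto"] is None:
            return packet["payload"]
        sa = self.sad_lookup(packet["spi"], packet["dst"], packet["proto"])
        if sa is None:
            return None                                 # no SA for this triple: drop
        expected = hmac.new(sa.auth_key, packet["payload"], hashlib.md5).digest()[:12]
        return packet["payload"] if hmac.compare_digest(expected, packet["icv"]) else None


def build_hosts(host2_inbound_spi=3001, host2_outbound_spi=3000):
    """Host 1 as on slides 35-37; Host 2 with the given SPIs, so the slides'
    2000/2001 can be passed in to see why they fail."""
    host1 = Host(HOST1, [Policy(2, HOST2, "AH", "APPLY")],
                 [SA(3001, HOST2, "AH", "OUTBOUND", KEY_1TO2, 2),     # SA1
                  SA(3000, HOST1, "AH", "INBOUND", KEY_2TO1, 2)])     # SA2
    host2 = Host(HOST2, [Policy(2, HOST1, "AH", "APPLY")],
                 [SA(host2_outbound_spi, HOST1, "AH", "OUTBOUND", KEY_2TO1, 2),  # HSA1
                  SA(host2_inbound_spi, HOST2, "AH", "INBOUND", KEY_1TO2, 2)])   # HSA2
    return host1, host2


def ping(host2_inbound_spi=3001, host2_outbound_spi=3000):
    """Echo Request Host 1 -> Host 2 and Echo Reply back; True if both verify."""
    h1, h2 = build_hosts(host2_inbound_spi, host2_outbound_spi)
    request = h1.send(HOST2, b"ICMP Echo Request")      # carries SPI 3001
    if h2.receive(request) is None:
        return False
    reply = h2.send(HOST1, b"ICMP Echo Reply")          # carries SPI 3000
    return h1.receive(reply) is not None


if __name__ == "__main__":
    print("matching SPIs:", ping())                 # True
    print("slide's 2000/2001:", ping(2000, 2001))   # False: no inbound SA with SPI 3001 on Host 2
```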

  • Slide 43/198

    3.2. IPSec architecture: 3.2.2. IPSec Security Associations (IPSec SA): SA example

    Reference: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_imp_cont5.mspx?mfr=true

  • Slide 44/198

    3.2. IPSec architecture (figure): IPSec = AH (Authentication Header), RFC 2402; ESP (Encapsulating Security Payload), RFC 2406; IKE (Internet Key Exchange), RFC 2409. These are the 1998 specifications the slides follow; they have since been obsoleted by RFC 4302 (AH), RFC 4303 (ESP) and RFC 7296 (IKEv2).

  • Slide 45/198

    3.2. IPSec architecture: AH is encapsulated directly in IP (the Protocol field of the IP header is 51). ESP is likewise encapsulated directly in IP (Protocol field 50). The IPSec suite operates in two main modes: Tunnel Mode, which adds a new IP header to the packet, and Transport Mode, which does not add a new IP header.

  • Slide 46/198

    3.2. IPSec architecture: AH provides authentication and integrity. ESP provides authentication, integrity and encryption. Encryption algorithms: DES, 3DES, AES, ... Hash algorithms: MD5, SHA-1, ... (DES and the MD5/SHA-1 HMACs are listed as on the slide; current practice is AES with HMAC-SHA-256 or an AEAD such as AES-GCM.)

  • Slide 47/198

    3.2. IPSec architecture: 3.2.3. The IPSec protocols: the AH protocol

  • Slide 48/198

    3.2.3.1. The AH protocol: AH adds a header to the IP packet.
    - Sender authentication: the header lets the receiver authenticate the original IP datagram (who sent the packet?).
    - Packet integrity: the header also lets the receiver detect any change to the content of the packet.
    - AH does not encrypt any part of the packet.


  • Slide 50/198

    3.2.3.1. The AH protocol: basic characteristics of AH:
    - It provides integrity and authentication.
    - It uses a hashed message authentication code (HMAC).
    - The content of the packet is not encrypted.

  • Slide 51/198

    3.2.3.1. The AH protocol: AH modes of operation

  • Slide 52/198

    3.2.3.1. The AH protocol: modes of operation. AH can be used in both modes, Transport Mode and Tunnel Mode.
    Transport mode: the AH header is inserted after the IP header and before the upper-layer protocol such as TCP or UDP. No new IP header is created.

  • Slide 53/198

    3.2.3.1. The AH protocol: Transport mode (figure)
    Original IP packet:        IP Hdr | TCP/UDP Header | Data
    AH packet, transport mode: IP Hdr | AH Hdr | TCP/UDP Header | Data
    Integrity/authentication protection covers the whole packet: the immutable fields of the IP header, the AH header and the payload.


  • Slide 55/198

    3.2.3.1. The AH protocol: Tunnel mode (figure)
    Original IP packet:     IP Hdr | TCP/UDP Header | Data
    AH packet, tunnel mode: New IP Hdr | AH Hdr | IP Hdr | TCP/UDP Header | Data
    Integrity/authentication protection covers the immutable fields of the new outer IP header, the AH header and the entire original packet.

  • Slide 56/198

    3.2.3.1. The AH protocol: AH packet format

  • Slide 57/198

    3.2.3.1. The AH protocol: packet format. All fields of the AH header are mandatory (figure: IP Header | AH Header | Payload):
      Next Header (8 bits) | Payload Length (8 bits) | Reserved (16 bits)
      Security Parameter Index (SPI) (32 bits)
      Sequence Number (32 bits)
      Authentication Data (ICV, Integrity Check Value) (variable length, a multiple of 32 bits)

  • Slide 58/198

    3.2.3.1. The AH protocol: Next Header
    - 8 bits long.
    - Contains the IP protocol number of the header that follows the AH header.
    - In Tunnel Mode the payload is an IP packet, so Next Header is set to 4 (IP-in-IP; 41 when the inner packet is IPv6).
    - In Transport Mode the payload is always the transport-layer protocol: if it is TCP, Next Header = 6; if UDP, Next Header = 17 (ICMP, as in the capture analysed later, is 1).

  • Slide 59/198

    3.2.3.1. The AH protocol: Payload Length
    - The slide describes this field as the length of the message after the AH header; in fact it is the length of the AH header itself, in 32-bit words, minus 2. With a 96-bit ICV the AH header is 24 bytes = 6 words, so Payload Length = 4.

  • Slide 60/198

    3.2.3.1. The AH protocol: Reserved
    - 16 bits long.
    - Not used; all bits are 0.

  • Slide 61/198

    3.2.3.1. The AH protocol: SPI
    - 32 bits long.
    - Each endpoint of the IPSec connection chooses the SPI values for the SAs on which it receives.
    - The receiver uses the SPI value together with the destination IP address and the IPSec protocol type (here AH) to determine the SA that applies to the packet.
    - The SA then tells which IPSec protocol was chosen (AH or ESP) and which algorithms are applied to the packet.

  • Slide 62/198

    3.2.3.1. The AH protocol: Sequence Number
    - 32 bits long.
    - The sequence number of the AH packet: the counter increases by 1 for each AH datagram the host sends on the corresponding SA.

  • Slide 63/198

    3.2.3.1. The AH protocol: Authentication Data (ICV)
    - Its length is a multiple of 32 bits; padding must be added if the ICV does not fill whole words.
    - Used to verify the authenticity of the sender and the integrity of the message.
    - The slide summarises it as ICV = Hash(IP Header + Payload + Key). More precisely, ICV = HMAC(Key, immutable IP header fields + AH header with the ICV field zeroed + Payload): the mutable IP fields (TOS, flags, fragment offset, TTL, header checksum) are set to zero for the computation because routers change them in transit.

  • Slide 64/198

    3.2.3.1. The AH protocol: inbound and outbound AH packet processing

  • Slide 65/198

    3.2.3.1. The AH protocol: authentication algorithms
    - The authentication algorithms are specified by the SA.
    - Suitable ones are MD5 and SHA-1, used in their keyed form: RFC 2402 mandates HMAC-MD5-96 and HMAC-SHA-1-96. Current implementations should prefer HMAC-SHA-256 or stronger.

  • Slide 66/198

    3.2.3.1. The AH protocol: inbound processing
    Reassembly: if necessary, fragments are reassembled into the datagram before AH processing.

  • Slide 67/198

    3.2.3.1. The AH protocol: inbound processing
    SA lookup: when a packet containing an AH header is received, the receiver locates the SA that matches the destination IP address, the protocol (AH) and the SPI, using the two databases SAD and SPD.
    The information in the SA tells:
    - whether the Sequence Number (SN) field must be checked,
    - whether the Authentication Data field must be present,
    - the algorithm and key for verifying the ICV.
    If no SA matches, the receiver discards the packet.

  • Slide 68/198

    3.2.3.1. The AH protocol: inbound processing
    SN (Sequence Number) check:
    - If the receiver does not use the anti-replay service, the SN is not checked.
    - If it does, the receive counter is initialised to 0 when the SA is established.
    - For each inbound packet the receiver checks whether the SN duplicates that of a packet already received. In practice this uses a sliding window (at least 32 packets wide, 64 by default) so that packets may arrive reordered but never twice; packets older than the window are rejected, and the check is only applied after the ICV has verified, so that a forged SN cannot move the window.

  • Slide 69/198

    3.2.3.1. The AH protocol: outbound processing
    Find the SA: AH is applied to a packet once the packet has been determined to be associated with an SA. Therefore an SA (SPI, destination IP, AH) bound to this packet must be found. The SA prescribes how the packet is processed (for example: hash function SHA-1, key = K1, IPSec protocol = AH, ...).

  • Slide 70/198

    3.2.3.1. The AH protocol: outbound processing
    Generate the SN (Sequence Number): the sender's counter is initialised to 0 when the SA is established. When a packet is transmitted the counter is incremented by 1 and the value is inserted in the SN field, so the first packet carries SN 1. If the sender has chosen the anti-replay service, it checks that the counter does not wrap around before inserting a new value: a new SA must be negotiated before 2^32 packets have been sent.
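Sequence-number generation at the sender (slide 70) and the anti-replay check at the receiver (slide 68), as an added example that is not code from the slides. The window logic follows RFC 2401 Appendix C: a 32-bit counter per SA, a 64-packet window whose right edge is the highest sequence number accepted so far, and a bitmap recording which numbers inside the window have already been seen. The delivery order in the demo is constructed.

```python
"""Per-SA sequence numbers and the anti-replay sliding window (RFC 2401 App. C).
Added example; not code from the slides."""


class SenderSA:
    """Outbound: counter starts at 0 and is incremented before each packet, so
    the first packet carries SN 1. With anti-replay on, the SA must be
    replaced before the 32-bit counter wraps."""

    def __init__(self, anti_replay=True):
        self.counter = 0
        self.anti_replay = anti_replay

    def next_sequence_number(self):
        if self.anti_replay and self.counter == 0xFFFFFFFF:
            raise RuntimeError("sequence number exhausted: negotiate a new SA")
        self.counter = (self.counter + 1) & 0xFFFFFFFF
        return self.counter


class ReceiverSA:
    """Inbound: accept each SN at most once, allow reordering inside the
    window, reject anything older than the window."""

    def __init__(self, window_size=64, anti_replay=True):
        self.window_size = window_size
        self.anti_replay = anti_replay
        self.right_edge = 0      # highest SN accepted so far
        self.bitmap = 0          # bit i set => SN (right_edge - i) was seen

    def check_and_update(self, sn):
        """True if the packet is accepted. Call only after the ICV verified,
        otherwise a forged SN could slide the window and lock out real traffic."""
        if not self.anti_replay:
            return True
        if sn == 0:
            return False                                   # SN 0 is never valid
        if sn > self.right_edge:                           # new highest: slide the window
            shift = sn - self.right_edge
            self.bitmap = (self.bitmap << shift) & ((1 << self.window_size) - 1)
            self.bitmap |= 1
            self.right_edge = sn
            return True
        offset = self.right_edge - sn
        if offset >= self.window_size:
            return False                                   # too old
        if self.bitmap & (1 << offset):
            return False                                   # replay
        self.bitmap |= 1 << offset
        return True


def simulate(received):
    """Feed a list of received SNs through one receiver SA; returns accept/reject per packet."""
    rx = ReceiverSA()
    return [rx.check_and_update(sn) for sn in received]


if __name__ == "__main__":
    tx = SenderSA()
    sent = [tx.next_sequence_number() for _ in range(5)]   # [1, 2, 3, 4, 5]
    # Constructed delivery order: reordered, one replayed, and stale packets
    # after a jump far beyond the window.
    received = [1, 3, 2, 3, 70, 5, 4, 1]
    print(sent, simulate(received))
```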

  • Slide 71/198

    3.2.3.1. The AH protocol: outbound processing
    Compute the ICV: the ICV is computed over
    - the fields of the IP header (those that are immutable or predictable at the receiver; mutable fields are zeroed),
    - the AH header itself, with the Authentication Data field set to zero,
    - the data of the upper-layer protocols.

  • Slide 72/198

    3.2.3.1. The AH protocol: outbound processing
    Padding: there are two kinds of padding.
    Authentication Data: if the HMAC output (ICV) is 96 bits no padding is needed, but if the ICV has another size, padding is added to the ICV so that the AH header remains a multiple of 32 bits (64 bits for IPv6).

  • Slide 73/198

    3.2.3.1. The AH protocol: outbound processing
    Implicit Packet Padding: for some authentication algorithms the byte string over which the ICV is computed must be an integer multiple of an n-byte block. If the length of the IP packet does not satisfy this, Implicit Packet Padding is added at the end of the packet for the computation only. These bytes are zero and are not transmitted with the packet.

  • Slide 74/198

    3.2.3.1. The AH protocol: outbound processing
    Fragmentation: when necessary, the packet is fragmented after AH processing.


  • Slide 76/198

    3.2.3.1. The AH protocol (figure): the ICV is computed over the IP header and the Data (the Payload); AH provides integrity and authentication for both the Payload and the IP Header.

  • Slide 77/198

    3.2.3.1. The AH protocol: AH PACKET ANALYSIS

  • Slide 78/198

    3.2.3.1. The AH protocol: example of an AH packet in Transport mode (figure)
    1. This is an AH packet in Transport mode (only one IP header).
    2. The Payload contains an ICMP Echo Request (ping). The original ping carries a string of consecutive letters, shown as hex values.
    3. After AH is applied the ICMP payload is unchanged (it is not encrypted), because AH provides only integrity and authentication.
    4. Analysis of the fields in the AH header follows.

  • Slide 79/198

    3.2.3.1. The AH protocol: the first four packets of an AH session between host A and host B (figure)
    - Next Header (1 byte) = 1 => ICMP.
    - Payload Length (1 byte) = 4. This is the AH header length in 32-bit words minus 2, so the AH header is (4 + 2) x 4 = 24 bytes: 12 bytes of fixed fields plus a 96-bit (12-byte) ICV. (The slide reads it as "the payload has 4 bytes", which is not what the field encodes.)
    - Reserved (2 bytes) = 0000, unused.
    - SPI used by A (4 bytes) = cdb59934.
    - SPI used by B (4 bytes) = a6be2c00.
    Thus each direction of the AH connection uses its own SA (a one-way connection).


  • 8/12/2019 BI GING VPNChuong 3_cac Giao Thuc Tang 3

    81/198

    LOGO

3.2. IPSec Architecture
3.2.3.1. The AH Protocol
The first 4 packets of the AH session between host A and host B
Authentication Information: the ICV, computed with a hash to provide integrity and authentication for each packet.
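As an added example (not part of the lecture), the following Python builds and parses an AH header in Transport mode with the field values the slides show (Next Header 1, Payload Length 4, SPI cdb59934 for A to B and a6be2c00 for B to A) and performs the receiver's SA lookup and ICV check with HMAC-SHA1-96. The keys, IP addresses and ICMP payload are constructed, and the authenticated data is simplified to the immutable IP fields given as a byte string plus the AH header and payload.

```python
import hashlib
import hmac
import struct

# AH header (RFC 4302): Next Header (1B) | Payload Len (1B) | Reserved (2B)
# | SPI (4B) | Sequence Number (4B) | ICV (variable, a multiple of 32 bits)
AH_FIXED_LEN = 12
ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits (3 x 32 bits)
IPPROTO_ICMP = 1

# Constructed SA database: key = (destination IP, IPSec protocol, SPI). One SA per
# direction, which is why A and B use different SPIs (the values from the slide).
SAD = {
    ("10.0.0.2", "AH", 0xCDB59934): {"auth_key": b"constructed-key-A-to-B"},
    ("10.0.0.1", "AH", 0xA6BE2C00): {"auth_key": b"constructed-key-B-to-A"},
}

# Constructed stand-in for the immutable IP header fields (src, dst) that AH covers;
# mutable fields (TTL, checksum, ...) would be zeroed before hashing.
IP_IMMUTABLE_A_TO_B = bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])


def icmp_echo_request(ident, seq, data_len=32):
    """Constructed ICMP Echo Request whose data bytes increase by one, as in the slide."""
    data = bytes(range(0x61, 0x61 + data_len))          # 'a', 'b', 'c', ...
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)    # type 8, code 0, checksum left 0
    return hdr + data


def ah_icv(key, ip_immutable, ah_no_icv, upper):
    """ICV over immutable IP fields + AH header with the ICV zeroed + upper-layer data."""
    mac = hmac.new(key, ip_immutable + ah_no_icv + b"\x00" * ICV_LEN + upper, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(key, ip_immutable, next_header, spi, seq, upper):
    """Outbound AH in Transport mode: the payload is authenticated, not encrypted."""
    # Payload Len counts the AH header in 32-bit words minus 2: 24 bytes -> 6 words -> 4
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    ah_no_icv = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ah_no_icv + ah_icv(key, ip_immutable, ah_no_icv, upper) + upper


def parse_ah(data):
    """Split the AH header that follows the IP header into its fields."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4  # total AH length in bytes, derived from Payload Len
    if len(data) < ah_len:
        raise ValueError("AH length exceeds packet")
    return {
        "next_header": next_header, "payload_len": payload_len, "reserved": reserved,
        "spi": spi, "seq": seq, "ah_len": ah_len,
        "icv": data[AH_FIXED_LEN:ah_len], "upper": data[ah_len:],
    }


def verify_ah(dst_ip, ip_immutable, data):
    """Inbound AH: SA lookup by (dst, AH, SPI), then ICV recomputation; None means discard."""
    fields = parse_ah(data)
    sa = SAD.get((dst_ip, "AH", fields["spi"]))
    if sa is None:
        return None  # no SA for this direction/SPI
    expected = ah_icv(sa["auth_key"], ip_immutable, data[:AH_FIXED_LEN], fields["upper"])
    if not hmac.compare_digest(expected, fields["icv"]):
        return None  # integrity check failed: packet modified or wrong key
    return fields


if __name__ == "__main__":
    key = SAD[("10.0.0.2", "AH", 0xCDB59934)]["auth_key"]
    pkt = build_ah(key, IP_IMMUTABLE_A_TO_B, IPPROTO_ICMP, 0xCDB59934, 1,
                   icmp_echo_request(0x1234, 1))
    print(verify_ah("10.0.0.2", IP_IMMUTABLE_A_TO_B, pkt))
```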


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol
The purpose of ESP is to provide:
Integrity
Authentication
Confidentiality (encryption)


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol
In IPSec version 1, ESP only provided encryption of the Payload.
In IPSec version 2, ESP provides all of: authentication, integrity and encryption.
The IP packet after the ESP header has been added, as in the figure:
IP Header | ESP Header | Payload | ESP Trailer | ESP Authentication


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol
ESP modes of operation


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol: Modes of operation
ESP is also used in 2 modes:
Transport:
Uses the original IP Header.
Encrypts and/or protects the integrity of only the packet contents and some ESP components, but not the IP Header.


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol: Modes of operation
ESP is also used in 2 modes:
Tunnel:
Creates a new IP Header that lists the endpoints of the ESP tunnel (for example, two IPSec Gateways).
Encrypts and/or protects the integrity of the packet contents, including the IP Header and some ESP components.


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol: Transport mode
Original IP packet:
IP Hdr | TCP|UDP Hdr | Data
ESP packet in Transport mode:
IP Hdr | ESP Hdr | TCP|UDP Hdr | Data | ESP Trl | ESP Auth
Encrypted: TCP|UDP Hdr, Data and ESP Trl; authenticated: from ESP Hdr through ESP Trl.


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol: Transport mode
Protects the upper-layer protocol but does not protect the IP header.
The ESP header is inserted into the original IP packet between the IP header and the payload (Payload = TCP|UDP Header + Data).


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol: Tunnel mode
Original IP packet:
IP Hdr | TCP|UDP Hdr | Data
ESP packet in Tunnel mode:
New IP Hdr | ESP Hdr | IP Hdr | TCP|UDP Hdr | Data | ESP Trl | ESP Auth
Encrypted: the original IP Hdr, TCP|UDP Hdr, Data and ESP Trl; authenticated: from ESP Hdr through ESP Trl.


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol: Tunnel mode
A new IP packet is built with a new IP header.
ESP protects the entire original packet, including its IP header and Payload = TCP|UDP Header + Data.


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol
ESP packet format


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol: Format of an ESP-based packet
All fields in ESP are mandatory.


3.2. IPSec Architecture
3.2.3.2. The ESP Protocol
ESP packet format:
IP Hdr | ESP Hdr | Payload | ESP Trl | ESP Auth
ESP Hdr = Security Parameters Index (SPI), 32 bits; Sequence Number, 32 bits
ESP Trl = Padding, 0-255 bytes; Pad Length, 8 bits; Next Header, 8 bits


SPI:
- Each communicating party chooses its own SPI value.
- The receiver uses the SPI, the destination IP address and the IPSec protocol (ESP) to identify the unique SA that applies to the received packet.


Sequence Number:
- Initialised to 0
- Incremented by 1 for each packet sent
- Used to prevent replay (duplicate packets)


Payload:
- The payload data, which is encrypted


Padding (0-255 bytes):
- Data added to the packet (before encryption) so that the segment to be encrypted is an integer multiple of a block of bytes.
- It is also used to conceal the real length of the Payload.


Next Header:
- In Tunnel Mode the Payload is an IP packet, so Next Header = 4 (IP-in-IP).


Next Header:
- In Transport Mode the Payload is a layer-4 (Transport) protocol.
+ If it is TCP, Next Header = 6
+ If it is UDP, Next Header = 17


Authentication Data:
- Contains the ICV (Integrity Check Value)
- ICV = HMAC(ESP Hdr + Payload + ESP Trl + Key)
- The ICV must be a multiple of 32 bits
(The authenticated portion is ESP Hdr through ESP Trl.)


Note: in AH, the authentication also covers the IP Header; in ESP it does not (only ESP Hdr through ESP Trl is authenticated).


3.2.3.2. The ESP Protocol
Inbound and outbound ESP packet processing


3.2.3.2. The ESP Protocol: Algorithms used
Encryption algorithms: AES-CBC, AES-CTR, 3DES
Hash (authentication) algorithms: MD5, SHA1


3.2.3.2. The ESP Protocol: Outbound packet processing
SA lookup: like AH, ESP only processes packets that are bound to an SA.
A suitable SA must be found for each packet before it is sent.


3.2.3.2. The ESP Protocol
Outbound packet processing: Packet encryption
Depending on whether the mode is Tunnel or Transport, ESP encapsulates the whole packet or only the payload.
Add Padding if needed.
Encrypt:
If Transport: the Payload and ESP Trailer fields (Padding, Pad Length, Next Header).
If Tunnel: the IP Header, Payload and ESP Trailer fields (Padding, Pad Length, Next Header).


3.2.3.2. The ESP Protocol
Outbound packet processing: Generate the SN
This is done in the same way as in AH.


3.2.3.2. The ESP Protocol: Outbound packet processing
Compute the ICV
If the authentication service is selected, the sender computes the ICV over the ESP packet: ESP Header, Payload, ESP Trailer,
that is, the fields SPI, SN, Payload, Padding, Pad Length and Next Header.
(Note: the IP Header is not included.)


3.2.3.2. The ESP Protocol: Outbound packet processing
Fragmentation
If necessary, the packet is fragmented after ESP processing.


3.2.3.2. The ESP Protocol: Inbound packet processing
Reassembly
Reassembly of fragments is performed before ESP processing.
SA lookup
On receiving a packet that contains an ESP header, the receiver determines the matching SA from the SPI, the destination IP and the IPSec protocol (ESP), and applies that SA's policy to decrypt and authenticate the packet.


3.2.3.2. The ESP Protocol
Inbound packet processing: SN check
The same as the SN check in the AH protocol.


3.2.3.2. The ESP Protocol
Inbound packet processing: ICV check
If the authentication service is selected, the receiver computes the ICV of the ESP packet and compares it with the ICV carried in the received packet.
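As an added example (not from the lecture), the following Python walks through the ESP packet format and the outbound and inbound processing steps described above: padding the Payload + ESP Trailer to a block multiple, encrypting that portion, computing the ICV over ESP Hdr + ciphertext (never the IP header), and on receipt doing the SA lookup, ICV check, sequence-number anti-replay check, decryption and padding check, for both a Transport-mode (Next Header 6) and a Tunnel-mode (Next Header 4) packet. The SA, keys and payloads are constructed; the HMAC-keystream cipher is a stand-in for AES-CTR because the standard library has no AES, and the anti-replay window is the RFC 4303 sliding-window scheme.

```python
import hashlib
import hmac
import struct

ESP_HDR_LEN = 8   # SPI (32 bits) + Sequence Number (32 bits)
BLOCK = 16        # block size the encrypted portion is padded to (the AES block size)
ICV_LEN = 12      # HMAC-SHA1-96: 96 bits, a multiple of 32 bits as ESP requires
IPPROTO_IP_IN_IP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def keystream_xor(enc_key, nonce, data):
    """Counter-mode XOR with an HMAC-SHA256 keystream: a stand-in for AES-CTR (no AES in the
    standard library). The same call encrypts and decrypts. Demonstration only."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_padding(payload_len):
    """Padding so that Payload + Padding + Pad Length (1B) + Next Header (1B) fills whole
    blocks. Default padding bytes are 1, 2, 3, ... (RFC 4303), which the receiver can check."""
    pad_len = (-(payload_len + 2)) % BLOCK
    return bytes(range(1, pad_len + 1))


def build_esp(sa, seq, payload, next_header):
    """Outbound ESP: pad, encrypt Payload + ESP Trailer, then ICV over ESP Hdr + ciphertext.
    Transport mode passes a TCP/UDP segment (Next Header 6/17); Tunnel mode passes the wh
    inner IP packet (Next Header 4). The outer IP header is never covered by the ICV."""
    header = struct.pack("!II", sa["spi"], seq)
    padding = esp_padding(len(payload))
    trailer = padding + struct.pack("!BB", len(padding), next_header)
    # nonce = SPI || SN, unique per packet on one SA (real AES-CTR ESP carries an explicit IV)
    encrypted = keystream_xor(sa["enc_key"], header, payload + trailer)
    icv = hmac.new(sa["auth_key"], header + encrypted, hashlib.sha1).digest()[:ICV_LEN]
    return header + encrypted + icv


class ReplayWindow:
    """Anti-replay window over the Sequence Number (RFC 4303 style, 64 packets by default)."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0  # bit k of bitmap: SN (top - k) seen

    def accept(self, seq):
        if seq == 0:
            return False                       # SN 0 is never valid on an SA
        if seq > self.top:                     # new highest SN: slide the window forward
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return True
        if seq <= self.top - self.size:
            return False                       # older than the window: reject
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                       # already received: replay
        self.bitmap |= bit
        return True


def receive_esp(sad, dst_ip, packet, window):
    """Inbound ESP: SA lookup by (dst IP, ESP, SPI), ICV check, SN check, decrypt, strip the
    trailer. Returns None whenever the packet must be discarded."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        return None
    header, encrypted, icv = packet[:ESP_HDR_LEN], packet[ESP_HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    sa = sad.get((dst_ip, "ESP", spi))
    if sa is None:
        return None                            # no SA for this destination/SPI
    expected = hmac.new(sa["auth_key"], header + encrypted, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                            # ICV mismatch: checked before any decryption
    if not window.accept(seq):
        return None                            # duplicate or stale sequence number
    plain = keystream_xor(sa["enc_key"], header, encrypted)
    pad_len, next_header = struct.unpack("!BB", plain[-2:])
    end = len(plain) - 2 - pad_len
    if end < 0 or plain[end:-2] != bytes(range(1, pad_len + 1)):
        return None                            # malformed trailer or padding
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": plain[:end]}


# Constructed SA (the SPI is the one in the slide's ESP capture) and constructed payloads
SAD = {("10.0.0.2", "ESP", 0xDF30DE3C): {"spi": 0xDF30DE3C,
                                          "enc_key": b"constructed-enc-key",
                                          "auth_key": b"constructed-auth-key"}}
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN
INNER_IP_PACKET = bytes([0x45, 0, 0, 40]) + b"\x00" * 16 + TCP_SEGMENT  # 40-byte inner IPv4 packet
```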


3.2.3.2. The ESP Protocol
ESP: data encryption


3.2.3.2. The ESP Protocol
ESP uses symmetric encryption to encrypt packets.
Encryption in Tunnel mode
ESP uses the encryption algorithms AES-CBC, AES-CTR and 3DES.


3.2.3.2. The ESP Protocol
ESP packet analysis


3.2.3.2. The ESP Protocol
ESP Header: SPI = df30de3c, Sequence Number = 00000001. The data portion cannot be identified because it is encrypted.


Summary of the ESP Protocol
ESP is the protocol that provides integrity, authentication and confidentiality, and protects against replay of old packets.
It operates in 2 modes: Transport and Tunnel.
ESP version 1 only encrypts the Payload data.
ESP version 2 also provides integrity and authentication.
ESP version 3 adds support for the AES Counter (AES-CTR) algorithm.
ESP Tunnel mode is the most widely used in IPSec because it encrypts the original IP Header and can therefore hide the real source and destination addresses of the packet.


Summary of IPSec with AH and ESP


TUNNELING PROTOCOLS
IP SECURITY PROTOCOL (IPSec)


THE IPSec PROTOCOL FRAMEWORK
IP SECURITY PROTOCOL (IPSec)


IPSec provides security for 3 scenarios:
Host-to-host
Host-to-gateway
Gateway-to-gateway
IPSec operates in 2 modes:
Transport mode (end-to-end)
Tunnel mode (for VPNs)


Modes of operation of the IPSec protocol
Transport mode: this mode secures the connection between 2 hosts; it protects the upper-layer protocol information of the IP datagram. Only the IP Payload is encrypted.
Figure: IPSec Transport Mode


Modes of operation of the IPSec protocol
Tunnel mode: this mode protects the entire datagram; the whole IP packet is encapsulated in another IP packet. The router performs the encryption on behalf of the host.
Figure: IPSec Tunnel Mode

Contents


3.1. Introduction
3.2. IPSec Architecture
3.3. Internet Key Exchange
3.4. IPSec operation
3.5. IPSec/IKE system processing


3.3. Internet Key Exchange (IKE)


3.3.1 Overview: IPSec by itself has no ability to establish SAs.


3.3.1 Overview
The IKE protocol (Internet Key Exchange, RFC 2409) is the key management protocol of IPSec.
It allows IPSec SAs to be negotiated and created automatically between IPSec peers.


3.3.1 Overview
IKE is also responsible for deleting the keys and SAs after a communication session ends.
IKE is not fast, but it is efficient, because a large number of SAs can be negotiated with only a moderate number of messages.


3.3.1 Overview: History of IKE
IKE was first published in 1998 by the IETF. It was built on two protocols:
The Oakley key agreement protocol (Key Distribution), RFC 2412
The ISAKMP key management protocol (Key Management), RFC 2408
(and SKEME, another key exchange protocol)
IKE can also be used outside IPSec.


ISAKMP (Internet Security Association and Key Management Protocol):
Establishes a secure session between IPSec peers.
Negotiates the SAs between IPSec peers.
Oakley:
Defines the key exchange mechanisms within an IKE session.
Determines the keys for AH/ESP automatically for each IPSec SA.
Uses Diffie-Hellman key exchange by default.
SKEME:
A key exchange protocol that defines how authenticated keys are produced, with fast key refresh.


Figure: Relationship between IKE and IPSec


Relationship between IPSec and IKE:
IPSec needs SAs to protect traffic. If no SAs exist yet, IPSec asks IKE to provide the IPSec SAs.
IKE opens a management session with the peers and negotiates all the SAs and keys for IPSec.
IPSec then starts protecting traffic.


The IKE protocol:
An IKE session runs over UDP with the source and destination ports set to 500.
The result of the IKE session is the IKE SAs (which protect the IKE session itself).
IKE then establishes all the IPSec SAs that are required.


SA example. Note: there are 2 kinds of SA:
IKE SAs (established within the IKE session)
IPSec SAs (negotiated by IKE)
An SA may contain the following information (see figure):


IPSec key management requirements


3.3.2 Key management requirements for IPSec
The AH and ESP protocols require a secret key shared between the communicating parties.
Keys may be configured manually or distributed by a key distribution mechanism.
The problem is that a key may be lost, disclosed, or simply expire.


3.3.2 Key management requirements for IPSec
Manual keying is not flexible when many SAs must be established and managed.
An efficient key distribution and management mechanism is needed.


3.3.2 Key management requirements for IPSec
The key distribution and management mechanism must meet the following basic requirements:
Independence from any specific cryptographic algorithm
Independence from any specific key exchange protocol
Authentication of the key management entities
Efficient use of resources
IKE was designed to meet these requirements.


3.3.2 Key management requirements for IPSec
IKE consists of 2 phases: the two key exchange phases create the IKE SA and a secure tunnel between the 2 systems.
One side proposes one of the algorithms; the other side accepts it or rejects the connection.
Once the 2 sides agree on the algorithm to use, the key for IPSec is generated.
This key is obtained with the Diffie-Hellman algorithm.


3.3.2 Key management requirements for IPSec
IKE operates in 2 phases:
Phase 1:
+ Goal: authenticate the participants and provide protection for the Phase 2 negotiation.
+ Uses Diffie-Hellman to generate a shared secret key for later encryption.
+ The result is an IKE SA (bidirectional).
Phase 2:
+ The main purpose is to agree on the cryptographic keys used to protect the traffic between the entities, and the SAs for the data exchange.


3.3.2 Key management requirements for IPSec
IKE consists of 2 phases:
IKE Phase 1: uses Main mode or Aggressive mode. Negotiates the IKE SA to establish a secure IKE session.
IKE Phase 2: uses Quick mode. Negotiates the IPSec SAs.


3.3.3. IKE Phase 1
IKE Phase 1


3.3.3. IKE Phase 1
IKE Phase 1 (protecting the IKE session):
Authenticates the participants of the IKE session
Encrypts the IKE session
Provides integrity for the IKE session


3.3.3. IKE Phase 1
IKE Phase 1 (protecting the IKE session): Authenticating the participants of the IKE session
To establish the IKE SA, the participants must authenticate each other (mutually, in both directions).
Authentication methods:
Pre-shared secret key
RSA-encrypted nonces
RSA digital signatures
Digital certificates
...


3.3.3. IKE Phase 1
IKE Phase 1 (protecting the IKE session): Encrypting the IKE session
The IKE session is encrypted with DES or 3DES.
The encryption key is produced by the DH key exchange.
In Main mode, the identities of the parties are also encrypted.
In Aggressive mode, the identities of the parties are not encrypted.


3.3.3. IKE Phase 1
IKE Phase 1 (protecting the IKE session): Integrity of the IKE session
IKE uses HMAC functions to ensure the integrity of the IKE session.
Usual choices: SHA-1 or MD5.
The key used for integrity is derived from the DH key exchange.


IKE Phase 1 (protecting the IKE session): the steps of Main mode in detail
Main Mode
Step 1: Policy negotiation
- One side proposes a list of algorithms; the receiver selects from it or responds with a different requirement.


Main Mode
Step 1: Policy negotiation
- The 2 sides negotiate the following 4 parameters:
+ Encryption algorithm: DES | 3DES
+ Integrity algorithm: MD5 | SHA-1
+ DH group used for the key exchange:
Group 1: 768-bit modulus
Group 2: 1024-bit modulus
Group 3: 2048-bit modulus
+ Authentication method


Main Mode
Step 1: Policy negotiation
- The 2 sides negotiate the following 4 parameters:
+ Encryption algorithm: DES | 3DES
+ Integrity algorithm: MD5 | SHA-1
+ DH group used for the key exchange
+ Authentication method:
1. Pre-shared secret key
2. Certificates
3. Kerberos V5
4. RSA digital signatures


IKE Phase 1 (protecting the IKE session): the steps of Main mode in detail
Main Mode
Step 3: Authenticating the parties
- Combine:
+ The result of Step 1 -> hash algorithm + authentication method
+ The result of Step 2 -> key KM
- The Identity payload is hashed and then encrypted with KM.
Identity payload = Identity type + port + protocol
If the authentication method is certificate => Identity type = name, general name
If the authentication method is pre-shared secret key => Identity type = FQDN (Fully Qualified Domain Name)


3.3.3. IKE Phase 1
IKE Phase 1 (protecting the IKE session): the steps of Main mode in detail
Main Mode
Step 1: Policy negotiation
Step 2: Diffie-Hellman key exchange
Step 3: Authenticating the parties
Result of Phase 1:
- The 2 sides have negotiated the IKE SA (authentication algorithm, encryption algorithm, authentication method, session key) for the IKE session.
- The IKE session is secured and the parties have authenticated each other.


3.3.4. IKE Phase 2
IKE Phase 2


IKE Phase 2 (negotiating the IPSec SAs): the steps of Quick mode in detail
Quick Mode
Step 1: Policy negotiation
Step 2: The session key is refreshed or exchanged via DH
Step 3: The SAs, keys and SPIs are passed to the IPSec driver


The steps of Quick mode in detail
Quick Mode
Step 1: Policy negotiation
- One side proposes a list of IPSec protocols and algorithms; the receiver selects from it or responds with a different requirement.


The steps of Quick mode in detail
Quick Mode
Step 1: Policy negotiation
- IPSec protocol: AH | ESP
- Integrity and authentication hash: SHA-1 | MD5
- Encryption algorithm (if required): 3DES | DES
After the negotiation, 2 SAs are established for each party:
- One SA for INBOUND traffic
- One SA for OUTBOUND traffic


The steps of Quick mode in detail
Quick Mode
Step 2: The session key is refreshed or exchanged via DH
This key serves authentication, integrity and encryption (if needed) in the IPSec session.
There are 2 options:
- Refresh the key KM obtained by DH in Phase 1
- Perform a second DH key exchange, obtaining Ks (rekey)


The steps of Quick mode in detail
Quick Mode
Step 3: The SAs, keys and SPIs are passed to the IPSec driver
Result of Phase 2:
- A new pair of SAs (inbound & outbound) used to protect the IP traffic
- Each SA has its own SPI and key ring
- New keys are created for authentication, integrity or encryption.
- After the new SA pair is created, the old SA pair is deleted and traffic is protected with the new pair.


3.3.4. IKE Phase 2
IKE Phase 2, an example (negotiating an IPSec SA)
Figure: overview of the two IKE phases


3.3.5. IKE modes
3.3.5.1. Main Mode
The first two messages are used to negotiate the security policy.
The next two messages are used to exchange the DH key and the Nonces.
The last two messages are used to authenticate the parties.


3.3.5.1. Main Mode
Model (Sender and Recipient):
(1) Sender -> Recipient: Header, SA
(2) Recipient -> Sender: Header, SA
(3) Sender -> Recipient: Header, KE, NonceS
(4) Recipient -> Sender: Header, KE, NonceR
(5) Sender -> Recipient: Header, IDuS, [Cert], SigS
(6) Recipient -> Sender: Header, IDuR, [Cert], SigR
IKE header: may be 0, or a message digest.
SA: a list of security attributes: HMAC? DH group? Key length? Authentication method? ...


Recipient:
- Selects the security attributes from the received SA list
- Sends them back to the sender
These 2 packets are not yet encrypted, because there is no key yet!


NonceS: a random number used for the signature (in the later packets).
KE (Key Exchange): the public value for the DH key exchange (e.g. yA = g^xA).
Recipient: sends back NonceR and its KE (e.g. yB = g^xB).
Header: may contain the name of the CA (certification authority) requested by the sender, or (0): any CA.
These 2 packets are not yet encrypted, because there is no key yet!


After packets (3) and (4), both sides hold the shared secret key KM for encryption.
SigS: the Sender's signature, computed as SigS = E_KRS[H(NonceS + DataS)].
CertS: the Sender's certificate, containing the Sender's public key KUS (corresponding to the private key KRS used to compute SigS).
IDuS: the Sender's identity, which may be an IP address, an FQDN, an e-mail address, ...
Recipient:
- Verifies the Sender's signature:
+ Takes the Sender's public key KUS from [CertS]
+ Checks the signature: SigS = E_KRS[H(NonceS + DataS)]


These 2 packets are encrypted with the key KM.
If both sides verify the signatures successfully => authentication succeeds!
End of IKE Phase 1:
- The 2 sides have authenticated each other.
- They hold the key KM that encrypts the Phase 2 packets.
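As an added example (not from the lecture), the following Python runs the six Main Mode messages of sections 3.3.3 and 3.3.5.1 between two peers using the pre-shared-key authentication method: policy negotiation (messages 1 and 2), Diffie-Hellman public values and nonces (3 and 4), derivation of SKEYID and the session key the slides call KM, and the encrypted identity-plus-hash authentication of messages 5 and 6, where the hashes are the RFC 2409 HASH_I and HASH_R. The DH group, identities, pre-shared keys and proposal lists are constructed, and the HMAC-keystream cipher stands in for DES/3DES, which the standard library lacks.

```python
import hashlib
import hmac
import os
import struct

# Toy Diffie-Hellman group for the demonstration only (not an IKE MODP group; the slides'
# Group 2 uses a 1024-bit prime): generator 2 over the Mersenne prime 2^127 - 1.
P = (1 << 127) - 1
G = 2


def prf(key, data):
    """IKE PRF = HMAC with the negotiated hash (HMAC-SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def encode(n):
    return n.to_bytes(16, "big")


def xor_keystream(key, label, data):
    """Stand-in for DES/3DES (absent from the standard library): XOR with an HMAC keystream
    keyed by SKEYID_e. Used for messages 5 and 6 only. Demonstration only."""
    ks = b"".join(prf(key, label + bytes([i])) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


class Peer:
    """One IKE party: pre-shared key, identity, acceptable proposals and Phase 1 state."""

    def __init__(self, identity, psk, proposals):
        self.identity, self.psk, self.proposals = identity, psk, proposals
        self.cookie = os.urandom(8)                          # ISAKMP cookie (IKE header)
        self.x = int.from_bytes(os.urandom(15), "big") + 2   # private DH exponent
        self.public = pow(G, self.x, P)                      # KE payload: g^x mod p
        self.nonce = os.urandom(16)

    def choose(self, offered):
        """Step 1 (responder): accept the first offered proposal it also supports."""
        for prop in offered:
            if prop in self.proposals:
                return prop
        return None

    def derive(self, peer_public, ni, nr, cki, ckr):
        """Step 2: shared secret g^xy, then SKEYID and derived keys (RFC 2409, PSK auth).
        SKEYID_e is the encryption key the slides call KM."""
        gxy = encode(pow(peer_public, self.x, P))
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cki + ckr + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cki + ckr + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cki + ckr + b"\x02")
        return skeyid, skeyid_e


def _id_and_hash(plain):
    """Split a decrypted message 5/6 body: 2-byte identity length, identity, hash."""
    n = struct.unpack("!H", plain[:2])[0]
    return plain[2:2 + n], plain[2 + n:]


def main_mode(initiator, responder):
    """Run the six Main Mode messages. Returns the agreed proposal, SKEYID_e and the peer
    identity on success, None if the policy, the pre-shared key or a hash does not match."""
    # (1) initiator offers its SA proposals; (2) responder answers with the one it selected
    chosen = responder.choose(initiator.proposals)
    if chosen is None:
        return None
    sa_i = repr(initiator.proposals).encode()  # SAi_b: the initiator's SA payload as sent
    cki, ckr = initiator.cookie, responder.cookie
    # (3) and (4): KE (g^x) and nonce in each direction; still unencrypted, no key exists yet
    gxi, gxr = encode(initiator.public), encode(responder.public)
    ni, nr = initiator.nonce, responder.nonce
    skeyid_i, km_i = initiator.derive(responder.public, ni, nr, cki, ckr)
    skeyid_r, km_r = responder.derive(initiator.public, ni, nr, cki, ckr)
    # (5) initiator: identity + HASH_I encrypted under its SKEYID_e; responder checks HASH_I
    hash_i = prf(skeyid_i, gxi + gxr + cki + ckr + sa_i + initiator.identity)
    body5 = struct.pack("!H", len(initiator.identity)) + initiator.identity + hash_i
    id_i, got_i = _id_and_hash(xor_keystream(km_r, b"m5", xor_keystream(km_i, b"m5", body5)))
    if not hmac.compare_digest(got_i, prf(skeyid_r, gxi + gxr + cki + ckr + sa_i + id_i)):
        return None  # responder rejects: wrong pre-shared key or tampered exchange
    # (6) responder: identity + HASH_R encrypted the same way; initiator checks HASH_R
    hash_r = prf(skeyid_r, gxr + gxi + ckr + cki + sa_i + responder.identity)
    body6 = struct.pack("!H", len(responder.identity)) + responder.identity + hash_r
    id_r, got_r = _id_and_hash(xor_keystream(km_i, b"m6", xor_keystream(km_r, b"m6", body6)))
    if not hmac.compare_digest(got_r, prf(skeyid_i, gxr + gxi + ckr + cki + sa_i + id_r)):
        return None  # initiator rejects
    return {"proposal": chosen, "skeyid_e": km_i, "peer_id": id_r}


# Constructed proposals: (encryption, integrity, DH group, authentication method)
PROPOSALS = [("3DES", "SHA-1", 2, "pre-shared key"), ("DES", "MD5", 1, "pre-shared key")]

if __name__ == "__main__":
    a = Peer(b"gw-a.example", b"constructed-psk", PROPOSALS)
    b = Peer(b"gw-b.example", b"constructed-psk", PROPOSALS[:1])
    print(main_mode(a, b))
```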


Figure: some IPSec ID types


3.3.5.2. Aggressive Mode
Established in the same way as Main Mode.
The only difference is that just 3 messages are exchanged.
Faster than Main Mode.


3.3.5.2. Aggressive Mode: The messages exchanged are:
The first message carries the proposed security policy, the key generation data, the random number used for the digital signature, and the identity.


3.3.5.2. Aggressive Mode
The messages exchanged are:
The second message replies to the first. It authenticates the recipient and agrees the security policy and key generation data.
The last message authenticates the sender.


    3.3.5.2. Aggressive Mode: model

    Sender                                          Recipient
    (1) Header, SA, [KE], NonceS, IDus         ->
                                               <-   (2) Header, SA, [KE], NonceR, [IDur], [Cert], SigR
    (3) Header, [Cert], SigS                   ->

    Similar to Main Mode, but with fewer steps and longer messages


    3.3.5.3. Quick Mode

    The mode of IKE phase 2

    Used to negotiate the SAs for the IPSec security services

    It can also generate new keys when necessary.


    3.3.5.3. Quick Mode

    Model

    Sender                                                      Recipient
    (1) Header, Hash1, SA, NonceS, [KE], [IDus], [IDur]    ->
                                                           <-   (2) Header, Hash2, SA, NonceR, [KE], [IDus], [IDur]
    (3) Header, Hash3                                      ->

    All 3 packets are encrypted with the phase 1 key KM

    SA (list of security attributes):
    - cipher?
    - HMAC?
    - key length?
    - IPSec protocol (AH, ESP)?
    - ...

    End of phase 2:
    - two SAs are created: one inbound SA and one outbound SA
    - each SA has its own SPI and key ring.

    KE:
    - public value of the (second) DH key exchange
    - produces a new session key KS for authenticating and encrypting the actual IP traffic (the IPSec session)
    - this key can be omitted, in which case the earlier key KM is used directly

    The 3 packets accomplish:
    - SA negotiation
    - mutual authentication
    - rekeying or key refresh via DH.
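The phase 2 outcome just described, modelled in Python as an added example (not code from the slides): a first-match negotiation over the SA attribute list, then a separate key ring for the inbound and the outbound SA, each under its own SPI, so that one peer's outbound key ring equals the other peer's inbound key ring. The KEYMAT layout prf(KM, [g^xy |] protocol | SPI | NonceS | NonceR) is borrowed from RFC 2409 as an assumption, and the proposals, nonces, SPIs and KM are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed Quick Mode SA payloads; attribute names mirror the slide
# (IPSec protocol, cipher, HMAC, key length). First acceptable proposal wins.
SENDER_PROPOSALS = [
    {"protocol": "ESP", "cipher": "AES-CBC", "hmac": "HMAC-SHA256", "key_len": 256},
    {"protocol": "ESP", "cipher": "3DES-CBC", "hmac": "HMAC-SHA1", "key_len": 192},
]
RECIPIENT_ACCEPTS = [
    {"protocol": "ESP", "cipher": "3DES-CBC", "hmac": "HMAC-SHA1", "key_len": 192},
]

@dataclass
class IPsecSA:
    direction: str   # "inbound" or "outbound", from the owner's point of view
    spi: int         # chosen by whoever receives on this SA
    attrs: dict      # the negotiated security attributes
    keymat: bytes    # key ring for this SA only

def negotiate(proposals, acceptable):
    """Return the first sender proposal the recipient also accepts."""
    for p in proposals:
        if p in acceptable:
            return p
    raise ValueError("no common IPsec proposal")

def keymat(km, protocol, spi, nonce_s, nonce_r, dh_qm=None):
    """Phase-2 key ring, shaped as in RFC 2409 (assumption, not the slide's formula):
    prf(KM, [g^xy |] protocol | SPI | NonceS | NonceR). dh_qm is the shared secret of
    the optional second DH exchange (the slide's KE); omit it to rely on KM alone."""
    proto_id = b"\x03" if protocol == "ESP" else b"\x02"  # RFC 2407 ids: ESP=3, AH=2
    msg = (dh_qm or b"") + proto_id + spi.to_bytes(4, "big") + nonce_s + nonce_r
    return hmac.new(km, msg, hashlib.sha256).digest()

def quick_mode(km, proposals, acceptable, nonce_s, nonce_r, my_spi, peer_spi, dh_qm=None):
    """Phase-2 result seen by one peer: inbound SA under the SPI it chose,
    outbound SA under the SPI the other side chose."""
    attrs = negotiate(proposals, acceptable)
    proto = attrs["protocol"]
    inbound = IPsecSA("inbound", my_spi, attrs, keymat(km, proto, my_spi, nonce_s, nonce_r, dh_qm))
    outbound = IPsecSA("outbound", peer_spi, attrs, keymat(km, proto, peer_spi, nonce_s, nonce_r, dh_qm))
    return inbound, outbound

if __name__ == "__main__":   # constructed KM, nonces and SPIs
    s_in, s_out = quick_mode(b"KM-phase1", SENDER_PROPOSALS, RECIPIENT_ACCEPTS, b"Ns", b"Nr", 0x1001, 0x2002)
    print(s_in.attrs["cipher"], hex(s_in.spi), s_in.keymat.hex()[:16], hex(s_out.spi), s_out.keymat.hex()[:16])
```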


    In phase 1 there are several modes: Main Mode, Aggressive Mode, Base Mode, New Group Mode

    Base Mode and New Group Mode are rarely used; vendors usually do not support them.

    New Group Mode: makes the DH key exchange easier

    Negotiates a private group


    3.3.5.4. New Group Mode: model

    Sender                              Recipient
    (1) Header, Hash1, SA          ->
                                   <-   (2) Header, Hash2, SA

    Overview of the IKEv2 protocol

    Introduced in October 2005 in RFC 4306.


    Developed to address the problems of IKEv1: its complexity, its security level and its efficiency.

    IKEv2 also consists of two phases.

    Phase 1 comprises two exchanges, IKE_SA_INIT and IKE_AUTH.

    Phase 2 comprises the CREATE_CHILD_SA exchange and/or the INFORMATIONAL exchange.

    Applications of the IKE protocol.

    It is very widely used.


    Used as part of the IPSec protocol suite; it can be deployed on Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

    In open-source products: OpenIKEv2.

    StrongSwan.

    Openswan.

    Racoon and Racoon2 from the KAME project.

    Contents:

    3.1. Introduction
    3.2. IPSec architecture

    3.3. Internet Key Exchange

    3.4. IPSec operation
    3.5. IPSec/IKE system processing

    3.4. IPSec operation

    It proceeds as follows:


    First, the traffic flow to be protected is designated for IPSec

    Next, IKE phase 1 negotiates an SA

    This establishes a secure communication channel and authenticates the peers


    IKE phase 2 negotiates the parameters of the IPSec SA over the secure channel just established

    These parameters are used to agree on how the two sides exchange data

    The keys are stored in the SAD database.


    The packets are then processed by AH or ESP, using the encryption and authentication algorithms and the keys specified by the SA

    Finally, when the session ends, the IPSec tunnel is torn down.
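The operation flow of 3.4 in miniature, as an added example that is not the slides' own code: an AH SA installed in a SAD, an outbound packet protected with that SA's key, and an inbound packet verified by looking its SPI up in the SAD. The SAD layout, the 8-byte AH header (SPI | sequence number) and the key are constructed for the example; the ICV is HMAC-SHA1-96 as in RFC 2404, and a duplicate sequence number is rejected as a minimal replay check.

```python
import hmac
import hashlib

# Constructed SAD: one entry per SA, keyed by (destination, protocol, SPI), holding
# what the slide calls the SA's key ring plus a sequence counter. One process models
# both peers here, so sender and receiver share the same entry.
SAD = {}

def install_sa(dst, protocol, spi, auth_key):
    SAD[(dst, protocol, spi)] = {"auth_key": auth_key, "seq": 0, "seen": set()}

def icv(sa, spi, seq, payload):
    """HMAC-SHA1-96 (RFC 2404): HMAC over the simplified AH header (SPI | seq) and
    the payload, truncated to 96 bits. AH authenticates; it does not encrypt."""
    hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    return hmac.new(sa["auth_key"], hdr + payload, hashlib.sha1).digest()[:12]

def ah_outbound(dst, spi, payload):
    """Protect a packet selected for IPSec: bump the SA's sequence number, then emit
    SPI | seq | ICV | payload."""
    sa = SAD[(dst, "AH", spi)]
    sa["seq"] += 1
    hdr = spi.to_bytes(4, "big") + sa["seq"].to_bytes(4, "big")
    return hdr + icv(sa, spi, sa["seq"], payload) + payload

def ah_inbound(dst, packet):
    """Verify a received packet: find the SA by SPI, compare the ICV in constant time,
    and reject a sequence number already seen. Returns the payload, or None to drop."""
    if len(packet) < 20:
        return None
    spi, seq = int.from_bytes(packet[:4], "big"), int.from_bytes(packet[4:8], "big")
    sa = SAD.get((dst, "AH", spi))
    if sa is None or seq in sa["seen"]:
        return None
    payload = packet[20:]
    if not hmac.compare_digest(packet[8:20], icv(sa, spi, seq, payload)):
        return None
    sa["seen"].add(seq)
    return payload

if __name__ == "__main__":   # constructed key and SPI, as phase 2 would have installed them
    install_sa("10.0.0.2", "AH", 0x2002, b"auth-key-from-quick-mode")
    pkt = ah_outbound("10.0.0.2", 0x2002, b"hello")
    print(ah_inbound("10.0.0.2", pkt), ah_inbound("10.0.0.2", pkt))  # b'hello' None
```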


    3.5. IKE/IPSec system processing


    (Textbook)

    Chapter III summary

    Presented the IPSec protocol in detail


    Examined the foundations of IPSec: the security associations (SA)

    Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two key protocols; while AH does not encrypt data, ESP does

    We also examined the modes in which IPSec is used

    Finally, the key exchange and management protocol IKE was presented

    It plays an important role in key distribution and management for the IPSec protocol suite.


    The End!