Internet Key Exchange (IKE) protocol vulnerability risks

1
Internet Key Exchange (IKE) protocol
vulnerability risks

• Master's thesis seminar 18.5.2004
• HUT, Networking Laboratory
• Composed by Ari Muittari at Nokia Networks
• Supervisor Prof. Raimo Kantola
• Instructor M.Sc. Jussi Kohonen

2
Contents

• Background
• Research methods
• Network security concepts
• IPsec and IKE protocols
• Experimental part
• Conclusions

3
Background

• New types of uses for the Internet are emerging
  and amount of IP traffic is growing an ever
  increasing amount of attacks can be expected
• Lack of security is a major hindrance to the
  widespread use of the Internet
• IPsec (and IKE as its key exchange protocol)
  promises network level IP security
• Attacking on IKE is presumably difficult because
  it has been designed to be robust
• Few studies analyze the weaknesses of IKE
• A couple of experimental attack programs are
  available (in contrast to the tool arsenal
  targeted to TCP/IP)
• Research problem Is it feasible to successfully
  attack IKE protocol?

4
Research methods

• Modeling network security concepts
• Reviewing the cryptography used, IPsec and IKE
  protocol
• Analyzing the papers written of IKE weaknesses
• Analyzing the existing IKE attack programs
• Applying selected theoretical attack scenarios
  into practise by implementing them into attack
  programs
• Experimenting these attacks in a test environment

5
Network security concepts 1(2)

• Green circle Security is retained inspite of the
  mounted attacks
• Red circle Security threats are realized by
  successful attacks
• Attacker tries to adversely affect the
  information flow

• A basic model for network security concepts
  constructed
• Helps to form a general view of the related
  concepts and their relations

6
Network security concepts 2(2)

• Cryptographic methods are the building blocks of
  IPSec and IKE
• Secret and Public key encryption
• Provides confidentiality
• Digital signature and hash functions, MAC
  (Message Authentication Code)
• Provides integrity
• Random numbers
• Add unpredictability to cryptographic algorithms
  and protocols
• Used for example for creating keys, nonces and
  cookies
• Diffie-Hellman key exchange protocol
• Two parties agree over an insecure channel on a
  shared secret
• Shared secret is used to protect the following
  traffic

7
IPsec and IKE protocols 1(2)

• Internal structure of IPsec protocol suite
• AH Authentication Header
• API Application Programming Interface
• DOI Domain of Interpretation
• ESP Encapsulated Security Payload
• ISAKMP Internet Security Association
• and Key Management Protocol
• Oakley Key Exchange Protocol
• SA Security Association
• SAD Security Association Database
• SKEME Secure Key Exchange Mechanism
• SPD Security Policy Database

8
IPsec and IKE protocols 2(2)

• IKE SA and IPsec SA establisment

• Main mode

Aggressive mode
HDR ISAKMP Header, HDR Payloads are
encrypted SA Security Association payload KE
Key Exchange payload (Diffie-Hellman public
value) Ni, Nr Nonce payload (of Initiator,
Responder) IDii, Idir Identification
payload HASH_I, HASH_R Hash payload (of
Initiator, Responder)
9
Experimental part 1(6)

• Test network
• Three hosts in a LAN (Local Area Network) running
  FreeBSD OS (operating system)
• Hosts are operated via a switch matrix
• Software of the IPsec hosts
• IPsec KAME
• IKE racoon
• Software of the Attackers host
• ettercap for enabling Man-in-the-middle (MITM)
  attacks by using ARP tables poisoning technique
• ike-scan for discovering IKE services
• ikeprobe for IKE packet fabrication
• ikecrack for pre-shared key cracking
• Installation of OS and software
• Configuration of IPsec policies

10
Experimental part 2(6)

• Attacks on IKE are diverse
• Exploit weaknesses of a protocol or an
  implementation by applying various techniques
• Active or passive, specific to an exchange (main
  or aggressive mode) or parameters used
• Differ in terms of required effort and level of
  difficulty to implement and mount
• The implications induced by an attack vary as do
  the benefits the attacker is able to gain
• Categorization of demonstrated attacks
• Discovery of IKE service
• Denial-of-Service (DoS) attacks
• Authentication attacks

11
Experimental part 3(6)

• Discovery of IKE service
• If the attacker knows a specific IPsec
  implementation on the network, he can focus his
  effort on its known vulnerabilities
• As IKE runs over UDP protocol, it needs a
  retransmission strategy
• Time to wait before resending the packet
• Time to wait (delay) between subsequent packets
• Count of packets to be resent before giving up
• IPsec implementations tend to have an individual
  IKE retransmission strategy which forms a kind of
  pattern (fingerprint)
• ike-scan discovers and identifies IPsec
  implementations
• A publicly available C program
• Sends an initial main mode packet to the
  specified hosts
• Collects timing information from responses
• Matches that information against a database of
  the known implementations patterns
• Concludes the IPsec/IKE implementation (vendor)

12
Experimental part 4(6)

• Denial-of-Service (DoS) attacks
• The attackers aim is to disable the Responder by
  exploiting IKE protocol or implementation flaws
• Force Responder to spend computing or memory
  resources
• Force Responder to crash or jam by sending a
  malformed packet
• ikeprobe.pl, IKE packet fabrication tool
• Largely rewritten and enhanced from the
  IKEProber.pl
• Aggressive and main mode packet flooding
• Initiates an IKE negotiation without trying to
  complete it
• DoS protection means of IKE
• Cookies (IKE fails to protect against even simple
  DoS attacks)
• Discarding of malformed packets
• Limited logging of abnormal events

13
Experimental part 5(6)

• DoS attacks classified according to a
  mechanism they effect on the IKE service

14
Experimental part 6(6)

• Authentication attacks
• Cracking a weak pre-shared key
• ikecrack.pl, IKE message parser and pre-shared
  key cracking tool
• Largely rewritten and enhanced from the
  ikecrack-snarf-1.00.pl
• The attacker captures the exchange by tcpdump
  nxq s 600 gt file
• ikecrack parses the capture file, computes needed
  keying material and MAC values and starts
  dictionary, hybrid and brute-force cracking
• In aggressive mode only a capture of an exchange
  needed
• In main mode also a MITM attack needed to forge a
  DH public key by using an ettercap plug-in
  program developed
• Use of degenerated DH public keys
• racoon accepts degenerated DH public keys and
  thus allows revealing of DH shared secret
  (implementation flaw)

15
Conclusions

• IKE is a complex protocol. Security suffers from
  complexity
• Attacking on IKE is feasible, although not
  trivial
• Serious vulnerabilities demonstrated in various
  areas, including
• Denial-of-Service
• Resources can be exhausted (computing, memory and
  disk)
• Implementation flaws (crashes and endless loops)
• Authentication
• Cracking a pre-shared key (aggressive and main
  mode)
• MITM attacks on DH
• It is only a matter of time when there are
  advanced attack tools available
• IKE will probably remain in use for years (IKEv2
  is an Internet-draft)
• Still, IPsec is the current best practice in IP
  security
• Realize the weaknesses and enforce respective
  countermeasures
• Focus on security testing (traditionally
  inter-operation testing)
• Further research
• Test other IPsec implementations
• Verify the robustness of the forthcoming IKEv2
• Develop a security testing tool suite (move from
  Perl to C)

16
Additional material 1(4)

• An example of a DoS attack which floods responder
  with expensive modular exponentiation
  computations in aggressive mode
• perl ikeprobe.pl d 10.0.0.2 s 1112 ip
  10.0.0.3 k user 99 n user 77 c 30000 wait b
  8
• racoon uses all the available processing capacity
  (95 CPU usage)
• Disk storage is exhausted at the rate of 10
  Mbytes/hour
• Virtual memory is exhausted at the rate of 30
  Mbytes/hour (the memory remains
  reserved until racoon has been killed)

17
Additional material 2(4)

• An example of a MITM attack (cracking a
  pre-shared key in main mode)
• To decrypt the HASH_I the MITM has to know the
  encryption key which is derived from DH shared
  secret
• MITM forges Responders DH public key gy to a
  value of which DH private key y he knows, and can
  compute DH shared secret (gx)y
• g is defined to be 2, so if gy 2 then y 1 and
  DH shared secret is (gx)y gx
• Main mode exchange and a respective ettercap
  snapshot

18
Additional material 3(4)

• Diffie Hellman (DH) Key Exchange protocol

19
Additional material 4(4)

• RFC 2409 The Internet Key Exchange (IKE)
• IKE keying material and MACs in a pre-shared key
  authentication