IKE Internet Key Exchange IKE is the main key establishment protocol used for


IKE. Internet Key Exchange (IKE) is the main key establishment protocol used for IPsec VPNs. There are two versions, IKEv1 [22] and IKEv2 [25], which differ in message structure but are conceptually similar. For the sake of brevity, we will use IKEv1 terminology.

Each IKE session begins with a Phase 1 handshake, in which the client and server select a Diffie-Hellman group from a small set of standardized parameters and perform a key exchange to establish a shared secret. The shared secret is combined with other cleartext values transmitted by each side, such as nonces and cookies, to derive a value called SKEYID. IKE provides several authentication mechanisms, including symmetric pre-shared keys (PSK); when IKEv1 is authenticated with a PSK, this value is incorporated into the derivation of SKEYID.

The resulting SKEYID is used to encrypt and authenticate a Phase 2 handshake. Phase 2 establishes the parameters and key material, KEYMAT, for a cryptographic transport protocol used to protect subsequent traffic, such as Encapsulating Security Payload (ESP) [27] or Authenticated Header (AH) [26]. In some circumstances, this phase includes an additional round of Diffie-Hellman. Ultimately, KEYMAT is derived from SKEYID, additional nonces, and the result of the optional Phase 2 Diffie-Hellman exchange.

NSA’s VPN exploitation process. The documents published by Der Spiegel describe a system named TURMOIL that is used to collect and decrypt VPN traffic. The evidence indicates that this decryption is performed using passive eavesdropping and does not require message injection or man-in-the-middle attacks on IPsec or IKE. Figure 4, an excerpt from one of the documents [67], illustrates the flow of information through the TURMOIL system.

The initial phases of the attack involve collecting IKE and ESP payloads and determining whether the traffic matches any tasked selector [65]. If so, TURMOIL transmits the complete IKE handshake and may transmit a small amount of ESP ciphertext to NSA’s Cryptanalysis and Exploitation Services (CES) [56,65] via a secure tunnel. Within CES, a specialized VPN Attack Orchestrator (VAO) system manages a collection of high-performance grid computing resources located at NSA Headquarters and in a data center at Oak Ridge National Laboratory, which perform the computation required to generate the ESP session key [61,62,67]. VAO also maintains a database, CORALREEF, that stores cryptographic values, including a set of known PSKs and the resulting “recovered” ESP session keys [60,61,67].

The ESP traffic itself is buffered for up to 15 minutes [64], until CES can respond with the recovered ESP keys if they were generated correctly. Once keys have been returned, the ESP traffic is decrypted via hardware accelerators [59] or in software [68,69]. From this point, decrypted VPN traffic is reinjected into TURMOIL processing infrastructure and passed to other systems for storage and analysis [69]. The documents indicate that NSA is recovering ESP keys at large scale, with a target of 100,000 per hour [64].
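
The Phase 1 and Phase 2 key derivation described in the IKE paragraphs above, written out as an added example (not code from the original text). It follows the PSK-authenticated formulas of RFC 2409 and assumes HMAC-SHA1 as the negotiated prf; the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1's prf is the HMAC form of the negotiated hash; SHA-1 is assumed here.
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """SKEYID family for PSK authentication (RFC 2409, section 5)."""
    skeyid = prf(psk, ni + nr)               # secret PSK, cleartext nonces
    tail = g_xy + cky_i + cky_r              # secret DH result, cleartext cookies
    skeyid_d = prf(skeyid, tail + b"\x00")   # seeds Phase 2 KEYMAT
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")  # authenticates Phase 2
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")  # encrypts Phase 2
    return {"SKEYID": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

def keymat(skeyid_d, protocol, spi, ni2, nr2, length, g_qm_xy=b""):
    """KEYMAT expansion (RFC 2409, 5.5); g_qm_xy is the optional Phase 2 DH result."""
    seed = g_qm_xy + bytes([protocol]) + spi + ni2 + nr2
    out, block = b"", b""
    while len(out) < length:
        block = prf(skeyid_d, block + seed)  # K1 = prf(d, seed); Kn = prf(d, Kn-1 | seed)
        out += block
    return out[:length]

# Constructed sample values, not taken from any real exchange.
SAMPLE = dict(
    psk=b"example-psk",
    ni=bytes(range(16)), nr=bytes(range(16, 32)),
    g_xy=b"\x5a" * 128,                      # stand-in for a 1024-bit DH shared secret
    cky_i=b"\x11" * 8, cky_r=b"\x22" * 8,
)
ESP = 3  # IPsec DOI protocol ID for ESP

def demo():
    keys = phase1_keys(**SAMPLE)
    args = (keys["d"], ESP, b"\xde\xad\xbe\xef", b"\x01" * 16, b"\x02" * 16, 36)
    no_pfs = keymat(*args)                   # no Phase 2 Diffie-Hellman
    pfs = keymat(*args, g_qm_xy=b"\xa5" * 128)
    return keys, no_pfs, pfs

if __name__ == "__main__":
    keys, no_pfs, pfs = demo()
    print("SKEYID_d:       ", keys["d"].hex())
    print("KEYMAT (no PFS):", no_pfs.hex())
    print("KEYMAT (PFS):   ", pfs.hex())
```

In Phase 1 only `psk` and `g_xy` are secret; the nonces and cookies are sent in the clear. Without the optional Phase 2 exchange, KEYMAT adds no new Diffie-Hellman secret on top of SKEYID_d.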

  • Spring '14
  • Cryptography, Real World Cryto, Prime number, Logarithm, Transport Layer Security, Integer factorization, discrete log
