As Secure Socket Layer (SSL) Virtual Private Network (VPN) technology has become more mature and has rapidly been deployed over recent years, it has gained the attention of network and IT administrators who are looking for remote access VPN solutions that provide ubiquitous access and low-cost deployment and management. At present, no official standards exist for SSL VPN technologies; various vendors use different implementations. This chapter takes a close look at the evolution of the SSL VPN technology to help you understand how this technology works.
Cryptographic Building Blocks of SSL VPNs
A VPN carries private traffic over public networks. A secure VPN meets the following basic requirements:
Authentication guarantees that the VPN entity communicates with the intended party. The authentication can apply to either a VPN device or a VPN user. For example, in a remote access VPN, the VPN head-end device can authenticate the user PC to make sure that it is indeed the PC that owns the IP address that it uses to connect to the concentrator. The concentrator can also authenticate the end user who is using the PC to properly assign user privileges based on the user's information.
Confidentiality ensures the data's privacy by encrypting the data.
Message integrity guarantees that the data's content has not been modified during the transmission.
The following sections examine how these requirements are fulfilled through the use of various cryptographic algorithms. Readers who are already familiar with these cryptographic algorithms can skip these sections and move directly to the SSL section.
Hashing and Message Integrity Authentication
The following sections describe hashing and its use in cryptography.
Hashing plays an important role in a security system by ensuring the integrity of the transmitted message. A hashing algorithm converts a variable-length text field into a fixed-size string. Hashing algorithms used in a security system have the following two properties:
One-way hashing mechanism: This means that given the hash output, it is difficult to invert the hashing function to get the original message.
Collision-free output: This means that for a hashing algorithm, it is computationally infeasible to find any two messages that have the same hash output.
Because of these properties, a hash is also known as a message digest or digital fingerprint. People can generate a small hash output from a large document and use the hash output as the digital fingerprint of the document. This digital fingerprint can then be used to ensure that the message has not been tampered with during its transmission over an insecure channel. In addition, from the digital fingerprint, it is impossible to reveal the content of the original message.
Up to now, the most commonly used cryptographic hash algorithms have been message digest algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). Both of these have been considered one-way and strongly collision-free hashing algorithms. MD5 provides 128-bit output, and SHA-1 provides 160-bit output. Because of its larger size, SHA-1 is normally considered more secure, but computationally more expensive, than MD5. With hardware and software implementation in today's networks, the performance difference is usually not a concern. Therefore, SHA-1 is the preferred hashing algorithm for use in a VPN deployment.
Message Authentication Code
Message authentication code (MAC) is a cryptographic checksum that is used to ensure the integrity of the message during transmission. To generate a MAC, you can use either an encryption algorithm, such as Data Encryption Standard (DES), or a hashing algorithm. Hashing is generally much faster than encryption algorithms, so the hash-based MAC (HMAC) is the most popular way. HMAC is a keyed hash function. Here is how it works: To generate an HMAC of a message M, you need to pick two system parameters, a hashing function H (normally MD5 or SHA-1) and a key K. The HMAC of the message is calculated as follows:
HMAC(K, M) = H((K XOR opad) || H((K XOR ipad) || M))
where || denotes concatenation, opad is the string of 0x5c bytes, and ipad is the string of 0x36 bytes.
In a crypto system, the key K used here is normally generated during the key negotiation and establishment process between the two peers. Note that the two-level hash makes an HMAC function much more secure than a simple keyed hash function.
Figure 2-1 illustrates how HMAC functions between the sender and recipient of the message.
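The following added example (not code from the book) builds HMAC directly from the formula above with Python's hashlib, cross-checks it against the standard library's hmac module, and shows the integrity check failing when the message is altered in transit. The key-padding rule (keys longer than the hash block are hashed first, shorter keys are zero-padded to the block length) is the RFC 2104 convention and is an assumption beyond what the text states.

```python
import hashlib
import hmac  # used only to cross-check the manual construction

def hmac_manual(key: bytes, msg: bytes, hashname: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K XOR opad) || H((K XOR ipad) || M)), per RFC 2104."""
    block_size = hashlib.new(hashname).block_size   # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                       # long keys are hashed first
        key = hashlib.new(hashname, key).digest()
    key = key.ljust(block_size, b"\x00")            # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)             # K XOR ipad (0x36 repeated)
    opad = bytes(b ^ 0x5C for b in key)             # K XOR opad (0x5c repeated)
    inner = hashlib.new(hashname, ipad + msg).digest()
    return hashlib.new(hashname, opad + inner).digest()

def matches_stdlib(key: bytes, msg: bytes, hashname: str = "sha1") -> bool:
    """True when the manual construction equals hmac.new() for the same inputs."""
    return hmac_manual(key, msg, hashname) == hmac.new(key, msg, hashname).digest()

def verify_tag(key: bytes, msg: bytes, tag: bytes, hashname: str = "sha1") -> bool:
    """Recipient-side check; constant-time compare avoids leaking tag bytes."""
    return hmac.compare_digest(hmac_manual(key, msg, hashname), tag)

if __name__ == "__main__":
    # Constructed sample: a shared key K negotiated earlier, and a message M.
    k = b"key"
    m = b"The quick brown fox jumps over the lazy dog"
    tag = hmac_manual(k, m)
    print("HMAC-SHA1:", tag.hex())
    print("intact message verifies:", verify_tag(k, m, tag))
    print("tampered message verifies:", verify_tag(k, m.replace(b"dog", b"cat"), tag))
```

Note that MD5 and SHA-1 share the same 64-byte block size, so the only change between HMAC-MD5 and HMAC-SHA1 is the underlying hash passed as hashname.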
The Security of MD5 and SHA-1 - Recent research conducted by a group of Chinese cryptographers, including Xiaoyun Wang, has shown that MD5 and SHA-1 are not collision free, and algorithms have been developed to find collisions faster than using brute force. For example, SHA-1 has a 160-bit output, so if you hash 2^80 random messages, you will find one pair of messages that have the same hash output. Three Chinese cryptographers proved that they can find collisions in SHA-1 with 2^69 operations, which is 2000 times faster than using brute force.
The implications of these findings are described by Bruce Schneier at his web blog (http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html) and by Eric Rescorla at http://www.rtfm.com/movabletype/archives/2004_08.html#001059.
Here is a brief summary:
The attack threatens the nonrepudiation property provided by hashing algorithms in digital certificates.
It is believed that HMAC is still secure against this attack.
The current attack is on the far edge of feasibility with current technology.
These findings push industry toward developing more secure hash algorithms such as SHA-256 or other crypto methods. More details on SHA-2 can be found at http://en.wikipedia.org/wiki/SHA-2.
Encryption algorithms transform plain text into cipher text. Unlike hashing, encryption algorithms require keys for encryption and decryption. Two main types of encryption algorithms exist:
Symmetric encryption: Uses the same key for encryption and decryption. It is also known as secret-key cryptography. The symmetric algorithms are normally used to encrypt the content of a message. Two main types of symmetric encryption algorithms exist:
— Stream ciphers, such as RC4
— Block ciphers, such as DES, Triple DES (3DES), and Advanced Encryption Standard (AES)
Asymmetric encryption: Uses different keys for encryption and decryption. Asymmetric encryption is also known as public-key cryptography. An asymmetric encryption system consists of two computationally associated keys. One, known to the public domain, is called the public key; the other is known only to the owner of the key pair. Depending on the use of the public and private key pairs, asymmetric algorithms can be used for either encryption or authentication purposes. Figure 2-2 illustrates the usage of asymmetric algorithms. Consider the example of Alice and Bob, who want to use asymmetric algorithms for secure communications. For encryption purposes, Alice would encrypt the message using Bob's public key and send the cipher text to Bob. Upon receiving the cipher text, Bob, who is the only owner of the corresponding private key, can then decrypt the message with his private key. For authentication purposes, Alice would encrypt (or sign) the message using her own private key. Other people such as Bob can then verify the authenticity of the message by using Alice's public key, which is the only key that matches the signing private key. The real-world use of asymmetric algorithms in crypto systems involves other components. We discuss them in the next few sections.
Because symmetric algorithms are much faster than asymmetric algorithms, symmetric algorithms are more commonly used for data encryption, while asymmetric algorithms are used for digital certification or key management. The popular examples of asymmetric algorithms are Diffie-Hellman (DH) algorithms and Rivest, Shamir, and Adelman (RSA).
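To make the two directions of use concrete (encrypt with the recipient's public key; sign with your own private key, verify with the signer's public key), here is an added example using textbook RSA with small primes. This is illustration code written for this chapter, not the book's or any vendor's implementation: the primes, exponent, and message values are constructed, and real systems add padding (OAEP or PSS) and use keys of 2048 bits or more, which this demo omits.

```python
from math import gcd

def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes (constructed, tiny values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime with phi(n)"
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)

def encrypt(public_key, m: int) -> int:
    """Alice encrypts for Bob with Bob's PUBLIC key."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(private_key, c: int) -> int:
    """Only Bob, holder of the PRIVATE key, can recover the message."""
    n, d = private_key
    return pow(c, d, n)

def sign(private_key, m: int) -> int:
    """Alice signs with her own PRIVATE key."""
    n, d = private_key
    return pow(m, d, n)

def verify(public_key, m: int, signature: int) -> bool:
    """Anyone with Alice's PUBLIC key can check the signature; a forged or
    altered message fails because no other key matches the signing key."""
    n, e = public_key
    return pow(signature, e, n) == m

if __name__ == "__main__":
    # Constructed demo values: p=61, q=53 gives n=3233, a classic textbook example.
    bob_pub, bob_priv = make_keypair(61, 53)
    alice_pub, alice_priv = make_keypair(61, 53, e=7)
    c = encrypt(bob_pub, 65)
    print("ciphertext:", c, "-> decrypts to", decrypt(bob_priv, c))
    s = sign(alice_priv, 65)
    print("signature verifies:", verify(alice_pub, 65, s))
    print("tampered message verifies:", verify(alice_pub, 66, s))
```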
RC4
Designed by Ron Rivest in 1987 for RSA Security, RC4 is the most widely used stream cipher. Because of its speed and simplicity, RC4 has been deployed in many applications, such as the SSL Protocol and the Wired Equivalent Privacy (WEP) Protocol, which is used to secure wireless network traffic.
As a stream cipher, RC4 works on bits of plain-text data and encrypts them one at a time by XORing the keystream with the plain text. The keystream is generated by passing the encryption key and initialization vector (IV) through a pseudorandom number generator.
For SSL, most web browsers support RC4 encryption with two different key sizes: RC4-40bit and RC4-128bit. Newer browsers, such as Internet Explorer 7.0 and Firefox, have started to support stronger ciphers such as AES.
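The following added example (written for this chapter, not RC4 code from the book or from any SSL implementation) implements the RC4 key-scheduling and keystream generator and applies the keystream to plain text by XOR, so encryption and decryption are the same operation. It also shows why the initialization vector matters for a stream cipher: encrypting two messages under the same key and IV yields the same keystream, and XORing the two cipher texts cancels it, leaving the XOR of the plain texts. The key-plus-IV layout (IV prepended to the key) is an assumption for illustration.

```python
def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for the given key (1..256 bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudorandom generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def rc4_crypt_with_iv(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Assumed layout: the per-message IV is prepended to the secret key."""
    return rc4_crypt(iv + key, data)

def keystream_reuse_leak(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """True if reusing key+IV for two messages makes c1 XOR c2 == m1 XOR m2,
    i.e. the keystream cancels and plain-text relationships are exposed."""
    c1 = rc4_crypt_with_iv(key, iv, m1)
    c2 = rc4_crypt_with_iv(key, iv, m2)
    n = min(len(m1), len(m2))
    return all((c1[k] ^ c2[k]) == (m1[k] ^ m2[k]) for k in range(n))

if __name__ == "__main__":
    # Constructed sample matching the widely published RC4 test vector.
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())                        # bbf316e8d940af0ad3
    print("round trip:", rc4_crypt(b"Key", ct))
    print("same key+IV leaks plain-text XOR:",
          keystream_reuse_leak(b"secret", b"\x01\x02\x03", b"attack", b"defend"))
```

Because every keystream byte is reused when key and IV repeat, a deployment must ensure the IV never repeats under one key; this is the property WEP's short 24-bit IV space failed to deliver.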
DES and 3DES
Data Encryption Standard (DES) is by far the most widely used symmetric encryption algorithm. DES is a 64-bit block cipher that works on an 8-byte data block. The output cipher block has the same 8-byte length. At the decryption side, the same algorithm is applied in reverse with the same key. Due to the requirement of having parity bits, the effective key strength of DES is 56 bits.
To encrypt a message that exceeds the DES block size, the individual cipher blocks are chained using a mode of operation. There are various modes of operation, such as Electronic Codebook (ECB), cipher block chaining (CBC), and so on. The CBC mode is the commonly used mode of operation in commercial implementations. In CBC mode, each block of cipher text is XORed with the next plain-text block to be encrypted, thus making every block dependent on all the previous blocks. The first block of data is XORed with the IV. The CBC mode adds more security compared to the ECB mode because of its extra XOR steps.
Since its design by IBM in the 1970s, the DES algorithm has withstood aggressive cryptanalysis over the years. However, its 56-bit key length is too short, and it has become weak over the years with the rapidly increasing computational power of consumer-grade systems.
3DES addresses DES's insufficient key length problem. 3DES performs DES three times with three sets of keys for a total of a 168-bit key length. To perform 3DES, the popular operation is to Encrypt-Decrypt-Encrypt (EDE). That is, DES encrypts the message using key 1, decrypts the message using key 2, and finally, encrypts the message using key 3.
AES
To replace the aging DES standard, the National Institute of Standards and Technology (NIST) called for the submission of an Advanced Encryption Standard (AES) in 1997. Out of several candidates such as MARS, Twofish, Serpent, Rijndael, and RC6, Rijndael was chosen as the final standard.
AES is also a block cipher; it works on a 128-bit data block and supports key sizes of 128, 192, and 256 bits. More information on AES can be found at http://en.wikipedia.org/wiki/Advanced_Encryption_Standard.
As a new federal standard and one that is less computationally intensive and cryptographically stronger than 3DES, AES has been rapidly added in vendors' implementations and deployed in VPN networks. Currently, many vendors also support AES hardware acceleration. AES is one of the cipher options for SSL v3 and TLS.
Published in 1976, Diffie-Hellman (DH) was the first published public-key algorithm. Diffie-Hellman is a key agreement protocol that enables communication parties to agree on a shared secret without any prior-known secrets. Diffie-Hellman is often used in key exchange and during the establishment phase of a VPN tunnel. The Diffie-Hellman algorithm works as follows:
The communication parties agree on two system parameters: a large prime p and a generator g. These are chosen such that for any value V < p, there exists a value w so that g^w mod p = V. With this requirement, g can be used to generate all the numbers from 1 to p-1.
Each communication party, say X and Y, generates a private key, x and y, each of which is a random number smaller than p. To calculate the corresponding public keys, X_x and Y_y, the following formulas are used:
— Public key for party X: X_x = g^x mod p
— Public key for party Y: Y_y = g^y mod p
The two communication parties then exchange the public key over the insecure channel. Upon receiving the other side's DH public key, each party calculates the shared secret (SS) using the following formulas:
Party X: SS = (Y_y)^x mod p = g^(yx) mod p
Party Y: SS = (X_x)^y mod p = g^(xy) mod p
Both parties come up with the same common secret.
The DH parties must share the system parameters p and g, which are called DH group parameters. The following are several common DH groups with a different p:
Group 1: 768-bit modulus
Group 2: 1024-bit modulus
Group 5: 1536-bit modulus
Note that the DH public key exchange process defines no authentication step that would ensure the communication parties are getting the right public key from the intended party. Thus, DH is vulnerable to a man-in-the-middle attack, in which an attacker can intercept the communication channel and spoof the identity of the communication parties to perform a DH exchange with party X and party Y, respectively. The attacker thereby establishes two separate shared secrets, one with X and one with Y, and can use these shared secrets to intercept further communication between the two parties that is protected by the DH secrets. An authenticated DH exchange mitigates this vulnerability.
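The following added example (written for this chapter, not code from the book or from any VPN product) carries the DH exchange through with the symbols used above: it checks the generator condition for g (feasible only for a small p), derives X_x and Y_y from random private keys, and confirms that both sides compute the same SS. The demo parameters p = 23 and g = 5 are constructed for readability; a real deployment uses one of the standardized groups listed above with a 768-bit or larger modulus, and the arithmetic is identical.

```python
import secrets

def is_generator(g: int, p: int) -> bool:
    """Check the condition from the text: g^w mod p reaches every value
    1..p-1 for some w. Exhaustive, so only practical for a small prime p."""
    return len({pow(g, w, p) for w in range(1, p)}) == p - 1

def dh_keypair(p: int, g: int):
    """Private key x is a random number smaller than p; public key is g^x mod p."""
    x = secrets.randbelow(p - 2) + 1          # x in [1, p-2]
    return x, pow(g, x, p)

def dh_shared_secret(their_public: int, my_private: int, p: int) -> int:
    """SS = (other side's public)^(my private) mod p."""
    return pow(their_public, my_private, p)

def run_exchange(p: int, g: int):
    """Simulate both parties and return (SS computed by X, SS computed by Y)."""
    if not is_generator(g, p):
        raise ValueError("g is not a generator modulo p")
    x, X_x = dh_keypair(p, g)                 # party X keeps x, publishes X_x
    y, Y_y = dh_keypair(p, g)                 # party Y keeps y, publishes Y_y
    ss_x = dh_shared_secret(Y_y, x, p)        # (Y_y)^x mod p = g^(yx) mod p
    ss_y = dh_shared_secret(X_x, y, p)        # (X_x)^y mod p = g^(xy) mod p
    return ss_x, ss_y

if __name__ == "__main__":
    # Constructed toy group: p = 23, g = 5 (5 generates all of 1..22 mod 23).
    ss_x, ss_y = run_exchange(23, 5)
    print("party X computed SS =", ss_x)
    print("party Y computed SS =", ss_y)
    print("secrets match:", ss_x == ss_y)
```

Only the public values X_x and Y_y cross the insecure channel; without an authentication step binding each public value to its owner, nothing in the exchange itself tells X that Y_y really came from Y, which is the gap the text describes.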