The Drawbacks of IPSec In It's Current Status

Overview

What many people are unaware of however, is that even though word is out that IPSec specifications are complete, that's a two-edged sword. The Working Draft for part of the IPSec specifications is out, but not complete in anyway. They are still constantly updating and upgrading various features in it even as you read this.

What's really funny though is that the IPsec standards are supposed to allow users the tightest security that money can buy, but in it's present status, the "User Authorization" specifications and "Key Management" specifications haven't even been completed and won't be completed until 1Q 1999 at the earliest. And even then, that will be the earliest that the first finalized draft will be available.

Once the draft has been finalized in it's first form, then and only then can other vendors start to make their products compatible with each other. This could take anywhere from several weeks to several months or longer. That will put vendor compatible at the 2Q 1999 mark at the earliest.

Many times, new drafts are delayed at the very last moment as problems which were not previously conceived crop up and make cause for a work around with can throw things off quite a bit depending on the nature of the delay.

Once any delays have been overcome and all vendors are compatible (probably towards 3Q 1999), multi-vendor pilot test sites will start and various security holes will be patched, fine tweakings to the specifications, the equipment and the software will be performed and finally around the end of 1999, we'll have the sort of security system in which everybody is looking for at the end of 1998 (one year earlier than it's feasibly possible).

Security Basics

Encryption

Encryption protocols, algorythms, hashing methods, checking mechanisms, etc. are numerous to say the least. Listed below are just several of the encryption technologies currently being used and the level of security offered with each differs according to so many different factors that it makes it almost impossible for any individual to decide which is the strongest. And because the of the variying methods and algorythms and proposed uses, it's impossible to even begin to make a comparison chart for all of them.

You have "Symmetric Cryptography" and "Asymmetric Cryptography"; you have "One-Way Functions" and then "One-Way Hash Functions"; you have "Private (or Secret) Key Cryptography" as well as "Public-Key Cryptography". Then there is "Digital Signatures with Encryption" and "Random Sequences" and just as well, "Pseudo-Random Sequences" available too.

Then to ensure that the encrypted data has not been tamperd with, you have various forms of checks and balances such as "Authentication of Encryption Key Exchange"; "Multiple Key Cryptography" and "Public-Key Cryptography"; "Secret Splitting" as well as "Secret Sharing" and then there is "Encryption for encrypting the database holding all of the keys for encryption".

To confirm that all of this is done accurately, you have "Timestamping Services", "Subliminal Channel", "Undeniable Digital Signatures", "Designated Confirmer Signatures", "Proxy Signatures", "Group Signatures", "Fail-Stop Digital Signatures", "Bit Commitment", "Fair Coin Flips", "Mental Poker", "One-way Accumulators", "All-or-Nothing Disclosure of Secrets" and "Key Escrow".

Then there are more advanced methods such as "Zero-Knowledge Proofs of Identity", "Blind Signatures", Oblivious Transfer for Identity-Based Public-Key Cryptography" not to mention various Oblivious Signatures such as "Simultaneous Contract Signing", "Digital Certified Mail" and "Simultaneous Exchange of Secrets".

Of course, when you talk about Encryption, one thing that is always discussed is the length of the encryption key. So quite naturally, you'll find several of these as well for each such as "Symmetric Key Length" and "Public-Key Length" and because both of them are different, you must also compare "Symmetric and Public-Key Lengths" as well as the encryption methods themselves. The difficult of breaking an asymmetric key of the same length as a symmetric key differs as well depending on the algorythm.

Recently, we've been hearing over and over about how the "DES cracker" machine has made DES a dead technology, but what many people don't realize (most of them because they're too ignorant), is that there are various types of DES.

For symmetrical DES alone, you have ECB (Electronic CodeBook), EDE (Encrypt-Decrypt-Encrypt), CBC (Cipher Block Chaining). Then for asymmetrical DES, you have RCA.

For each of these, you then have several other options as well such as "Electronic Codebook Mode"; "Block Replay", "Stream Ciphers", "Self-Synchronizing Stream Ciphers", "Cipher-Feedback Mode"; "Synchronous Stream Ciphers", "Output-Feedback Mode", "Counter Mode", as well as various "Other Block-Cipher Modes". So you also have to compare all the different types of "Block Ciphers" to the various different"Stream Ciphers" as well to get a good grasp on the differences between the two.

Not to go into detail about any of them, but you also have (in alphabetical order): "3-WAY", "BLOWFISH", "CA-1.1", "CAST", "CRAB", "Feal-N", "GOST", "Idea", "Khufu and Khafre", "LOKI", "Lucifer", "Madryga", "Mmb", "Newdes", "RC2 & RC5", "Redoc", "SAFER K-64", "SKIPJACK" and "SXAL8/MBAL". And by the first part of next year, we can probably add a dozen or so more as well...

Then of course we cannot forget Pseudo-Random-Sequence Generators and Streams such as "A5", "Additive Generators", "Algorithm M", "GIFFORD", "HUGHES XPD/KPD", "Linear Congruential Generators", "Linear Feedback Shift Registers", "LFSRs in Software", "NANOTEQ", "PKZIP", "RAMBUTAN", "Stream Ciphers using LFSRs.

To make things even more interesting, because we have "Pseudo-Random-Sequence Generators", why not also have "Real Random-Sequence Generators" such as "Feedback with Carry Shift Registers", "Stream Ciphers Using FCSRS", "Non-Linear Feedback Shift Registers", "RC4", "SEAL", "WAKE", as well as "Other Stream Ciphers" and why not "Cascading Multiple Stream Ciphers" or "Generating Multiple Streams from a Single Pseudo-Random Sequence Generator" while your at it.

Then you need to include one of the following "HASH" functions such as "Background", "Haval", "Message Authentication Codes (MAC)", "MD2, MD4 or MD5", "N-HASH", "One-Way HASH Functions using Symmetric Block Algorithms", "RIPE-MD", "Secure Hash Algorithm (SHA)", "Snefru", "Using Public-key Algorithms", etc. For the Public-Key ALgorithms, we also have "Background", "Knapsack Algorithms", "RSA", "Pohlig-Hellman", "Rabin", "ElGamal", "McEliece", "Elliptic Curve", "LUC", etc.

Also for "Public-Key Digital Signature Algorithms", you have "Cellular Automata", "Digital Signature Algorithm (DSA)", "DISCRETE LOGARITHM SIGNATURE SCHEMES", "DSA VARIANTS", "Esign", "GOST", "Ong-Schnorr-Shamir", as well as numerous Other Public-Key Algorithms.

Basically put, there is no end to the list of possibilities, and this is only about "Encryption" and doesn't mention a thing about "User Authorization" or even more importantly "Key Management" which is the next topic I want to quickly brush through without getting into too much of the nitty gritty.

Key Management

A good example to help explain this is:

You go to the worlds largest locksmith and purchase a $10Mil lock (as of yet, unbreakable).
You then place this impenetrable lock on your front door, leave the key inside of it and drive away. Regardless of how strong that lock is, by leaving the key in the lock compromises any security that the lock itself might have been able to provide you.
Likewise, if you place the key on the ledge above the door, under your door mat or in a flower pot close by; these are the most likely places that burglars look to find easy entrance into homes.
Thus, "WHERE" and "HOW" you store your key is the whole key to breaking into your home.
Similarly, if you keep your key with you, then they must attack you to get the key. If you are weak and have no bodyguard or self protection, then your key can be compromised fairly easily.

On the other hand, if you keep you key stored in a strong box which itself is again quite strong and requires three different combinations to open, and none of those who know only one combination are known by any of the others, then you can give up on finding an easy access route through that lock & key as well as strong box combination.

A practical computer model of this could be:

If you buy a very strong encryption system from a vendor offering IPSec Triple DES encryption and leave Key Management up to a weak Key Management vendor (i.e. using SSL or other weak key management scheme), then the chances of having your keys compromised regardless of how strong the encryption method itself is.
IPSec is based around asymmetrical encryption, and the "Key Management" specifications have yet to be completed, so where does that leave you!?!?!?!?!
Under symmetrical encryption, both devices share the same DES-56 bit "Secret" key but if that "Secret" key must be electronically transmitted in clear form, it can easily be compromised, thus that "Secret" key (or "Session" Key) requires being encrypted using another DES-56 bit "Private" key which is never electronically transmitted and is unique per user/device. It usually uses a SmartCard or similar means to transport the "Private" key to the devices.
This "Private" key is then used to encrypt the "Secret" or "Session" key which changes every time a session is established, so even if (and that's a big if) one Session key is compromised, data for that session only will be ledgible to the attacker. Other sessions will be encrypted using separate session keys and the Master Key is still in tact (not compromised).
DES-56 bit has 72,000,000,000,000,000 or 72 Quadrillion permeations which the DES cracker claims that it can easily break. If a DES-56 bit key is then encrypted using another DES-56 bit key, the key itself is not plain ledgible text, thus to find out which of the 72 Quadrillion "Private" keys was used to encrypt the other DES-56 bit "Session" key would make breaking it a 72 Quadrillion to the 72 Quadrillionth power equation. Something I'd like to see a greatly modified DES cracker with new and much faster hardware attempt to take on even in the year 2000!!!
Mind you now, we're only talking about symmetrical DES-56 bit keys too. It would be much easier to break asymmetrical DES-56 bit which is the main hype around the DES cracker. That's assuming that it has a clue as to what it is looking for too!!!

Without a clue of what to look for, even asymmetrical DES-56 would become more difficult, not to mention that symmetrical DES would be even harder."

This brings me to the final point about "Encryption" and "Encryption Key Management" in that regardless of how strong of an encryption method you use, or how strong of a Key Management system you have, if strong cryptography can withstand the targeted attacks, the attacker will look for other easier ways in which to get the information (other than decryption). For example "Espionage", "Corporate Spies", "Buying Inside Information", etc. So strong encryption and key management are very important, but by themselves, they are not enough. They are definately a good beginning, but not the only components of a totally secure system (if there is such a thing!?!?!).

Let me just go back and refresh your memory on one point now... Remember that IPSec won't have their final "Key Management" specifications completed until 1Q 1999 at the earliest. Thus a really safe, corporate production environment friendly, IPSec compatible Key Management system probably won't be available until towards the end of 1999.

Now that this point has been clarified, let's move on to the next. And that concerns "Authentication" of the sender of that encrypted data as well as authentication of the integrity of that data itself.

Authentication

User Authentication

When most people hear about "Authentication", they originally think of "User Authentication", but you can also have "Device Authentication" and "Message or Packet Authentication" along with "User Authentication". Each of these plays an integral part with the other and all work together to ensure that neither the data sender has been falsified nor that any of the content of that data has been modified.

Once all of this "Authentication" has been implemented, if it were all passed in clear (unencrypted) text, it would probably be penetrable, thus to ensure it is not, you must have "Strong Encrypted Authentication" to ensure validity and integrity of both the data and the user.

In the past, "User Authentication" only meant entering a "User Name" and a "Password" combination to allow access to server data, but these schemes alone have proven time and again to be inefficient, so now a days, with everybody attached to the Internet via penetrable Firewalls, "Re-usable Passwords" alone just don't cut it anymore. Thus systems which offer "One-Time Passwords" have started to flourish, but even "One-Time Passwords" alone (without Encryption) are shown time and again to be penetrable without much trouble. Hackers have their own 500,000 word Password Libraries which will just about guarantee unauthorized access when using conventional "Re-usable Passwords" and even for some "Unencrypted One-Time Passwords".

Hackers, crackers and attackers, usually modify the IP address of packets (often called IP Address Spoofing) to hide their original addresses. To prevent this, some form of check-and-balance system is required to ensure that this data is not modified. One major drawback to this is that dial-up users receive DHCP assigned addresses from their ISP's when they call up.

Each time users call an ISP, they are assigned a DHCP IP address from within the range of addresses which that ISP has control over, thus IP address filtering becomes virtually impossible other than limiting the range of addresses assignable by that ISP, but this can be very large depending on the vendor and you have no way of assuring that a non-employee using that range isn't trying to gain access to your system because they fall within the address range of your IP filters.

And then you must allow for users to dial-in from several different ISP's due to the location(s) from which they are calling. ISP addresses in Europe are quite different than those for America and also quite different again from those in South East Asia, etc. If there is quite a distance between Home or Remote work site and Office, you have similar problems although the range is narrower.

Thus you basically render the IP address Filtering function (which most routers are well known to perform quite well) virtually useless in that to allow one user to login from around the world, you basically have to open up just about all public addresses or at least the range of IP addresses for all of the ISPs from which you will be dialing through. This opens up the possibility for anywhere from several thousand to several hundred-thousand addresses which you could use to login from. It also leaves that many holes for others to gain access to your system as well.

This means that you must use a method (other than IP Address) to identify the user and it must not be of a re-usuable password type. A One-Time password would do the job, but if the password is complex, it requires the user to type it in within a specified timeout amount of time. Because this password changes each time you login, it must be generated and if that generation method is not well protected, then it can be either copied, reproduced or regenerated via other means.

Such a method could be one of many forms, but it should be simple for the user to use, but yet complex enough to prevent unauthorized reproduction or even worse unauthorized access. It should offer a fool proof method to ensure authenticity.

Many systems on the market today offer "User Authorization" only at the initial logon process, but perform no further checking once the user has logged in. Thus it may be difficult to spoof a login, but once logged in, it's easy to spoof the IP address if there isn't some continuous (packet-per-packet) checking method of some sort set into place. Thus "Message Authentication" per packet goes hand-in-hand with "User Authentication" thus combined you have in effect a continuous "User Authentication" process, but there's more to it than just that.

Message Authentication

Continuous "Message Authentication" or "Packet Authentication" as some people call it, assures that each and every packet delivered is exactly the way it was originally sent, without modification what-so-ever. If you don't perform such a check, the chances of IP spoofing increase and there's no real way to tell whether any part of that packet was modified or not, thus integrity of that data cannot be guaranteed.

Doctoring E-mail messages (purchase orders, etc.) may seem bad enough, but if you want to conduct E-commerce or some other form of Electronic Money transfers, etc. things could get way out of proportion unless you had some way to prevent this. Imagine, you purchase a $29.95 book from Amazon.com and somebody modifies that data so that you get charged $75.00 or more. Then think about doctoring a fund-transfer of several thousand dollars or more and have it modified such that the funds are transferred to a different bank account, or what about if fraudulent transfers of similar ore greater amounts are made?

Conclusion

today

future

IPSec Not Fully Ready in it's Present Status

Thus for Internet E-commerce of any large scale is to truely come about, all of the above must be an integral part of that package. As E-commerce will expound to include millions of users throughout the world, a multi-vendor interoperable solution will be required and IPSec will probably become the future of E-commerce, but what about today?

Absolute Musts:

You must have strong (proven) encryption that works today and will be expandable in the future, but the latest encryption on the market has not yet received the corporate "approval" status yet, so the next best thing is the previously strongest system for corporate networks until such time as new technology has reached the proven stage. New technology is just to risky for anything larger than pilot test systems.
You must have strong (proven) key management to ensure the strong encryption is kept strong. Again, as IPSec standards concerning key management have yet to be finalized, how can you be assured what you want is actually what you'll get without having a good solid proven track record.
You must have a strong user authorization method to ensure the user is who he says he is. Here too, IPSec is still lacking in finalization of which user authentication method is to be used.
You must have message or packet authorization to ensure that the integrity of the data is in tact. Many software solutions that try to offer this for triple DES will find performance a major drawback with current systems. Hardware message authentication will probably be the wave of the future.

Desires/Wants:

You want to have multi-vendor compatibility in the future, but that is not possible today as the final standards are yet to be finalized.
You want to have a flexible growth path to meet your simple needs of today, but also to be able to grow into your future needs without having to completely replace the system you choose today, but which vendors will remain in the market in the future?
You want to have an inexpensive, but secure system. (You can't have your cake and eat it too!!!) Either delay purchase until the price drops or purchase strong, but expensive equipment today.
You want to have many other things, but let's be practical, "What can you get today?", "Will it really meet your needs both today and in the future?", and "Is it worth what you pay for it at today's prices?".

Security Management Blues

Just to recap from above (expounding a little as we go), you are left with the following doledrums:

Re-useable Passwords are out, but that's all that you're currently using.
IP Address Filtering doesn't mean what it used to, but that's all that your current routers will support.
Your number of mobile users are expanding in greater numbers than ever before and asking for more and more access from more and more possible remote sites.
The RAS Dial-back feature just doesn't cut it anymore, you were always worried about back-door unauthorized access through it and the cost of keeping it up isn't feasible tomorrow.
Dedicated lines to each and every possible remote access point is just out of the question.
You've just upgraded your Firewall to the latest version to cover security holes that it's previous version gave birth to shortly after you bought it.
You want to implement a Proxy Server, but have read that single-proxy servers are better than none, but still penetrable and don't have the capital to purchase nor staff to manage multi-proxy servers.
You want to just pull the plug on the Internet issue, but you'll catch all kinds of hell from end users who've become used to web-surfing and receiving E-mails via the Internet and you'll probably lose your job by even suggesting such a thing.
Everybody is placing their complete security risk in your hands and it will be your head if any security breach occurs.
To properly perform your job, you'll need Millions of dollars but you are appropriated a budget of only several Thousand in which to do the same.
New Technology is coming out quicker than you can keep up with and every vendor says that their system is the best.
You ask your tech buddies what they think is the best and receive about six or seven different response and each of them swear that their studies show that their solution is the best.
To quote a famous movie: "You've got a loaded gun pointed directly at your head... What do you do?" And this just about sums up your situation in one phrase.