Information Technology Reference
In-Depth Information
{
1. A -> B : Ca,SAi
2. B -> A : Cb,SAr
3. A -> B : Ca, Cb, p,g,Xa, Na, certreq
4. B -> A : Ca, Cb,p,g,Xb, Nb, certreq
5. A -> B : Ca,Cb, {{A,certA,Attcert,
Na,Nb,p,g,Xa,Xb, certreq}_(SK(A))^alg}_Ks
6. B -> A : Ca,Cb, {{B,certB,Nb,Na,p,g,Xa,Xb, cer-
treq}_(SK(B))^alg}_Ks
}
//Sessions and properties
s. session* {Ca,Cb,Na,Nb,p,g,Xa,Xb,Ks} A=A, B=B
assume secret (SK(B)@s.B),
secret (SK(A)@s.A),
secret(Ks@s.A),
secret(Ks@s.B)
We can divide the first phase of IKE v1 protocol into five parts. In the first part,
Principals (A, B, EDHCP for Attribute Authority and CA for Certificate Authority)
and variables (called numbers, algo and, key) are explicitly declared. It contains the
definition of all necessary Diffie Hellman parameters like n, g and the public DH
values Xa,Xb, are for the principals A, and B respectively. The two principals A and
B will be authenticated using their two constructors PK and SK that represent respec-
tively the public and private key of each principal.
The X.509 certificates of A and B concatenate the identity and the public key of
each principal under a signature. The signature is done using the private key SK(CA)
of a trusted certificate Authority (CA). The attribute certificate of the principal A is
signed with the private key of the E-DHCP attribute certificate.
The second part (commented by initial knowledge) specifies the initial knowledge
of each principal. It indicates also that some variables could be defined as public val-
ues under the 'everybody knows' syntax.
In the third part (describing the messages to be exchanged) comes a sequence of
message that is exchanged between the two principals. A message in the sequence is
expressed in the form A -> B: M, meaning that entity A sends the message M to entity
B. Typically cryptographic algorithms with special representation are required to
construct the messages that are exchanged. For example, {M}_SK(H) means that the
message M is signed with the private Key of H but {M}_K means that the message M
is encrypted with the secret key K.
The extended IKE protocol is represented with six steps providing a protection
against replay attacks, message authentication, secure session negotiation and dual
entity authentication. In the first four messages, the two entities A and B exchange
cookies (Ca, Cb), nonces (Na and Nb), security associations (SAa and SAb) and their
ephemeral public DH values n, g, Xa and Xb) that represents the group module of
DH. The two entities send also the message
certreq
forcing the use of certificates in
authentication. In the last exchange the two entities will authenticate each other with a
signature on all exchanged data. A should also send his attribute certificate explained
previously that contains all its attributes. All data except the cookie messages will be
encrypted using an encryption Key (Ks) derived from the DH and Nonces.
