Cryptography Reference
such as antireplay protection, as well as on-demand creation of SAs for the
purposes of, say, session-key creation. Although IPSec supports many standards,
IKE is the default IPSec key-exchange protocol.
IPSec is divided into two major parts: part one consists of user
authentication and key exchange using IKE, and part two consists of bulk data
confidentiality and integrity for message and file transfer.
IPSec Part I: IKE Identity Authentication and Key Exchange
Internet Key Exchange (IKE)
What is IKE? : IKE is an IPSec standard used to ensure security for VPN
negotiations and access to networks or remote hosts. IKE is specified in RFC
2409 [212], which specifies an automatic mechanism for establishing security,
and does so without the preconfiguration necessary for manual mode, which we
discussed above. IKE is a hybrid protocol that evolved from two older protocols
called Oakley and SKEME with an ISAKMP (Internet Security Association
and Key Management Protocol) TCP/IP-based configuration. The Oakley
protocol defines a sequence of key exchanges and specifies their services, typically
authentication and identity protection. SKEME is a protocol that defines the
methodology for negotiating key exchange.
Why Use IKE? : Although it is not specified that IPSec use IKE, its
employment ensures automatic authentication for antireplay security; certification
authority services; and on-demand change of IPSec session-based encryption
keys (among other built-in services).
How Does IKE Work? : There are two phases to IPSec IKE. In phase one,
two IKE peers establish a secure authentication communication channel via an
IKE SA and establish a shared secret key. In phase two, the secret key and
secure IKE SA, established in phase one, are used to send encrypted messages. In
these messages, they agree upon secret keys for bulk encryption, cryptographic
methods for using them, and other parameters. Different modes for IKE are
available for accomplishing the above.
IKE Modes
Main Mode : In this mode, there is a three-pronged approach for creating
the first phase of an IKE SA, which is used for later transactions. This is similar
to the initial phase of SSL/TLS where negotiation to determine cryptographic
parameters is done largely in plaintext.
In main mode, there is a six-step message exchange between, say, Alice and
Bob, consisting of three two-way passes.
(1) They agree on cryptographic algorithms for use as the IKE SA.
(2) They exchange public keys to be used for Diffie-Hellman exchange, and
exchange nonces.
(3) They verify identities via signed nonces.
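The three passes above can be traced in code. The following is an added example, not taken from the book: it swaps the signed nonces of step (3) for the pre-shared-key authentication that RFC 2409 also defines (the Python standard library has no signature primitive), uses a toy prime rather than an Oakley group, and HMAC-SHA256 as the pseudo-random function. The names Peer, prf, i2b, auth_hash and main_mode, and all sample values, are hypothetical.

```python
import hashlib, hmac, secrets

# Toy MODP group for illustration only (2**127 - 1 is prime); NOT an Oakley group.
P, G = 2**127 - 1, 2

def prf(key, data):
    """HMAC-SHA256 standing in for the negotiated pseudo-random function."""
    return hmac.new(key, data, hashlib.sha256).digest()

def i2b(n):
    return n.to_bytes(16, "big")

class Peer:  # hypothetical helper, one instance per IKE peer
    def __init__(self, ident, psk, proposals):
        self.ident, self.psk, self.proposals = ident, psk, proposals
        self.cookie = secrets.token_bytes(8)       # ISAKMP cookie (CKY)
        self.x = secrets.randbelow(P - 3) + 2      # DH private value
        self.pub = pow(G, self.x, P)               # DH public value
        self.nonce = secrets.token_bytes(16)

    def derive(self, peer_pub, ni, nr, cky_i, cky_r):
        """RFC 2409 pre-shared-key derivation of SKEYID and SKEYID_d/_a/_e."""
        tail = i2b(pow(peer_pub, self.x, P)) + cky_i + cky_r
        self.skeyid = prf(self.psk, ni + nr)
        d = prf(self.skeyid, tail + b"\x00")
        a = prf(self.skeyid, d + tail + b"\x01")
        e = prf(self.skeyid, a + tail + b"\x02")
        return d, a, e

def auth_hash(skeyid, own_pub, peer_pub, own_cky, peer_cky, sai_b, ident):
    """HASH_I / HASH_R: binds the DH values, cookies, SA offer and identity."""
    return prf(skeyid, i2b(own_pub) + i2b(peer_pub) + own_cky + peer_cky + sai_b + ident)

def main_mode(init, resp):
    # Pass 1 (messages 1-2): initiator offers, responder picks the first match.
    sa = next((p for p in init.proposals if p in resp.proposals), None)
    if sa is None:
        raise ValueError("no proposal chosen")
    sai_b = ",".join(init.proposals).encode()      # stand-in for the SA payload body
    # Pass 2 (messages 3-4): DH public values and nonces cross the wire.
    ck = (init.cookie, resp.cookie)
    ki = init.derive(resp.pub, init.nonce, resp.nonce, *ck)
    kr = resp.derive(init.pub, init.nonce, resp.nonce, *ck)
    # Pass 3 (messages 5-6): each side sends its ID and HASH; the peer recomputes it
    # with its own SKEYID. (Encryption of this pass under SKEYID_e is omitted.)
    hash_i = auth_hash(init.skeyid, init.pub, resp.pub, *ck, sai_b, init.ident)
    hash_r = auth_hash(resp.skeyid, resp.pub, init.pub, *ck[::-1], sai_b, resp.ident)
    ok_i = hmac.compare_digest(hash_i, auth_hash(resp.skeyid, init.pub, resp.pub, *ck, sai_b, init.ident))
    ok_r = hmac.compare_digest(hash_r, auth_hash(init.skeyid, resp.pub, init.pub, *ck[::-1], sai_b, resp.ident))
    return {"sa": sa, "keys_match": ki == kr, "authenticated": ok_i and ok_r}
```

Because the hash covers the initiator's whole offer and both Diffie-Hellman values, a peer holding a different pre-shared key fails pass 3 even though passes 1 and 2 complete.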