Upon completion of this phase, authentication and key exchange are completed, and the IKE SA is established.
In what follows, we give a description of the six steps involved in the three-pass (six-message) IKE main mode, followed by an illustration. What we describe is a simplified version of the scheme, assumed to take place between Alice and Bob. In fact, IKE itself is a slimmed-down version of ISAKMP/Oakley.
Background Assumptions: For the Diffie-Hellman part of the exchange, we need the following notation. We use $(p_A, s_A)$ and $(p_B, s_B)$, respectively, for Alice's and Bob's public/secret Diffie-Hellman keys. Recall from page 166 that $(p_A, s_A) = (\alpha^x, x)$ and $(p_B, s_B) = (\alpha^y, y)$, so
$$p_B^{s_A} = p_A^{s_B} = \alpha^{xy} = k.$$
This notational assumption will be made below. Moreover, $I_A$ and $I_B$ are identifying data strings for Alice and Bob, respectively, and we assume that Alice and Bob have RSA public/private key pairs $(e_A, d_A)$ and $(e_B, d_B)$, respectively, where they have exchanged $e_A$ and $e_B$ in advance of the following.
IKE Phase I Using Main Mode
1. SA Negotiation Initialization: Alice sends Bob her list of proposed parameters, $S_A$, such as proposed encryption algorithms, hash functions, pseudorandom functions for hashing messages to be signed, and so on. These will be used to establish an IKE SA. Also contained in the message is a header, $H_A$, containing a cookie, $C_A$ (see pages 323-325), for Alice (in order to keep the session state information for her).
2. SA Agreement: Bob selects one of each of the parameters from Alice's lists in $S_A$, such as a single choice of hash function, a single choice of symmetric-key cipher (SKC), and so forth. He sends back his list of choices, $S_B$, together with a header, $H_B$, containing a cookie, $C_B$, for his session state data.
3. Key Negotiation Initialization: Alice sends Bob her Diffie-Hellman public key $p_A$, a nonce $N_A$, and $H_A$.
4. Key Generation Completion: Bob sends his Diffie-Hellman public key $p_B$, his nonce $N_B$, and his header $H_B$.
Alice and Bob independently compute $p_B^{s_A} = k$ and $p_A^{s_B} = k$, respectively.
5. Alice's Identity Verified: Alice sends
$$(H_A,\; k(I_A,\; d_A(N_A, N_B, k, p_A, p_B, C_A, C_B, S_A)))$$
to Bob, where $k(\cdot)$ denotes encryption under $k$ with the negotiated SKC and $d_A(\cdot)$ denotes signing with Alice's RSA private key. Bob is now able to use $k$ and $e_A$ to verify Alice's identity.
6. Bob's Identity Verified/SA Established: Bob sends to Alice
$$(H_B,\; k(I_B,\; d_B(N_A, N_B, k, p_A, p_B, C_A, C_B, S_B))),$$
and Alice may similarly verify Bob's identity using $k$ and $e_B$.
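The six messages above as one runnable exchange, added here as an illustration; this is not the book's code and not a real IKE implementation. Both sides' state sits in one function so that Bob's check of Alice's signature (step 5) and Alice's check of Bob's (step 6) can be read side by side, and a `tamper_nonce` switch shows what happens when an attacker rewrites $N_A$ in message 3. Everything beyond the book's notation is an assumption: the 128-bit safe-prime DH group, the 512-bit textbook RSA keys, the HMAC-SHA256 keystream standing in for the negotiated SKC, the identity strings, and the proposal strings $S_A$, $S_B$ are all constructed toy values, the headers $H_A$, $H_B$ are reduced to their cookies, and only the Python standard library is used.

```python
"""Simplified IKE Phase I main mode (six messages) in the book's notation, run end to end."""
import hashlib, hmac, random, secrets

def is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def dh_group(bits=128):  # toy size: safe prime p = 2q + 1 and a generator alpha of the order-q subgroup
    while True:
        q = random_prime(bits - 1)
        p = 2 * q + 1
        if is_probable_prime(p):
            break
    alpha = pow(random.randrange(2, p - 1), 2, p)  # a square of x != +-1 has order exactly q
    return p, q, alpha

def rsa_keypair(bits=512):  # toy size, textbook RSA: public (e, n), private (d, n)
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, n), (pow(e, -1, phi), n)

def encode(*fields):  # canonical length-prefixed encoding of the tuple that gets signed
    out = b""
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        out += len(b).to_bytes(4, "big") + b
    return out

def decode(blob):
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields
digest = lambda data: int.from_bytes(hashlib.sha256(data).digest(), "big")
rsa_sign = lambda priv, data: pow(digest(data), *priv)            # d_X(...) in the book's notation
rsa_verify = lambda pub, data, sig: pow(sig, *pub) == digest(data)

def encrypt(k, label, data):  # k(...) in the book's notation; HMAC-SHA256 counter keystream, one key per direction
    key = hmac.new(str(k).encode(), label, hashlib.sha256).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)  # XOR keystream, so the same call decrypts

def main_mode(tamper_nonce=False):
    """Run the six messages; return (bob_accepts_alice, alice_accepts_bob, keys_agree)."""
    p, q, alpha = dh_group()
    (e_A, d_A), (e_B, d_B) = rsa_keypair(), rsa_keypair()  # RSA pairs exchanged in advance
    I_A, I_B = b"alice@example.test", b"bob@example.test"   # constructed identities
    # 1. Alice proposes S_A with cookie C_A;  2. Bob answers with his choices S_B and cookie C_B
    S_A = b"enc=aes-cbc,3des;hash=sha256,sha1;prf=hmac-sha256"  # constructed proposal strings
    S_B = b"enc=aes-cbc;hash=sha256;prf=hmac-sha256"
    C_A, C_B = secrets.token_bytes(8), secrets.token_bytes(8)
    # 3./4. Diffie-Hellman public keys and nonces cross; each side derives k = alpha^(xy)
    s_A, s_B = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    p_A, p_B = pow(alpha, s_A, p), pow(alpha, s_B, p)
    N_A, N_B = secrets.token_bytes(16), secrets.token_bytes(16)
    k_A, k_B = pow(p_B, s_A, p), pow(p_A, s_B, p)
    N_A_at_bob = bytes(16) if tamper_nonce else N_A  # an attacker rewrote the nonce in message 3
    # 5. Alice -> Bob: (H_A, k(I_A, d_A(N_A, N_B, k, p_A, p_B, C_A, C_B, S_A)))
    sig_A = rsa_sign(d_A, encode(N_A, N_B, k_A, p_A, p_B, C_A, C_B, S_A))
    msg5 = encrypt(k_A, b"A->B", encode(I_A, sig_A))
    ident, sig = decode(encrypt(k_B, b"A->B", msg5))
    bob_ok = ident == I_A and rsa_verify(e_A, encode(N_A_at_bob, N_B, k_B, p_A, p_B, C_A, C_B, S_A), int(sig))
    # 6. Bob -> Alice: (H_B, k(I_B, d_B(N_A, N_B, k, p_A, p_B, C_A, C_B, S_B)))
    sig_B = rsa_sign(d_B, encode(N_A_at_bob, N_B, k_B, p_A, p_B, C_A, C_B, S_B))
    msg6 = encrypt(k_B, b"B->A", encode(I_B, sig_B))
    ident, sig = decode(encrypt(k_A, b"B->A", msg6))
    alice_ok = ident == I_B and rsa_verify(e_B, encode(N_A, N_B, k_A, p_A, p_B, C_A, C_B, S_B), int(sig))
    return bob_ok, alice_ok, k_A == k_B
```

`main_mode()` returns `(True, True, True)`; `main_mode(tamper_nonce=True)` returns `(False, False, True)`, since both parties still derive the same $k$ but each signature covers a nonce the other side never saw. Two design choices worth noting: the keystream key is derived separately per direction, because encrypting messages 5 and 6 under one XOR keystream would be a two-time pad; and real IKEv1 (RFC 2409) signs a PRF-keyed hash (HASH_I, HASH_R) over the exchanged values and derives its encryption and authentication keys from the shared secret rather than putting $k$ itself into the signed tuple, which the book's simplified form does.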