3. Verification of Alice's Identity and SA Establishment: Alice sends (H_A, k(I_A)), so Bob may verify Alice via k^{-1}.
Diagram 8.13 IKE Aggressive Mode

First Pass:

    Alice  ---- ( H_A, S_A, p_A, N_A, I_A ) ---->  Bob
    Alice  <--- ( H_B, S_B, p_B, N_B, I_B, k(I_B) ) ----  Bob

Second Pass:

    Alice  ---- ( H_A, k(I_A) ) ---->  Bob
Since aggressive mode sacrifices identity protection in favour of speed, Alice and Bob may exchange identifying information before this exchange. Also, aggressive mode, unlike main mode, does not protect against a denial-of-service attack (footnote 8.8), so there is a sacrifice in security as well.
One of main or aggressive modes is used to create an IKE SA as above with a shared secret key k. Using k, a keyed hash function, and other values from phase I, they derive three more shared secret keys: k_e, to encrypt all phase-II messages; k_a, used as the HMAC key to authenticate all phase-II messages; and k_d, which is used to derive the second set of shared secret keys.
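The three-message exchange of Diagram 8.13 and the derivation of k, k_e, k_a and k_d, as an added, runnable example; it is not code from the book. It assumes X25519 in place of IKE's finite-field Diffie-Hellman groups, HMAC-SHA256 as the keyed hash, k(I) modelled as the tag prf(k, I), and the chaining order of RFC 2409 (SKEYID_d, SKEYID_a, SKEYID_e) for k_d, k_a, k_e; identities, nonces and the hash/SA strings are constructed sample values.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// prf is the keyed hash used for every derivation; HMAC-SHA256 is an assumption.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Peer is one side: identity I, ephemeral DH key (public half is p) and nonce N.
type Peer struct {
	ID    []byte
	priv  *ecdh.PrivateKey
	nonce []byte
}

func NewPeer(id string) *Peer {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader) // X25519 stands in for IKE's MODP groups
	if err != nil {
		panic(err)
	}
	n := make([]byte, 16)
	rand.Read(n)
	return &Peer{ID: []byte(id), priv: priv, nonce: n}
}

// shared returns g^xy from our private key and the peer's public value p.
func (pr *Peer) shared(p []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(p)
	if err != nil {
		return nil, err
	}
	return pr.priv.ECDH(pub)
}

// Msg carries the diagram's fields: H, S, p, N, I and the tag k(I).
type Msg struct {
	Hash, SA   string
	Pub, Nonce []byte
	ID, Tag    []byte
}

// PhaseIKeys holds k and the three keys derived from it.
type PhaseIKeys struct{ K, Kd, Ka, Ke []byte }

// DeriveKeys: k = prf(N_A || N_B, g^xy); k_d, k_a, k_e are then chained off k as RFC 2409 does.
func DeriveKeys(shared, nA, nB, idA, idB []byte) PhaseIKeys {
	k := prf(append(append([]byte{}, nA...), nB...), shared)
	kd := prf(k, shared, idA, idB, []byte{0})
	ka := prf(k, kd, shared, idA, idB, []byte{1})
	ke := prf(k, ka, shared, idA, idB, []byte{2})
	return PhaseIKeys{k, kd, ka, ke}
}

// AggressiveMode runs the three messages of Diagram 8.13 and returns each side's key set.
func AggressiveMode(alice, bob *Peer) (PhaseIKeys, PhaseIKeys, error) {
	// Message 1, Alice -> Bob: (H_A, S_A, p_A, N_A, I_A), all in the clear.
	m1 := Msg{"sha256", "aes256-cbc", alice.priv.PublicKey().Bytes(), alice.nonce, alice.ID, nil}
	// Bob does DH and key derivation for a message nobody has authenticated yet:
	// this is the work an attacker can force on him (the denial-of-service exposure).
	sharedB, err := bob.shared(m1.Pub)
	if err != nil {
		return PhaseIKeys{}, PhaseIKeys{}, err
	}
	kb := DeriveKeys(sharedB, m1.Nonce, bob.nonce, m1.ID, bob.ID)
	// Message 2, Bob -> Alice: (H_B, S_B, p_B, N_B, I_B, k(I_B)).
	m2 := Msg{m1.Hash, m1.SA, bob.priv.PublicKey().Bytes(), bob.nonce, bob.ID, prf(kb.K, bob.ID)}
	// Alice derives the same k and verifies Bob's tag before going on.
	sharedA, err := alice.shared(m2.Pub)
	if err != nil {
		return PhaseIKeys{}, PhaseIKeys{}, err
	}
	ka := DeriveKeys(sharedA, alice.nonce, m2.Nonce, alice.ID, m2.ID)
	if !hmac.Equal(m2.Tag, prf(ka.K, m2.ID)) {
		return PhaseIKeys{}, PhaseIKeys{}, fmt.Errorf("Bob's identity tag does not verify")
	}
	// Message 3, Alice -> Bob: (H_A, k(I_A)); Bob checks it against the I_A from message 1.
	m3 := Msg{Hash: m1.Hash, Tag: prf(ka.K, alice.ID)}
	if !hmac.Equal(m3.Tag, prf(kb.K, m1.ID)) {
		return PhaseIKeys{}, PhaseIKeys{}, fmt.Errorf("Alice's identity tag does not verify")
	}
	return ka, kb, nil
}

func main() {
	ka, kb, err := AggressiveMode(NewPeer("alice@example.test"), NewPeer("bob@example.test"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("k_e agreed: %v\nk_e = %x\n", hmac.Equal(ka.Ke, kb.Ke), ka.Ke)
}
```

Two things in the code are worth noting against the text. Bob's DH computation and derivation of k happen on message 1, before anything about Alice has been verified, which is exactly why the text says aggressive mode does not protect against denial of service. And k is bound to both nonces, so a replayed message 1 with a stale p_A produces a different k on Bob's side and Alice's tag in message 3 will not verify.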
For phase II, there is only one mode, whose sole purpose is to transact IP security and keying material. Alice and Bob now have an authenticated secure channel, so every packet is encrypted. They wish to negotiate a new SA, called the IPSec SA, and a secret key for bulk data encryption in IPSec part II, as well as other parameters including protocol and mode. (Note that IPSec SA, the commonly used term, should not cause confusion even though the entire process is under the IPSec umbrella. The term IPSec SA is merely used to distinguish it from the SA established in phase I under the tutelage of IKE.)
8.8 A denial-of-service attack (DoS) is one that impedes the normal functioning of communications sites. This may involve anything from disrupting an entire network to suppressing all messages to a particular target site; the opposite tactic, flooding the network or target with messages, achieves the same end.