IKE Phase II — Quick Mode
1. Alice sends the following, where $k_e(\cdot)$ denotes encryption under the phase-I key $k_e$; $S_{ID}$ is a 32-bit session ID that distinguishes this phase-II session setup from any other; $SA_2$ is Alice's list of proposed parameters for the IPSec SA; and $N_A$ is a fresh nonce that uniquely identifies Alice's message, to thwart replay attacks:
$k_e(C_A, C_B, S_{ID}, SA_2, N_A)$.
2. Bob responds with the following, where $SB_2$ is his list of choices from $SA_2$; $SPI_B$ is his security parameters index (see page 303); and $N_B$ is his own fresh nonce identifying his message. The final component, $k_a(N_A)$, is Alice's nonce processed under the phase-I key $k_a$, which lets her confirm that the reply is a fresh response to her message in step 1:
$k_e(C_A, C_B, SPI_B, SB_2, N_B, k_a(N_A))$.
3. Alice acknowledges receipt by sending $k_e(N_B)$.
4. Using $k_d$, in part, Alice and Bob independently compute the same secret key $K$, which they will use in Part II for bulk data encryption.
In phase II there is an option to perform a fresh Diffie-Hellman exchange and use the resulting shared secret, together with $k_d$, in computing $K$. Since that fresh secret is not derived from any previously shared secret, the resulting $K$ has what is called perfect forward secrecy (PFS)$^{8.9}$: a compromise of the phase-I secret $k$, or of a single session's D-H secret, does not expose the data encrypted under the other sessions' keys. Without PFS, if $k$ is compromised, then every secret derived from it, including $k_d$ and hence every $K$ computed in phase II, is compromised along with all the data those keys protect. However, this D-H option is not the automatic default, since a new D-H exchange is costly in time.
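The four steps above and the PFS option, as an added worked example that is not from the original text: a Python model of the Quick Mode exchange in which Alice and Bob exchange the three messages, derive $K$ from $k_d$ and the nonces, and optionally fold in a fresh D-H secret. Everything not stated in the text is an assumption: the phase-I secret $k$ and the way $k_d$, $k_e$, $k_a$ are split off from it are stand-ins, the "$k_e(\cdot)$" encryption is an HMAC-SHA256 keystream rather than a negotiated cipher, the proposal list $SA_2$ is constructed, and the D-H group is RFC 2409 Oakley group 2. The attacker function plays an eavesdropper who records the exchange and later obtains $k$, which is exactly the compromise the PFS paragraph describes.

```python
"""Toy model of IKE Quick Mode, with and without the Diffie-Hellman PFS option.

Constructed illustration, not an IKE implementation: the phase-I secret k and the
split of k_d, k_e, k_a from it are stand-ins; "k_e(...)" is an HMAC-SHA256
keystream rather than a negotiated cipher; the proposal list SA_2 is made up. The
D-H group is RFC 2409 Oakley group 2 (1024-bit MODP, g = 2); too small for new
deployments, it is used only because it is the group of that era."""
import hashlib, hmac, os, secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def pack(*fields: bytes) -> bytes:
    """Length-prefix each field so concatenations are unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(data: bytes) -> list:
    out, i = [], 0
    while i < len(data):
        n = int.from_bytes(data[i:i + 2], "big")
        out.append(data[i + 2:i + 2 + n]); i += 2 + n
    return out

def prf(key: bytes, *fields: bytes) -> bytes:
    """Keyed hash used for k_a(.), the phase-I key split and the K derivation."""
    return hmac.new(key, pack(*fields), hashlib.sha256).digest()

def phase1_keys(k: bytes) -> dict:
    """Stand-in: k_d, k_e and k_a are all derived from the phase-I secret k."""
    return {name: prf(k, name.encode()) for name in ("k_d", "k_e", "k_a")}

def k_e_apply(k_e: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for k_e(...): XOR with an HMAC keystream; the same call decrypts."""
    stream = b"".join(prf(k_e, iv, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def k_e_encrypt(k_e: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(16)
    return iv + k_e_apply(k_e, iv, plaintext)

def k_e_decrypt(k_e: bytes, c: bytes) -> bytes:
    return k_e_apply(k_e, c[:16], c[16:])

def dh_shared(peer_pub: bytes, exp: int) -> bytes:
    """g^xy from the peer's public value; reject the degenerate values 0, 1, p-1."""
    gp = int.from_bytes(peer_pub, "big")
    if not 1 < gp < P - 1:
        raise ValueError("invalid D-H public value")
    return pow(gp, exp, P).to_bytes(128, "big")

def quick_mode(k: bytes, pfs: bool) -> dict:
    """Run the three Quick Mode messages; return both sides' K and the transcript."""
    keys = phase1_keys(k)
    k_d, k_e, k_a = keys["k_d"], keys["k_e"], keys["k_a"]
    C_A, C_B, S_ID = os.urandom(8), os.urandom(8), os.urandom(4)
    SA_2 = b"ESP tunnel AES-CBC/HMAC-SHA1 | ESP tunnel 3DES/HMAC-MD5"  # constructed
    # 1. Alice -> Bob: k_e(C_A, C_B, S_ID, SA_2, N_A [, g^x])
    N_A = os.urandom(16)
    x = secrets.randbelow(P - 2) + 1 if pfs else 0
    ke_alice = pow(G, x, P).to_bytes(128, "big") if pfs else b""
    msg1 = k_e_encrypt(k_e, pack(C_A, C_B, S_ID, SA_2, N_A, ke_alice))
    # 2. Bob -> Alice: k_e(C_A, C_B, SPI_B, SB_2, N_B [, g^y], k_a(N_A))
    _, _, _, sa_2, n_a, ke_a = unpack(k_e_decrypt(k_e, msg1))
    SB_2 = sa_2.split(b" | ")[0]                       # Bob's choice from SA_2
    SPI_B, N_B = os.urandom(4), os.urandom(16)
    y = secrets.randbelow(P - 2) + 1 if pfs else 0
    ke_bob = pow(G, y, P).to_bytes(128, "big") if pfs else b""
    msg2 = k_e_encrypt(k_e, pack(C_A, C_B, SPI_B, SB_2, N_B, ke_bob, prf(k_a, n_a)))
    # 3. Alice checks that k_a(N_A) ties the reply to her message, then sends k_e(N_B)
    _, _, spi_b, _, n_b, ke_b, tag = unpack(k_e_decrypt(k_e, msg2))
    if not hmac.compare_digest(tag, prf(k_a, N_A)):
        raise ValueError("message 2 failed the k_a(N_A) check: replay or forgery")
    msg3 = k_e_encrypt(k_e, pack(n_b))
    # 4. Both sides derive K from k_d, SPI_B and the nonces, plus g^xy under PFS
    gxy_a = dh_shared(ke_b, x) if pfs else b""
    gxy_b = dh_shared(ke_a, y) if pfs else b""
    return {"K_alice": prf(k_d, gxy_a, spi_b, N_A, n_b),
            "K_bob": prf(k_d, gxy_b, SPI_B, n_a, N_B),
            "transcript": (msg1, msg2, msg3)}

def attacker_with_phase1_secret(k: bytes, transcript: tuple) -> bytes:
    """Eavesdropper who recorded the exchange and later learns the phase-I secret k.
    k_e decrypts every message, giving SPI_B, N_A, N_B and, under PFS, the public
    values g^x and g^y; the private exponents, and so g^xy, stay out of reach."""
    keys = phase1_keys(k)
    _, _, _, _, n_a, _ = unpack(k_e_decrypt(keys["k_e"], transcript[0]))
    _, _, spi_b, _, n_b, _, _ = unpack(k_e_decrypt(keys["k_e"], transcript[1]))
    return prf(keys["k_d"], b"", spi_b, n_a, n_b)

def pfs_demo() -> dict:
    """Map pfs -> whether compromise of k let the attacker recover K."""
    k = os.urandom(32)                                  # phase-I secret (constructed)
    outcome = {}
    for pfs in (False, True):
        run = quick_mode(k, pfs)
        assert run["K_alice"] == run["K_bob"], "both sides must derive the same K"
        outcome[pfs] = attacker_with_phase1_secret(k, run["transcript"]) == run["K_alice"]
    return outcome

if __name__ == "__main__":
    print(pfs_demo())   # {False: True, True: False}
```

Running `pfs_demo()` returns `{False: True, True: False}`: without the D-H option, knowing the phase-I secret is enough to reconstruct $K$ from the recorded messages, because every input to the derivation is either derived from $k$ or sent under $k_e$; with the option, the derivation also needs $g^{xy}$, which the recorded $g^x$ and $g^y$ do not give away. The `dh_shared` check rejecting $0$, $1$ and $p-1$ is the minimum a receiver should do before using a peer's public value.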
Part I Summary: In phase I, Alice and Bob established an IKE SA and the shared secret keys used in phase II. This makes phase II an efficient mechanism, since (without the D-H option) only SKC keys are used rather than PKC operations. In phase II, using the phase-I keys, they establish an IPSec SA and thereby a shared secret key for bulk data encryption, as well as the other parameters of the IPSec SA not explicitly shown above (such as protocol and mode). There is a lifetime associated with the IPSec SA; once it expires, Alice's and Bob's computers automatically negotiate a new IPSec SA without Alice and Bob being involved, so the process is transparent to them.
Diagram 8.14 IPSec Part I — Summary

  Phase I:   D-H keys and nonces      −−−−→   IKE SA and secret key k
  Phase II:  secret key k and nonces  −−−−→   IPSec SA and secret key K
8.9 This is not related to Shannon's notion of perfect secrecy, which we will study in Chapter 11, nor to the forward secrecy we discussed on page 200.