Thursday, September 30, 2010

IPSec Key Exchange (IKE) (2)

Posted by OurTech Team | Thursday, September 30, 2010 | Category: |

IKE Operation
So, IKE doesn't strictly implement either OAKLEY or SKEME but takes bits of each to form its own method of using ISAKMP. Clear as mud, I know. Since IKE functions within the framework of ISAKMP, its operation is based on the ISAKMP phased negotiation process. There are two phases:
  • ISAKMP Phase 1: The first phase is a “setup” stage where two devices agree on how to exchange further information securely. This negotiation between the two units creates a security association for ISAKMP itself; an ISAKMP SA. This security association is then used for securely exchanging more detailed information in Phase 2.
  • ISAKMP Phase 2: In this phase the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters for the “real” SAs for the AH and ESP protocols would be negotiated.
An obvious question is why IKE bothers with this two-phased approach; why not just negotiate the security association for AH or ESP in the first place? Well, even though the extra phase adds overhead, multiple Phase 2 negotiations can be conducted after one Phase 1, which amortizes the extra “cost” of the two-phase approach. It is also possible to use a simpler exchange method for Phase 2 once the ISAKMP security association has been established in Phase 1.
The ISAKMP security association negotiated during Phase 1 includes the negotiation of the following attributes used for subsequent negotiations:
  • An encryption algorithm to be used, such as the Data Encryption Standard (DES).
  • A hash algorithm (MD5 or SHA, as used by AH or ESP).
  • An authentication method, such as authentication using previously shared keys.
  • A Diffie-Hellman group. Diffie and Hellman were two pioneers in the industry who invented public-key cryptography. In this method, instead of encrypting and decrypting with the same key, data is encrypted using a public key knowable to anyone, and decrypted using a private key that is kept secret. A Diffie-Hellman group defines the attributes of how to perform this type of cryptography. Four predefined groups derived from OAKLEY are specified in IKE and provision is allowed for defining new groups as well.
Note that even though security associations in general are unidirectional, the ISAKMP SA is established bidirectionally. Once Phase 1 is complete, then, either device can set up a subsequent SA for AH or ESP using it.

Currently have 0 Comments:


Leave a Reply