Internet Key Exchange Protocol

PrateekBapna 9,382 views 21 slides Aug 10, 2012

Slide 1 of 21

About This Presentation

The Internet Key Exchange (IKE) protocol, described in RFC 2409, is a key management protocol standard which is used in conjunction with the IPsec standard. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IP...

Size: 408.47 KB

Language: en

Added: Aug 10, 2012

Slides: 21 pages

Slide Content

INTERNET KEY EXCHANGE PROTOCOL PRESENTED BY PRATEEK SINGH BAPNA

Described in RFC 2409 Used for Key Management in IPSec Networks Allows automatic negotiation and creation of IPSec SAs between IPSec Peers Internet Key Exchange (IKE)

IKE is a hybrid protocol based on: ISAKMP (RFC 2408), the protocol for negotiated establishment of security associations Oakley (RFC 2412), the key agreement/exchange protocol SKEME, another key exchange protocol IKE History

Expands as Internet Security Association and Key Management Protocol Establishes a secure management session between IPSec peers Negotiates SAs between IPSec peers ISAKMP

Defines the mechanisms for key exchange over the IKE session Determines AH/ESP keying material for each IPSec SA automatically By default, it uses an authenticated Diffie-Hellman Algorithm for key exchange Oakley Protocol

Algorithm for secure key exchange over unsecured channels Based on the difficulty of finding discreet algorithms Used to establish a shared secret between parties (usually the secret keys for symmetric encryption or HMACs) Diffie-Hellman Algorithm

The parties agree on two non-secret numbers , g (generator ), and p ( modulus), where g is small and p is very large Each party generates a random secret X Based on g, p, and X, each party generates a public value Y= mod p Peers then exchange public values Diffie-Hellman Algorithm (Contd.)

Diffie-Hellman in Action A Private Value, X Public Value, Y Private Value, X Public Value, Y B = mod p = mod p (Shared Secret)

IPSec needs SAs to protect traffic If no SAs are in place, IPSec will ask IKE to provide IPSec SAs IKE opens a management session with relevant peer, and negotiates all SAs and keying material for IPSec IPSec protects traffic IPSec and IKE Relationship

IPSec and IKE Relationship (Contd.) A’s Laptop B’s Laptop IPSec A IPSec B IKE A IKE B IKE Session Outbound packet from A to B, no SA 2. A’s IKE begins negotiations with B’s 3. Negotiations complete, A and B now have complete SAs in place 4. Packet is sent from A to B protected by IPSec SA

An IKE session runs over UDP (source and destination port 500) IKE session establishment results in the creation of IKE SAs IKE then establishes all requested IPSec SAs on demand IKE Protocol

IKE sessions are protected by cryptographic algorithms/protocols The peers need to agree on a bundle of algorithms and protocols, known as IKE protection suites, to protect the IKE session Protection suites can be Encryption Algorithm, Hashing MAC Algorithm, Peer Authentication Procedure, DH group for Initial Key Exchange, SA Lifetime IKE Session Protocol

IKE has 2 phases: IKE Phase 1 Uses main or aggressive mode exchange Negotiates IKE SA IKE Phase 2 Uses quick mode exchange Negotiates IPSec SAs IKE Phases and Modes

Authentication Method Pre-shared key Digital signatures (DSS or RSA) Public key encryption (RSA or El- Gamal ) Group Description (pre-defined) Group Type (negotiated) MODP (modular exponentiation group) ECP (elliptic curve group over GF[P]) EC2N (elliptic curve group over GF[ ]) Phase 1 Attributes

Group Description (for PFS) Encryption Algorithm (if any) Key Length Key Rounds Group Description (for PFS) Life duration (seconds and/or kilobytes) Encapsulation mode (transport or tunnel) Phase 2 Attributes

Expensive 1 st phase creates main SA Cheaper 2 nd phase allows to create multiple child SA (based on main SA) between same hosts Why Two-Phase Design?

To establish the IKE SA, peers have to authenticate each other (two way) 3 defined mechanisms: Pre-shared keys RSA encrypted nonce RSA signatures IKE Peer Authentication

IKE session is encrypted either by DES or 3DES Keying material is generally derived from the initial DH change In main mode, peer identity is also encrypted IKE Session Encryption

IKE uses HMAC functions to guarantee session integrity Choice between keyed SHA-1 and MD5 Keying material is generally derived from the initial DH exchange IKE Session Integrity

Interaction with other network protocols Error handling Protocol management Legacy authentication Other Aspects of IKE

Internet Key Exchange Protocol

About This Presentation

Slide Content

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

Internet Key Exchange Protocol

About This Presentation

Slide Content

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Tags

Categories

Download

Quick Actions

Statistics

Related Slideshows

DTI BPI Pivot Small Business - BUSINESS START UP PLAN

CATHOLIC EDUCATIONAL Corporate Responsibilities

Karin Schaupp – Evocation; lançamento: 2000

Pillars of Biblical Oneness in the Book of Acts

7-10. STP + Branding and Product &amp; Services Strategies.pptx

Business Legislation PPT - UNIT 1 jimllpkggg

7-10. STP + Branding and Product & Services Strategies.pptx