The IKE (Internet Key Exchange) Protocol

Sheila Frankel

Systems and Network Security Group

NIST

sheila.frankel@nist.gov

IKE Overview
  • Negotiate:
    • Communication Parameters
    • Security Features
  • Authenticate Communicating Peer
  • Protect Identity
  • Generate, Exchange, and Establish Keys in a Secure Manner
  • Manage and Delete Security Associations
IKE Overview (continued)
  • Threat Mitigation
    • Denial of Service
    • Replay
    • Man in Middle
    • Perfect Forward Secrecy (PFS)
  • Usable by IPsec and other domains
IKE Overview (continued)
  • Components:
    • Internet Security Association and Key Management Protocol (ISAKMP): RFC 2408
    • Internet Key Exchange (IKE): <draft-ietf-ipsec-ike-01.txt>
    • Oakley Key Determination Protocol: RFC 2412
    • IPSec Domain of Interpretation (IPsec DOI): RFC 2407

Constructs Underlying IKE
  • Security Association (SA)
  • Security Association Database (SAD)
  • Security Parameter Index (SPI)
IKE Negotiations - Phase 1
  • Purpose:
    • Establish ISAKMP SA (“Secure Channel”)
  • Steps (4-6 messages exchanged):
    • Negotiate Security Parameters
    • Diffie-Hellman Exchange
    • Authenticate Identities
  • Main Mode vs. Aggressive Mode vs. Base Mode
Phase 1 Attributes
  • Authentication Method
    • Pre-shared key
    • Digital signatures (DSS or RSA)
    • Public key encryption (RSA or El-Gamal)
  • Group Description (pre-defined)
  • Group Type (negotiated)
    • MODP (modular exponentiation group)
    • ECP (elliptic curve group over GF[P])
    • EC2N (elliptic curve group over GF[2^N])
Phase 1 Attributes (continued)
  • MODP Group Characteristics
    • Prime
    • Generator
  • EC2N Group Characteristics
    • Field Size
    • Irreducible Polynomial
    • Generators (One and Two)
    • Curves (A and B)
    • Order
Phase 1 Attributes (continued)
  • Encryption algorithm
    • Key Length
    • Block size
  • Hash algorithm
  • Life duration (seconds and/or kilobytes)
IKE’s Pre-Defined Groups
  • MODP
    • Prime: 768-bit, 1024-bit, 1536-bit
    • Generator: 2
  • EC2N
    • GF[2^155], GF[2^185]
    • GF[2^163] (2 groups), GF[2^283] (2 groups)
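Main Mode: Authentication with Pre-Shared Keys
  • Message 1 (Initiator → Responder): HDR | SA
  • Message 2 (Responder → Initiator): HDR | SA
  • Message 3 (Initiator → Responder): HDR | KE | Ni
  • Message 4 (Responder → Initiator): HDR | KE | Nr
  • Message 5 (Initiator → Responder): HDR* | IDi1 | HASH_I
  • Message 6 (Responder → Initiator): HDR* | IDr1 | HASH_R
  • HDR contains CKY-I | CKY-R
  • KE = g^i (Initiator) or g^r (Responder)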

Main Mode: Authentication with Digital Signatures
  • Message 1 (Initiator → Responder): HDR | SA
  • Message 2 (Responder → Initiator): HDR | SA
  • Message 3 (Initiator → Responder): HDR | KE | Ni
  • Message 4 (Responder → Initiator): HDR | KE | Nr
  • Message 5 (Initiator → Responder): HDR* | IDi1 | [CERT | ] SIG_I
  • Message 6 (Responder → Initiator): HDR* | IDr1 | [CERT | ] SIG_R
  • HDR contains CKY-I | CKY-R
  • KE = g^i (Initiator) or g^r (Responder)
  • SIG_I/SIG_R = digital sig of HASH_I/HASH_R

Main Mode: Authentication with Public Key Encryption
  • Message 1 (Initiator → Responder): HDR | SA
  • Message 2 (Responder → Initiator): HDR | SA
  • Message 3 (Initiator → Responder): HDR | KE | [HASH(1) | ] <IDi1_b>PubKey_r | <Ni_b>PubKey_r
  • Message 4 (Responder → Initiator): HDR | KE | <IDr1_b>PubKey_i | <Nr_b>PubKey_i
  • Message 5 (Initiator → Responder): HDR* | HASH_I
  • Message 6 (Responder → Initiator): HDR* | HASH_R
  • HDR contains CKY-I | CKY-R
  • KE = g^i (Initiator) or g^r (Responder)

Main Mode: Authentication with Revised Public Key Encryption
  • Message 1 (Initiator → Responder): HDR | SA
  • Message 2 (Responder → Initiator): HDR | SA
  • Message 3 (Initiator → Responder): HDR | [HASH(1) | ] <Ni_b>PubKey_r | <KE_b>Ke_i | <IDi1_b>Ke_i [ | <CERT-I_b>Ke_i]
  • Message 4 (Responder → Initiator): HDR | <Nr_b>PubKey_i | <KE_b>Ke_r | <IDr1_b>Ke_r
  • Message 5 (Initiator → Responder): HDR* | HASH_I
  • Message 6 (Responder → Initiator): HDR* | HASH_R
  • HDR contains CKY-I | CKY-R
  • KE = g^i (Initiator) or g^r (Responder)
  • Ke_i/r = symmetric key from Ni/r_b and CKY_I/R

Key Derivation
  • SKEYID
    • Pre-shared keys: HMAC_H(pre-shared-key, Ni_b | Nr_b)
    • Digital signatures: HMAC_H(H(Ni_b | Nr_b), g^ir)
    • Public key encryption: HMAC_H(H(Ni_b | Nr_b), CKY-I | CKY-R)

Key Derivation (continued)
  • SKEYID_d (used to derive keying material for IPsec SA): HMAC_H(SKEYID, g^ir | CKY-I | CKY-R | 0)
  • SKEYID_a (auth key for ISAKMP SA): HMAC_H(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1)
  • SKEYID_e (enc key for ISAKMP SA): HMAC_H(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2)

Hash Calculations
  • HASH_I: HMAC_H(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b)
  • HASH_R: HMAC_H(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b)
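
The Phase 1 key derivation and HASH_I/HASH_R calculations above, run end to end for the pre-shared-key method over the 768-bit MODP group. This is an added example, not part of the original presentation; it assumes H = SHA-1, a fixed-width encoding of the Diffie-Hellman values, and constructed stand-ins for the SA and ID payload bodies.

```python
import hashlib
import hmac
import secrets

# Oakley Group 1 prime (768-bit MODP) as published in RFC 2409; generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    # HMAC_H from the slides; H = SHA-1 is an assumption (H is negotiated).
    return hmac.new(key, data, hashlib.sha1).digest()

def enc(n):
    return n.to_bytes(96, "big")  # fixed-width 768-bit encoding (assumption)

def derive(psk, ni, nr, g_i, g_r, g_ir, cky_i, cky_r, sa_i, id_i, id_r):
    """Phase 1 keys and authentication hashes, pre-shared-key method."""
    skeyid = prf(psk, ni + nr)
    tail = g_ir + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")        # SKEYID_d
    a = prf(skeyid, d + tail + b"\x01")    # SKEYID_a chains on SKEYID_d (RFC 2409)
    e = prf(skeyid, a + tail + b"\x02")    # SKEYID_e chains on SKEYID_a
    hash_i = prf(skeyid, g_i + g_r + cky_i + cky_r + sa_i + id_i)
    hash_r = prf(skeyid, g_r + g_i + cky_r + cky_i + sa_i + id_r)
    return {"d": d, "a": a, "e": e, "HASH_I": hash_i, "HASH_R": hash_r}

def main_mode_psk(psk_initiator, psk_responder):
    """Simulate messages 3-6; return (responder accepts HASH_I, keys agree)."""
    i, r = (secrets.randbelow(P - 3) + 2 for _ in range(2))    # DH secrets
    g_i, g_r = pow(G, i, P), pow(G, r, P)                      # KE payloads
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # Ni_b, Nr_b
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Constructed payload bodies standing in for SAi_b, IDi1_b, IDr1_b.
    sa_i, id_i, id_r = b"SA-proposal", b"initiator.example", b"responder.example"
    common = (ni, nr, enc(g_i), enc(g_r))
    rest = (cky_i, cky_r, sa_i, id_i, id_r)
    init = derive(psk_initiator, *common, enc(pow(g_r, i, P)), *rest)
    resp = derive(psk_responder, *common, enc(pow(g_i, r, P)), *rest)
    # The responder recomputes HASH_I and compares in constant time.
    accepted = hmac.compare_digest(init["HASH_I"], resp["HASH_I"])
    return accepted, init["e"] == resp["e"]

if __name__ == "__main__":
    print("matching PSK:  ", main_mode_psk(b"s3cret", b"s3cret"))
    print("mismatched PSK:", main_mode_psk(b"s3cret", b"wrong"))
```

Because SKEYID is keyed by the pre-shared key, a peer holding the wrong key computes a different HASH_I and different session keys even though the Diffie-Hellman exchange itself succeeds.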

IKE Negotiations - Phase 2
  • Purpose:
    • Establish IPsec SA
  • Steps (3-4 messages exchanged):
    • Negotiate Security Parameters
    • Optional Diffie-Hellman Exchange (for PFS)
    • Optional Exchange of Identities
    • Final Verification
  • Quick Mode
  • New Groups Mode
Phase 2 Attributes
  • Group description (for PFS)
  • Encryption algorithm (if any)
    • Key length
    • Key rounds
  • Authentication algorithm (if any)
  • Life duration (seconds and/or kilobytes)
  • Encapsulation mode (transport or tunnel)
Quick Mode
  • Message 1 (Initiator → Responder): HDR* | HASH(1) | SA | Ni [ | KE] [ | IDi2 | IDr2]
  • Message 2 (Responder → Initiator): HDR* | HASH(2) | SA | Nr [ | KE] [ | IDi2 | IDr2]
  • Message 3 (Initiator → Responder): HDR* | HASH(3)
  • HDR contains CKY-I | CKY-R
  • KE (for PFS) = g^i (Initiator) or g^r (Responder)

Key Derivation
  • KEYMAT (no PFS): HMAC_H(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
  • KEYMAT (with PFS): HMAC_H(SKEYID_d, g^ir (QM) | protocol | SPI | Ni_b | Nr_b)
  • Expanded KEYMAT (if needed):
    • K2 = HMAC_H(SKEYID_d, KEYMAT | [g^ir (QM) | ] protocol | SPI | Ni_b | Nr_b)
    • K3 = HMAC_H(SKEYID_d, K2 | [g^ir (QM) | ] protocol | SPI | Ni_b | Nr_b) etc.
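
The KEYMAT expansion above, carried through for one ESP SA pair that needs more key bytes than a single HMAC output provides. This is an added example, not part of the original presentation; it assumes H = SHA-1, a one-octet protocol field, and constructed values for SKEYID_d, the nonces and the SPIs.

```python
import hashlib
import hmac

PROTO_IPSEC_ESP = 3  # IPsec DOI protocol ID for ESP (RFC 2407)

def prf(key, data):
    # HMAC_H from the slides; H = SHA-1 is an assumption (H is negotiated).
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, protocol, spi, ni_b, nr_b, length, g_ir_qm=b""):
    """Derive `length` bytes of keying material for one IPsec SA.

    g_ir_qm is the Quick Mode Diffie-Hellman secret; it stays empty when
    PFS was not negotiated.
    """
    seed = g_ir_qm + bytes([protocol]) + spi + ni_b + nr_b
    block = prf(skeyid_d, seed)              # KEYMAT
    out = block
    while len(out) < length:                 # K2, K3, ...: chain on previous block
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]

def esp_keys(skeyid_d, spi, ni_b, nr_b, enc_len, auth_len, g_ir_qm=b""):
    """Split KEYMAT for ESP: encryption key first, then authentication key."""
    km = keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b,
                enc_len + auth_len, g_ir_qm)
    return km[:enc_len], km[enc_len:]

# Constructed sample values, not taken from a real negotiation.
SKEYID_D = bytes(range(20))
NI_B, NR_B = b"initiator-nonce!", b"responder-nonce!"
SPI_IN, SPI_OUT = bytes.fromhex("1a2b3c4d"), bytes.fromhex("5e6f7081")

if __name__ == "__main__":
    # 3DES (24 bytes) + HMAC-SHA1 (20 bytes) needs three 20-byte PRF blocks.
    for name, spi in (("inbound", SPI_IN), ("outbound", SPI_OUT)):
        enc_key, auth_key = esp_keys(SKEYID_D, spi, NI_B, NR_B, 24, 20)
        print(name, enc_key.hex(), auth_key.hex())
```

The SPI is part of the PRF input, so the two directions of the SA pair get unrelated keys from the same SKEYID_d and nonces.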

Hash Calculations
  • HASH(1): HMAC_H(SKEYID_a, Message_ID | contents of Message #1)
  • HASH(2): HMAC_H(SKEYID_a, Message_ID | Ni_b | contents of Message #2)
  • HASH(3): HMAC_H(SKEYID_a, 0 | Message_ID | Ni_b | Nr_b)

New Groups Mode
  • Message 1 (Initiator → Responder): HDR* | HASH | SA
  • Message 2 (Responder → Initiator): HDR* | HASH | SA
Contact Information
  • For further information, contact:
    • Sheila Frankel: sheila.frankel@nist.gov