• The main goal of IKE is to establish an SA between two parties that wish to communicate securely using IPSec.
• IKE borrows heavily from two major sources; one is the Internet Security Association and Key Management Protocol (ISAKMP), which defines the formats of various entities such as the digital signature and the digital certificate.
• IKE is composed of two phases: Phase 1 and Phase 2. In Phase 1 the longer-term keys are derived; in Phase 2 the shorter-term keys are derived.

Basic IPSec Operation
• Step 1: Interesting traffic initiates IPSec
• Step 2: IKE Phase 1 - Set up IKE SA
• Step 3: IKE Phase 2 - Set up IPSec SA
• Step 4: Data transfer
• Step 5: IPSec terminates

IKE Phase 1
The following are accomplished in IKE Phase 1:
• The authentication method, the encryption and hash algorithms, and the Diffie-Hellman group to be used are negotiated.
• Both parties authenticate themselves to each other.
• Two different keys are generated, one in Phase 1 and one in Phase 2, which are then used for message integrity protection and encryption.
• Cookies are created at the start of Phase 1 and serve as an IKE connection identifier.

IKE Phase 1 (contd)
• Phase 1 uses one of two modes: Main Mode and Aggressive Mode.
• Main Mode involves a total of six messages between the initiator (A) and the responder (B). The motivation for introducing Main Mode is to hide the identities of the sender and the receiver from eavesdroppers.
• Aggressive Mode uses only three messages.
• To perform mutual authentication, IKE assumes that either A and B share a secret, or A and B each have a public-key/private-key pair.

Phase 1: Main Mode
In Main Mode, Alice starts by giving all the cryptographic algorithms she supports, in order of preference, and Bob responds by making a choice. In Aggressive Mode, Alice can also propose cryptographic algorithms, but since she has to send a Diffie-Hellman number she has to specify a unique flavour of Diffie-Hellman (e.g. p and g) and hope Bob supports it.
Messages 5 and 6 authenticate, hiding the endpoints' identities.

Phase 1: Aggressive Mode

IKE Phase 2
• Under cover of an existing IKE SA, the two parties take part in an IKE Phase 2 exchange in order to establish a new IPSec SA.
• The IPSec SA set up in Phase 2 includes the mutually agreed upon cryptographic suite and the secret keys for authentication and/or encryption.
• Negotiates the IPSec security parameters, known as IPSec transform sets.
• Optionally performs an additional DH exchange.
• Periodically renegotiates IPSec SAs to ensure security.
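The following is an added illustration, not code from the original slides, that models the Phase 1 message flows described above (six-message Main Mode versus three-message Aggressive Mode) and the Phase 2 step of pulling IPSec SA keys out of the Phase 1 result. Everything in it is an assumption of the example: the names Peer, main_mode, aggressive_mode, identities_in_clear and phase2_keymat are mine; the Diffie-Hellman group is a constructed toy group far too small for real use; authentication is by pre-shared key with HMAC-SHA256 as the prf; the SKEYID / SKEYID_d,a,e / HASH / KEYMAT derivations follow the shape of IKEv1 pre-shared-key mode as I recall it, so treat the exact prf inputs as illustrative; and a toy XOR stream stands in for the encryption of messages 5 and 6.

```python
"""Toy model of IKE Phase 1 (Main vs Aggressive Mode) plus a Phase 2 key pull.

Added illustration, not code from the original slides. Assumptions: constructed
toy DH group (NOT a real IKE group); pre-shared-key authentication with
HMAC-SHA256 as the prf; derivations that follow the shape of IKEv1 PSK mode as
recalled (exact prf inputs are an assumption); toy XOR for messages 5 and 6.
"""
import hashlib
import hmac
import secrets

P = 2305843009213693951  # 2**61 - 1: constructed toy modulus, far too small
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(8, "big")


def toy_xor(key: bytes, payload: bytes) -> bytes:
    """Symmetric toy stream cipher: the same call encrypts and decrypts."""
    stream = prf(key, b"toy-stream") * (len(payload) // 32 + 1)
    return bytes(p ^ s for p, s in zip(payload, stream))


class Peer:
    """One IKE endpoint: identity, PSK, suite preferences, cookie, nonce, DH pair."""
    def __init__(self, ident: bytes, psk: bytes, prefs: list):
        self.ident, self.psk, self.prefs = ident, psk, prefs
        self.cookie = secrets.token_bytes(8)    # IKE connection identifier
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1   # DH private exponent
        self.gx = pow(G, self.x, P)             # DH public value sent on the wire

    def keys(self, peer_gx, ni, nr, cky_i, cky_r):
        """SKEYID and the Phase 1 keys: d seeds Phase 2, a authenticates, e encrypts."""
        gxy = i2b(pow(peer_gx, self.x, P))
        skeyid = prf(self.psk, ni + nr)
        d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
        e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
        return skeyid, d, a, e


def auth_hash(skeyid, gx_mine, gx_peer, cky_i, cky_r, ident):
    """HASH_I / HASH_R: binds the DH values, cookies and identity to SKEYID."""
    return prf(skeyid, i2b(gx_mine) + i2b(gx_peer) + cky_i + cky_r + ident)


def choose(offered: list, supported: list) -> str:
    """Responder picks the initiator's most-preferred suite it also supports."""
    for suite in offered:
        if suite in supported:
            return suite
    raise ValueError("no common cryptographic suite")


def main_mode(a: Peer, b: Peer):
    """Six messages. Returns (wire as an eavesdropper sees it, auth ok, SKEYID_d)."""
    chosen = choose(a.prefs, b.prefs)
    wire = [{"from": "A", "cky": (a.cookie, b""), "sa": a.prefs},          # msg 1
            {"from": "B", "cky": (a.cookie, b.cookie), "sa": [chosen]},   # msg 2
            {"from": "A", "gx": a.gx, "nonce": a.nonce},                  # msg 3
            {"from": "B", "gx": b.gx, "nonce": b.nonce}]                  # msg 4
    ka = a.keys(b.gx, a.nonce, b.nonce, a.cookie, b.cookie)
    kb = b.keys(a.gx, a.nonce, b.nonce, a.cookie, b.cookie)
    hash_i = auth_hash(ka[0], a.gx, b.gx, a.cookie, b.cookie, a.ident)
    wire.append({"from": "A", "enc": toy_xor(ka[3], a.ident + hash_i)})  # msg 5
    plain5 = toy_xor(kb[3], wire[4]["enc"])  # B decrypts with its own SKEYID_e
    ok_b = plain5[-32:] == auth_hash(kb[0], a.gx, b.gx, a.cookie, b.cookie, plain5[:-32])
    hash_r = auth_hash(kb[0], b.gx, a.gx, a.cookie, b.cookie, b.ident)
    wire.append({"from": "B", "enc": toy_xor(kb[3], b.ident + hash_r)})  # msg 6
    plain6 = toy_xor(ka[3], wire[5]["enc"])
    ok_a = plain6[-32:] == auth_hash(ka[0], b.gx, a.gx, a.cookie, b.cookie, plain6[:-32])
    return wire, ok_a and ok_b, ka[1]


def aggressive_mode(a: Peer, b: Peer):
    """Three messages. A commits to one DH group up front (every suite in a.prefs
    must use the group of a.gx) and the identities travel in the clear."""
    wire = [{"from": "A", "cky": (a.cookie, b""), "sa": a.prefs,
             "gx": a.gx, "nonce": a.nonce, "id": a.ident}]                 # msg 1
    chosen = choose(a.prefs, b.prefs)
    kb = b.keys(a.gx, a.nonce, b.nonce, a.cookie, b.cookie)
    hash_r = auth_hash(kb[0], b.gx, a.gx, a.cookie, b.cookie, b.ident)
    wire.append({"from": "B", "cky": (a.cookie, b.cookie), "sa": [chosen], "gx": b.gx,
                 "nonce": b.nonce, "id": b.ident, "hash": hash_r})         # msg 2
    ka = a.keys(b.gx, a.nonce, b.nonce, a.cookie, b.cookie)
    ok_a = hash_r == auth_hash(ka[0], b.gx, a.gx, a.cookie, b.cookie, b.ident)
    hash_i = auth_hash(ka[0], a.gx, b.gx, a.cookie, b.cookie, a.ident)
    wire.append({"from": "A", "hash": hash_i})                             # msg 3
    ok_b = hash_i == auth_hash(kb[0], a.gx, b.gx, a.cookie, b.cookie, a.ident)
    return wire, ok_a and ok_b, ka[1]


def identities_in_clear(wire) -> list:
    """What a passive observer of the exchange learns about who is talking."""
    return [m["id"] for m in wire if "id" in m]


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, pfs_shared=None):
    """Keying material for one IPsec SA under the IKE SA; the optional extra
    DH secret (pfs_shared) is what the 'additional DH exchange' contributes."""
    extra = i2b(pfs_shared) if pfs_shared is not None else b""
    return prf(skeyid_d, extra + protocol + spi + ni2 + nr2)
```

Running main_mode and aggressive_mode with two peers that share the constructed key gives a successful authentication in both cases, but identities_in_clear returns an empty list for Main Mode (identities only appear inside the encrypted messages 5 and 6) and both identities for Aggressive Mode, which is the trade-off the slides describe. A peer holding a different key fails the HASH check in either mode, and phase2_keymat yields different IPSec SA keys when the optional extra DH secret is supplied than when it is not.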