Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.

Published byRosanna Cook Modified over 9 years ago

Similar presentations

Presentation on theme: "ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication."— Presentation transcript:

1 ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication of peers Threat mitigation

2 ISAKMP Defines procedures and packet formats to deal with SAs and keys
Provides a framework for secure communication on the Internet Does not specify algorithms, formats, or protocols ISAKMP is a framework in which a specific secure communication definition can be implemented

3 ISAKMP Security Associations Authentication Public Key Cryptography
Protection DoS – Anti-Clogging Hijacking a connection Man in the middle attacks

4 ISAKMP Terminology DOI – Domain Of Interpretation: defines payload formats, exchange types, naming conventions

5 IISAKMP – Phases Phase 1: Two entities agree on how to protect further negotiation traffic. They negotiate an ISAKMP SA for an authenticated and secure channel Phase 2:The phase 1 secure channel is used to negotiate security services for IPSec.

6 ISAKMP Header Initiator Cookie Responder Cookie Major Version Minor
Next Payload Exchange Type Flags Message ID Length

7 Header Fields Initiator Cookie (8 octets) – Cookie of entity that initiated SA establishment, notification or deletion. Responder Cookie (8 octets) – Cookie of the responder Next Payload (1 octet) – Type of first payload Major/Minor Version (4 bits each) – Version of ISAKMP in use Exchange Type (1 octet) – Type of exchange being used Flags (1 octet) – More stinking flags, encrypt, commit authentication only Message ID (4 octets) – Unique ID to identify things in Phase 2 Length (4 octets) – Length of total message (headers + payloads)

8 Next Payload Types Next Payload Type Value Next Payload Type Value
NONE 0 SA 1 Proposal 2 Transform 3 Key Exchange 4 Identification 5 Certificate 6 Cert Request 7 Next Payload Type Value Hash 8 Signature 9 Nonce 10 Notification 11 Delete 12 Vendor ID 13 Reserved 14 – 127 Private Use

9 Exchange Types Exchange Type Value Exchange Type Value
NONE 0 Base 1 Id Protection 2 Auth Only 3 Aggressive 4 Informational 5 Exchange Type Value ISAKMP Future Use DOI Specific Use 32 – 127 Private Use

10 Generic Payload Header
Next Payload Reserved Payload Length Payload Data

11 Domain of Interpretation (DOI)
SA Payload Next Payload Reserved Payload Length Domain of Interpretation (DOI) ~ Situation DOI (4 octets) – Identifies the DOI under which this negotiation is taking place. A value of 0 (zero) during Phase 1 specifies a Generic ISAKMP SA which can be used for any protocol during Phase 2. Situation - A DOI-specific field that identifies the situation under which this negotiation is taking place.

12 Proposal Payload Next Payload Reserved Payload Length Proposal No.
Proposal ID SPI Size No. of Transforms SPI (variable)

13 Proposal Payload Payload Length (2 octets) – Length is octets of the entire Proposal payload including the generic payload header, the Proposal payload, and all Transform payloads associated with this proposal. Proposal No. - Identifies the Proposal number for the current payload. Proposal ID – Specifies the protocol identifier such as IPSEC ESP, IPSEC AH, OSPF, TLS, etc. SPI Size – Length in octets of the SPI as defined by the Protocol ID. No. of Transforms – Specifies the number of transforms for the proposal. SPI (variable) – The sending entity's SPI.

14 Transform Payload ~ Next Payload Reserved Payload Length Transform No.
Transform ID Reserved2 ~ SA Attributes

15 Transform Payload Payload Length (2 octets) – Length is octets of the current payload, including the generic payload header, Transform values, and all SA attributes Transform No. - Identifies the Transform number for the current payload. Transform ID – Specifies the Transform identifier fmor the protocol within the current proposal. Reserved 2 (2 octets) – Set to zero. SA Attributes (Variable length) – SA attributes should be represented using the Data Attributes format.

16 Key Exchange Payload ~ Reserved Payload Length Next Payload
Key Exchange Data Key Exchange Data (variable length) – Data required to generate a session key. This data is specified by the DOI and the associated Key Exchange algorithm.

17 Certificate Payload ~ Reserved Payload Length Next Payload
Cert Encoding Key Exchange Data ~ Cert Encoding (1 octet) – Indicates the type of certificate contained in the Certificate field.

18 Certificate Types Certificate Type Value Certificate Type Value NONE 0
PKCS #7 1 PGP Certificate 2 DNS Signed Key 3 X.509 Cert - Signature 4 X.509 Cert – Key Exchange 5 Certificate Type Value Kerberos Token 6 Cert Revoc List 7 Authority Revoc List 8 SPKI Cert. 9 X.509 Cert – Attribute 10 Reserved

19 Other Payloads ~ ~ ~ Reserved Payload Length Next Payload Hash Data
Signature Data Next Payload Reserved Payload Length ~ Nonce Data

20 Notification Payload ~ ~ Next Payload Reserved Payload Length DOI
Protocol ID SPI Size Notify Message Type ~ SPI ~ Notification Data

21 Notify Messages Errors Value INVALID-PAYLOAD-TYPE 1
DOI-NOT-SUPPORTED SITUATION-NOT-SUPPORTED INVALID-COOKIE INVALID-MAJOR-VERSION INVALID-MINOR-VERSION INVALID-EXCHANGE-TYPE INVALID-FLAGS INVALID-MESSAGE-ID INVALID-PROTOCOL-ID INVALID-SPI INVALID-TRANSFORM-ID ATTRIBUTES-NOT-SUPPORTED NO-PROPOSAL-CHOSEN BAD-PROPOSAL-SYNTAX Errors Value PAYLOAD-MALFORMED INVALID-KEY-INFORMATION INVALID-ID-INFORMATION INVALID-CERT-ENCODING INVALID-CERTIFICATE CERT-TYPE-UNSUPPORTED INVALID-CERT-AUTHORITY INVALID-HASH-INFORMATION AUTHENTICATION-FAILED INVALID-SIGNATURE ADDRESS-NOTIFICATION NOTIFY-SA-LIFETIME CERTIFICATE-UNAVAILABLE UNSUPPORTED-EXCHANGE-TYPE UNEQUAL-PAYLOAD-LENGTHS RESERVED (Future Use) Private Use – 16383

22 ISAKMP Message Construction
Initiator Cookie Responder Cookie Major Version Minor Version NP = KE Exchange Type Flags Message ID Total Message Length NP = Nonce Reserved KE Payload Length Key Exchange Data NP = 0 Reserved Nonce Payload Length Nonce Data

23 Proposal Syntax Proposal # Proposals with the same Proposal
Transform # Proposals with the same Proposal number are taken as a logical AND. Proposals with different numbers are taken as a logical OR. Different Transform within a proposal are taken as a logical OR.

24 Proposal Example Proposal 1: AH Transform 1: HMAC-SHA
Transform 2: HMAC-MD5 Proposal 2: ESP Transform 1: 3DES with HMAC-SHA Transform 2: 3DES with HMAC-MD5 Transform 3: AES with HMAC-SHA-256 Proposal 3: ESP Proposal 4: PCP Transform 1: LZS

25 Exchange Types Exchange Type Value Exchange Type Value
NONE 0 Base 1 Id Protection 2 Auth Only 3 Aggressive 4 Informational 5 Exchange Type Value ISAKMP Future Use DOI Specific Use 32 – 127 Private Use

26 Base Exchange Initiator Direction Responder Note
Header, SA, Nonce => Begin ISAKMP-SA negotiation <= HDR, SA, Nonce Basic SA agreed upon Header, KE, Idii, Auth => Key generated by responder Initiator Ident verified <= HDR, KE, Idir, Auth Responder Ident verified Initiator key generated, SA est.

Download ppt "ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication."

Similar presentations

IKE : Internet Key Exchange

IKE : Internet Key Exchange
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
CSC 474 Information Systems Security

CSC 474 Information Systems Security
Header and Payload Formats

Header and Payload Formats
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Network Layer Security: IPSec

Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.

1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Internet Security Association & Key Mana gement Protocol CNET 이동재.

Internet Security Association & Key Mana gement Protocol CNET 이동재.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
IPsec – IKE CS 470 Introduction to Applied Cryptography

IPsec – IKE CS 470 Introduction to Applied Cryptography

Similar presentations

Ads by Google