We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJohn Ramsey
Modified over 3 years ago
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu
2 © Ravi Sandhu 2000-2004 INTERNET KEY EXCHANGE (IKE) Hybrid protocol ISAKMP SKEME PHOTURIS SKIP MKMP OAKLEY IKE
3 © Ravi Sandhu 2000-2004 ISAKMP Internet security association and key management protocol separates key management from key exchanges complex general protocol used in a specific way in IKE can apply to protocols other than IPSEC for IPSEC uses UDP over IP
4 © Ravi Sandhu 2000-2004 IKE ISAKMP phase 1: establishes ISAKMP SA Main mode (DH with identity protection) Aggressive mode (DH without identity protection) Between phases New group mode ISAKMP phase 2: establishes SA for target protocol Quick mode
5 © Ravi Sandhu 2000-2004 DIFFIE-HELLMAN KEY ESTABLISHMENT A A B B y A =a x A mod p public key private key x A private key x B y B =a x B mod p public key k = y B x A mod p = y A x B mod p = a x A * x B mod p system constants: p: prime number, a: integer
6 © Ravi Sandhu 2000-2004 PERFECT FORWARD SECRECY Use a different DH key-pair on each exchange DH public keys need to be authenticated authentication can be done by many techniques Loss of long-term (authentication) keys does not disclose session keys
7 © Ravi Sandhu 2000-2004 PHASE 1 AUTHENTICATION ALTERNATIVES public-key signature preshared-key public-key encryption revised public-key encryption
8 © Ravi Sandhu 2000-2004 COOKIE EXCHANGE Phase 1 employs cookie exchange to thwart (not prevent) denial of service attacks A -> B: Cookie_Request As cookie, 64 bit random number B -> A: Cookie_Response includes A and Bs cookies all further Phase 1 and Phase 2 messages include both cookies ISAKMP SA is identified by both cookies IPSEC protocol SA is identified by SPI
9 © Ravi Sandhu 2000-2004 COOKIE GENERATION hash over IP Source and Destination Address UDP Source and Destination Ports a locally generated random secret timestamp
10 © Ravi Sandhu 2000-2004 IKE DEFAULT OAKLEY DH GROUPS Group 1 MODP, 768 bit prime p, g=2 Group 2 MODP, 1024 bit prime p, g=2 Group 3 EC2N, 155 bit field size Group 4 EC2N, 185 bit field size private groups can be used
11 © Ravi Sandhu 2000-2004 IKE NOTATION
12 © Ravi Sandhu 2000-2004 IKE NOTATION
13 © Ravi Sandhu 2000-2004 SKEYS, HASH AND SIG
14 © Ravi Sandhu 2000-2004 MAIN MODE WITH DIGITAL SIGNATURES
15 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH DIGITAL SIGNATURES
16 © Ravi Sandhu 2000-2004 MAIN AND AGGRESSIVE MODE WITH PRE-SHARED KEY
17 © Ravi Sandhu 2000-2004 MAIN MODE WITH PUBLIC KEY ENCRYPTION
18 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH PUBLIC KEY ENCRYPTION
19 © Ravi Sandhu 2000-2004 AUTHENTICATION WITH PUBLIC-KEY ENCRYPTION does not provide non-repudiation provides additional security since attacked must break both DH key exchange public-key encryption provides identity protection in aggressive mode revised protocol reduces public-key operations
20 © Ravi Sandhu 2000-2004 MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION
21 © Ravi Sandhu 2000-2004 MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION
22 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH REVISED PUBLIC KEY ENCRYPTION
23 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
24 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
25 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
26 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
27 © Ravi Sandhu 2000-2004 NEW GROUP MODE sandwiched between phase 1 and 2 group can be negotiated in phase 1 new group mode allows nature of group to be hidden in phase 1 only group id is communicated in clear
28 © Ravi Sandhu 2000-2004 NEW GROUP MODE
VPN AND REMOTE ACCESS Mohammad S. Hasan 1 VPN and Remote Access.
L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang Understand the 3 fundamental cryptographic functions and how they are.
25 seconds left…...
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
We will resume in: 25 Minutes.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
Chapter 5 Test Review Sections 5-1 through 5-4.
1 Internet Key Exchange Rocky K. C. Chang 20 March 2007.
Chapter 13 IPsec. IPsec (IP Security) A collection of protocols used to create VPNs A network layer security protocol providing cryptographic security.
ABC Technology Project
Advanced Piloting Cruise Plot.
1 Methods and Protocols for Secure Key Negotiation Using IKE Author : Michael S. Borella, 3Com Corp.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
1 Lecture 16: IPsec IKE history of IKE Photurus IKE phases –phase 1 aggressive mode main mode –phase 2.
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
Addition 1’s to 20.
ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.
Prof. Valter Bezerra Dantas
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Chapter 1 The Study of Body Function Image PowerPoint
Januar 2005 S M T O T F L
© 2012 National Heart Foundation of Australia. Slide 2.
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Lets play bingo!!. Calculate: MEAN Calculate: MEDIAN
McDonald’s calendar 2009.
ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
My Alphabet Book abcdefghijklm nopqrstuvwxyz.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2001 Chapter 16 Integrated Services Digital Network (ISDN)
IPsec: IKE, Internet Key Exchange IPsec does not use Public Key Infrastructure and exchanging keys before an IPsec connection is established is a problem.
IPsec – IKE CS 470 Introduction to Applied Cryptography
Do you have the Maths Factor?. Maths Can you beat this term’s Maths Challenge?
Understanding Generalist Practice, 5e, Kirst-Ashman/Hull
Richmond House, Liverpool (1) 26 th January 2004.
GG Consulting, LLC I-SUITE. Source: TEA SHARS Frequently asked questions 2.
Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Time for a BREAK! You have 45 Minutes.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
IPSec VPN Chapter 13 of Malik. 2 Outline Types of IPsec VPNs IKE (or Internet Key Exchange) protocol.
© 2017 SlidePlayer.com Inc. All rights reserved.