We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJohn Ramsey
Modified over 3 years ago
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu
2 © Ravi Sandhu INTERNET KEY EXCHANGE (IKE) Hybrid protocol ISAKMP SKEME PHOTURIS SKIP MKMP OAKLEY IKE
3 © Ravi Sandhu ISAKMP Internet security association and key management protocol separates key management from key exchanges complex general protocol used in a specific way in IKE can apply to protocols other than IPSEC for IPSEC uses UDP over IP
4 © Ravi Sandhu IKE ISAKMP phase 1: establishes ISAKMP SA Main mode (DH with identity protection) Aggressive mode (DH without identity protection) Between phases New group mode ISAKMP phase 2: establishes SA for target protocol Quick mode
5 © Ravi Sandhu DIFFIE-HELLMAN KEY ESTABLISHMENT A A B B y A =a x A mod p public key private key x A private key x B y B =a x B mod p public key k = y B x A mod p = y A x B mod p = a x A * x B mod p system constants: p: prime number, a: integer
6 © Ravi Sandhu PERFECT FORWARD SECRECY Use a different DH key-pair on each exchange DH public keys need to be authenticated authentication can be done by many techniques Loss of long-term (authentication) keys does not disclose session keys
7 © Ravi Sandhu PHASE 1 AUTHENTICATION ALTERNATIVES public-key signature preshared-key public-key encryption revised public-key encryption
8 © Ravi Sandhu COOKIE EXCHANGE Phase 1 employs cookie exchange to thwart (not prevent) denial of service attacks A -> B: Cookie_Request As cookie, 64 bit random number B -> A: Cookie_Response includes A and Bs cookies all further Phase 1 and Phase 2 messages include both cookies ISAKMP SA is identified by both cookies IPSEC protocol SA is identified by SPI
9 © Ravi Sandhu COOKIE GENERATION hash over IP Source and Destination Address UDP Source and Destination Ports a locally generated random secret timestamp
10 © Ravi Sandhu IKE DEFAULT OAKLEY DH GROUPS Group 1 MODP, 768 bit prime p, g=2 Group 2 MODP, 1024 bit prime p, g=2 Group 3 EC2N, 155 bit field size Group 4 EC2N, 185 bit field size private groups can be used
11 © Ravi Sandhu IKE NOTATION
12 © Ravi Sandhu IKE NOTATION
13 © Ravi Sandhu SKEYS, HASH AND SIG
14 © Ravi Sandhu MAIN MODE WITH DIGITAL SIGNATURES
15 © Ravi Sandhu AGGRESSIVE MODE WITH DIGITAL SIGNATURES
16 © Ravi Sandhu MAIN AND AGGRESSIVE MODE WITH PRE-SHARED KEY
17 © Ravi Sandhu MAIN MODE WITH PUBLIC KEY ENCRYPTION
18 © Ravi Sandhu AGGRESSIVE MODE WITH PUBLIC KEY ENCRYPTION
19 © Ravi Sandhu AUTHENTICATION WITH PUBLIC-KEY ENCRYPTION does not provide non-repudiation provides additional security since attacked must break both DH key exchange public-key encryption provides identity protection in aggressive mode revised protocol reduces public-key operations
20 © Ravi Sandhu MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION
21 © Ravi Sandhu MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION
22 © Ravi Sandhu AGGRESSIVE MODE WITH REVISED PUBLIC KEY ENCRYPTION
23 © Ravi Sandhu PHASE 2 QUICK MODE
24 © Ravi Sandhu PHASE 2 QUICK MODE
25 © Ravi Sandhu PHASE 2 QUICK MODE
26 © Ravi Sandhu PHASE 2 QUICK MODE
27 © Ravi Sandhu NEW GROUP MODE sandwiched between phase 1 and 2 group can be negotiated in phase 1 new group mode allows nature of group to be hidden in phase 1 only group id is communicated in clear
28 © Ravi Sandhu NEW GROUP MODE
1 Internet Key Exchange Rocky K. C. Chang 20 March 2007.
L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang Understand the 3 fundamental cryptographic functions and how they are.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Chapter 13 IPsec. IPsec (IP Security) A collection of protocols used to create VPNs A network layer security protocol providing cryptographic security.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.3: Internet Key Management.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Internet Key Exchange. IPSec – Reminder SPI SA1 2 3 …… SAD.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
IP security architecture Courtesy of Albert Levi with Sabanci Univ. Gunter Schafer with TU Berlin.
IP Security (IPSec protocol) Introduction to IP IPSec Key Management in IPSEC.
1 Lecture 16: IPsec IKE history of IKE Photurus IKE phases –phase 1 aggressive mode main mode –phase 2.
11 Chapter 6 IP Security. 22 Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication.
IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427) NISHU RASTOGI (121418) BHOOMIKA PARMAR (121406) MONIKA MITTAL (121414) ROHIT JAIN (121424)
ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
CS470, A.SelcukIPsec – IKE1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.
ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.
1 Authentication Applications Ola Flygt Växjö University, Sweden
Virtual Private Networks (VPN’s). 2 VPN overview Virtual Private Network (VPN) is defined as network connectivity deployed on a shared infrastructure.
1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
Internet Protocol Security (IP Sec). Securing Intranets and Extranets at all levels.
© 2017 SlidePlayer.com Inc. All rights reserved.