Download presentation

Presentation is loading. Please wait.

Published byJohn Ramsey Modified over 4 years ago

1
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu

2
2 © Ravi Sandhu 2000-2004 INTERNET KEY EXCHANGE (IKE) Hybrid protocol ISAKMP SKEME PHOTURIS SKIP MKMP OAKLEY IKE

3
3 © Ravi Sandhu 2000-2004 ISAKMP Internet security association and key management protocol separates key management from key exchanges complex general protocol used in a specific way in IKE can apply to protocols other than IPSEC for IPSEC uses UDP over IP

4
4 © Ravi Sandhu 2000-2004 IKE ISAKMP phase 1: establishes ISAKMP SA Main mode (DH with identity protection) Aggressive mode (DH without identity protection) Between phases New group mode ISAKMP phase 2: establishes SA for target protocol Quick mode

5
5 © Ravi Sandhu 2000-2004 DIFFIE-HELLMAN KEY ESTABLISHMENT A A B B y A =a x A mod p public key private key x A private key x B y B =a x B mod p public key k = y B x A mod p = y A x B mod p = a x A * x B mod p system constants: p: prime number, a: integer

6
6 © Ravi Sandhu 2000-2004 PERFECT FORWARD SECRECY Use a different DH key-pair on each exchange DH public keys need to be authenticated authentication can be done by many techniques Loss of long-term (authentication) keys does not disclose session keys

7
7 © Ravi Sandhu 2000-2004 PHASE 1 AUTHENTICATION ALTERNATIVES public-key signature preshared-key public-key encryption revised public-key encryption

8
8 © Ravi Sandhu 2000-2004 COOKIE EXCHANGE Phase 1 employs cookie exchange to thwart (not prevent) denial of service attacks A -> B: Cookie_Request As cookie, 64 bit random number B -> A: Cookie_Response includes A and Bs cookies all further Phase 1 and Phase 2 messages include both cookies ISAKMP SA is identified by both cookies IPSEC protocol SA is identified by SPI

9
9 © Ravi Sandhu 2000-2004 COOKIE GENERATION hash over IP Source and Destination Address UDP Source and Destination Ports a locally generated random secret timestamp

10
10 © Ravi Sandhu 2000-2004 IKE DEFAULT OAKLEY DH GROUPS Group 1 MODP, 768 bit prime p, g=2 Group 2 MODP, 1024 bit prime p, g=2 Group 3 EC2N, 155 bit field size Group 4 EC2N, 185 bit field size private groups can be used

11
11 © Ravi Sandhu 2000-2004 IKE NOTATION

12
12 © Ravi Sandhu 2000-2004 IKE NOTATION

13
13 © Ravi Sandhu 2000-2004 SKEYS, HASH AND SIG

14
14 © Ravi Sandhu 2000-2004 MAIN MODE WITH DIGITAL SIGNATURES

15
15 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH DIGITAL SIGNATURES

16
16 © Ravi Sandhu 2000-2004 MAIN AND AGGRESSIVE MODE WITH PRE-SHARED KEY

17
17 © Ravi Sandhu 2000-2004 MAIN MODE WITH PUBLIC KEY ENCRYPTION

18
18 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH PUBLIC KEY ENCRYPTION

19
19 © Ravi Sandhu 2000-2004 AUTHENTICATION WITH PUBLIC-KEY ENCRYPTION does not provide non-repudiation provides additional security since attacked must break both DH key exchange public-key encryption provides identity protection in aggressive mode revised protocol reduces public-key operations

20
20 © Ravi Sandhu 2000-2004 MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION

21
21 © Ravi Sandhu 2000-2004 MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION

22
22 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH REVISED PUBLIC KEY ENCRYPTION

23
23 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE

24
24 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE

25
25 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE

26
26 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE

27
27 © Ravi Sandhu 2000-2004 NEW GROUP MODE sandwiched between phase 1 and 2 group can be negotiated in phase 1 new group mode allows nature of group to be hidden in phase 1 only group id is communicated in clear

28
28 © Ravi Sandhu 2000-2004 NEW GROUP MODE

Similar presentations

OK

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google