We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJohn Ramsey
Modified over 4 years ago
ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu
2 © Ravi Sandhu 2000-2004 INTERNET KEY EXCHANGE (IKE) Hybrid protocol ISAKMP SKEME PHOTURIS SKIP MKMP OAKLEY IKE
3 © Ravi Sandhu 2000-2004 ISAKMP Internet security association and key management protocol separates key management from key exchanges complex general protocol used in a specific way in IKE can apply to protocols other than IPSEC for IPSEC uses UDP over IP
4 © Ravi Sandhu 2000-2004 IKE ISAKMP phase 1: establishes ISAKMP SA Main mode (DH with identity protection) Aggressive mode (DH without identity protection) Between phases New group mode ISAKMP phase 2: establishes SA for target protocol Quick mode
5 © Ravi Sandhu 2000-2004 DIFFIE-HELLMAN KEY ESTABLISHMENT A A B B y A =a x A mod p public key private key x A private key x B y B =a x B mod p public key k = y B x A mod p = y A x B mod p = a x A * x B mod p system constants: p: prime number, a: integer
6 © Ravi Sandhu 2000-2004 PERFECT FORWARD SECRECY Use a different DH key-pair on each exchange DH public keys need to be authenticated authentication can be done by many techniques Loss of long-term (authentication) keys does not disclose session keys
7 © Ravi Sandhu 2000-2004 PHASE 1 AUTHENTICATION ALTERNATIVES public-key signature preshared-key public-key encryption revised public-key encryption
8 © Ravi Sandhu 2000-2004 COOKIE EXCHANGE Phase 1 employs cookie exchange to thwart (not prevent) denial of service attacks A -> B: Cookie_Request As cookie, 64 bit random number B -> A: Cookie_Response includes A and Bs cookies all further Phase 1 and Phase 2 messages include both cookies ISAKMP SA is identified by both cookies IPSEC protocol SA is identified by SPI
9 © Ravi Sandhu 2000-2004 COOKIE GENERATION hash over IP Source and Destination Address UDP Source and Destination Ports a locally generated random secret timestamp
10 © Ravi Sandhu 2000-2004 IKE DEFAULT OAKLEY DH GROUPS Group 1 MODP, 768 bit prime p, g=2 Group 2 MODP, 1024 bit prime p, g=2 Group 3 EC2N, 155 bit field size Group 4 EC2N, 185 bit field size private groups can be used
11 © Ravi Sandhu 2000-2004 IKE NOTATION
12 © Ravi Sandhu 2000-2004 IKE NOTATION
13 © Ravi Sandhu 2000-2004 SKEYS, HASH AND SIG
14 © Ravi Sandhu 2000-2004 MAIN MODE WITH DIGITAL SIGNATURES
15 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH DIGITAL SIGNATURES
16 © Ravi Sandhu 2000-2004 MAIN AND AGGRESSIVE MODE WITH PRE-SHARED KEY
17 © Ravi Sandhu 2000-2004 MAIN MODE WITH PUBLIC KEY ENCRYPTION
18 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH PUBLIC KEY ENCRYPTION
19 © Ravi Sandhu 2000-2004 AUTHENTICATION WITH PUBLIC-KEY ENCRYPTION does not provide non-repudiation provides additional security since attacked must break both DH key exchange public-key encryption provides identity protection in aggressive mode revised protocol reduces public-key operations
20 © Ravi Sandhu 2000-2004 MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION
21 © Ravi Sandhu 2000-2004 MAIN MODE WITH REVISED PUBLIC KEY ENCRYPTION
22 © Ravi Sandhu 2000-2004 AGGRESSIVE MODE WITH REVISED PUBLIC KEY ENCRYPTION
23 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
24 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
25 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
26 © Ravi Sandhu 2000-2004 PHASE 2 QUICK MODE
27 © Ravi Sandhu 2000-2004 NEW GROUP MODE sandwiched between phase 1 and 2 group can be negotiated in phase 1 new group mode allows nature of group to be hidden in phase 1 only group id is communicated in clear
28 © Ravi Sandhu 2000-2004 NEW GROUP MODE
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Advanced Piloting Cruise Plot.
1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.
Symmetric Encryption Prof. Ravi Sandhu.
PKI Introduction Ravi Sandhu 2 © Ravi Sandhu 2002 CRYPTOGRAPHIC TECHNOLOGY PROS AND CONS SECRET KEY SYMMETRIC KEY Faster Not scalable No digital signatures.
Chapter 1 The Study of Body Function Image PowerPoint
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
Document #07-2I RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) (mod 7/25 & clean-up 8/20) Customer Supplier.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
My Alphabet Book abcdefghijklm nopqrstuvwxyz.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
© 2018 SlidePlayer.com Inc. All rights reserved.