Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Methods and Protocols for Secure Key Negotiation Using IKE Author : Michael S. Borella, 3Com Corp.

Similar presentations


Presentation on theme: "1 Methods and Protocols for Secure Key Negotiation Using IKE Author : Michael S. Borella, 3Com Corp."— Presentation transcript:

1 1 Methods and Protocols for Secure Key Negotiation Using IKE Author : Michael S. Borella, 3Com Corp.

2 2 Outline  What is IKE  Introduction of Diffie-Hellman  How IKE do the secure Key negotiation  Conclusion

3 3 What is IKE  Internet Key Exchange  Default IPSec method for secure key negotiation  Based-on Diffie-Hellman  Allow two entities to derive session key with authentication

4 4 Diffie-Hellman introduction A 選擇 X,g,nB 選擇 Y g,n, g X mod n B 計算 (g X ) Y mod nA 計算 (g Y ) X mod n g Y mod n Shared secret key : g XY mod n

5 5 Diffie-Hellman introduction(cont.) A 選擇 X,g,nB 選擇 Y g, n, g X mod n B 計算 (g Z ) Y mod nA 計算 (g Z ) X mod n g Z mod n C 選擇 Z g, n, g Z mod n g Y mod n  Man-in-the-middle-attack

6 6 How IKE do the secure Key negotiation  Diffie-Hellman disadvantages –Man-in-the-middle attack –Denial of Service  IKE can solve these problem!! How??  Solving man-in-the-middle attack –authentication  Solving Denial of Service attack –cookie

7 7 How IKE do the secure Key negotiation(cont.)  Cookie – How to solve DoS attack?? CICI CRCR 產生 C I 產生 C R 選擇 g,p 產生 x C I, C R, g x mod p 產生 y C I, C R, g y mod p

8 8 How IKE do the secure Key negotiation(cont.)  Cookie  If either the initiator or the responder receives a cookie pair from an IP address not associated with that cookie pair, the message will be discarded  Uniquely identifying a particular key exchange among several may take place between two hosts

9 9 How IKE do the secure Key negotiation(cont.)  IKE phase1 –Creates an IKE SA –Establish a secure channel so that that phase2 negotiation can occur privately  IKE phase2 –Establishing IPSec SA(ESP,AH) to protect non-IKE sessions

10 10 How IKE do the secure Key negotiation(cont.)

11 11 IKE phase1 detailed  Phase 1 –Main Mode Identity protection –Aggressive Mode Reduce round trips –Authentication with Pre-shared key Signatures Public Key Encryption Revised Public Key Encryption

12 12 IKE phase1 detailed(cont.)  Negotiation Generate C I (1)C I, ISA I Generate C R (2)C I, C R, ISA R : (1)Proposal:ENC = DES or 3DES, AUTH = MD5 Proposal:ENC = 3DES, AUTH = MD5 (2)Proposal:ENC = 3DES, AUTH = MD5

13 13 IKE phase1 detailed(cont.)  SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)  SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)  SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

14 14 IKE phase1 detailed(cont.)  Pre-shared key ; Main mode  Initiator Responder ---------- ----------- C I,ISA I --> <-- *C I,C R, ID R,HASH R

15 15 IKE phase1 detailed(cont.)  Pre-shared key ; Aggressive mode  Initiator Responder ----------- ----------- C I,ISA I,g x, N I, ID I -->  SKEYID = prf(PSKEY, N I | N R )  HASH I = prf(SKEYID,g x | g y | C I | C R | ISA I | ID I )  HASH R = prf(SKEYID, g x | g y | C R | C I | ISA I | ID I )

16 16 IKE phase1 detailed(cont.)  Signatures ; Main mode  Initiator Responder ----------- ----------- C I, ISA I --> <-- *C I,C R,ID R,SIG R

17 17 IKE phase1 detailed(cont.)  Signatures ; Aggressive mode  Initiator Responder ----------- ----------- C I,ISA I,g x,N I,ID I -->  SKEYID = prf(NI | NR,g xy )  SIG I = PRVKEY I (HASH I )  SIG R = PRVKEY R (HASH R )

18 18 IKE phase1 detailed(cont.)  public key ; Main mode  Initiator Responder ----------- ----------- C I,ISA I --> C I,C R,g y,PUBKEY I (ID R ), <-- *C I,C R,HASH R

19 19 IKE phase1 detailed(cont.)  public key ; Aggressive mode  Initiator Responder ----------- ----------- C I,ISA I,g x PUBKEY R (ID I PUBKEY R (N I ) --> C I,C R,ISA R,g y, PUBKEY I (ID R ),  SKEYID = prf(hash(N I | N R ), C I | C R )

20 20 IKE phase2 detailed  Quick Mode  Initiator Responder ----------- ----------- *CI,CR,HASH(1),SA I, N I, [, g x ] [, ID I, ID R ] --> <-- *C I,C R,HASH(2),SA R, N R, [, g y ] [, ID I,ID R ] *C I,C R,HASH(3) -->

21 21 IKE phase2 detailed(cont.)  With PFS  HASH(1) = prf(SKEYID_a, M-ID | SA I | N I )  HASH(2) = prf(SKEYID_a, M-ID | SA R | NI|NR)  HASH(3) = prf(SKEYID_a, 0 | M-ID | N I | N R )  NEWKEY = prf(SKEYID_d, g xy | protocol | SPI | N I | N R )  Without PFS  HASH(1) = prf(SKEYID_a, M-ID | SA I | N I | x | ID I | ID R )  HASH(2) = prf(SKEYID_a, M-ID | SA R | N I | N R | y | ID I | ID R )  HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)  NEWKEY = prf(SKEYID_d, protocol | SPI | N I | N R ).

22 22 conclusion  IKE is vary complexity  Hard to evaluate it’s security and performance


Download ppt "1 Methods and Protocols for Secure Key Negotiation Using IKE Author : Michael S. Borella, 3Com Corp."

Similar presentations


Ads by Google