Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS 4362 - CIS 5357 Network Security.

Published byCameron Chambers Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS 4362 - CIS 5357 Network Security."— Presentation transcript:

1 Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security

2 ISAKMP Policy Negotiation
ISAKMP Protocols are constructed by chaining together ISAKMP payloads to an ISAKMP header Two Phases Establish a key-exchange SA Negotiate security services

3 ISAKMP Exchange Types Basic = 1
Authentication Key Exchange Saturation protection Identity Protection = 2 (Main mode IKE) Protects users identities Authentication Only = 3 Authentication Aggressive = 4 (Aggressive Mode IKE) Key exchange No saturation protection Informational = 5 Information only

4 ISAKMP Data Exchange Phases
Establish a secure channel Use the secure channel to exchange information for a protocol (such as IPSEC)

5 ISAKMP Payload Types Certificate request Initiate SA Hash
Signature Nonce Notification Delete SA Initiate SA Protocol [cipher] Proposal Transform <SA attribute> Key Exchange Identification Certificate

6 ISAKMP Fixed Header Format
Initiator Cookie (64 bits) Responder Cookie (64 bits) (null in message from the originator Next Payload (8 bits) Major ISAKMP Version (4 bits) Minor ISAKMP Version (4 bits) Exchange Type (8 bits) Flags (8 bits) Message ID (32 bits) Message length (32 bits)

7 Example ISAKMP Header & Payload
Key Exchange Payload Nonce Payload

8 IKE Phases In a design similar to Kerberos, IKE performs a phase 1 mutual authentication based on public keys and phase 2 re-authentication based on shared secrets (from phase 1). This allows multiple SAs to re-use the same handshake. Phase 1 has two modes: Aggressive mode (3 messages) Main mode (6 messages)

9 IKE Phase 1: Aggressive Mode
ga mod p, “Alice”, supported crypto Alice Bob gb mod p, choice crypto, proof(“I’m Bob”) proof(“I’m Alice”) In aggressive mode, Alice chooses some Elgamal context (p, g). Bob may not support it, and reject the connection. If that happens, Alice should try and connect to Bob using main mode. Aggressive mode provides mutual authentication, and a shared secret gab mod p, which can be used to derive keys for the symmetric crypto protocols.

10 IKE Phase 1: Main Mode supported crypto suites chosen crypto suite
Alice supported crypto suites Bob chosen crypto suite ga mod p gb mod p K= gab mod p K{“Alice”, proof I’m Alice} K{“Bob”, proof I’m Bob}

11 Reasoning about IKE The SIGn-and-MAc (SIGMA) family of key exchange protocols. Introduced by Krawczyk to the IPsec working group (1995), replaced Photuris. Several interesting properties, tried to plug certain holes in existing Key Exchange Protocols.

12 Security Goals of SIGMA
Mutual Authentication Key-binding Consistency: If honest A establishes a key K, believing that B is the other session peer, and B establishes the same key K, it should believe that A is the peer in this exchange Secrecy (of the computed key) Optional: Identity Protection, providing anonymity against eavesdroppers for the two parties in a communication

13 Example of a “BADH” protocol (Basic Authenticated DH)
gx mod p Alice Bob gy mod p, B, signB(gx, gy) A, signA(gy, gx) K derived from gxy The inclusion of both exponentials in each signature prevents replay attacks, but does not provide for key binding consistency.

14 Key Binding Inconsistency
gx mod p Alice Bob gy mod p, B, signB(gx, gy) E, signE(gy, gx) E Outcome: Alice thinks she shares key K with Bob, while Bob thinks that he shares the same K with Eve. Eve does not know the key, so this does not violate authentication and/or secrecy.

15 STS Protocol K derived from gxy
gx mod p Alice Bob K derived from gxy gy mod p, B, K{signB(gx, gy)} A, K{signA(gy, gx)} Intuitively this solves the consistency problem, but no proof exists. What if Eve registers Alice’s public key on her name? Even if Eve does not know Alice’s secret key, she may be able to perform replay attacks to violate consistency of key binding

16 ISO Key Exchange Does not provide identity protection.
A, gx mod p Alice Bob gy mod p, B, signB(gx, gy, A) signA(gy, gx), B Does not provide identity protection. Could be “fixed” by having Alice send an “alias” A’ = h(A, r), which is revealed later, and have the other messages be encrypted under the DH key.

17 Sigma Protocol (Basic)
gx mod p Alice Bob gy mod p, B, signB(gx, gy), MACKm(B) A, signA(gy, gx), MACKm(A) Output from DH-value gxy : encryption key Ke, mac key Km

18 SIGMA-I Identity of the sender is protected against
gx mod p Alice Bob gy mod p, Ke{B, signB(gx, gy), MACKm(B)} Ke{A, signA(gy, gx), MACKm(A)} Identity of the sender is protected against both passive and active attacks. The identity of the receiver is protected against passive attacks.

19 Phase 1: Main mode, (shared secret authentication)
Alice supported crypto suites Bob Pre-shared secret J chosen crypto suite ga mod p, nonce nA gb mod p, nonce nB K= f(J, gab mod p, nA, nB, cA, cB) K{“Alice”, proof I’m Alice} K{“Bob”, proof I’m Bob}

20 IKE Phase 2 quick mode X, Y are session-identifiers for this flow:
X, Y, {CP, SPIA, nonceA, [ga mod p]} Alice Bob X, Y, {CPA, SPIB, nonceB, [gb mod p] B} X, Y, ack X, Y are session-identifiers for this flow: X contains the cookies of the corresponding phase 1, Y is 32-bit to identify this particular connection. Optionally some tags may be included to identify the type of traffic to be sent.

Download ppt "Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS 4362 - CIS 5357 Network Security."

Similar presentations

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.

ISA 662 IKE Key management for IPSEC Prof. Ravi Sandhu.
Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University.

Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
L8. Reviews Rocky K. C. Chang, May 2011. Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.

L8. Reviews Rocky K. C. Chang, May Foci of this course 2 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions and how they are.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.

ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.
Header and Payload Formats

Header and Payload Formats
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Similar presentations

Ads by Google