1 / 31

ISAKMP

ISAKMP. Presented by: Gary Aoki Linan Chang Thu Nguyen Pravesvuth Uparanukraw. Agenda. Introduction Overview IKE, SA, Cookie Architecture Security. Introduction. Internet Security Association and Key Management Protocol (ISAKMP)

harding-raymond
Download Presentation

ISAKMP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ISAKMP Presented by: Gary Aoki Linan Chang Thu Nguyen Pravesvuth Uparanukraw

  2. Agenda • Introduction • Overview • IKE, SA, Cookie • Architecture • Security

  3. Introduction • Internet Security Association and Key Management Protocol (ISAKMP) • A cryptographic protocol which forms the basis of a key exchange protocol. • ISAKMP typically utilizes IKE for key exchange, although other methods can be implemented. • All implementations can be over any transport protocol, including send and receive capability using UDP on port 500. • RFCs: 2408, 2407

  4. ISAKMP characteristics • ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SAs) • Benefits • Designed for transmission efficiency and flexibility • Reduces the amount of duplicated functionality within each security protocol • Reduces the connection setup time by negotiation the whole stack of services at once.

  5. ISAKMP/IPSec protocol suite • ISAKMP is used as part of IPSec protocol, the connection you establish ahead of the actual IPSec connection. • Used to figure out what kind of encryption to use. In order to do this, it exchanges key generation and authentication data.

  6. ISAKMP terminology • Cookie • Domain of Interpretation (DOI) • Situation • Security Association (SA)

  7. Cookies • What is Cookie? • Cookie generation requirements: • Depend on specific parties • Unique • Generation & verification methods. Heheeeh! Yummy! Yummy!

  8. SA • Security Association • set of security information that defines the relationship between two or more entities and describe how the entities will utilize security services to support secure communication.

  9. IKE • Key establishment • Provides the messages format and protocol required to support Key Exchange • Does not specify a specific key generating, exchange algorithm. Entities indicate which algorithms they wish to use or support • IKE negotiation attributes • Encryption algorithm • Hash algorithm • Authentication mechanism • Computation algorithm • DOI

  10. Security Association negotiation example • ipsec-cisco-gre-and-nat-too-2043367.html

  11. Base Authentication Key Exchange Saturation protection Identity Protection Authentication Key Exchange Protects users identities Authentication Only Aggressive Authentication Key Exchange No saturation protection Informational Information only ISAKMP Exchange Types

  12. Base Exchange

  13. Identity Protection Exchange

  14. Authentication Only Exchange

  15. Aggressive Exchange Informational Only Exchange

  16. Functionality • Separates the functionality into three distinct parts • Authentication • Key exchange • Security Associations • The separation adds complexity • The separation is critical for interoperability between systems

  17. Authentication • ISAKMP provides the messages and protocols required to support authentication • Uses Digital Signatures – but other mechanisms may be specified as additional options • Does not mandate a specific Signature algorithm • Does not mandate a specific Certificate Authority – entities indicate which CAs they support

  18. Key Establishment • ISAKMP provides the messages and protocol required to support key exchange • Does not specify a specific key generating algorithm • Does not specify a specific key exchange algorithm - Entities indicate which algorithms they support and wish to use

  19. Security Associations • ISAKMP provides the messages and protocol to establish and maintain security associations • Indicates the authentication mechanism • Indicates the key exchange mechanism • ISAKMP defines the basic set of SA attributes that must be implemented

  20. ISAKMP Protocol Negotiation • Two Phases: • Establish a key-exchange SA • Negotiate security services • ISAKMP Protocols are constructed by chaining together ISAKMP payloads.

  21. ISAKMP Negotiation Phases • Phase 1: two entities (servers) agree on how to protect further negotiation traffic -> ISAKMP SA is established. • Phase 2: ISAKMP SA is used to protect the negotiations for the protocol SAs.

  22. Message Architecture • Fixed format header • One or more payloads • The payload fields are chained together

  23. Message Header Generic Payload Header

  24. Security Association Payload Proposal Payload Transform Payload Key Exchange Payload Identification Payload Certificate Payload Certificate Request Payload Hash Payload Signature Payload Nonce Payload Notification Payload Notify Payload Delete Payload Vendor ID Payload Message Payloads

  25. Security Issues Common attacks • Man-In-The-Middle • Denial of Service • Connection Hijacking

  26. Man-In-The-Middle Attack • A situation where a malicious user sits between communicating parties and intercepts messages. The attacker can modify, insert or delete messages. • Solutions: • Strong authentication of the parties prevents the risk of establishing an SA with other than intended party. • During the creation of an SA, deleted messages will clear all state so a partial SA won't be created. • Linking ISAKMP payloads in order to prevent insertion of messages.

  27. Denial of Service Attack • Where a malicious user can render a system unusable by overloading the system's resources • Solution: Implement an anti-clogging token (ACT) or a cookie to protect computer resources.

  28. Connection Hijacking Attack • A situation where a third party jumps in in the middle of transaction and steals the connection. • Solution: Link the authentication, key exchange and security association exchanges. The linking of exchanges prevents an attacker from jumping in after authentication.

  29. Conclusion • ISAKMP defines a framework for: • Authentication • Key generation and exchange • Establishing secure communications • It has some Fundamental Flaws • It has been superseded by version 2 of the Internet Key Exchange (IKE) Protocol

  30. References • http://en.wikipedia.org/ • http://www.ietf.org/rfc/rfc2408.txt • http://www.javvin.com/protocolISAKMP.html • http://home1.gte.net/res0psau/ipsec-parameters/default-isakmp-ipsec-params.html • http://monkey.org/openbsd/archive/tech/9912/msg00215.html

  31. Q&A • Thank you!

More Related