1 / 24

The IKE (Internet Key Exchange) Protocol

The IKE (Internet Key Exchange) Protocol. Sheila Frankel Systems and Network Security Group NIST sheila.frankel@nist.gov. IKE Overview. Negotiate: Communication Parameters Security Features Authenticate Communicating Peer Protect Identity

saber
Download Presentation

The IKE (Internet Key Exchange) Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The IKE (Internet Key Exchange) Protocol Sheila Frankel Systems and Network Security Group NIST sheila.frankel@nist.gov

  2. IKE Overview • Negotiate: • Communication Parameters • Security Features • Authenticate Communicating Peer • Protect Identity • Generate, Exchange, and Establish Keys in a Secure Manner • Manage and Delete Security Associations

  3. IKE Overview (continued) • Threat Mitigation • Denial of Service • Replay • Man in Middle • Perfect Forward Secrecy (PFS) • Usable by IPsec and other domains

  4. IKE Overview (continued) • Components: • Internet Security Association and Key Management Protocol (ISAKMP) RFC 2408 • Internet Key Exchange (IKE) <draft-ietf-ipsec-ike-01.txt> • Oakley Key Determination Protocol RFC 2412 • IPSec Domain of Interpretation (IPsec DOI) RFC 2407

  5. Constructs Underlying IKE • Security Association (SA) • Security Association Database (SAD) • Security Parameter Index (SPI)

  6. IKE Negotiations - Phase 1 • Purpose: • Establish ISAKMP SA (“Secure Channel”) • Steps (4-6 messages exchanged): • Negotiate Security Parameters • Diffie-Hellman Exchange • Authenticate Identities • Main Mode vs. Aggressive Mode vs. Base Mode

  7. Phase 1 Attributes • Authentication Method • Pre-shared key • Digital signatures (DSS or RSA) • Public key encryption (RSA or El-Gamal) • Group Description (pre-defined) • Group Type (negotiated) • MODP (modular exponentiation group) • ECP (elliptic curve group over GF[P]) • EC2N (elliptic curve group over GF[2^N])

  8. Phase 1 Attributes (continued) • MODP Group Characteristics • Prime • Generator • EC2N Group Characteristics • Field Size • Irreducible Polynomial • Generators (One and Two) • Curves (A and B) • Order

  9. Phase 1 Attributes (continued) • Encryption algorithm • Key Length • Block size • Hash algorithm • Life duration (seconds and/or kilobytes)

  10. IKE’s Pre-Defined Groups • MODP • Prime: 768-bit, 1024-bit, 1536-bit • Generator: 2 • EC2N • GF[2^155], GF[2^185] • GF[2^163] (2 groups), GF[2^283] (2 groups)

  11. 1 HDR | SA 2 HDR | SA 3 HDR | KE | Ni RESPONDER INITIATOR 4 HDR | KE | Nr 5 HDR* | IDi1 | HASH_I 6 HDR* | IDr1 | HASH_R Main Mode:Authentication with Pre-Shared Keys HDR contains CKY-I | CKY-R KE = g^i (Initiator) or g^r (Responder)

  12. 1 HDR | SA 2 HDR | SA 3 RESPONDER HDR | KE | Ni INITIATOR 4 HDR | KE | Nr 5 HDR* | IDi1 | [CERT | ] SIG_I 6 HDR* | IDr1 | [CERT | ] SIG_R Main Mode:Authentication with Digital Signatures HDR contains CKY-I | CKY-R KE = g^i (Initiator) or g^r (Responder) SIG_I/SIG_R = digital sig of HASH_I/HASH_R

  13. 1 HDR | SA 2 RESPONDER HDR | SA INITIATOR 3 HDR | KE | [HASH(1) | ] <IDi1_b>PubKey_r | <Ni_b>PubKey_r 4 HDR | KE | <IDr1_b>PubKey_i | <Nr_b>Pubkey_i 5 HDR* | HASH_I 6 HDR* | HASH_R Main Mode:Authentication with Public Key Encryption HDR contains CKY-I | CKY-R KE = g^I (Initiator) or g^r (Responder)

  14. 1 HDR | SA 2 HDR | SA RESPONDER HDR | [HASH(1) | ] <Ni_b>PubKey_r | <KE_b>Ke_i | <IDi1_b>Ke_i [ | <CERT-I_b>Ke_i] 3 INITIATOR 4 HDR | <Nr_b>PubKey_i | <KE_b>Ke_r | <IDr1_b>Ke_r 5 HDR* | HASH_I 6 HDR* | HASH_R Main Mode: Authentication with Revised Public Key Encryption HDR contains CKY-I | CKY-R KE = g^I (Initiator) or g^r (Responder) Ke_i/r = symmetric key from Ni/r_b and CKY_I/R

  15. Key Derivation • SKEYID • Pre-shared keys: HMAC_H(pre-shared-key, Ni_b | Nr_b • Digital signatures: HMAC_H(H(Ni_b | Nr_b), g^ir) • Public key encryption: HMAC_H(H(Ni_b | Nr_b), CKY-I | CKY-R)

  16. Key Derivation(continued) • SKEYID_d (used to derive keying material for IPsec SA): HMAC_H(SKEYID, g^ir | CKY-I | CKY-R | 0) • SKEYID_a (auth key for ISAKMP SA): HMAC_H(SKEYID, SKEYID_a|g^ir|CKY-I|CKY-R|1) • SKEYID_e (enc key for ISAKMP SA): HMAC_H(SKEYID, SKEYID_a|g^ir|CKY-I|CKY-R|2)

  17. Hash Calculations • HASH_I: HMAC_H(SKEYID, g^i | g^r | CKY-I | CKY-R | Sai_b | ID_i1_b) • HASH_R: HMAC_H(SKEYID, g^r | g^i | CKY-R | CKY-I | Sai_b | ID_r1_b)

  18. IKE Negotiations - Phase 2 • Purpose: • Establish IPsec SA • Steps (3-4 messages exchanged): • Negotiate Security Parameters • Optional Diffie-Hellman Exchange (for PFS) • Optional Exchange of Identities • Final Verification • Quick Mode • New Groups Mode

  19. Phase 2 Attributes • Group description (for PFS) • Encryption algorithm (if any) • Key length • Key rounds • Authentication algorithm (if any) • Life duration (seconds and/or kilobytes) • Encapsulation mode (transport or tunnel)

  20. 1 HDR* | HASH(1) | SA | Ni [ | KE] [ | IDi2 | IDr2] 2 HDR* | HASH(2) | SA | Nr [ | KE] [ | IDi2 | IDr2] 3 RESPONDER HDR* | HASH(3) INITIATOR Quick Mode HDR contains CKY-I | CKY-R KE (for PFS) = g^I (Initiator) or g^r (Responder)

  21. Key Derivation • KEYMAT (no PFS): HMAC_H(SKEYID_d, protocol | SPI | Ni_b | Nr_b) • KEYMAT (with PFS): HMAC_H(SKEYID_d, g^ir (QM) | protocol | SPI | Ni_b | Nr_b) • Expanded KEYMAT (if needed): K2 = HMAC_H(SKEYID_d, KEYMAT | [g^ir (QM) | ] protocol | SPI | Ni_b | Nr_b) K3 = HMAC_H(SKEYID_d, K2 | [g^ir (QM) | ] protocol | SPI | Ni_b | Nr_b) etc.

  22. Hash Calculations • HASH(1) : HMAC_H (SKEYID_a | Message_ID | contents of Message #1) • HASH(2) : HMAC_H (SKEYID_a | Message_ID | Ni_b | contents of Message #2) • HASH(3) : HMAC_H (SKEYID_a | 0 | Message_ID | Ni_b | Nr_b)

  23. 1 HDR* | HASH | SA 2 HDR* | HASH | SA RESPONDER INITIATOR New Groups Mode

  24. Contact Information • For further information, contact: • Sheila Frankel: sheila.frankel@nist.gov

More Related