Introduction to IKE (Internet Key Exchange)
  

Jami Ullah Lv2Posted 22 Jul 2023 00:40

Introduction to IKE (Internet Key Exchange)

- Is a UDP-based application-layer protocol built on the framework by ISAKMP.
- Implements automatic key negotiation and IPSec SA establishment
- Governs that packets exchanged between the IKE peers

SA (SecurityAssociation)
- An SA defines a set of parameters for data transmission between two IPSec peers. The parameters include the security protocol, characteristics of data flows to be protected, data encapsulation mode, encryption algorithm, authentication algorithm, key, and SA lifetime.
- An SA is uniquely identified by a triplet, including;
    #   SPI (Security Protocol Index)
    #   Destination IP address
    #   Security protocol ID
- SAs are required in both the incoming & outgoing directions.
- Can be established in both manual or IKE auto-negotiation mode (auto is recommended)
- IKE Security Mechanism includes securing the following parameters before it hands over to IPSec;
    #   Identity authentication (IP addresses or name) using the following authentication modes;
            * PSK (the same password is used at both ends)
            * RSASignature authentication (CA certificates are used for authentication)
            * Digitalenvelop authentication (random symmetric key is generated for authentication)\
    #   Identity protection (data encryption can be achieved by using one of the following algorithms);
            * DES
            * 3DES
            * AES (128bits, 192 bits, 256 bits), most secure, mostly used, more overhead
            * SIM1 andSIM4
    #   DH key exchange algorithm
            * peers exchange the keys materials, not the real shared key
            * If hackers intercept the DH values and temp number, they can not calculate the shared key
    #   Perfect forward secrecy (PFS)
            * If the absence of PFS, if the original key is compromised, all other keys derived from the original key will also get compromised
            * The key generated initially, should not be used for generating subsequent keys.
            * In the presence of PSF, if the original key is compromised, not all other subsequent keys can be compromised b/c the original key was not used for generating all other subsequent keys.

Principals of IKEv1 & IKEv2
IKEv1
- Goes through two phases to negotiate the key and establish SAs for IPSec.
- In phase-1, the two IKE peers negotiate and establish a secure channel (an IKE SA)
- In phase-2, the two IKE peers establish a pair of IPSec SAs by using the secure and authenticated channel established in phase-1.

IKEv2
- IKEv2 simplifies the negotiation process
- The key is generated and SAs are established for IPSecin in just one negotiation process.
file:///C:/Users/THINKPAD/AppData/Local/Temp/msohtmlclip1/01/clip_image002.jpg
file:///C:/Users/THINKPAD/AppData/Local/Temp/msohtmlclip1/01/clip_image004.jpg

328964bab4ce54e6f.png

8963364bab4ddd9f7b.png


Difference between Main& Aggressive modes
- Six messages are used in the main mode and three messages are used in the aggressive mode.
- The main mode provides identity protection since the last two messages are encrypted. The aggressive mode does not provide identity protection because of its high message integration.
- The main mode can use only an IP address to identify a peer, whereas the aggressive mode can use an IP address or name to identify a peer.


Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Faisal P Lv8Posted 22 Jul 2023 16:28
  
Thank you very much for the information ...
Kazuma Lv1Posted 23 Jul 2023 13:16
  
Thank you for that diagram and useful information about IKE
Newbie517762 Lv5Posted 24 Jul 2023 09:36
  
Thanks for your useful information.
Farina Ahmed Lv5Posted 24 Jul 2023 13:52
  
Very well explained. Thanks for sharing