IPSec - Internet Key Exchange (IKE)
Internet Key Exchange (IKE)
- is a key management protocol standard used in conjunction with the Internet Protocol Security (IPSec) standard protocol
- it provides security for virtual private network (VPN) negotiations and for network access to arbitrary hosts
IKE Protocol - History
- early contenders
- Photuris - authenticated DH with cookies and identity-hiding
- SKIP - authenticated DH with long-term exponents
- ISAKMP
- A protocol specifying only payload formats and exchanges (i.e., an empty protocol)
- Adopted by the IPsec working group
- Oakley - modified Photuris, can work with ISAKMP
- IKE - a particular Oakley-ISAKMP combination
IKE Protocol - Overview
Phase 1
- does authenticated Diffie-Hellman, establishes session key and “ISAKMP SA”
- 2 possible modes: main and aggressive
- 4 possible authentication types
- 2 keys are derived from the session key:
- SKEYID_e – to encrypt Phase 2 messages
- SKEYID_a – to authenticate Phase 2 messages
Phase 2
- IPsec SA and session key established; messages encrypted and authenticated with Phase 1 keys
- additional DH exchange is optional (for perfect forward secrecy (PFS))
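The Phase 1 key derivation listed above, worked through as an added example that is not part of the original slides, following RFC 2409 section 5: the root secret SKEYID depends on which of the authentication types was negotiated, and the chain also passes through SKEYID_d (material for Phase 2 keys), which the slide omits. HMAC-SHA1 as the prf, and the sample nonces, cookies and DH secret, are assumptions.

```python
import hashlib
import hmac

# prf = HMAC keyed with the negotiated hash; SHA-1 is assumed here (RFC 2409 sec. 5).
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid(auth: str, ni_b: bytes, nr_b: bytes, g_xy: bytes,
           cky_i: bytes, cky_r: bytes, psk: bytes = b"") -> bytes:
    """Root secret SKEYID; only this step depends on the authentication method."""
    if auth == "psk":            # pre-shared key
        return prf(psk, ni_b + nr_b)
    if auth == "sig":            # digital signatures
        return prf(ni_b + nr_b, g_xy)
    if auth in ("pke", "rpke"):  # both public-key-encryption variants
        return prf(hashlib.sha1(ni_b + nr_b).digest(), cky_i + cky_r)
    raise ValueError(f"unknown authentication method: {auth}")

def derive_phase1_keys(auth: str, ni_b: bytes, nr_b: bytes, g_xy: bytes,
                       cky_i: bytes, cky_r: bytes, psk: bytes = b"") -> dict:
    """Return SKEYID_d, SKEYID_a and SKEYID_e; each output keys the next step."""
    root = skeyid(auth, ni_b, nr_b, g_xy, cky_i, cky_r, psk)
    d = prf(root, g_xy + cky_i + cky_r + b"\x00")      # material for Phase 2 keys
    a = prf(root, d + g_xy + cky_i + cky_r + b"\x01")  # authenticates Phase 2 messages
    e = prf(root, a + g_xy + cky_i + cky_r + b"\x02")  # encrypts Phase 2 messages
    return {"SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

# Constructed sample values, not captured from a real exchange.
SAMPLE = dict(
    ni_b=bytes.fromhex("a1" * 16), nr_b=bytes.fromhex("b2" * 16),
    g_xy=bytes.fromhex("c3" * 128),  # shared DH secret g^xy (1024-bit group assumed)
    cky_i=bytes.fromhex("0102030405060708"),
    cky_r=bytes.fromhex("1112131415161718"),
)

if __name__ == "__main__":
    keys = derive_phase1_keys("psk", psk=b"example-psk", **SAMPLE)
    for name, value in keys.items():
        print(name, value.hex())
```

Both peers hold the same nonces, cookies and g^xy after the exchange, so running the same chain on either side yields identical SKEYID_a and SKEYID_e; a different pre-shared key or authentication method changes every derived key.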
IKE Protocol - Phase Details