ISAKMP - PowerPoint PPT Presentation

About This Presentation
Title:

ISAKMP

Description:

Internet Security Association and Key Management Protocol (ISAKMP) ... Solution: Implement an anti-clogging token (ACT) or a cookie to protect computer ... – PowerPoint PPT presentation

Number of Views:291
Avg rating:3.0/5.0
Slides: 32
Provided by: thung5
Category:
Tags: isakmp | clogging


Transcript and Presenter's Notes

Title: ISAKMP


1
ISAKMP
  • Presented by
  • Gary Aoki
  • Linan Chang
  • Thu Nguyen
  • Pravesvuth Uparanukraw

2
Agenda
  • Introduction
  • Overview
  • IKE, SA, Cookie
  • Architecture
  • Security

3
Introduction
  • Internet Security Association and Key Management
    Protocol (ISAKMP)
  • A cryptographic protocol which forms the basis of
    a key exchange protocol.
  • ISAKMP typically utilizes IKE for key exchange,
    although other methods can be implemented.
  • ISAKMP can run over any transport protocol; all
    implementations must include send and receive
    capability using UDP on port 500.
  • RFCs 2408, 2407

4
ISAKMP characteristics
  • ISAKMP defines procedures and packet formats to
    establish, negotiate, modify and delete Security
    Associations (SAs)
  • Benefits
  • Designed for transmission efficiency and
    flexibility
  • Reduces the amount of duplicated functionality
    within each security protocol
  • Reduces the connection setup time by negotiating
    the whole stack of services at once.

5
ISAKMP/IPSec protocol suite
  • ISAKMP is used as part of the IPSec protocol
    suite; it is the connection you establish ahead
    of the actual IPSec connection.
  • Used to figure out what kind of encryption to
    use. In order to do this, it exchanges key
    generation and authentication data.

6
ISAKMP terminology
  • Cookie
  • Domain of Interpretation (DOI)
  • Situation
  • Security Association (SA)

7
Cookies
  • What is a Cookie?
  • Cookie generation requirements
  • Depend on specific parties
  • Unique
  • Generation verification methods.

Heheeeh! Yummy! Yummy!
8
SA
  • Security Association
  • A set of security information that defines the
    relationship between two or more entities and
    describes how the entities will utilize security
    services to support secure communication.

9
IKE
  • Key establishment
  • Provides the message format and protocol
    required to support key exchange
  • Does not specify a specific key generation or
    key exchange algorithm. Entities indicate which
    algorithms they wish to use or support
  • IKE negotiation attributes
  • Encryption algorithm
  • Hash algorithm
  • Authentication mechanism
  • Computation algorithm
  • DOI

10
  • Security Association negotiation example
  • ipsec-cisco-gre-and-nat-too-2043367.html

11
ISAKMP Exchange Types
  • Base
  • Authentication
  • Key Exchange
  • Saturation protection
  • Identity Protection
  • Authentication
  • Key Exchange
  • Protects users identities
  • Authentication Only
  • Aggressive
  • Authentication
  • Key Exchange
  • No saturation protection
  • Informational
  • Information only

12
Base Exchange
13
Identity Protection Exchange
14
Authentication Only Exchange
15
Aggressive Exchange
Informational Only Exchange
16
Functionality
  • Separates the functionality into three distinct
    parts
  • Authentication
  • Key exchange
  • Security Associations
  • The separation adds complexity
  • The separation is critical for interoperability
    between systems

17
Authentication
  • ISAKMP provides the messages and protocols
    required to support authentication
  • Uses Digital Signatures but other mechanisms
    may be specified as additional options
  • Does not mandate a specific Signature algorithm
  • Does not mandate a specific Certificate Authority;
    entities indicate which CAs they support

18
Key Establishment
  • ISAKMP provides the messages and protocol
    required to support key exchange
  • Does not specify a specific key generating
    algorithm
  • Does not specify a specific key exchange
    algorithm - Entities indicate which algorithms
    they support and wish to use

19
Security Associations
  • ISAKMP provides the messages and protocol to
    establish and maintain security associations
  • Indicates the authentication mechanism
  • Indicates the key exchange mechanism
  • ISAKMP defines the basic set of SA attributes
    that must be implemented

20
ISAKMP Protocol Negotiation
  • Two Phases
  • Establish a key-exchange SA
  • Negotiate security services
  • ISAKMP Protocols are constructed by chaining
    together ISAKMP payloads.

21
ISAKMP Negotiation Phases
  • Phase 1: two entities (servers) agree on how to
    protect further negotiation traffic -> an ISAKMP
    SA is established.
  • Phase 2: the ISAKMP SA is used to protect the
    negotiations for the protocol SAs.

22
Message Architecture
  • Fixed format header
  • One or more payloads
  • The payload fields are chained together

23
Message Header
Generic Payload Header
24
Message Payloads
  • Security Association Payload
  • Proposal Payload
  • Transform Payload
  • Key Exchange Payload
  • Identification Payload
  • Certificate Payload
  • Certificate Request Payload
  • Hash Payload
  • Signature Payload
  • Nonce Payload
  • Notification Payload
  • Notify Payload
  • Delete Payload
  • Vendor ID Payload
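The fixed header and chained payloads described on slides 22 to 24, as an added example that is not part of the original presentation: a parser that walks the payload chain by following each generic payload header's next-payload and length fields, refusing any datagram whose lengths do not add up. Field layouts and type numbers follow RFC 2408; the sample message is constructed here and carries placeholder payload bodies.

```python
import struct

# ISAKMP fixed header (RFC 2408 s.3.1), 28 bytes: initiator cookie (8), responder
# cookie (8), next payload (1), version (1), exchange type (1), flags (1), message ID (4), length (4)
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}

def parse_isakmp(data):
    """Return (header dict, [(payload name, body bytes), ...]). Every length is checked
    before use: a responder must reject an inconsistent chain rather than over-read it."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    ic, rc, nxt, ver, exch, flags, msg_id, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("header length %d != datagram length %d" % (length, len(data)))
    header = {"icookie": ic, "rcookie": rc, "version": (ver >> 4, ver & 0xF),
              "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
              "flags": flags, "msg_id": msg_id}
    payloads, off = [], HEADER_LEN
    while nxt != 0:  # next payload 0 (NONE) ends the chain
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header at %d" % off)
        # generic payload header: next payload (1), reserved (1), payload length (2)
        following, _rsv, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((PAYLOAD_TYPES.get(nxt, "unknown(%d)" % nxt), data[off + 4:off + plen]))
        off, nxt = off + plen, following
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return header, payloads

def build_isakmp(icookie, rcookie, exch, payloads):
    """Chain (type, body) pairs into one message; used here only to construct the sample."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(HEADER_FMT, icookie, rcookie, first, 0x10, exch, 0, 0, HEADER_LEN + len(body))
    return hdr + body
# Constructed sample: first message of a Base exchange (SA + Nonce); responder cookie still zero.
SAMPLE = build_isakmp(b"\x11" * 8, b"\x00" * 8, 1, [(1, b"\x00\x00\x00\x01" + b"\xaa" * 8), (10, b"\x5a" * 16)])
```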

25
Security Issues
  • Common attacks
  • Man-In-The-Middle
  • Denial of Service
  • Connection Hijacking

26
Man-In-The-Middle Attack
  • A situation where a malicious user sits between
    communicating parties and intercepts messages.
    The attacker can modify, insert or delete
    messages.
  • Solutions
  • Strong authentication of the parties prevents the
    risk of establishing an SA with other than
    intended party.
  • During the creation of an SA, deleted messages
    will clear all state so a partial SA won't be
    created.
  • Linking ISAKMP payloads in order to prevent
    insertion of messages.

27
Denial of Service Attack
  • Where a malicious user can render a system
    unusable by overloading the system's resources
  • Solution: Implement an anti-clogging token (ACT)
    or a cookie to protect computer resources.

28
Connection Hijacking Attack
  • A situation where a third party jumps in in the
    middle of a transaction and steals the connection.
  • Solution: Link the authentication, key exchange
    and security association exchanges. The linking
    of exchanges prevents an attacker from jumping in
    after authentication.

29
Conclusion
  • ISAKMP defines a framework for
  • Authentication
  • Key generation and exchange
  • Establishing secure communications
  • It has some fundamental flaws
  • It has been superseded by version 2 of the
    Internet Key Exchange (IKE) Protocol

30
References
  • http://en.wikipedia.org/
  • http://www.ietf.org/rfc/rfc2408.txt
  • http://www.javvin.com/protocolISAKMP.html
  • http://home1.gte.net/res0psau/ipsec-parameters/default-isakmp-ipsec-params.html
  • http://monkey.org/openbsd/archive/tech/9912/msg00215.html

31
Q&A
  • Thank you!