IKE

1
IKE

• The Internet Key Exchange

Artur Hecker, ENST ParisParis, 01/16/2002
2
IKE description

• Protocol for obtaining authenticated keying
  material for security associations (SAs).
• Definition for the ISAKMP framework
• Is conform to all ISAKMP definitions, such as
• Payload formats
• Timeouts
• Message Encodings
• Retransmits
• Uses parts of Oakley and SKEME protocols

3
IKE phases and modes
Phase 1
Main Mode
establishes an authenticated secure channel
ISAKMP SA
Aggressive Mode
New Group Mode
Phase 2
Quick Mode
negotiates SAs of used services and their
parameters
Informational Mode
4
IKE Phase 1

• Negotiated attributes
• Encryption algorithm
• Hash algorithm
• Authentication method
• Information about a DH group
• Defined attributes
• HMAC version of the negotiated hash algorithm as
  pseudo-random function

5
IKE Phase 1 Requirements

• Attribute MUST-values to be supported SHOULD
• DES in CBC mode , 3DES with weak and semi-weak
  key check
• MD5 and SHA , Tiger
• Authentication via pre-shared keys , Digital
  signatures standard, RSA signatures, RSA auth.
• MODP over group N one and group N two

6
IKE Phase 2

• Main mode identity protect exchange
• Policy negotiation (2)
• DH public values and ancillary date exchange (2)
• Authentication of the exchanged DH values (2)
• Aggressive Mode aggressive exchange
• Policy negotiation, DH public values and
  ancillary data exchange, authentication of
  responder included in the 2nd message (2)
• Authentication of initiator (1)