ISAKMP - PowerPoint PPT Presentation
Title:
ISAKMP
Description:
ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures – PowerPoint PPT presentation
Number of Views:104
Avg rating:3.0/5.0
Title: ISAKMP
1
ISAKMP
- RFC 2408
- Internet Security Association Key Management
Protocol - Protocol
- Establish, modify, and delete SAs
- Negotiate crypto keys
- Procedures
- Authentication of peers
- Threat mitigation
2
ISAKMP
- Defines procedures and packet formats to deal
with SAs and keys - Provides a framework for secure communication on
the Internet - Does not specify algorithms, formats, or
protocols - ISAKMP is a framework in which a specific secure
communication definition can be implemented
3
ISAKMP
- Security Associations
- Authentication
- Public Key Cryptography
- Protection
- DoS Anti-Clogging
- Hijacking a connection
- Man in the middle attacks
4
ISAKMP Terminology
- DOI Domain Of Interpretation defines payload
formats, exchange types, naming conventions
5
IISAKMP Phases
- Phase 1 Two entities agree on how to protect
further negotiation traffic. They negotiate an
ISAKMP SA for an authenticated and secure channel - Phase 2The phase 1 secure channel is used to
negotiate security services for IPSec.
6
ISAKMP Header
Initiator Cookie
Responder Cookie
Major Version
Minor Version
Exchange Type
Flags
Next Payload
Message ID
Length
7
Header Fields
- Initiator Cookie (8 octets) Cookie of entity
that initiated SA establishment, notification or
deletion. - Responder Cookie (8 octets) Cookie of the
responder - Next Payload (1 octet) Type of first payload
- Major/Minor Version (4 bits each) Version of
ISAKMP in use - Exchange Type (1 octet) Type of exchange being
used - Flags (1 octet) More stinking flags, encrypt,
commit authentication only - Message ID (4 octets) Unique ID to identify
things in Phase 2 - Length (4 octets) Length of total message
(headers payloads)
8
Next Payload Types
Next Payload Type Value Hash 8 Signature 9 Nonce 1
0 Notification 11 Delete 12 Vendor
ID 13 Reserved 14 127 Private Use 128 - 255
- Next Payload Type Value
- NONE 0
- SA 1
- Proposal 2
- Transform 3
- Key Exchange 4
- Identification 5
- Certificate 6
- Cert Request 7
9
Exchange Types
Exchange Type Value ISAKMP Future Use 6 - 31 DOI
Specific Use 32 127 Private Use 128 - 255
- Exchange Type Value
- NONE 0
- Base 1
- Id Protection 2
- Auth Only 3
- Aggressive 4
- Informational 5
10
Generic Payload Header
Payload Length
Reserved
Next Payload
Payload Data
11
SA Payload
Payload Length
Reserved
Next Payload
Domain of Interpretation (DOI)
Situation
DOI (4 octets) Identifies the DOI under which
this negotiation is taking place. A value of 0
(zero) during Phase 1 specifies a Generic ISAKMP
SA which can be used for any protocol during
Phase 2. Situation - A DOI-specific field that
identifies the situation under which this
negotiation is taking place.
12
Proposal Payload
Payload Length
Reserved
Next Payload
Proposal No.
Proposal ID
SPI Size
No. of Transforms
SPI (variable)
13
Proposal Payload
- Payload Length (2 octets) Length is octets of
the entire Proposal payload including the generic
payload header, the Proposal payload, and all
Transform payloads associated with this proposal. - Proposal No. - Identifies the Proposal number for
the current payload. - Proposal ID Specifies the protocol identifier
such as IPSEC ESP, IPSEC AH, OSPF, TLS, etc. - SPI Size Length in octets of the SPI as defined
by the Protocol ID. - No. of Transforms Specifies the number of
transforms for the proposal. - SPI (variable) The sending entity's SPI.
14
Transform Payload
Payload Length
Reserved
Next Payload
Transform No.
Transform ID
Reserved2
SA Attributes
15
Transform Payload
- Payload Length (2 octets) Length is octets of
the current payload, including the generic
payload header, Transform values, and all SA
attributes - Transform No. - Identifies the Transform number
for the current payload. - Transform ID Specifies the Transform
identifier fmor the protocol within the current
proposal. - Reserved 2 (2 octets) Set to zero.
- SA Attributes (Variable length) SA attributes
should be represented using the Data Attributes
format.
16
Key Exchange Payload
Payload Length
Reserved
Next Payload
Key Exchange Data
Key Exchange Data (variable length) Data
required to generate a session key. This data is
specified by the DOI and the associated Key
Exchange algorithm.
17
Certificate Payload
Payload Length
Reserved
Next Payload
Cert Encoding
Key Exchange Data
Cert Encoding (1 octet) Indicates the type of
certificate contained in the Certificate field.
18
Certificate Types
Certificate Type Value Kerberos Token 6 Cert
Revoc List 7 Authority Revoc List 8 SPKI
Cert. 9 X.509 Cert Attribute 10 Reserved 11 -
255
- Certificate Type Value
- NONE 0
- PKCS 7 1
- PGP Certificate 2
- DNS Signed Key 3
- X.509 Cert - Signature 4
- X.509 Cert Key Exchange 5
19
Other Payloads
Payload Length
Reserved
Next Payload
Hash Data
Payload Length
Reserved
Next Payload
Signature Data
Payload Length
Reserved
Next Payload
Nonce Data
20
Notification Payload
Payload Length
Reserved
Next Payload
DOI
Protocol ID
SPI Size
Notify Message Type
SPI
Notification Data
21
Notify Messages
Errors
Value INVALID-PAYLOAD-TYPE
1 DOI-NOT-SUPPORTED
2
SITUATION-NOT-SUPPORTED 3
INVALID-COOKIE 4
INVALID-MAJOR-VERSION 5
INVALID-MINOR-VERSION 6
INVALID-EXCHANGE-TYPE 7
INVALID-FLAGS 8
INVALID-MESSAGE-ID 9
INVALID-PROTOCOL-ID 10
INVALID-SPI
11 INVALID-TRANSFORM-ID
12 ATTRIBUTES-NOT-SUPPORTED
13 NO-PROPOSAL-CHOSEN
14 BAD-PROPOSAL-SYNTAX
15
Errors
Value PAYLOAD-MALFORMED
16 INVALID-KEY-INFORMATION
17 INVALID-ID-INFORMATION
18 INVALID-CERT-ENCODIN
G 19
INVALID-CERTIFICATE 20
CERT-TYPE-UNSUPPORTED 21
INVALID-CERT-AUTHORITY 22
INVALID-HASH-INFORMATION 23
AUTHENTICATION-FAILED 24
INVALID-SIGNATURE 25
ADDRESS-NOTIFICATION 26
NOTIFY-SA-LIFETIME 27
CERTIFICATE-UNAVAILABLE
28 UNSUPPORTED-EXCHANGE-TYPE
29 UNEQUAL-PAYLOAD-LENGTHS
30 RESERVED (Future Use)
31 - 8191 Private Use
8192 16383
22
ISAKMP Message Construction
Initiator Cookie
Responder Cookie
Major Version
Minor Version
Exchange Type
Flags
NP KE
Message ID
Total Message Length
KE Payload Length
Reserved
NP Nonce
Key Exchange Data
Nonce Payload Length
Reserved
NP 0
Nonce Data
23
Proposal Syntax
Proposal Transform Transform Proposal
Transform
Proposals with the same Proposal number are
taken as a logical AND. Proposals with different
numbers are taken as a logical OR. Different
Transform within a proposal are taken as a
logical OR.
24
Proposal Example
Proposal 1 AH Transform 1 HMAC-SHA Transform
2 HMAC-MD5 Proposal 2 ESP Transform 1 3DES
with HMAC-SHA Transform 2 3DES with
HMAC-MD5 Transform 3 AES with
HMAC-SHA-256 Proposal 3 ESP Transform 1 3DES
with HMAC-SHA Proposal 4 PCP Transform 1 LZS
25
Exchange Types
Exchange Type Value ISAKMP Future Use 6 - 31 DOI
Specific Use 32 127 Private Use 128 - 255
- Exchange Type Value
- NONE 0
- Base 1
- Id Protection 2
- Auth Only 3
- Aggressive 4
- Informational 5
26
Base Exchange
- Initiator Direction Responder Note
- Header, SA, Nonce gt Begin ISAKMP-SA
negotiation - lt HDR, SA, Nonce Basic SA agreed upon
- Header, KE, Idii, Auth gt Key generated by
responder - Initiator Ident verified
- lt HDR, KE, Idir, Auth Responder Ident
verified - Initiator key generated, SA est.
Recommended
CrystalGraphics Presentations
