1

Methods and Protocols for Secure Key Negotiation Using IKE

Author : Michael S. Borella , 3Com Corp.

2

Outline

What is IKE Introduction of Diffie-Hellman How IKE do the secure Key negotiation Conclusion

3

What is IKE

Internet Key Exchange Default IPSec method for secure key

negotiation Based-on Diffie-Hellman Allow two entities to derive session key

with authentication

4

Diffie-Hellman introduction

A 選擇 X,g,n B 選擇 Y

g ,n , gX mod n

B 計算 (gX)Y mod nA 計算 (gY)X mod n

gY mod n

Shared secret key : gXY mod n

5

Diffie-Hellman introduction(cont.)

A 選擇 X,g,n B 選擇 Y

g , n , gX mod n

B 計算 (gZ)Y mod n

A 計算 (gZ)X mod n

gZ mod n

C 選擇 Z

g , n , gZ mod n

gY mod n

Man-in-the-middle-attack

6

How IKE do the secure Key negotiation

Diffie-Hellman disadvantages– Man-in-the-middle attack– Denial of Service

IKE can solve these problem!! How?? Solving man-in-the-middle attack

– authentication

Solving Denial of Service attack– cookie

7

How IKE do the secure Key negotiation(cont.) Cookie – How to solve DoS attack??

CI

CR

產生 CI

產生 CR

選擇 g,p產生 x

CI , CR , gx mod p

產生 yCI , CR , gy mod p

8

How IKE do the secure Key negotiation(cont.) Cookie If either the initiator or the responder

receives a cookie pair from an IP address not associated with that cookie pair , the message will be discarded

Uniquely identifying a particular key exchange among several may take place between two hosts

9

How IKE do the secure Key negotiation(cont.) IKE phase1

– Creates an IKE SA– Establish a secure channel so that that phase2

negotiation can occur privately

IKE phase2– Establishing IPSec SA(ESP,AH) to protect

non-IKE sessions

10

How IKE do the secure Key negotiation(cont.)

11

IKE phase1 detailed

Phase 1– Main Mode

• Identity protection

– Aggressive Mode• Reduce round trips

– Authentication with• Pre-shared key

• Signatures

• Public Key Encryption

• Revised Public Key Encryption

12

IKE phase1 detailed(cont.)

Negotiation

Generate CI(1)CI , ISAI

Generate CR(2)CI , CR , ISAR

::

(1)Proposal:ENC = DES or 3DES , AUTH = MD5 Proposal:ENC = 3DES , AUTH = MD5

(2)Proposal:ENC = 3DES , AUTH = MD5

13

IKE phase1 detailed(cont.)

SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R |

1) SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

14

IKE phase1 detailed(cont.)

Pre-shared key ; Main mode Initiator Responder

---------- -----------CI,ISAI --> <-- CI,CR, ISAR

CI,CR, gx, NI --> <-- CI,CR, gy, NR

*CI,CR, IDI,HASHI --> <-- *CI,CR, IDR,HASHR

15

IKE phase1 detailed(cont.)

Pre-shared key ; Aggressive mode Initiator Responder

----------- -----------CI,ISAI,gx, NI, IDI --> <-- CI,CR,ISAI,gy,NR, IDR,HASHR

CI,CR,HASHI -->

SKEYID = prf(PSKEY , NI | NR)

HASHI = prf(SKEYID,gx | gy | CI | CR | ISAI | IDI)

HASHR = prf(SKEYID, gx | gy | CR | CI | ISAI | IDI )

16

IKE phase1 detailed(cont.)

Signatures ; Main mode Initiator Responder

----------- -----------CI, ISAI --> <-- CI,CR,ISAR

CI,CR,gx,NI --> <-- CI,CR,gy,NR

*CI,CR,IDI,SIGI --> <-- *CI,CR,IDR,SIGR

17

IKE phase1 detailed(cont.)

Signatures ; Aggressive mode Initiator Responder

----------- -----------CI,ISAI,gx,NI,IDI --> <-- CI,CR,ISAR,gy,NR,IDR,SIGR CI,CR,SIGI -->

SKEYID = prf(NI | NR,gxy) SIGI = PRVKEYI(HASHI)

SIGR = PRVKEYR(HASHR)

18

IKE phase1 detailed(cont.)

public key ; Main mode Initiator Responder

----------- -----------CI,ISAI --> <-- CI,CR,ISAR

CI,CR,gx,[ HASH(1),]PUBKEYR(IDI),PUBKEYR(NI) --> CI,CR,gy,PUBKEYI(IDR), <-- PUBKEYI(NR)*CI,CR,HASHI --> <-- *CI,CR,HASHR

19

IKE phase1 detailed(cont.)

public key ; Aggressive mode Initiator Responder

----------- -----------CI,ISAI,gx

PUBKEYR(IDI

PUBKEYR(NI) --> CI,CR,ISAR,gy, PUBKEYI(IDR), <-- PUBKEYR(NR), HASHR

CI,CR,HASHI -->

SKEYID = prf(hash(NI | NR), CI | CR)

20

IKE phase2 detailed

Quick Mode Initiator Responder

----------- ----------- *CI,CR,HASH(1),SAI, NI, [, gx ] [, IDI, IDR ] --> <-- *CI,CR,HASH(2),SAR, NR, [, gy ] [, IDI,IDR ]

*CI,CR,HASH(3) -->

21

IKE phase2 detailed(cont.)

With PFS HASH(1) = prf(SKEYID_a, M-ID | SAI | NI )

HASH(2) = prf(SKEYID_a, M-ID | SAR | NI|NR)

HASH(3) = prf(SKEYID_a, 0 | M-ID | NI | NR)

NEWKEY = prf(SKEYID_d, gxy | protocol | SPI | NI | NR)

Without PFS HASH(1) = prf(SKEYID_a, M-ID | SAI | NI | x | IDI | IDR )

HASH(2) = prf(SKEYID_a, M-ID | SAR | NI | NR | y | IDI | IDR )

HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) NEWKEY = prf(SKEYID_d, protocol | SPI | NI | NR).

22

conclusion

IKE is vary complexity Hard to evaluate it’s security and

performance