1
Methods and Protocols for Secure Key Negotiation Using IKE
Author: Michael S. Borella, 3Com Corp.
2
Outline
What is IKE
Introduction of Diffie-Hellman
How IKE does secure key negotiation
Conclusion
3
What is IKE
Internet Key Exchange
Default IPSec method for secure key negotiation
Based on Diffie-Hellman
Allows two entities to derive a session key with authentication
4
Diffie-Hellman introduction
A chooses X, g, n                          B chooses Y
        g, n, g^X mod n            -->
        <--            g^Y mod n
A computes (g^Y)^X mod n                   B computes (g^X)^Y mod n
Shared secret key: g^XY mod n
5
Diffie-Hellman introduction(cont.)
Man-in-the-middle attack
A chooses X, g, n          C chooses Z          B chooses Y
A --> C : g, n, g^X mod n
C --> B : g, n, g^Z mod n
B --> C : g^Y mod n
C --> A : g^Z mod n
A computes (g^Z)^X mod n
B computes (g^Z)^Y mod n
6
How IKE does secure key negotiation
Diffie-Hellman disadvantages
– Man-in-the-middle attack
– Denial of Service
IKE can solve these problems. How?
Solving the man-in-the-middle attack
– authentication
Solving the Denial of Service attack
– cookie
7
How IKE does secure key negotiation (cont.)
Cookie – how does it solve the DoS attack?
Initiator                                  Responder
generate CI
        CI                         -->
                                           generate CR
        <--                        CR
choose g, p; generate x
        CI, CR, g^x mod p          -->
                                           generate y
        <--        CI, CR, g^y mod p
8
How IKE does secure key negotiation (cont.)
Cookie
If either the initiator or the responder receives a cookie pair from an IP address not associated with that cookie pair, the message will be discarded.
The cookie pair uniquely identifies a particular key exchange among the several that may take place between two hosts.
9
How IKE does secure key negotiation (cont.)
IKE phase 1
– Creates an IKE SA
– Establishes a secure channel so that phase 2 negotiation can occur privately
IKE phase 2
– Establishes IPSec SAs (ESP, AH) to protect non-IKE sessions
10
How IKE does secure key negotiation (cont.)
11
IKE phase1 detailed
Phase 1
– Main Mode
  • Identity protection
– Aggressive Mode
  • Reduce round trips
– Authentication with
  • Pre-shared key
  • Signatures
  • Public Key Encryption
  • Revised Public Key Encryption
12
IKE phase1 detailed(cont.)
Negotiation
Initiator                                  Responder
Generate CI
(1) CI, ISAI                       -->
                                           Generate CR
                                   <--     (2) CI, CR, ISAR
        :
(1) Proposal: ENC = DES or 3DES, AUTH = MD5
    Proposal: ENC = 3DES, AUTH = MD5
(2) Proposal: ENC = 3DES, AUTH = MD5
13
IKE phase1 detailed(cont.)
SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
14
IKE phase1 detailed(cont.)
Pre-shared key; Main mode
Initiator                                  Responder
-----------                                -----------
CI, ISAI                           -->
                                   <--     CI, CR, ISAR
CI, CR, g^x, NI                    -->
                                   <--     CI, CR, g^y, NR
*CI, CR, IDI, HASHI                -->
                                   <--     *CI, CR, IDR, HASHR
15
IKE phase1 detailed(cont.)
Pre-shared key; Aggressive mode
Initiator                                  Responder
-----------                                -----------
CI, ISAI, g^x, NI, IDI             -->
                                   <--     CI, CR, ISAI, g^y, NR, IDR, HASHR
CI, CR, HASHI                      -->
SKEYID = prf(PSKEY, NI | NR)
HASHI = prf(SKEYID, g^x | g^y | CI | CR | ISAI | IDI)
HASHR = prf(SKEYID, g^x | g^y | CR | CI | ISAI | IDI)
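The pre-shared-key derivation on this slide, together with the SKEYID_d / SKEYID_a / SKEYID_e formulas from slide 13, as an added Python example (not part of the original slides). Assumptions: prf is HMAC-MD5, the Diffie-Hellman group is a constructed toy group, and the ISAI and IDI payload bodies are constructed placeholder byte strings.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (assumption): p = 2**127 - 1 is prime, g = 3.
# Real IKE negotiates one of the standardized MODP groups.
P, G = 2**127 - 1, 3

def prf(key: bytes, msg: bytes) -> bytes:
    # Assumption: prf = HMAC-MD5, following AUTH = MD5 in the sample proposal.
    return hmac.new(key, msg, hashlib.md5).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")  # fixed-width encoding of a group element

def derive_keys(psk, ni, nr, gxy, ci, cr):
    """SKEYID and SKEYID_d/_a/_e as written on the slides."""
    skeyid = prf(psk, ni + nr)
    tail = i2b(gxy) + ci + cr
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def hash_i(skeyid, gx, gy, ci, cr, sai, idi):
    """HASHI = prf(SKEYID, g^x | g^y | CI | CR | ISAI | IDI)."""
    return prf(skeyid, i2b(gx) + i2b(gy) + ci + cr + sai + idi)

def run_exchange(psk_initiator: bytes, psk_responder: bytes):
    """Return (responder accepts HASHI, both sides hold the same keys)."""
    ci, cr = secrets.token_bytes(8), secrets.token_bytes(8)    # cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonces
    x, y = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    gx, gy = pow(G, x, P), pow(G, y, P)
    # Constructed placeholders for the SA and identity payload bodies.
    sai, idi = b"ENC=3DES,AUTH=MD5", b"initiator.example"
    keys_i = derive_keys(psk_initiator, ni, nr, pow(gy, x, P), ci, cr)
    keys_r = derive_keys(psk_responder, ni, nr, pow(gx, y, P), ci, cr)
    sent = hash_i(keys_i[0], gx, gy, ci, cr, sai, idi)
    expected = hash_i(keys_r[0], gx, gy, ci, cr, sai, idi)
    return hmac.compare_digest(sent, expected), keys_i == keys_r

if __name__ == "__main__":
    print("same PSK:     ", run_exchange(b"shared secret", b"shared secret"))
    print("different PSK:", run_exchange(b"shared secret", b"guess"))
```

A peer that does not hold the pre-shared key cannot compute SKEYID, so the HASHI it sends fails the responder's check even though the Diffie-Hellman exchange itself completes.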
16
IKE phase1 detailed(cont.)
Signatures; Main mode
Initiator                                  Responder
-----------                                -----------
CI, ISAI                           -->
                                   <--     CI, CR, ISAR
CI, CR, g^x, NI                    -->
                                   <--     CI, CR, g^y, NR
*CI, CR, IDI, SIGI                 -->
                                   <--     *CI, CR, IDR, SIGR
17
IKE phase1 detailed(cont.)
Signatures; Aggressive mode
Initiator                                  Responder
-----------                                -----------
CI, ISAI, g^x, NI, IDI             -->
                                   <--     CI, CR, ISAR, g^y, NR, IDR, SIGR
CI, CR, SIGI                       -->
SKEYID = prf(NI | NR, g^xy)
SIGI = PRVKEYI(HASHI)
SIGR = PRVKEYR(HASHR)
18
IKE phase1 detailed(cont.)
Public key; Main mode
Initiator                                  Responder
-----------                                -----------
CI, ISAI                           -->
                                   <--     CI, CR, ISAR
CI, CR, g^x, [HASH(1),]
PUBKEYR(IDI), PUBKEYR(NI)          -->
                                   <--     CI, CR, g^y, PUBKEYI(IDR), PUBKEYI(NR)
*CI, CR, HASHI                     -->
                                   <--     *CI, CR, HASHR
19
IKE phase1 detailed(cont.)
Public key; Aggressive mode
Initiator                                  Responder
-----------                                -----------
CI, ISAI, g^x,
PUBKEYR(IDI),
PUBKEYR(NI)                        -->
                                   <--     CI, CR, ISAR, g^y, PUBKEYI(IDR), PUBKEYR(NR), HASHR
CI, CR, HASHI                      -->
SKEYID = prf(hash(NI | NR), CI | CR)
20
IKE phase2 detailed
Quick Mode
Initiator                                  Responder
-----------                                -----------
*CI, CR, HASH(1), SAI, NI
[, g^x] [, IDI, IDR]               -->
                                   <--     *CI, CR, HASH(2), SAR, NR [, g^y] [, IDI, IDR]
*CI, CR, HASH(3)                   -->
21
IKE phase2 detailed(cont.)
With PFS
HASH(1) = prf(SKEYID_a, M-ID | SAI | NI)
HASH(2) = prf(SKEYID_a, M-ID | SAR | NI | NR)
HASH(3) = prf(SKEYID_a, 0 | M-ID | NI | NR)
NEWKEY = prf(SKEYID_d, g^xy | protocol | SPI | NI | NR)
Without PFS
HASH(1) = prf(SKEYID_a, M-ID | SAI | NI | x | IDI | IDR)
HASH(2) = prf(SKEYID_a, M-ID | SAR | NI | NR | y | IDI | IDR)
HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
NEWKEY = prf(SKEYID_d, protocol | SPI | NI | NR)
22
Conclusion
IKE is very complex
Hard to evaluate its security and performance