The document summarizes the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP allows two parties to negotiate a security association (SA) to protect subsequent communications. It operates in two phases: first, the parties negotiate an ISAKMP SA used to securely exchange keying material, and second, the keying material is used to establish SAs for protocols like IPsec. The document describes the ISAKMP negotiation process, key material derived during negotiation like SKEYID, and the structure of ISAKMP message headers.
1. 1
Internet Security Association and Key Management Protocol (ISAKMP)
Mr. RAJASEKAR RAMALINGAM
Faculty - Department of IT, College of Applied Sciences – Sur,
Post Box: 484 Post Code: 411, Sultanate of Oman.
vrrsekar@yahoo.com
2. 2
Presentation Path
1. ISAKMP: Introduction
2. ISAKMP Negotiations
3. Key Material
4. Main mode with Pre-shared secret
5. Message Exchange description
6. ISAKMP Header
3. 3
1. ISAKMP: Introduction
• Two parties, Initiator and Responder, call ISAKMP to establish a common SA (secure channel)
• The protocol runs in two stages:
1. Two peers negotiate a common ISAKMP SA
2. The ISAKMP SA is used to exchange key material for the IPSec SAs (IPSec_AH SA and IPSec_ESP SA)
4. 4
2. ISAKMP Negotiations
• The negotiated attributes are encryption algorithms, hashing algorithms, authentication methods and DH groups for key agreement
• Additionally, a pseudorandom bit generator (PBG) is negotiated
• An ISAKMP SA is bi-directional and provides confidentiality and authenticity
5. 5
3. Key Material
• The primary key, SKEYID, is obtained by one of the following options:
1. $SKEYID = PBG(N_i \,|\, N_r,\; g^{x_i x_y})$ for signatures
2. $SKEYID = PBG(H(N_i \,|\, N_r),\; CKY_i \,|\, CKY_r)$ for public key encryption
3. $SKEYID = PBG(key,\; N_i \,|\, N_r)$ for pre-shared keys
$N_i$, $N_r$ are the nonces, $g^{x_i}$, $g^{x_y}$ are the DH public values, $g^{x_i x_y}$ is the DH shared secret, and $CKY_i$, $CKY_r$ are tokens (also called cookies); $|$ denotes concatenation
SKEYID is the secret key upon which all subsequent keys are based
6. 6
Key Material
• SKEYID is used to obtain specific keys:
1. $SKEYID_d = PBG(SKEYID,\; g^{x_i x_y} \,|\, CKY_i \,|\, CKY_r \,|\, 0)$
2. $SKEYID_a = PBG(SKEYID,\; SKEYID_d \,|\, g^{x_i x_y} \,|\, CKY_i \,|\, CKY_r \,|\, 1)$
3. $SKEYID_e = PBG(SKEYID,\; SKEYID_a \,|\, g^{x_i x_y} \,|\, CKY_i \,|\, CKY_r \,|\, 2)$
• $SKEYID_d$ is used to create keys for SAs of Phase 2 operations (IPSec AH and ESP)
• $SKEYID_a$ is used for data authentication and integrity in the ISAKMP SA
• $SKEYID_e$ is used to encrypt IKE messages in the ISAKMP SA
7. 7
4. Main mode with Pre-shared secret
Exchange 1
Msg #1 Initiator → Responder: ISAKMP Header, SA proposals and transform sets
Msg #2 Responder → Initiator: ISAKMP Header, accepted SA proposal and one transform set
Exchange 2
Msg #3 Initiator → Responder: ISAKMP Header, KE and nonce
Msg #4 Responder → Initiator: ISAKMP Header, KE and nonce
Exchange 3
Msg #5 Initiator → Responder: ISAKMP Header, ID_i and Hash
Msg #6 Responder → Initiator: ISAKMP Header, ID_r and Hash
8. 8
5. Message Exchange description
• First exchange obtains: 1) Initiator Cookie, 2) Responder Cookie and 3) Security suite: ESP-DES and ESP HMAC-MD5
• Second exchange obtains: SKEYID, $SKEYID_d$, $SKEYID_a$, $SKEYID_e$, Nonce and DH key
• Third exchange obtains: $Hash = PBG(SKEYID,\; g^{x_i x_y} \,|\, CKY_i \,|\, CKY_r \,|\, SA_i \,|\, ID_i)$
After the third exchange, phase 2 operation commences.
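The following is an added worked example, not code from the slides or their author. It walks the three main-mode exchanges of slides 7 and 8 with a pre-shared secret and implements the SKEYID options of slide 5, the SKEYID_d/a/e chain of slide 6 and the third-exchange hash of slide 8. It assumes the slides' PBG is an HMAC keyed with its first argument (HMAC-SHA1 here), uses a constructed toy Diffie-Hellman group, and assumes the responder's hash mirrors the initiator's formula with ID_r in place of ID_i; the identities and SA proposal string are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Added worked example, not taken from the slides. It assumes the slides' PBG is
# an HMAC keyed with its first argument (HMAC-SHA1 here) and uses a constructed
# toy Diffie-Hellman group that is far too small for real use.

HASH_NAME = "sha1"
TOY_P = 2**127 - 1   # constructed toy modulus (a Mersenne prime), illustration only
TOY_G = 5            # constructed toy generator


def pbg(key: bytes, data: bytes) -> bytes:
    """The slides' pseudorandom bit generator, assumed to be HMAC(key, data)."""
    return hmac.new(key, data, HASH_NAME).digest()


def int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


# Slide 5: the three options for SKEYID (concatenation written as +).
def skeyid_signature(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    return pbg(ni + nr, gxy)


def skeyid_public_key(ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    return pbg(hashlib.new(HASH_NAME, ni + nr).digest(), cky_i + cky_r)


def skeyid_preshared(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    return pbg(psk, ni + nr)


# Slide 6: SKEYID_d, SKEYID_a and SKEYID_e, each chained on the previous one.
def derive_subkeys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    cookies = cky_i + cky_r
    skeyid_d = pbg(skeyid, gxy + cookies + b"\x00")
    skeyid_a = pbg(skeyid, skeyid_d + gxy + cookies + b"\x01")
    skeyid_e = pbg(skeyid, skeyid_a + gxy + cookies + b"\x02")
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


# Slide 8: the hash of the third exchange, bound to SKEYID, the DH secret,
# both cookies, the initiator's SA proposal and the sender's identity.
def auth_hash(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes,
              sa_i: bytes, identity: bytes) -> bytes:
    return pbg(skeyid, gxy + cky_i + cky_r + sa_i + identity)


def run_main_mode_psk(psk_i: bytes, psk_r=None,
                      sa_i: bytes = b"ESP-DES,ESP-HMAC-MD5",
                      id_i: bytes = b"initiator.example",
                      id_r: bytes = b"responder.example") -> dict:
    """Simulate the three main-mode exchanges; psk_r lets the responder hold a
    different pre-shared secret to show that the third-exchange hash then fails."""
    psk_r = psk_i if psk_r is None else psk_r
    # Exchange 1 (messages 1 and 2): cookies and the SA proposal (carried in sa_i).
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Exchange 2 (messages 3 and 4): KE (DH public value) and nonce in each direction.
    x_i, x_r = secrets.randbelow(TOY_P - 2) + 1, secrets.randbelow(TOY_P - 2) + 1
    pub_i, pub_r = pow(TOY_G, x_i, TOY_P), pow(TOY_G, x_r, TOY_P)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxy_i = int_to_bytes(pow(pub_r, x_i, TOY_P))   # computed by the initiator
    gxy_r = int_to_bytes(pow(pub_i, x_r, TOY_P))   # computed by the responder
    skeyid_i = skeyid_preshared(psk_i, ni, nr)
    skeyid_r = skeyid_preshared(psk_r, ni, nr)
    keys_i = derive_subkeys(skeyid_i, gxy_i, cky_i, cky_r)
    keys_r = derive_subkeys(skeyid_r, gxy_r, cky_i, cky_r)
    # Exchange 3 (messages 5 and 6): each side sends its ID and hash; the peer
    # recomputes the hash with its own SKEYID. Assumption: the responder's hash
    # mirrors the slide's initiator formula with ID_r in place of ID_i.
    hash_i = auth_hash(skeyid_i, gxy_i, cky_i, cky_r, sa_i, id_i)
    hash_r = auth_hash(skeyid_r, gxy_r, cky_i, cky_r, sa_i, id_r)
    initiator_ok = hmac.compare_digest(
        hash_i, auth_hash(skeyid_r, gxy_r, cky_i, cky_r, sa_i, id_i))
    responder_ok = hmac.compare_digest(
        hash_r, auth_hash(skeyid_i, gxy_i, cky_i, cky_r, sa_i, id_r))
    return {
        "shared_secret_agrees": gxy_i == gxy_r,
        "keys_agree": keys_i == keys_r,
        "initiator_authenticated": initiator_ok,
        "responder_authenticated": responder_ok,
        "keys": keys_i,
    }


if __name__ == "__main__":
    good = run_main_mode_psk(b"constructed-shared-secret")
    print("matching secret:", {k: v for k, v in good.items() if k != "keys"})
    for name, key in good["keys"].items():
        print(f"  SKEYID_{name} = {key.hex()}")
    bad = run_main_mode_psk(b"constructed-shared-secret", b"constructed-wrong-secret")
    print("mismatched secret:", {k: v for k, v in bad.items() if k != "keys"})
```

The mismatched-secret run is the point of the third exchange: the DH values still agree, but SKEYID and every key derived from it differ, so the hash the peer recomputes does not match and the ISAKMP SA is not established.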
9. 9
6. ISAKMP Header
Fields in transmission order:
Initiator Cookie: 64 bit
Responder Cookie: 64 bit
Next Payload: 8 bit | MJ Ver: 4 bit | MN Ver: 4 bit | Exch Type: 8 bit | Flags: 8 bit (32 bit in total)
Message ID: 32 bit
Length: 32 bit
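As an added example (not from the slides), the 28-byte header above packed and parsed with the fields in the order listed; the exchange-type and flag constants are the RFC 2408 values, and the cookies and payload bytes used are constructed samples. The parser checks the Length field against the bytes actually received before it is used to slice the payload.

```python
import struct

# Added example, not from the slides: packs and parses the 28-byte ISAKMP header
# in the order the slide lists its fields. Cookie and payload bytes are constructed.

HEADER_FMT = "!8s8sBBBBII"                  # network byte order
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 28 bytes

EXCH_IDENTITY_PROTECTION = 2                # exchange type used by main mode
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04


def build_header(cky_i: bytes, cky_r: bytes, next_payload: int, exch_type: int,
                 flags: int, message_id: int, length: int,
                 major: int = 1, minor: int = 0) -> bytes:
    """Pack one header; length is the size of the whole message, header included."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("cookies are 64-bit fields")
    if length < HEADER_LEN:
        raise ValueError("length must cover at least the header")
    version = ((major & 0x0F) << 4) | (minor & 0x0F)   # MJ Ver high nibble, MN Ver low
    return struct.pack(HEADER_FMT, cky_i, cky_r, next_payload, version,
                       exch_type, flags, message_id, length)


def parse_header(datagram: bytes) -> dict:
    """Unpack a header and refuse a Length field the received bytes cannot back."""
    if len(datagram) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes, got {len(datagram)}")
    (cky_i, cky_r, next_payload, version, exch_type,
     flags, message_id, length) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major != 1:
        raise ValueError(f"unsupported major version {major}")
    if length < HEADER_LEN or length > len(datagram):
        # A Length below the header size or beyond the datagram must be rejected
        # before any payload offset is computed from it.
        raise ValueError(f"length field {length} inconsistent with "
                         f"{len(datagram)} received bytes")
    return {
        "initiator_cookie": cky_i, "responder_cookie": cky_r,
        "next_payload": next_payload, "major": major, "minor": minor,
        "exchange_type": exch_type, "flags": flags,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": message_id, "length": length,
        "payload": datagram[HEADER_LEN:length],
    }


def is_phase1_first_message(hdr: dict) -> bool:
    """Message 1 of main mode carries a zero responder cookie and a zero message ID."""
    return hdr["responder_cookie"] == bytes(8) and hdr["message_id"] == 0


if __name__ == "__main__":
    sa_payload = b"\x00" * 12                  # constructed stand-in for an SA payload
    hdr = build_header(b"\x11" * 8, bytes(8), next_payload=1,   # 1 = SA payload
                       exch_type=EXCH_IDENTITY_PROTECTION, flags=0,
                       message_id=0, length=HEADER_LEN + len(sa_payload))
    parsed = parse_header(hdr + sa_payload)
    print(parsed, is_phase1_first_message(parsed))
    try:
        parse_header(hdr + sa_payload[:5])    # Length says 40, only 33 bytes arrived
    except ValueError as err:
        print("rejected:", err)
```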