14-1©2007 Raj JainCSE571SWashington University in St. LouisInternet Key Internet Key Exchange (IKE)Exchange (IKE)Raj Jain Washington University in Saint LouisSaint Louis, MO [email protected]/Video recordings of this lecture are available at:http://www.cse.wustl.edu/~jain/cse571-07/14-2©2007 Raj JainCSE571SWashington University in St. LouisOverviewOverview IKE Phases Main Mode and Aggressive Mode Authentication Methods Session Keys ISAKMP/IKE Encoding and Payload types IKE Version 214-3©2007 Raj JainCSE571SWashington University in St. LouisInternet Key Exchange (IKE)Internet Key Exchange (IKE) Mutual authentication and establish a shared secret Features: Hiding end point identifiers, crypto algorithm negotiation Many modes and phases14-4©2007 Raj JainCSE571SWashington University in St. LouisIKE HistoryIKE HistoryDiffie-Hellman (1976)Authenticated Key Exchanges(Diffie et al 1992)Photuris (RFC2522/2523, 1994)Oakley (RFC2412, 1998)IKE (RFC2409, 1998)IKEv2 (RFC4306, 2005)ISAKMP (RFC2408, 1998)AuthenticationDoS protectionISAKMP compatibleSimplificationSecurity FrameworkIKEv1IPsec DOI (RFC2407, 1998)Profile14-5©2007 Raj JainCSE571SWashington University in St. LouisIKE PhasesIKE Phases May need to setup multiple connections with different security properties ⇒ Two phases Phase 1: Mutual authentication and session keys = IKE SA Phase 2: Use results of phase 1 to create multiple associations between the same entities = ESP or AH SA IKE SA is bi-directional AH and ESP SAs are unidirectionalPhase 1Phase 2 Phase 2 Phase 214-6©2007 Raj JainCSE571SWashington University in St. LouisIKE Main ModeIKE Main Mode Allows ability to hide end-point identifiers and to select crypto algorithms ⇒ requires 6 messages14-7©2007 Raj JainCSE571SWashington University in St. LouisIKE Aggressive ModeIKE Aggressive Mode End-points ID not hidden ⇒ Requires only three messages14-8©2007 Raj JainCSE571SWashington University in St. LouisIKE Authentication MethodsIKE Authentication Methods1. Original Public Key Encryption (separately encrypt each field with other sides public key)2. Revised Public Key Encryption (Encrypt session key with public key. Use session key to encrypt the rest)3. Public key signature4. Pre-shared secret key4 Methods × 2 Modes = 8 variants of Phase 114-9©2007 Raj JainCSE571SWashington University in St. LouisAuthentication Methods: ComparisonAuthentication Methods: Comparison Public vs. Pre-shared: Public requires sending the certificate first Public key: Need to reveal the identity Encryption vs. Signature keys: Encryption keys may be escrowed. Signature keys are not. With signature key, identity may be revealed to an imposter. With encryption keys, identity is revealed only to intended entity.14-10©2007 Raj JainCSE571SWashington University in St. LouisProof of IdentityProof of Identity Different for each authentication method Hash(key, DH value, nonces, crypto choices) Could have been the same for all authentication methods Integrity check does not cover selected crypto algorithm14-11©2007 Raj JainCSE571SWashington University in St. LouisIKE Phase 1 CookiesIKE Phase 1 Cookies Proof of identity in the last message includes hashes of all previous messages Need to remember the crypto choices offered ⇒ State ISAKMP requires cookies to be unique for each connection from the same IP address ⇒ Cannot use stateless cookies Connection identifier = <Initiator cookie, responder cookie> ⇒ May end up with the same connection identifier for two connectionsA BC1, C2C1, C214-12©2007 Raj JainCSE571SWashington University in St. LouisDH ParametersDH Parameters Modular exponentiation or Elliptic curves gamod p ⇒ Need to select a large prime p and generator g The group identifiers:¾ 0 = No group¾ 1 = A modular exp with a 768 bit modulus¾ 2 = A modular exp with a 1024 bit modulus¾ 3 = A modular exp with a 1536 bit modulus¾ 4 = An elliptic curve group over GF[2155]¾ 5 = An elliptic curve group over GF[2185]14-13©2007 Raj JainCSE571SWashington University in St. LouisWellWell--Known Group 1Known Group 1 A 768 bit prime based on digits of π 2768-2704-1 + 264× { [2638π] + 149686} Decimal value:1552518092300708935130918131258481755631334049434514313202351194902966239949102107258669453876591642442910007680288864229150803718918046342632727613031282983744380820890196288509170691316593175367469551763119843371637221007210577919Representation in OAKLEY Type of group: "MODP" Size of field element (bits): 768 Prime modulus:¾ Length (32 bit words): 2414-14©2007 Raj JainCSE571SWashington University in St. LouisWellWell--Known Group 1 (Cont)Known Group 1 (Cont)¾ Data (hex):FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD129024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DDEF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF Generator: 22 (decimal)¾ Length (32 bit words): 1 See RFC2412 for other well-known groups.14-15©2007 Raj JainCSE571SWashington University in St. LouisNegotiating Cryptographic ParametersNegotiating Cryptographic Parameters Allows negotiating encryption (DES, 3DES, IDEA), hash (MD5, SHA), authentication method (Pre-shared keys, DSS), DH parameters Must implement: DES, MD5 and SHA, pre-shared key, modp Need to send allowed combinations ⇒ Large number of choices In the aggressive mode, initiator selects a combination. Responder can only reject Can also specify a lifetime in terms of time or number of bytes14-16©2007 Raj JainCSE571SWashington University in St. LouisIKE Session KeysIKE Session Keys Phase 1 ⇒ Integrity key and Encryption Key The two keys are used in the last phase 1 message and all phase 2 messages Note the same keys are used in both directions ⇒ Reflection attack can cause DoS SKEYID = hash (DH values, nonces, cookies, pre-shared secret if any) ⇒ Key seeds prf = pseudo random function (e.g., DES CBC, or HMAC) with two parameters - key and data14-17©2007 Raj JainCSE571SWashington University in St. LouisIKE Session Keys (Cont)IKE Session Keys (Cont) Public Signature Authentication: SKEYID = prf(nonces, gxymod p) Public Encryption Authentication: SKEYID = prf(hash(nonces), cookies) Pre-share secret key authentication: SKEYID = prf(pre-shared secret key, nonces) SKEYID_d = prf(SKEYID, (gxymod p| cookies | 0)) SKEYID_a =
View Full Document