Internet Key Exchange IKE Raj Jain Washington University in Saint Louis Saint Louis MO 63130 Jain cse wustl edu Audio Video recordings of this lecture are available at http www cse wustl edu jain cse571 07 Washington University in St Louis CSE571S 14 1 2007 Raj Jain Overview IKE Phases Main Mode and Aggressive Mode Authentication Methods Session Keys ISAKMP IKE Encoding and Payload types IKE Version 2 Washington University in St Louis CSE571S 14 2 2007 Raj Jain Internet Key Exchange IKE Mutual authentication and establish a shared secret Features Hiding end point identifiers crypto algorithm negotiation Many modes and phases Washington University in St Louis CSE571S 14 3 2007 Raj Jain IKE History Diffie Hellman 1976 Authentication Authenticated Key Exchanges Diffie et al 1992 DoS protection Photuris RFC2522 2523 1994 ISAKMP compatible Oakley RFC2412 1998 IKEv1 ISAKMP RFC2408 1998 Security Framework Profile IPsec DOI RFC2407 1998 IKE RFC2409 1998 Simplification IKEv2 RFC4306 2005 Washington University in St Louis CSE571S 14 4 2007 Raj Jain IKE Phases May need to setup multiple connections with different security properties Two phases Phase 1 Mutual authentication and session keys IKE SA Phase 2 Use results of phase 1 to create multiple associations between the same entities ESP or AH SA IKE SA is bi directional AH and ESP SAs are unidirectional Phase 2 Washington University in St Louis Phase 1 Phase 2 CSE571S 14 5 Phase 2 2007 Raj Jain IKE Main Mode Allows ability to hide end point identifiers and to select crypto algorithms requires 6 messages Washington University in St Louis CSE571S 14 6 2007 Raj Jain IKE Aggressive Mode End points ID not hidden Requires only three messages Washington University in St Louis CSE571S 14 7 2007 Raj Jain IKE Authentication Methods 1 Original Public Key Encryption separately encrypt each field with other sides public key 2 Revised Public Key Encryption Encrypt session key with public key Use session key to encrypt the rest 3 Public key signature 4 Pre shared secret key 4 Methods 2 Modes 8 variants of Phase 1 Washington University in St Louis CSE571S 14 8 2007 Raj Jain Authentication Methods Comparison Public vs Pre shared Public requires sending the certificate first Public key Need to reveal the identity Encryption vs Signature keys Encryption keys may be escrowed Signature keys are not With signature key identity may be revealed to an imposter With encryption keys identity is revealed only to intended entity Washington University in St Louis CSE571S 14 9 2007 Raj Jain Proof of Identity Different for each authentication method Hash key DH value nonces crypto choices Could have been the same for all authentication methods Integrity check does not cover selected crypto algorithm Washington University in St Louis CSE571S 14 10 2007 Raj Jain IKE Phase 1 Cookies Proof of identity in the last message includes hashes of all previous messages Need to remember the crypto choices offered State ISAKMP requires cookies to be unique for each connection from the same IP address Cannot use stateless cookies Connection identifier Initiator cookie responder cookie May end up with the same connection identifier for two connections C1 C2 A Washington University in St Louis C1 C2 CSE571S 14 11 B 2007 Raj Jain DH Parameters Modular exponentiation or Elliptic curves ga mod p Need to select a large prime p and generator g The group identifiers 0 No group 1 A modular exp with a 768 bit modulus 2 A modular exp with a 1024 bit modulus 3 A modular exp with a 1536 bit modulus 4 An elliptic curve group over GF 2155 5 An elliptic curve group over GF 2185 Washington University in St Louis CSE571S 14 12 2007 Raj Jain Well Known Group 1 A 768 bit prime based on digits of 2768 2704 1 264 2638 149686 Decimal value 155251809230070893513091813125848175563133404943451431320235 119490296623994910210725866945387659164244291000768028886422 915080371891804634263272761303128298374438082089019628850917 0691316593175367469551763119843371637221007210577919 Representation in OAKLEY Type of group MODP Size of field element bits 768 Prime modulus Length 32 bit words 24 Washington University in St Louis CSE571S 14 13 2007 Raj Jain Well Known Group 1 Cont Data hex FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF Generator 22 decimal Length 32 bit words 1 See RFC2412 for other well known groups Washington University in St Louis CSE571S 14 14 2007 Raj Jain Negotiating Cryptographic Parameters Allows negotiating encryption DES 3DES IDEA hash MD5 SHA authentication method Pre shared keys DSS DH parameters Must implement DES MD5 and SHA pre shared key modp Need to send allowed combinations Large number of choices In the aggressive mode initiator selects a combination Responder can only reject Can also specify a lifetime in terms of time or number of bytes Washington University in St Louis CSE571S 14 15 2007 Raj Jain IKE Session Keys Phase 1 Integrity key and Encryption Key The two keys are used in the last phase 1 message and all phase 2 messages Note the same keys are used in both directions Reflection attack can cause DoS SKEYID hash DH values nonces cookies preshared secret if any Key seeds prf pseudo random function e g DES CBC or HMAC with two parameters key and data Washington University in St Louis CSE571S 14 16 2007 Raj Jain IKE Session Keys Cont Public Signature Authentication SKEYID prf nonces gxy mod p Public Encryption Authentication SKEYID prf hash nonces cookies Pre share secret key authentication SKEYID prf pre shared secret key nonces SKEYID d prf SKEYID gxy mod p cookies 0 SKEYID a prf SKEYID SKEYID d gxy mod p cookies 1 Integrity Authentication Protection Key SKEYID e prf SKEYID SKEYID a gxy mod p cookies 2 Encryption Key Washington University in St Louis CSE571S 14 17 2007 Raj Jain IKE Session Keys Cont Proof of identity for initiator prf SKEYID gx mod p gy mod p cookies Initial crypto parameter proposal Initiator s Identity Proof of identity for responder prf SKEYID gx mod p gy mod p cookies Initial crypto parameter proposal Responder s Identity Washington University in St Louis CSE571S 14 18 2007 Raj Jain IKE Message IDs IKE messages contain a 32 bit message ID to avoid replay ISAKMP requires these IDs to be randomly chosen Difficult to check for replay Sequence numbers would have been better Washington University in