14-1©2007 Raj JainCSE571SWashington University in St. LouisInternet Key Internet Key Exchange (IKE)Exchange (IKE)Raj Jain Washington University in Saint LouisSaint Louis, MO [email protected]/Video recordings of this lecture are available at:http://www.cse.wustl.edu/~jain/cse571-07/14-2©2007 Raj JainCSE571SWashington University in St. LouisOverviewOverview IKE Phases Main Mode and Aggressive Mode Authentication Methods Session Keys ISAKMP/IKE Encoding and Payload types IKE Version 214-3©2007 Raj JainCSE571SWashington University in St. LouisInternet Key Exchange (IKE)Internet Key Exchange (IKE) Mutual authentication and establish a shared secret Features: Hiding end point identifiers, crypto algorithm negotiation Many modes and phases14-4©2007 Raj JainCSE571SWashington University in St. LouisIKE HistoryIKE HistoryDiffie-Hellman (1976)Authenticated Key Exchanges(Diffie et al 1992)Photuris (RFC2522/2523, 1994)Oakley (RFC2412, 1998)IKE (RFC2409, 1998)IKEv2 (RFC4306, 2005)ISAKMP (RFC2408, 1998)AuthenticationDoS protectionISAKMP compatibleSimplificationSecurity FrameworkIKEv1IPsec DOI (RFC2407, 1998)Profile14-5©2007 Raj JainCSE571SWashington University in St. LouisIKE PhasesIKE Phases May need to setup multiple connections with different security properties ⇒ Two phases Phase 1: Mutual authentication and session keys = IKE SA Phase 2: Use results of phase 1 to create multiple associations between the same entities = ESP or AH SA IKE SA is bi-directional AH and ESP SAs are unidirectionalPhase 1Phase 2 Phase 2 Phase 214-6©2007 Raj JainCSE571SWashington University in St. LouisIKE Main ModeIKE Main Mode Allows ability to hide end-point identifiers and to select crypto algorithms ⇒ requires 6 messages14-7©2007 Raj JainCSE571SWashington University in St. LouisIKE Aggressive ModeIKE Aggressive Mode End-points ID not hidden ⇒ Requires only three messages14-8©2007 Raj JainCSE571SWashington University in St. LouisIKE Authentication MethodsIKE Authentication Methods1. Original Public Key Encryption (separately encrypt each field with other sides public key)2. Revised Public Key Encryption (Encrypt session key with public key. Use session key to encrypt the rest)3. Public key signature4. Pre-shared secret key4 Methods × 2 Modes = 8 variants of Phase 114-9©2007 Raj JainCSE571SWashington University in St. LouisAuthentication Methods: ComparisonAuthentication Methods: Comparison Public vs. Pre-shared: Public requires sending the certificate first Public key: Need to reveal the identity Encryption vs. Signature keys: Encryption keys may be escrowed. Signature keys are not. With signature key, identity may be revealed to an imposter. With encryption keys, identity is revealed only to intended entity.14-10©2007 Raj JainCSE571SWashington University in St. LouisProof of IdentityProof of Identity Different for each authentication method Hash(key, DH value, nonces, crypto choices) Could have been the same for all authentication methods Integrity check does not cover selected crypto algorithm14-11©2007 Raj JainCSE571SWashington University in St. LouisIKE Phase 1 CookiesIKE Phase 1 Cookies Proof of identity in the last message includes hashes of all previous messages Need to remember the crypto choices offered ⇒ State ISAKMP requires cookies to be unique for each connection from the same IP address ⇒ Cannot use stateless cookies Connection identifier = <Initiator cookie, responder cookie> ⇒ May end up with the same connection identifier for two connectionsA BC1, C2C1, C214-12©2007 Raj JainCSE571SWashington University in St. LouisDH ParametersDH Parameters Modular exponentiation or Elliptic curves gamod p ⇒ Need to select a large prime p and generator g The group identifiers:¾ 0 = No group¾ 1 = A modular exp with a 768 bit modulus¾ 2 = A modular exp with a 1024 bit modulus¾ 3 = A modular exp with a 1536 bit modulus¾ 4 = An elliptic curve group over GF[2155]¾ 5 = An elliptic curve group over GF[2185]14-13©2007 Raj JainCSE571SWashington University in St. LouisWellWell--Known Group 1Known Group 1 A 768 bit prime based on digits of π 2768-2704-1 + 264× { [2638π] + 149686} Decimal value:1552518092300708935130918131258481755631334049434514313202351194902966239949102107258669453876591642442910007680288864229150803718918046342632727613031282983744380820890196288509170691316593175367469551763119843371637221007210577919Representation in OAKLEY Type of group: "MODP" Size of field element (bits): 768 Prime modulus:¾ Length (32 bit words): 2414-14©2007 Raj JainCSE571SWashington University in St. LouisWellWell--Known Group 1 (Cont)Known Group 1 (Cont)¾ Data (hex):FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD129024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DDEF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF Generator: 22 (decimal)¾ Length (32 bit words): 1 See RFC2412 for other well-known groups.14-15©2007 Raj JainCSE571SWashington University in St. LouisNegotiating Cryptographic ParametersNegotiating Cryptographic Parameters Allows negotiating encryption (DES, 3DES, IDEA), hash (MD5, SHA), authentication method (Pre-shared keys, DSS), DH parameters Must implement: DES, MD5 and SHA, pre-shared key, modp Need to send allowed combinations ⇒ Large number of choices In the aggressive mode, initiator selects a combination. Responder can only reject Can also specify a lifetime in terms of time or number of bytes14-16©2007 Raj JainCSE571SWashington University in St. LouisIKE Session KeysIKE Session Keys Phase 1 ⇒ Integrity key and Encryption Key The two keys are used in the last phase 1 message and all phase 2 messages Note the same keys are used in both directions ⇒ Reflection attack can cause DoS SKEYID = hash (DH values, nonces, cookies, pre-shared secret if any) ⇒ Key seeds prf = pseudo random function (e.g., DES CBC, or HMAC) with two parameters - key and data14-17©2007 Raj JainCSE571SWashington University in St. LouisIKE Session Keys (Cont)IKE Session Keys (Cont) Public Signature Authentication: SKEYID = prf(nonces, gxymod p) Public Encryption Authentication: SKEYID = prf(hash(nonces), cookies) Pre-share secret key authentication: SKEYID = prf(pre-shared secret key, nonces) SKEYID_d = prf(SKEYID, (gxymod p| cookies | 0)) SKEYID_a =