    IPsec- IKE, Internet Key Exchange.ppt

IPsec: IKE, Internet Key Exchange

IPsec does not use Public Key Infrastructure, so exchanging keys before an IPsec connection is established is a problem. IKE solves the generation of a symmetric key for an IPsec session, but without PKI a man-in-the-middle attack is possible.

IKE (Internet Key Exchange) creates Security Associations (SA). That is, the parties in IKE negotiate keys for the SA. An SA is a data structure containing keys and other relevant information for the connection.

IKE is a general-purpose key exchange protocol. It is used by IPsec, but it can also be used by other protocols that need SAs. Thus an IPsec SA is not directly an IKE SA, but an IKE SA can be converted to an IPsec SA (or to an SA of some other protocol).

IKE is a formally checked cryptoprotocol. IKE is rather complicated; usually a secure cryptoprotocol is complicated. The following description of IKE may feel rather technical.

General

IKE creates SAs, refreshes them and deletes them. IKE has the following exchanges:
- Phase one (creation of IKE SA): there are two modes for phase one, main mode or aggressive mode
- Phase two (creation of IPsec SA): there is only one mode, quick mode
- Maintenance of IKE SA
- Negotiation of private Diffie-Hellman groups

What the last exchange means is that phase one has several predefined ways to use Diffie-Hellman, but one can also define one's own ways using the last exchange.

The initial message exchanges of the IKE protocol are not encrypted. IKE (normally) uses UDP port 500.

The predefined Diffie-Hellman groups in IKE (group here means only an agreement on the algorithm):
1. MODP group with a 768-bit modulus
2. MODP group with a 1024-bit modulus
3. ECP group with a 155-bit modulus
4. EC2N group with a 185-bit modulus
5. MODP group with a 1680-bit modulus

What this means is that you can use the discrete logarithm problem (see the Diffie-Hellman algorithm from a previous lecture), noted as MODP, and the number p in A = g^a mod p must have the defined length. The EC2N algorithm family is a family of elliptic curve cryptoalgorithms. They give a good security level with shorter keys and less processing. ECP 155 is about as secure as MODP 768, and EC2N 185 is about as good as MODP 1024.

In the first part of the IKE exchange, an authentication method is agreed. There are five authentication methods:
1) preshared keys
2) digital signature with DSA
3) digital signature with RSA
4) authentication via exchange of encrypted nonces
5) a revised version of method 4)

The method is agreed via the exchange of IKE SA. The exchange of IKE SA also contains some secret information. The peers generate four secrets: SKEYID, SKEYID_d, SKEYID_a and SKEYID_e. Both sides take part in creating the secrets.

Generation of the secrets

Each side contributes a cookie (CKY-x) and a nonce (Nx) to SKEYID generation (x = i (initiator) or r (responder)). A nonce is simply a pseudo-random number; a cookie is generated by taking a hash of some data.

For preshared key authentication:
SKEYID = PRF(preshared key, Ni | Nr)

For signature authentication, the Diffie-Hellman type g^xy is used:
SKEYID = PRF(Ni | Nr, g^xy)

For encrypted nonce authentication:
SKEYID = PRF(hash(Ni | Nr), CKY-i | CKY-r)

Here | denotes concatenating the data, so Ni | Nr = nonce from initiator + nonce from responder. PRF is the result of a hash function, usually HMAC.

All other secrets are derived from SKEYID:
SKEYID_d = PRF(SKEYID, g^xy | CKY-i | CKY-r | 0)
SKEYID_a = PRF(SKEYID, SKEYID_d | g^xy | CKY-i | CKY-r | 1)
SKEYID_e = PRF(SKEYID, SKEYID_a | g^xy | CKY-i | CKY-r | 2)

Why all these secrets?
- SKEYID_d is used for deriving keying data for IPsec
- SKEYID_a is used for integrity and data source authentication
- SKEYID_e is used to encrypt IKE messages

Different keys must be used for security purposes. Because of the hash function PRF, the original secret SKEYID cannot be calculated from the derived secrets.

Why so many options in IKE (remember, many options were one reason OSI failed to gain popularity)?

Cookie exchange

IKE uses the following cookie generation method: a cookie is the result of hashing a unique identifier of the peer (the peer's IP address, port and protocol), a secret known only to the generator of the cookie, and a time stamp.

The initiator generates a cookie, sets the responder cookie to zero and sends it to the responder. The responder generates a responder cookie, copies the initiator cookie to the message and sends it to the initiator. The initiator can easily check that the initiator cookie is the one it generated and that the peer's addresses match. Only if the cookie matches are the checks of signatures etc. made.

Consider this: if you need to check the signatures (strong method), the cookie method must be weak. How can a weak method protect a strong method? Thus, there must be an attack leading the parties to the computationally expensive Diffie-Hellman and DoS. Try the cookie method: initiator = attacker.

Phase one, normal mode using preshared key authentication

1. Initiator -> Responder: Header, SA
2. Responder -> Initiator: Header, SA
3. Initiator -> Responder: Header, KE, Nonce
4. Responder -> Initiator: Header, KE, Nonce
5. Initiator -> Responder: Header, IDi, Hash
6. Responder -> Initiator: Header, IDi, Hash

The normal mode has an exchange of six messages; several versions of the phase one normal mode exist. SA = Security Association, KE = Key Exchange, Nonce = random number, IDi = identity of the peer.

Phase one of normal mode using public key exchanges (Initiator / Responder diagram)

Phase one of normal mode, the standard method using public key exchanges

1. Initiator -> Responder: Header, SA
2. Responder -> Initiator: Header, SA
3. Initiator -> Responder: Header, KE, IDi_pub_r, Ni_pub_r
4. Responder -> Initiator: Header, KE, IDi_pub_i, Ni_pub_r
5. Initiator -> Responder: Header, Hash
6. Responder -> Initiator: Header, Hash

In this variant something_pub_x means something encrypted with the public key of x = i (initiator) or r (responder). Ni is a nonce.

Policy negotiation

After the IKE SA is agreed, IKE negotiates the policy. A policy is something like: authenticate everything and, if possible, encrypt it, and if possible also compress it. For each operation there may be several algorithms. The SA payload can contain several proposals for protocols and exact algorithms (transforms).

Policy negotiation works so that the initiator proposes some algorithms and the responder removes from the list what it does not want to use.

Negotiating compression is also included in IKE, since it is not good to try to compress encrypted data (it will not compress, it is random); therefore link layer compression like in PPP will not work with IPsec. One (but not efficient) way is to compress each IP packet on the IPsec layer before encryption with PCP.

Example proposal for SA: the offer maker proposes the following choices in the given order.

Proposal 1: AH
  Transform 1: HMAC-SHA
  Transform 2: HMAC-MD5
Proposal 2: ESP
  Transform 1: 3DES with HMAC-SHA
  Transform 2: 3DES with HMAC-MD5
  Transform 3: DES with HMAC-SHA
  Transform 4: DES with HMAC-MD5
Proposal 3: PCP (compression before encryption)
  Transform 1: LZS (one header compression algorithm)
  Transform 2: Deflate (another header compression)

Phase one: aggressive mode

Aggressive mode is simpler than the normal mode. In the aggressive mode only three messages are exchanged. The initiator offers a list of protection suites, his Diffie-Hellman public key value, his nonce and his identity. The responder replies with a selected protection suite, his Diffie-Hellman public value, his nonce, his identity, and an authentication payload, like a signature. The initiator responds with an authentication payload.

There is no chance to negotiate as much in this case as in the normal mode. The method suits well for connecting to one's own site from a remote site, as then it is known in advance what kind of authentication the other side supports.

Phase two: quick mode

Phase two of IKE creates the IPsec SA. Since IKE can be used for protocols other than IPsec, like the routing protocols RIPv2 and OSPF, an IKE SA is not directly an IPsec SA. The IKE SA protects the quick mode by encrypting messages and authenticating them. Authentication comes from the use of PRF (the HMAC hash function).

The quick mode creates keys for the IPsec association. Many quick modes can be made using the same IKE SA, therefore a message ID (M-ID) is used to identify the IPsec SA. Nonces are added to prevent replay of the same messages by an attacker. The quick mode has more details, but the following exchange gives the general view of the protocol.

Quick mode exchange

1. Initiator -> Responder: Header, HASH1, SA, Ni, KE, IDci, IDcr
2. Responder -> Initiator: Header, HASH2, SA, Nr, KE, IDci, IDcr
3. Initiator -> Responder: Header, HASH3

HASH1 = PRF(SKEYID_a, M-ID | SA | Ni | KE | IDci | IDcr)
HASH2 = PRF(SKEYID_a, M-ID | Ni | SA | KE | IDci | IDcr)
HASH3 = PRF(SKEYID_a, 0 | M-ID | Ni | Nr)
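The secret generation for preshared key authentication and the quick mode HASH3 check, as an added worked example that is not part of the original slides. HMAC-SHA1 as the PRF, the toy Diffie-Hellman parameters, single-byte encoding of the 0/1/2 suffixes, and all nonce, cookie and key values are assumptions constructed for the demo.

```python
import hashlib
import hmac

P, G = 2**127 - 1, 3  # toy MODP parameters (constructed), far too small for real use

def prf(key: bytes, data: bytes) -> bytes:
    # The slides say PRF is usually HMAC; HMAC-SHA1 is this example's assumption.
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_shared(peer_public: int, own_private: int) -> bytes:
    # g^xy as a fixed-length byte string
    return pow(peer_public, own_private, P).to_bytes(16, "big")

def derive_secrets(psk, ni, nr, gxy, cky_i, cky_r):
    """Preshared-key case: SKEYID first, then _d, _a, _e chained from it."""
    skeyid = prf(psk, ni + nr)
    tail = gxy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")
    a = prf(skeyid, d + tail + b"\x01")
    e = prf(skeyid, a + tail + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

def hash3(skeyid_a, m_id, ni, nr):
    # HASH3 = PRF(SKEYID_a, 0 | M-ID | Ni | Nr) from the quick mode exchange
    return prf(skeyid_a, b"\x00" + m_id + ni + nr)

def run_exchange(psk_i: bytes, psk_r: bytes):
    """Each peer derives its own secrets; returns (initiator, responder, hash3_ok)."""
    x, y = 0x1F2E3D4C5B6A7988, 0x0A1B2C3D4E5F6071      # constructed private values
    ni, nr = b"N-initiator-0001", b"N-responder-0002"  # constructed nonces
    cky_i, cky_r = b"CKYi0001", b"CKYr0002"            # constructed 8-byte cookies
    gx, gy = pow(G, x, P), pow(G, y, P)                # exchanged in the KE payloads
    init = derive_secrets(psk_i, ni, nr, dh_shared(gy, x), cky_i, cky_r)
    resp = derive_secrets(psk_r, ni, nr, dh_shared(gx, y), cky_i, cky_r)
    m_id = b"\x00\x00\x00\x2a"                         # constructed message ID
    # The responder checks the initiator's HASH3 with its own SKEYID_a.
    sent = hash3(init["SKEYID_a"], m_id, ni, nr)
    ok = hmac.compare_digest(sent, hash3(resp["SKEYID_a"], m_id, ni, nr))
    return init, resp, ok

if __name__ == "__main__":
    init, resp, ok = run_exchange(b"constructed-psk", b"constructed-psk")
    for name, value in init.items():
        print(f"{name:9} {value.hex()}")
    print("peers agree:", init == resp, "| HASH3 verifies:", ok)
```

With mismatched preshared keys the two peers derive different SKEYID_a values, so the HASH3 comparison fails and the quick mode message is rejected.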
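The cookie exchange described above, as an added sketch that is not part of the original slides: the cookie is recomputed from the peer identifier, a local secret and a coarse time stamp, and the expensive Diffie-Hellman step runs only when it matches. HMAC-SHA256, the 8-byte cookie length, the 60-second bucket and all addresses and values are assumptions constructed for the demo.

```python
import hashlib
import hmac

LOCAL_SECRET = b"constructed-local-secret"  # known only to the cookie generator
BUCKET_SECONDS = 60                          # assumed granularity of the time stamp

def make_cookie(ip: str, port: int, proto: str, now: float) -> bytes:
    """8-byte cookie over the peer identifier, the local secret and a time stamp."""
    bucket = int(now // BUCKET_SECONDS)
    material = f"{ip}|{port}|{proto}|{bucket}".encode()
    # Keyed hash; HMAC-SHA256 is this example's choice of hash construction.
    return hmac.new(LOCAL_SECRET, material, hashlib.sha256).digest()[:8]

def cookie_is_valid(cookie, ip, port, proto, now) -> bool:
    """Recompute for the current and previous bucket; no per-peer state is stored."""
    for t in (now, now - BUCKET_SECONDS):
        if hmac.compare_digest(cookie, make_cookie(ip, port, proto, t)):
            return True
    return False

def handle_ke_message(cookie, src_ip, src_port, now, stats):
    """Gate the expensive step (Diffie-Hellman, signature checks) behind the cookie."""
    if not cookie_is_valid(cookie, src_ip, src_port, "udp", now):
        stats["dropped"] += 1
        return "drop"
    stats["dh_computed"] += 1  # stands in for the modular exponentiation
    return "continue"

def simulate():
    stats = {"dropped": 0, "dh_computed": 0}
    t0 = 1_700_000_000.0  # constructed clock value
    genuine = make_cookie("192.0.2.10", 500, "udp", t0)
    results = [
        handle_ke_message(genuine, "192.0.2.10", 500, t0 + 5, stats),      # same peer
        handle_ke_message(genuine, "198.51.100.7", 500, t0 + 5, stats),    # other source address
        handle_ke_message(b"\x00" * 8, "192.0.2.10", 500, t0 + 5, stats),  # guessed cookie
        handle_ke_message(genuine, "192.0.2.10", 500, t0 + 600, stats),    # stale cookie
    ]
    return results, stats

if __name__ == "__main__":
    print(simulate())
```

The check only shows that the sender can receive packets at the address it claims; a peer using its own real address passes it, which is the limit the slide's closing question points at.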

