Professional Documents
Culture Documents
SA terminology
IKE-SA
used to secure IKE communication.
CHILD-SA
Created by the IKE to be used in ESP or
AH security.
Phase 1
Establishes an IKE-SA that includes
shared secret information that can be
used to efficiently establish Child-SAs.
Performs mutual authentication
Creates the first Child-SA
Consists of two stages
Stage 1 - INIT
Negotiates cryptographic algorithms
Exchanges nonces
Performs a Diffie-Hellman exchange
Note: messages are not protected
INIT request
The initiator sends the following message:
HDR, SAi1, KEi, Ni
HDR header contains SPI, version, flags
SAi1 states the cryptographic algorithms
the initiator supports
KEi initiators DH value.
Ni initiators nonce.
INIT response
The responder sends the following message:
HDR, SAr1, KEr, Nr [CERTREQ]
SAr1 states the cryptographic algorithms
the responder selected.
KEr responders Difie-Hellman value.
Nr responders nonce.
CERTREQ optional certificate request
SKEYSEED generation
Each party generates the SKEYSEED
which is used to derive the keys used in
IKE-SA.
Notice: separate keys are computed for
each direction
Authentication stage
Authenticates the previous messages
Exchanges and proves identities
Establishes the first CHILD-SA
Authentication request
HDR, SK{ IDi, [CERT,] [CERTREQ,] [IDr,] AUTH,
SAi2, TSi, TSr }
IDi initiators identity
CERT, CERTREQ optionally presenting or
requesting certificates
IDr specifiying the responders desired identity
* SK{} indicates encription and integrity protection using SK_e and
SK_a
Authentication request
HDR, SK{ IDi, [CERT,] [CERTREQ,]
[IDr,] AUTH, SAi2, TSi, TSr }
AUTH authenticates the previous
message and the initiators identity.
(a digital signature over the first message)
SAi2, TSi, TSr needed for first CHILD-SA
Authentication response
HDR, SK{ IDr, [CERT,] AUTH, SAr2, TSi,
TSr}
IDr responders identity
CERT presenting certificates
AUTH - authenticates the previous
message and the resonders identity.
SAr2, TSi, TSr - needed for first CHILD-SA
End of phase 1
Signatures are verified
First CHILD-SA is established
Cookies
A Cookie is a field which is sent to the
connection initiator.
The initiator is expected to return the
cookie.
A returned cookie is a proof that the
initiator can receive packets destined to
the IP address he declared.
Cookie demands
No one but the creator can construct a
valid cookie
Cheap to create
No resources needs to be allocated to
handle each cookie
Cookie creation
Cookie = HASH(<secret> | IPi | SPI | TS)
(A possible problem )
Phase 2
Creating a new CHILD-SA:
Relatively cheap operation
Can be initiated by either endpoints
Provides optional perfect-forward-secrecy
All other information flow:
Will be discussed later
CHILD-SA request
A CREATE_CHILD_SA request:
HDR, SK{ SA, Ni, [KEi,] [TSi, TSr] }
CHILD-SA response
A CREATE_CHILD_SA response:
HDR, SK{ SA, Nr, [KEr,] [TSi, TSr] }
SA The responder chosen SA offer
Nr - Responders nonce
KEr A new DH value
(if the request had a Kei)
TSi, TSr selected traffic selectors
PFS in IKE
Reminder:
Perfect forward secrecy means that once a
connection is closed and its keys are
forgotten, even someone who recorded all
the data from the connection, and gets
access to the long term keys used to
protect it, cannot reconstruct the keys of a
CHILD-SA that was created during the
connection.
Prf usage
Usually the amount of keying material
needed is greater then the prf output.
The prf is used iteretively:
Prf+ (K , S) = T1 | T2 | T3 |
where:
T1 = prf (K , S | 0x01)
T2 = prf (K , T1 | S | 0x02)
T3 = prf (K , T2 | S | 0x03)