2. Content
Introduction
Internet key exchange protocol
ISAKMP
1. ISAKMP header format
2. Initiator cookie (64-bit)
3. Responder cookie (64-bit)
4. Next payload (8-bit)
5. Major version (4-bit)/Mj ver
6. Minor version (4-bit)/Mn ver
7. Exchange type (8-bit)
8. Flags (8-bit)
9. Message ID (32-bit)
10. Length (32-bit)
3. Key management of IPsec
Key management is concerned with the determination and distribution of
secret keys. Four keys are needed for communication between two
applications: a transmit and receive pair for both AH and ESP.
Two modes
1. Manual
2. Automated
Automated key management uses two protocols:
a) Oakley key determination protocol
b) Internet security association and key management protocol (ISAKMP)
4. Oakley key determination protocol
Oakley is a refinement of the Diffie-Hellman key exchange
algorithm. Two users A and B agree on two global parameters: q, a
large prime number, and a primitive root of q.
Secret keys are created only when needed; the exchange requires no
pre-existing infrastructure.
Disadvantage of plain Diffie-Hellman: subject to MITM attack.
5. Features of Oakley
A. Employs cookies to thwart clogging attacks.
B. Two parties can negotiate a group.
C. Uses nonces to guard against replay attacks.
D. Enables the exchange of Diffie-Hellman public key values.
E. Authenticates the Diffie-Hellman exchange to thwart MITM attacks.
6. Internet key exchange protocol
The Internet key exchange (IKE) protocol supports the key management
procedures of IPsec.
IKE negotiates the cryptographic algorithms and keys that AH and ESP use
in the actual cryptographic operations.
IKE is the initial phase of IPsec: in this phase the algorithms and keys
are decided; after this phase the actual AH and ESP operations take place.
8. ISAKMP
ISAKMP provides a framework for internet key management and provides
protocol support and formats for the negotiation of security attributes.
ISAKMP defines payloads for exchanging key generation and authentication
data. The payload format provides a consistent framework independent of
the exchange protocol, encryption algorithm and authentication mechanism.
10. ISAKMP
Initiator cookie (64-bit)
Cookie of the entity that initiated SA establishment, SA notification or SA
deletion
Responder cookie (64-bit)
Cookie of the responding entity
Next payload (8-bit)
Indicates the type of the first payload in the message
Major version (4-bit)/Mj ver
Indicates the major version of ISAKMP in use
11. Continued
Minor version (4-bit)/Mn ver
Indicates the minor version of ISAKMP in use
Exchange type (8-bit)
Indicates the type of exchange
Flags (8-bit)
Indicates specific options set for the ISAKMP exchange
Message ID (32-bit)
Unique ID for the message
Length (32-bit)
Length of the total message in octets.
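The fixed 28-byte header described above, packed and parsed with the sanity checks a receiver should apply, as an added example that is not part of the slides; the exchange type names and flag bits are assumed from RFC 2408, and the sample message is constructed.

```python
import struct

# Fixed 28-byte ISAKMP header, big-endian, field order as on the slides:
# initiator cookie, responder cookie, next payload, major/minor version
# nibbles, exchange type, flags, message ID, total length in octets.
HEADER_FMT = ">8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28
FIELDS = ("init_cookie", "resp_cookie", "next_payload", "version",
          "exchange_type", "flags", "message_id", "length")

# Exchange type codes and flag bits as assigned in RFC 2408 (assumed
# reference; the slides do not list the values).
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04


def build_isakmp_header(init_cookie, resp_cookie, next_payload, exchange_type,
                        flags, message_id, body_len, major=1, minor=0):
    """Pack a header whose length field covers header plus body."""
    return struct.pack(HEADER_FMT, init_cookie, resp_cookie, next_payload,
                       (major << 4) | (minor & 0x0F), exchange_type, flags,
                       message_id, HEADER_LEN + body_len)


def parse_isakmp_header(datagram):
    """Unpack the header into a dict and enforce a receiver's sanity checks."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    hdr = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, datagram)))
    hdr["major"], hdr["minor"] = hdr["version"] >> 4, hdr["version"] & 0x0F
    hdr["encrypted"] = bool(hdr["flags"] & FLAG_ENCRYPTION)
    # The length field is untrusted input: compare it with the real datagram
    # size rather than using it to decide how much memory to read.
    if hdr["length"] != len(datagram):
        raise ValueError(f"length {hdr['length']} != datagram size {len(datagram)}")
    if hdr["init_cookie"] == bytes(8):
        raise ValueError("initiator cookie must be non-zero")
    return hdr


# Constructed sample: first message of an Identity Protection exchange; the
# responder cookie is still zero and the body is a placeholder, not a real SA.
SAMPLE_BODY = b"\xde\xad\xbe\xef"
SAMPLE = build_isakmp_header(bytes.fromhex("0102030405060708"), bytes(8),
                             next_payload=1, exchange_type=2, flags=0,
                             message_id=0, body_len=len(SAMPLE_BODY)) + SAMPLE_BODY
```

Rejecting a datagram whose length field disagrees with its actual size, before any payload is walked, is the check that keeps a malformed header from steering the payload parser past the buffer.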