5IPSec key exchange - ISAKMP/IKE method

Exchange of keys between clients before starting their own secure communications is important from several points of view. However, the question arises: how to deal with a secure key exchange? For the communication purposes, it is necessary to ensure:

  1. Agreement on the type of key and the way it is created, i.e. to establish a shared key - PSK (Pre-Shared Key)
  2. Authentication of participants, i.e. mutual authentication of the participants of the communication
  3. Protection of identity of participants, i.e. the passive attacker should not be able to reveal the identity of participants by simply monitoring the communication
  4. DoS (Denial of Service), i.e. a malicious user should not be able to abuse the protocol to force the counterpart to waste resources (CPU, (Central Processing Unit), memory, storage capacity, ...)

The ISAKMP protocol is defined by RFC 2408. It uses UDP transport protocol on port 500 for operation.

ISAKMP is a general protocol for generating SAs, i.e. it does not address how to replace authenticated keys. This is the task for the IKE protocol. The ISAKMP is used to authenticate communicating parties and exchange data for encryption keys.

This is not a Client-Server communication, but a Call-Response type. The party that wants to create a new SA initiates communication with the ISAKMP protocol.

IKE is a flexible "negotiation" protocol defined by the RFC Recommendation RFC 2409. It allows the negotiation of a specific authentication method, encryption, key lengths and their secure exchange. To do this, it uses the Diffie-Hellman algorithm (D-H algorithm).

The IKE protocol is used to exchange session keys, called Session Keys. IKE messages are encapsulated in ISAKMP packets.

The IKE protocol can be divided into two independent phases. The first phase builds a secure authenticated channel between communicating entities (computers). Within this phase, the identity of the communicating parties is authenticated in a protected way. Both communicating parties agree on the use of SA and make an authenticated PSK shared key exchange. Subsequently, a safe tunnel for the second phase is established. Two modes are available to create the tunnel:

Some advantages of the aggressive mode are the bandwidth savings and time required for message transfer.

One disadvantage of the aggressive mode is the exchange of important information before the encrypted connection is established, which is susceptible to interception, known as Sniffing.

image
Process diagram IKE protocol stage 1 (main mode)

In the first phase, it is possible to use 4 different ways of exchanging the PSK key:

  • asymmetric public key encryption (original version)
  • asymmetric public key encryption (enhanced/improved version)
  • digital signature
  • secret key (symmetric algorithm)

Each key exchange option can be used in the main or aggressive mode, i.e. there are altogether 8 different options for the first stage of the IKE protocol! The main mode must always be implemented, the aggressive mode is optional, i.e. it should be implemented.

The result of the first stage of the IKE protocol is the mutual authentication of the communicating parties, the exchange of the shared symmetric key PSK and establishing the IKE Security Association (SA).

The second phase (so-called Quick Mode) creates an SA for IPSec session, i.e. SA IPsec connection parameters are established, IPSec SA is established for a specific connection (e.g. FTP, telnet, etc.) Optionally, additional D-H exchanges are made and other material is specified for the communication purposes.

This communication is protected from the very beginning by using algorithms and keys obtained during the first phase.

To encrypt conventional-type communication, a Session Key derived from the D-H Master Key obtained from Main Mode SA and from Nonce given by Quick Mode SA.

PFS (Perfect Forward Secrecy) refers to a state, in which the current keys are not used to generate additional keys. If a particular key is accidentally decrypted, that is, revealed, it will not allow the attacker to easily break the other keys. If PFS is used, new Shared Secrets will be generated using D-H in Quick Mode. Using PFS is safer, but a little bit more demanding in terms of performance and time when establishing a connection. The relation key is obtained from the new D-H Secret Key and Nonce, obtained from the Quick Mode SA. By applying PFS, it is ensured that the session key is never generated from the same material.

image
Process Diagram IKE Phase 2 (Quick Mode)

Comparison with SSL/TLS - SSL session can be compared to the first stage of the IKE protocol; SSL connection corresponds to the second phase of the IKE protocol.