Establishing SA and Cryptographic Keys

ISAKMP - Internet Security Association and Key Management Protocol.

  • Used to establish Security Associations (SA) and cryptographic keys.

  • Separates the details of security association management (and key management) from the details of key exchange.

  • Provides a framework for authentication and key exchange but does not define them.

Oakley Key Determination Protocol.

  • Key-agreement protocol.

  • Allows authenticated peers to exchange keying material across an insecure connection.

  • Uses Diffie-Hellman.

SKEME.

  • Key exchange protocol.

IKE - Internet Key Exchange.

  • Is a hybrid protocol.

  • Uses part of Oakley and part of SKEME in conjunction with ISAKMP.

IKE/ISAKMP and IPsec

IKE/ISAKMP enhances IPSec by providing additional features and flexibility.

It provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.

The IKE tunnel protects the SA negotiations. After the SAs are in place, IPSec protects the data transfer.

Advantages:

  • Eliminates the need to manually specify IPSec security parameters at both peers.

  • Allows administrators to specify a lifetime for the IPSec security association.

  • Allows encryption keys to change during IPSec sessions.

  • Allows IPSec to provide anti-replay services.

  • Permits certification authority (CA) support for a manageable, scalable IPSec implementation.

  • Allows dynamic authentication of peers.

IKE/ISAKMP provides three methods for two-way authentication:

  • Pre-shared key (PSK),

  • Digital signatures (RSA-SIG),

  • Public key encryption (RSA-ENC).

ISAKMP and IPsec – Phases/Modes

ISAKMP modes control an efficiency versus security tradeoff during initial key exchange.

Phase 1

Peers agree on a set of parameters used to authenticate the peers and to encrypt a portion of the phase 1 exchanges and all of the phase 2 exchanges. They then authenticate each other and generate the keys used to derive keying material.

Main mode:

  • Requires six packets back and forth.

  • Provides complete security during the establishment of an IPsec connection.

  • Aggressive mode is an alternative to the main mode.

    • Uses half the exchanges, but provides less security because some information is transmitted in cleartext.

Phase 2 - Quick mode

Peers negotiate and agree on the parameters required to establish a fully functional IPsec communication service.
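
The phases and modes above are visible on the wire in the fixed ISAKMP header. The following Python code is an added example, not part of the original notes: it decodes that header (layout and exchange type numbers per RFC 2408 and RFC 2409) and reports aggressive mode and any quick mode message that lacks the encryption flag. The function names and the sample packets are constructed for illustration.

```python
import struct

# ISAKMP fixed header, RFC 2408 section 3.1: cookies, next payload,
# version, exchange type, flags, message ID, total length (28 bytes).
HEADER = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTED = 0x01

# Exchange type numbers assigned in RFC 2408 and RFC 2409.
EXCHANGES = {
    2: (1, "main mode"),
    4: (1, "aggressive mode"),
    32: (2, "quick mode"),
}


def parse_isakmp_header(data):
    """Decode the fixed header and map it to the phase and mode above."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, _np, version, xchg, flags, msg_id, length = HEADER.unpack_from(data)
    if length < HEADER.size:
        raise ValueError("length field is smaller than the header itself")
    phase, mode = EXCHANGES.get(xchg, (None, "other (type %d)" % xchg))
    return {"version": "%d.%d" % (version >> 4, version & 0x0F),
            "phase": phase, "mode": mode, "message_id": msg_id,
            "encrypted": bool(flags & FLAG_ENCRYPTED)}


def review(packets):
    """Return one finding per header that deserves a second look."""
    findings = []
    for number, raw in enumerate(packets, start=1):
        hdr = parse_isakmp_header(raw)
        if hdr["mode"] == "aggressive mode":
            findings.append((number, "aggressive mode: part of phase 1 is in cleartext"))
        if hdr["phase"] == 2 and not hdr["encrypted"]:
            findings.append((number, "quick mode message without the encryption flag"))
    return findings


def sample(xchg, flags, msg_id=0):
    """Constructed header-only packet (payloads omitted) for the demo."""
    return HEADER.pack(b"I" * 8, b"R" * 8, 1, 0x10, xchg, flags, msg_id, HEADER.size)


# Constructed traffic: main mode, aggressive mode, then two quick mode headers.
SAMPLE = [sample(2, 0), sample(4, 0), sample(32, 1, 0x1234), sample(32, 0, 0x1235)]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

An unencrypted main mode header is not flagged because only a portion of the phase 1 exchange is encrypted, whereas every phase 2 message is expected to be protected by the IKE tunnel.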

Packet Exchange
