# Establishing SA and Cryptographic Keys

ISAKMP - Internet Security Association and Key Management Protocol.

* Used to establish Security Associations (SA) and cryptographic keys.
* Separate the details of security association management (and key management) from the details of key exchange.
* Provides a framework for authentication and key exchange but does not define them.

Oakley Key Determination Protocol.

* Key-agreement protocol.
* Allows authenticated peers to exchange keying material across an insecure connection.
* Uses Diffie-Hellman.

SKEME.

* Key exchange protocol.

IKE - Internet Key Exchange.

* Is a hybrid protocol.
* Uses part of Oakley and part of SKEME in conjunction with ISAKMP.

## IKE/ISAKMP and IPsec

Enhances IPSec by providing additional features and flexibility.

Provides authentication of the IPSec peers, negotiates IPSec keys and negotiates IPSec security associations.

The IKE tunnel protects the SA negotiations. After the SAs are in place, IPSec protects data transference.

Advantages:

* Eliminates the need to manually specify IPSec security parameters at both peers.
* Allows administrators to specify a lifetime for the IPSec security association.
* Allows encryption keys to change during IPSec sessions.
* Allows IPSec to provide anti-replay services.
* Permits certification authority (CA) support for a manageable, scalable IPSec implementation.
* Allows dynamic authentication of peers.

IKE/ISAKMP provides three methods for two-way authentication:

* Pre-shared key (PSK),
* Digital signatures (RSA-SIG),
* Public key encryption (RSA-ENC).

## ISAKMP and IPsec – Phases/Modes

ISAKMP modes control an efficiency versus security tradeoff during initial key exchange.

<figure><img src="/files/bkzttH9oJEh08tMRnrBo" alt=""><figcaption></figcaption></figure>

### Phase 1

Peers agree on a set of parameters to be used to authenticate peers and to encrypt a portion of the phase 1 exchanges and all of phase 2 exchanges, authenticate peers, and generate keys to be used as generating keying material.

Main mode:

* Requires six packets back and forth.
* Provides complete security during the establishment of an IPsec connection.
* Aggressive mode is an alternative to the main mode.
  * Uses half the exchanges, but provides less security because some information is transmitted in cleartext.

<figure><img src="/files/p5kK2lwptqeBGwaFZeoH" alt=""><figcaption><p>First Message</p></figcaption></figure>

<figure><img src="/files/pcXBgyoWLmtUHhaI4AuH" alt=""><figcaption><p>Second Message</p></figcaption></figure>

<figure><img src="/files/ySApKDDGDsMxnDy5Ed98" alt=""><figcaption><p>Third Message</p></figcaption></figure>

<figure><img src="/files/1DcdoR34VMchUxltDZMH" alt=""><figcaption><p>Fourth Messages</p></figcaption></figure>

<figure><img src="/files/LwpchMkNslssVo63gZYh" alt=""><figcaption><p>Fifth Message</p></figcaption></figure>

<figure><img src="/files/siOPGfscDIRMGuo4rxXP" alt=""><figcaption><p>Sixth Messages</p></figcaption></figure>

### Phase 2 - Quick mode

Peers negotiate and agree on the parameters required to establish a fully functional IPsec communication service.

<figure><img src="/files/l2DUzNk0HwuveHSXWbaK" alt=""><figcaption></figcaption></figure>

### Packet Exchange

<figure><img src="/files/7rAYBMQgLKMgNiibjumx" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://davidjosearaujo.gitbook.io/notes-miect/seguranca-em-redes-de-comunicacoes/secure-communications/establishing-sa-and-cryptographic-keys.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.