Internet Key Exchange (IKE)

IKE Protocol - History

• early contenders
  • Photuris - authenticated DH with cookies and identity-hiding
  • SKIP - authenticated DH with long-term exponents
• ISAKMP
  • A protocol specifying only payload formats and exchanges (i.e., an empty protocol)
  • Adopted by the IPsec working group
• Oakley - modified Photuris, can work with ISAKMP
• IKE - a particular Oakley-ISAKMP combination

IKE Protocol - Overview

Phase 1

• does authenticated Diffie-Hellman, establishes session key and “ISAKMP SA”
• 2 possible modes: main and aggressive
• 4 possible authentication types
• 2 keys are derived from the session key:
  • SKEYID_e – to encrypt Phase 2 messages
  • SKEYID_a – to authenticate Phase 2 messages

Phase 2

• IPsec SA and session key established; messages encrypted and authenticated with Phase 1 keys
• additional DH exchange is optional (for perfect forward secrecy (PFS))

IKE Protocol - Phase Details

Phase 1

phase 1 has 2 possible modes to choose from:

• main mode - 6 messages;  provides identity hiding
• aggressive mode - 3 messages

phase 1 has 4 authentication types to choose from:

• Keyed Cryptographic Hash Function
• digital signatures
• public key encryption
  • original - all public key encryption
  • revised - public + secret key encryption

main mode

aggressive mode

Phase 2

• establishes IPsec SA & session key
• runs over the IKE SA established in Phase 1 (messages are encrypted/authenticated with Phase 1 keys)
• key generation - based on Phase 1 key, SPI, nonces
• Diffie-Hellman (DH) Key Exchange exchange - optional (for perfect forward secrecy (PFS))
• IPsec Traffic Selector - established optionally, specifies what traffic is acceptable (e.g. what port numbers are allowed to use this SA)

• X - pair of cookies generated in Phase 1
• Y - session identifier
• CP(A) - crypto proposal (accepted)
• Traffic: IPsec traffic selector (optional)