IKE (Internet Key Exchange)

Introduction:

The Internet Key Exchange (IKE) is a protocol used for establishing a secure and authenticated connection between two entities in a network, typically between a client and a server. It is often used in conjunction with the Internet Protocol Security (IPsec) protocol suite for securing IP communications.

IKE is designed to facilitate the exchange of encryption keys and other security-related information between the two entities involved in the communication. The protocol uses a combination of symmetric and asymmetric encryption techniques to provide a secure exchange of information.

IKE Versions:

There are two major versions of the IKE protocol: IKEv1 and IKEv2. IKEv1 is an older version that was first introduced in 1998 and is still widely used. IKEv2 is a more recent version that was introduced in 2005 and is slowly gaining popularity.

IKEv1:

IKEv1 is based on the Internet Security Association and Key Management Protocol (ISAKMP) and is used to negotiate the parameters for the subsequent IPsec encryption session. It provides a flexible framework for the negotiation of encryption algorithms, authentication methods, and other security-related parameters. IKEv1 also supports the use of pre-shared keys or digital certificates for authentication.

IKEv1 has several weaknesses, including a susceptibility to denial-of-service attacks and a lack of support for mobility and rekeying. These limitations led to the development of IKEv2.

IKEv2:

IKEv2 was designed to address the weaknesses of IKEv1 and provide better security, flexibility, and scalability. It is based on the Generic Security Services Application Program Interface (GSSAPI) and supports a wider range of encryption algorithms and authentication methods.

IKEv2 provides several advantages over IKEv1, including improved security, mobility support, and support for rekeying. It also allows for more efficient use of network resources by enabling multiple IPsec tunnels to be established over a single IKEv2 session.

IKEv2 supports several authentication methods, including digital certificates, pre-shared keys, and Extensible Authentication Protocol (EAP). It also supports a wider range of encryption algorithms, including Advanced Encryption Standard (AES), Blowfish, and Triple DES.

IKEv2 is widely used in modern networks, particularly in mobile networks, where it provides better support for mobility and handover. It is also used in virtual private network (VPN) deployments, where it provides a more secure and efficient way to connect remote sites.
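To check which version a peer actually speaks, read the fixed 28-byte header that starts every IKE message: its version byte separates IKEv1 from IKEv2. The parser below is an added example, not code from the original page; the function names are illustrative, the sample packets are constructed, and the field layout and exchange type numbers follow RFC 7296.

```python
import struct

# Fixed 28-byte header: SPIi, SPIr, next payload, version, exchange type,
# flags, message ID, total length (all in network byte order).
IKE_HEADER = struct.Struct("!8s8sBBBBII")
V2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH"}  # exchange type numbers
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20          # IKEv2 flag bits


def parse_ike_header(payload: bytes, udp_port: int = 500) -> dict:
    """Classify one UDP payload as IKEv1 or IKEv2 and decode its header."""
    if udp_port == 4500:
        # NAT traversal port: IKE is prefixed by a 4-byte all-zero non-ESP
        # marker; anything else on this port is ESP-in-UDP or a keepalive.
        if payload[:4] != b"\x00" * 4:
            raise ValueError("not an IKE message (no non-ESP marker)")
        payload = payload[4:]
    if len(payload) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, ver, exch, flags, msg_id, length = \
        IKE_HEADER.unpack_from(payload)
    if not IKE_HEADER.size <= length <= len(payload):
        raise ValueError("length field does not match datagram")
    major = ver >> 4
    if major not in (1, 2):
        raise ValueError(f"unknown IKE major version {major}")
    hdr = {"version": f"IKEv{major}", "exchange_type": exch,
           "message_id": msg_id, "spi_i": spi_i.hex(), "spi_r": spi_r.hex()}
    if major == 2:
        hdr["exchange_name"] = V2_EXCHANGES.get(exch, "other")
        hdr["from_initiator"] = bool(flags & FLAG_INITIATOR)
        hdr["is_response"] = bool(flags & FLAG_RESPONSE)
    return hdr


def build_sample(major, exch, flags, spi_r=bytes(8), msg_id=0) -> bytes:
    """Constructed header-only packet for the demo (no payloads follow)."""
    return IKE_HEADER.pack(b"\xa1" * 8, spi_r, 0, major << 4, exch,
                           flags, msg_id, IKE_HEADER.size)


if __name__ == "__main__":
    samples = [
        (build_sample(2, 34, 0x08), 500),                          # IKEv2 IKE_SA_INIT request
        (bytes(4) + build_sample(2, 35, 0x08, b"\xb2" * 8, 1), 4500),  # IKE_AUTH over NAT-T
        (build_sample(1, 2, 0x00), 500),                           # IKEv1 message
    ]
    for pkt, port in samples:
        print(parse_ike_header(pkt, port))
```
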

IKE Phases:

IKE operates in two phases: Phase 1 and Phase 2. In Phase 1, the two entities involved in the communication negotiate the parameters for the subsequent IPsec encryption session. In Phase 2, the IPsec session is established based on the parameters negotiated in Phase 1.

Phase 1:

In Phase 1, the two entities negotiate the parameters for the subsequent IPsec session. This includes negotiating the encryption algorithm, authentication method, and other security-related parameters. Phase 1 consists of two sub-phases: IKE_SA_INIT and IKE_AUTH.

IKE_SA_INIT:

In the IKE_SA_INIT sub-phase, the two entities exchange security-related information, including their security capabilities and preferences. The following steps are involved in IKE_SA_INIT:

  1. The initiator sends a message to the responder requesting the establishment of an IKE SA.
  2. The responder sends a message to the initiator containing its security capabilities and preferences.
  3. The initiator and responder negotiate the parameters for the IKE SA, including the encryption algorithm, authentication method, and other security-related parameters.
  4. The initiator sends a message to the responder containing its public key and a random number.
  5. The responder sends a message to the initiator containing its public key and a random number.
  6. The initiator and responder use the public keys to generate a shared secret key.
  7. The initiator sends a message to the responder containing a proof of possession of the shared secret key.
  8. The responder verifies the proof of possession and sends a message to the initiator confirming the establishment of the IKE SA.
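How the public keys and random numbers from steps 4 to 6 become key material in IKEv2, following RFC 7296 section 2.14: both sides compute SKEYSEED = prf(Ni | Nr, g^ir) and expand it with prf+. This is an added example, not code from the original page; it assumes HMAC-SHA256 as the prf, 32-byte keys throughout, the 768-bit MODP group from RFC 2409 purely to keep the constant short (too small for real deployments), and constructed private values, nonces and SPIs.

```python
import hashlib
import hmac

# RFC 2409 768-bit MODP prime, generator 2. Demo only: far too small for real use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
KEY_LEN = 32  # assumption: every derived key is 32 bytes


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def derive_ike_keys(private, peer_public, ni, nr, spi_i, spi_r) -> dict:
    # Reject degenerate public values before using them.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    # g^ir as a big-endian string padded to the modulus length.
    shared = pow(peer_public, private, P).to_bytes((P.bit_length() + 7) // 8, "big")
    skeyseed = prf(ni + nr, shared)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(KEY_NAMES))
    return {name: stream[i * KEY_LEN:(i + 1) * KEY_LEN]
            for i, name in enumerate(KEY_NAMES)}


def demo():
    # Constructed private values, nonces and SPIs (fixed so the run is repeatable).
    x_i = int.from_bytes(hashlib.sha256(b"constructed initiator secret").digest(), "big")
    x_r = int.from_bytes(hashlib.sha256(b"constructed responder secret").digest(), "big")
    ke_i, ke_r = pow(G, x_i, P), pow(G, x_r, P)   # the exchanged public values
    ni, nr = bytes(range(32)), bytes(range(32, 64))
    spi_i, spi_r = b"\x11" * 8, b"\x22" * 8
    return (derive_ike_keys(x_i, ke_r, ni, nr, spi_i, spi_r),
            derive_ike_keys(x_r, ke_i, ni, nr, spi_i, spi_r))


if __name__ == "__main__":
    initiator, responder = demo()
    print("keys match:", initiator == responder)
```

Because the nonces feed both SKEYSEED and the prf+ seed, a fresh nonce changes every derived key even when the Diffie-Hellman values are reused.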

IKE_AUTH:

In the IKE_AUTH sub-phase, the two entities authenticate each other using the parameters negotiated in the IKE_SA_INIT sub-phase. The following steps are involved in IKE_AUTH:

  1. The initiator sends a message to the responder requesting authentication.
  2. The responder sends a message to the initiator containing its digital certificate or pre-shared key.
  3. The initiator verifies the digital certificate or pre-shared key and sends a message to the responder containing its digital certificate or pre-shared key.
  4. The responder verifies the digital certificate or pre-shared key and sends a message to the initiator confirming authentication.

Phase 2:

In Phase 2, the IPsec session is established based on the parameters negotiated in Phase 1. Phase 2 consists of the following sub-phases: CHILD_SA_INIT and CHILD_SA_AUTH.

CHILD_SA_INIT:

In the CHILD_SA_INIT sub-phase, the two entities negotiate the parameters for the subsequent IPsec session. This includes negotiating the encryption algorithm, authentication method, and other security-related parameters. The following steps are involved in CHILD_SA_INIT:

  1. The initiator sends a message to the responder requesting the establishment of a CHILD SA.
  2. The responder sends a message to the initiator containing its security capabilities and preferences.
  3. The initiator and responder negotiate the parameters for the CHILD SA, including the encryption algorithm, authentication method, and other security-related parameters.
  4. The initiator sends a message to the responder containing a random number and a nonce.
  5. The responder sends a message to the initiator containing a random number and a nonce.
  6. The initiator and responder use the nonces to generate a shared secret key.
  7. The initiator sends a message to the responder containing a proof of possession of the shared secret key.
  8. The responder verifies the proof of possession and sends a message to the initiator confirming the establishment of the CHILD SA.

CHILD_SA_AUTH:

In the CHILD_SA_AUTH sub-phase, the two entities authenticate each other using the parameters negotiated in the CHILD_SA_INIT sub-phase. The following steps are involved in CHILD_SA_AUTH:

  1. The initiator sends a message to the responder requesting authentication.
  2. The responder sends a message to the initiator containing its digital certificate or pre-shared key.
  3. The initiator verifies the digital certificate or pre-shared key and sends a message to the responder containing its digital certificate or pre-shared key.
  4. The responder verifies the digital certificate or pre-shared key and sends a message to the initiator confirming authentication.

Conclusion:

IKE is an important protocol for establishing secure and authenticated connections between entities in a network. It is often used in conjunction with IPsec for securing IP communications. The protocol uses a combination of symmetric and asymmetric encryption techniques to provide a secure exchange of information. IKEv2 is the more recent version of the protocol and provides better security, flexibility, and scalability than IKEv1. IKE operates in two phases: Phase 1 and Phase 2, with each phase involving sub-phases for negotiating parameters and authenticating the entities involved in the communication.