
INTERNET KEY EXCHANGE (IKE) PROTOCOL
Preliminaries

• The main goal of IKE is to establish an SA between two parties that wish to communicate securely using IPSec.
• IKE borrows heavily from two major sources, among them the Internet Security Association and Key Management Protocol (ISAKMP), which defines the formats of various entities such as the digital signature and the digital certificate.
• IKE is composed of two phases: Phase 1 and Phase 2. In Phase 1, the longer-term keys are derived; in Phase 2, shorter-term keys are derived.
Basic IPSec Operation
• Step 1: Interesting traffic initiates IPSec
• Step 2: IKE Phase 1 - Set up IKE SA
• Step 3: IKE Phase 2 - Set up IPSec SA
• Step 4: Data transfer
• Step 5: IPSec terminates
IKE Phase 1

The following are accomplished in IKE Phase 1:

• The authentication method, encryption and hash algorithms, together with the Diffie-Hellman group to be used, are negotiated.
• Both parties authenticate themselves to each other.
• Two different keys are generated, one in Phase 1 and one in Phase 2, which are further used for message integrity protection and encryption.
• Cookies are created at the start of Phase 1 and serve the purpose of an IKE connection identifier.
IKE Phase 1 (contd)

• Phase 1 uses one of two modes: Main Mode and Aggressive Mode.
• Main Mode involves a total of six messages between initiator (A) and responder (B). The motivation for introducing Main Mode is to hide the identities of the sender and the receiver from eavesdroppers.
• Aggressive Mode uses only three messages.
• To perform mutual authentication, IKE assumes that either
  – A and B share a secret, or
  – A and B each have a public key-private key pair.
Phase 1: Main Mode
In Main Mode, Alice starts by giving all the cryptographic algorithms she supports, in order of preference, and Bob responds by making a choice. In Aggressive Mode, Alice can also propose cryptographic algorithms, but since she has to send a Diffie-Hellman number in the same message, she has to specify a single flavour of Diffie-Hellman (e.g. p and g) and hope Bob supports it. Messages 5 and 6 authenticate the two parties, hiding the endpoints' identities.
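The six-message Main Mode exchange with pre-shared-key authentication, as an added simulation that is not part of the original slides: Alice's ordered proposals and Bob's choice (messages 1/2), cookies, Diffie-Hellman values and nonces (messages 3/4), and the encrypted identity-plus-hash payloads of messages 5/6, which fail verification when the two sides hold different pre-shared keys. The DH group, the pre-shared keys, the identities and the HMAC-based keystream are constructed for illustration and are not real IKE parameters or ciphers.

```python
import hmac, hashlib, secrets

# Constructed toy DH parameters (not an IKE group); the PSKs are assumed, not from the slides.
P, G = 2**127 - 1, 5
PSK_A = PSK_B = b"example-pre-shared-key"

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def choose_suite(proposals, supported):
    """Msgs 1/2: B accepts the first of A's proposals (in A's preference order) that B supports."""
    return next((s for s in proposals if s in supported), None)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy confidentiality for msgs 5/6: HMAC-derived keystream, not a real IKE cipher."""
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def main_mode(a_proposals, b_supported, psk_a=PSK_A, psk_b=PSK_B, id_a=b"alice", id_b=b"bob"):
    """Simulate the six Main Mode messages; return the agreed suite and SKEYID, or None."""
    suite = choose_suite(a_proposals, b_supported)            # msg 1: proposals, msg 2: choice
    if suite is None:
        return None
    ci, cr = secrets.token_bytes(8), secrets.token_bytes(8)    # cookies: the IKE connection id
    xa, xb = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, xa, P), pow(G, xb, P)                      # msg 3: g^xa, Na; msg 4: g^xb, Nb
    na, nb = secrets.token_bytes(16), secrets.token_bytes(16)
    gab = pow(gb, xa, P).to_bytes(16, "big")                   # shared secret (B gets the same value)
    assert gab == pow(ga, xb, P).to_bytes(16, "big")
    # Each side derives SKEYID from ITS OWN pre-shared key, modelled on prf(psk, Ni | Nr).
    skeyid_a, skeyid_b = prf(psk_a, na + nb), prf(psk_b, na + nb)
    ske_a, ske_b = prf(skeyid_a, gab + ci + cr), prf(skeyid_b, gab + ci + cr)
    body = ga.to_bytes(16, "big") + gb.to_bytes(16, "big") + ci + cr + suite.encode()
    # msg 5: A sends {ID_A, HASH_I} encrypted, so an eavesdropper never sees the identity.
    msg5 = xor_stream(ske_a, id_a + prf(skeyid_a, body + id_a))
    plain = xor_stream(ske_b, msg5)
    rcv_id_a, rcv_hash = plain[:-32], plain[-32:]
    if not hmac.compare_digest(rcv_hash, prf(skeyid_b, body + rcv_id_a)):
        return None                                            # B rejects A: authentication failed
    # msg 6: B answers with {ID_B, HASH_R}; A verifies the same way.
    msg6 = xor_stream(ske_b, id_b + prf(skeyid_b, body + id_b))
    plain = xor_stream(ske_a, msg6)
    if not hmac.compare_digest(plain[-32:], prf(skeyid_a, body + plain[:-32])):
        return None                                            # A rejects B
    return {"suite": suite, "peer_id": plain[:-32], "skeyid": skeyid_a}
```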
Phase 1: Aggressive Mode
IKE Phase 2
• Under cover of an existing IKE SA, the two parties participate in an IKE Phase 2 exchange in order to establish a new IPSec SA.
• The IPSec SA set up in Phase 2 includes the mutually agreed upon cryptographic suite and secret keys for authentication and/or encryption.
• Negotiates IPSec security parameters, known as IPSec transform sets.
• Optionally performs an additional DH exchange.
• Periodically renegotiates IPSec SAs to ensure security.
THANK YOU
