Session 09: VPN, IPsec, and TLS



[Figure: IKEv2 exchange between an initiator and a responder, each an end-system or gateway environment with an IPsec networking device. The four messages are:]

1. Initiator -> Responder: HDR, SAi1, KEi, Ni
2. Responder -> Initiator: HDR, SAr1, KEr, Nr, [CERTREQ]
3. Initiator -> Responder: HDR, SK{IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
4. Responder -> Initiator: HDR, SK{IDr, [CERT], AUTH, SAr2, TSi, TSr}

Legend:
AUTH – Authentication
CERT – Certificate
CERTREQ – Certificate Request
HDR – IKE Header
i, r – Initiator, Responder
IDi – Initiator Identification
IDr – Responder Identification
KEi – Initiator Diffie-Hellman value g^i
KEr – Responder Diffie-Hellman value g^r
Ni, Nr – Nonce
SA – Security Association
TSi, TSr – Traffic Selector
SAi1, SAr1 – Used to create the IKE_SA
SAi2, SAr2 – Used to create the first CHILD_SA
SK{...} – Payload is encrypted and integrity protected using SK_e and SK_a

VPN IPsec IKE v2 TLS, M. Mogollon – 01/08 - 26

• In step 1 (the IKE_SA_INIT request), the Initiator sends an IKE header (HDR) followed by three payloads: SAi1, KEi and Ni. The header carries the initiator's Security Parameter Index (SPI), i.e. the initiator's reference for the IKE_SA about to be established (the responder's SPI field is still zero at this point), the IKE version number, flags specific to the message, and a Message ID that is used for retransmissions and for matching responses to requests. The SAi1 payload lists the cryptographic algorithms the initiator supports for the IKE_SA: at least one proposal containing an encryption algorithm, a pseudorandom function, an integrity algorithm and the proposed Diffie-Hellman group. The KEi payload carries the initiator's Diffie-Hellman public value, g^i mod p, for that group. The nonce Ni provides freshness: it is mixed into the key derivation and protects the exchange against replay.
• In step 2 (the IKE_SA_INIT response), the Responder replies with an HDR that carries the initiator's SPI together with the responder's own newly chosen SPI, the IKE version number, the Response flag and the same Message ID as the request, followed by the SAr1, KEr and Nr payloads and optionally a CERTREQ. 
The Responder chooses a...
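To make the header and payload fields described in steps 1 and 2 concrete, here is an added example (not code from the lecture notes) that builds an IKE_SA_INIT request in the RFC 7296 wire format, builds the matching response header, and parses the request back. The SPI, nonce and Diffie-Hellman value are constructed placeholders, not real key material; the transform IDs (AES-CBC, HMAC-SHA2-256, 2048-bit MODP group 14) are one plausible proposal, chosen for illustration.

```python
"""Wire-format sketch of IKEv2 IKE_SA_INIT (RFC 7296): builds message 1 of the
exchange, the header of message 2, and parses message 1 back.
Added example; not code from the original lecture notes."""
import struct

# Constants from RFC 7296 section 3: exchange type, payload types, header flag
# bits, transform types and a few transform IDs.
EXCH_IKE_SA_INIT = 34
PL_NONE, PL_SA, PL_KE, PL_NONCE = 0, 33, 34, 40
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
T_ENCR, T_PRF, T_INTEG, T_DH = 1, 2, 3, 4
ENCR_AES_CBC, PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128, DH_MODP_2048 = 12, 5, 12, 14
ATTR_KEY_LENGTH = 0x800E            # TV-format "Key Length" attribute
PROTO_IKE = 1
HDR = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, next payload, version, exchange, flags, msg ID, length
GEN = struct.Struct("!BBH")         # generic payload header: next payload, critical bit, length

# Constructed sample inputs (NOT real key material): a fixed initiator SPI,
# a placeholder standing in for g^i mod p, and a 32-byte nonce.
SAMPLE_SPI_I = bytes.fromhex("0102030405060708")
SAMPLE_KE = bytes(range(256))       # a 2048-bit group gives 256 bytes of KE data
SAMPLE_NONCE = bytes([0xAA] * 32)

def transform(ttype, tid, last, keylen=None):
    """Transform substructure (section 3.3.2): first byte 0 = last, 3 = more follow."""
    attr = struct.pack("!HH", ATTR_KEY_LENGTH, keylen) if keylen is not None else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr

def payload(next_type, body, critical=False):
    """Wrap a payload body in the generic payload header (section 3.2)."""
    return GEN.pack(next_type, 0x80 if critical else 0, GEN.size + len(body)) + body

def build_sai1():
    """SAi1: one proposal for the IKE SA carrying ENCR, PRF, INTEG and D-H transforms."""
    transforms = (transform(T_ENCR, ENCR_AES_CBC, False, keylen=256)
                  + transform(T_PRF, PRF_HMAC_SHA2_256, False)
                  + transform(T_INTEG, AUTH_HMAC_SHA2_256_128, False)
                  + transform(T_DH, DH_MODP_2048, True))
    # Proposal substructure: last-proposal marker, reserved, length, proposal number,
    # protocol ID, SPI size (0 for the IKE SA in SAi1), number of transforms.
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, PROTO_IKE, 0, 4) + transforms

def build_sa_init_request(spi_i, ke_data, nonce, dh_group=DH_MODP_2048):
    """Message 1: HDR, SAi1, KEi, Ni. SPIr is zero because the IKE SA does not exist yet."""
    body = (payload(PL_KE, build_sai1())                                   # SA, next = KE
            + payload(PL_NONCE, struct.pack("!HH", dh_group, 0) + ke_data)  # KE, next = Nonce
            + payload(PL_NONE, nonce))                                      # Nonce, last payload
    hdr = HDR.pack(spi_i, bytes(8), PL_SA, 0x20, EXCH_IKE_SA_INIT,
                   FLAG_INITIATOR, 0, HDR.size + len(body))
    return hdr + body

def response_header(request, spi_r, next_type, length):
    """Message 2 header: the responder fills in SPIr, sets the Response flag, clears
    the Initiator flag and echoes the request's Message ID so the two can be matched."""
    spi_i, _, _, version, exch, _, msgid, _ = HDR.unpack_from(request)
    return HDR.pack(spi_i, spi_r, next_type, version, exch, FLAG_RESPONSE, msgid, length)

def parse_message(data):
    """Walk the header and the payload chain; each payload names the type of the next."""
    spi_i, spi_r, nxt, version, exch, flags, msgid, length = HDR.unpack_from(data)
    if length != len(data) or version >> 4 != 2:
        raise ValueError("bad length or IKE major version")
    payloads, off = [], HDR.size
    while nxt != PL_NONE:
        if off + GEN.size > length:
            raise ValueError("truncated payload header")
        nxt_next, _, plen = GEN.unpack_from(data, off)
        if plen < GEN.size or off + plen > length:   # bounds check before slicing
            raise ValueError("payload length runs past message")
        payloads.append((nxt, data[off + GEN.size: off + plen]))
        nxt, off = nxt_next, off + plen
    return {"spi_i": spi_i, "spi_r": spi_r, "version": version, "exchange": exch,
            "flags": flags, "message_id": msgid, "length": length, "payloads": payloads}

def parse_proposal(sa_body):
    """Return [(transform type, transform ID, key length or None)] for the first proposal."""
    _, _, _, _, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", sa_body)
    out, off = [], 8 + spi_size
    for _ in range(ntrans):
        _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", sa_body, off)
        keylen = None
        if tlen > 8 and struct.unpack_from("!H", sa_body, off + 8)[0] == ATTR_KEY_LENGTH:
            keylen = struct.unpack_from("!H", sa_body, off + 10)[0]
        out.append((ttype, tid, keylen))
        off += tlen
    return out

if __name__ == "__main__":
    req = build_sa_init_request(SAMPLE_SPI_I, SAMPLE_KE, SAMPLE_NONCE)
    parsed = parse_message(req)
    print(hex(parsed["flags"]), parsed["message_id"], [t for t, _ in parsed["payloads"]])
    print(parse_proposal(parsed["payloads"][0][1]))
```

The parser rejects a message whose header length disagrees with the bytes received or whose payload chain runs past the end, which is the check a real implementation needs before it trusts any payload content; the SA proposal parser shows that the "at least one proposal with ENCR, PRF, INTEG and D-H" rule is visible directly in the transform list.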

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
