session_09_vpn__ipsec__and_tls_101908

Child Security Association: in IKE_AUTH, the first IKE_SA and child SA


nd TLS

Internet Key Exchange (IKE)

• First Message Exchange
— IKE Security Association
– In IKE_SA_INIT, the initiator and responder negotiate the use of encryption algorithms by establishing an IKE_SA. The agreed keys are used to protect the IKE_AUTH exchange.
– In IKE_AUTH, the initiator and responder authenticate each other using authentication mechanisms such as digital signatures (exchanging certificates), Extensible Authentication Protocol (EAP), or pre-shared keys.
— Child Security Association
– In IKE_AUTH, the first IKE_SA and associated IPsec SA, called child SA, are created.
• Second Message Exchange
— The CREATE_CHILD_SA exchange is used to create new CHILD_SAs and to rekey IKE_SAs and CHILD_SAs.
— All messages are cryptographically protected using the encryption algorithms and keys negotiated in IKE_SA_INIT and IKE_AUTH.

VPN IPsec IKE v2 TLS M. Mogollon – 01/08 - 25

• First Message Exchange
o In IKE_SA_INIT, the initiator and responder negotiate the use of encryption algorithms by establishing an IKE_SA and then exchange information for key agreement by sending nonces and Diffie-Hellman values. The agreed keys are used to protect the IKE_AUTH exchange. At this point, the initiator and the responder have agreed on cryptographic keys and algorithms, but without authenticating each other.
o In IKE_AUTH, the initiator and responder authenticate each other using authentication mechanisms such as digital signatures (exchanging certificates), Extensible Authentication Protocol (EAP), or pre-shared keys. In IKE_AUTH, the first IKE_SA and associated IPsec SA, called child SA, are created.
• Second Message Exchange
o The second message exchange consists of a single request/response, which may be initiated by either end, so, in this section, the term "Initiator" refers to the end point initiating this exchange. The CREATE_CHILD_SA exchange is used to create new CHILD_SAs and to rekey IKE_SAs and CHILD_SAs.
o All messages are cryptographically protected using the encryption algorithms and keys negotiated in IKE_SA_INIT and IKE_AUTH. However, to give stronger forward-secrecy guarantees for the keys generated for the IKE_SA and for the CHILD_SA, the CREATE_CHILD_SA request can use additional Diffie-Hellman exchanges to create new keys.

[Figure: IKE First Message Exchange. Initiator ("I would like to establish an IKE security association and a child security association") and Responder, shown as Networking Device with IPsec. Networki...]
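To make the forward-secrecy point in the notes concrete, here is an added Python model of the two exchanges (not the slides' own material): IKE_SA_INIT derives SKEYSEED from the nonces and the Diffie-Hellman secret, and CREATE_CHILD_SA rekeys a child SA with or without a fresh Diffie-Hellman exchange. The key formulas follow RFC 7296; the prf (HMAC-SHA256), the toy 127-bit group, the single-call prf+ and the use of SKEYSEED directly as SK_d are simplifying assumptions made here.

```python
import hmac, hashlib, secrets

# Toy Diffie-Hellman group: a 127-bit Mersenne prime, constructed for illustration
# only (far too small for real use; IKEv2 negotiates its registered MODP/ECP groups).
P = (1 << 127) - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv2 prf; HMAC-SHA256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

class Peer:
    """One endpoint's contribution to an exchange: a nonce and a DH key pair."""
    def __init__(self):
        self.nonce = secrets.token_bytes(32)        # Ni or Nr
        self.priv = secrets.randbelow(P - 2) + 2    # private exponent, never sent
        self.pub = pow(G, self.priv, P)             # KE payload value, sent in clear

    def shared(self, peer_pub: int) -> bytes:
        return i2b(pow(peer_pub, self.priv, P))     # g^ir

def ike_sa_init(i: Peer, r: Peer) -> bytes:
    """IKE_SA_INIT: nonces and DH values cross the wire; both sides compute
    SKEYSEED = prf(Ni | Nr, g^ir) (RFC 7296 section 2.14) without authenticating."""
    skeyseed_i = prf(i.nonce + r.nonce, i.shared(r.pub))
    skeyseed_r = prf(i.nonce + r.nonce, r.shared(i.pub))
    assert skeyseed_i == skeyseed_r
    return skeyseed_i

def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, dh: bytes = b"") -> bytes:
    """CREATE_CHILD_SA keying: KEYMAT = prf+(SK_d, [g^ir (new) |] Ni | Nr)
    (RFC 7296 section 2.17), reduced here to a single prf call."""
    return prf(sk_d, dh + ni + nr)

def rekey_child(sk_d: bytes, with_pfs: bool):
    """Rekey a CHILD_SA under an existing IKE_SA. Returns (KEYMAT, the value an
    eavesdropper who has SK_d and the captured packets can reproduce)."""
    i, r = Peer(), Peer()                           # fresh nonces and DH values
    dh = i.shared(r.pub) if with_pfs else b""
    keymat = child_keymat(sk_d, i.nonce, r.nonce, dh)
    # The eavesdropper sees Ni, Nr and the public KE values, never the exponents,
    # so the best it can do is derive without the new g^ir.
    eavesdropper = child_keymat(sk_d, i.nonce, r.nonce)
    return keymat, eavesdropper
```

Without the extra Diffie-Hellman exchange, anyone holding SK_d can recompute the new child keys from the captured nonces alone; with it, the captured packets are not enough.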