session_09_vpn__ipsec__and_tls_101908



ns that are set for the message.
• Length (4 Octets) – Length of the total message (header and payload).
• Responder’s SPI (8 Octets) – A value selected by the responder to identify a unique IKE security association. This value is zero in the first message of the IKE_INIT.
• Major Version (4 bits) – The major version of the IKE protocol used.
• Minor Version (4 bits) – The minor version of the IKE protocol used.
• Exchange Type (1 Octet) – The type of exchange being used: IKE_INIT, IKE_AUTH, CREATE_CHILD_SA, or INFORMATIONAL.
• Message ID (4 Octets) – Message identifier used to control retransmission of lost packets. It is also used to prevent message replay attacks.

VPN IPsec IKE v2 TLS M. Mogollon – 01/08 - 28

VPN, IPSec and TLS
Generating Key Material in IKE_SA
• In IKEv2, Diffie-Hellman is the only key exchange algorithm used.
• Key material for all of the cryptographic algorithms used in both IKE_SA and CHILD_SA is always derived as the output of a prf algorithm.
• The Diffie-Hellman exchange has the following three components: a generator g, the modulus p, and a secret that in IKEv2 terminology is called i or r.
• During IKE_INIT, in KEi and KEr, the Initiator and Responder exchange Diffie-Hellman information, g^i and g^r, as well as the nonces Ni and Nr.
• The shared key, SKEYSEED, is calculated by both the Initiator and Responder from the nonces exchanged and the Diffie-Hellman shared secret generated from g^i and g^r, according to the following formula:

SKEYSEED = prf ( Ni | Nr , g^ir )

• In IKE_SA, four cryptographic algorithms are negotiated: encryption algorithms, integrity protection algorithms, a Diffie-Hellman group, and a pseudo-random function (prf). Key material for all of the cryptographic algorithms used in both IKE_SA and CHILD_SA is always derived as the output of a prf algorithm. In IKEv2, Diffie-Hellman is the only key exchange algorithm used.
• The Diffie-Hellman exchange has the following three compo...
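The IKE_INIT key agreement and the header fields described above, as an added example that is not part of the lecture slides: both sides run the Diffie-Hellman exchange and derive SKEYSEED = prf(Ni | Nr, g^ir), and a header packer shows the Responder's SPI being zero in the first message. The Diffie-Hellman group is a constructed toy group (not a real IKEv2 group) and HMAC-SHA256 is assumed as the negotiated prf.

```python
import hmac
import hashlib
import struct

# Toy Diffie-Hellman group, constructed for illustration only (a 61-bit
# Mersenne prime); a real IKE_SA negotiates a large MODP/ECP group.
P = 2**61 - 1
G = 3

# Exchange Type values from the IKEv2 header (RFC 7296, section 3.1);
# the slides' IKE_INIT is the RFC's IKE_SA_INIT.
EXCHANGE_TYPES = {"IKE_INIT": 34, "IKE_AUTH": 35,
                  "CREATE_CHILD_SA": 36, "INFORMATIONAL": 37}
IKE_HEADER_LEN = 28  # SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchType(1) Flags(1) MsgID(4) Length(4)

def prf(key: bytes, data: bytes) -> bytes:
    """The prf negotiated in IKE_SA; PRF_HMAC_SHA2_256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_public(secret: int) -> int:
    """Value carried in KEi or KEr: g^i or g^r mod p."""
    return pow(G, secret, P)

def dh_shared(peer_public: int, secret: int) -> bytes:
    """g^ir as big-endian octets padded to the modulus length, as IKEv2 requires."""
    return pow(peer_public, secret, P).to_bytes((P.bit_length() + 7) // 8, "big")

def skeyseed(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """SKEYSEED = prf(Ni | Nr, g^ir): the concatenated nonces key the prf, g^ir is its input."""
    return prf(ni + nr, g_ir)

def ike_header(spi_i: int, spi_r: int, exchange: str, flags: int,
               message_id: int, payload_len: int, next_payload: int = 33) -> bytes:
    """Pack the 28-octet IKEv2 header (version 2.0, next payload 33 = SA payload);
    the Length field counts header plus payload."""
    version = (2 << 4) | 0  # major 2 in the high nibble, minor 0 in the low nibble
    return struct.pack("!QQBBBBII", spi_i, spi_r, next_payload, version,
                       EXCHANGE_TYPES[exchange], flags, message_id,
                       IKE_HEADER_LEN + payload_len)

def derive_both_sides(i: int, r: int, ni: bytes, nr: bytes):
    """Run the IKE_INIT key agreement from both ends; returns (initiator, responder) SKEYSEED."""
    g_i, g_r = dh_public(i), dh_public(r)          # exchanged in KEi and KEr
    seed_i = skeyseed(ni, nr, dh_shared(g_r, i))   # initiator holds i, receives g^r
    seed_r = skeyseed(ni, nr, dh_shared(g_i, r))   # responder holds r, receives g^i
    return seed_i, seed_r
```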

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
