Internet Key Exchange (IKE):
IKE is a key management protocol standard used in conjunction with the Internet Protocol Security (IPSec) standard protocol. It provides security for virtual private networks' (VPNs) negotiations and network access to random hosts. It can also be described as a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.
IKE is a hybrid protocol based on:
- ISAKMP (RFC2408): Internet Security Association and Key Management Protocols are used for negotiation and establishment of security associations. This protocol establishes a secure connection between two IPSec peers.
- Oakley (RFC2412): This protocol is used for key agreement or key exchange. Oakley defines the mechanism that is used for key exchange over an IKE session. The default algorithm for key exchange used by this protocol is the Diffie-Hellman algorithm.
- SKEME: This protocol is another version for key exchange.
IKE enhances IPsec by providing additional features along with flexibility. IPsec, however, can be configured without IKE.
IKE has many benefits:
- It eliminates the need to manually specify all the IPSec security parameters at both peers.
- It allows the user to specify a particular lifetime for the IPsec security association.
- It permits certification authority.
- It allows dynamic authentication of peers.
- Encryption can be changed during IPsec sessions.
The IKE works in two steps:
1. Establishes an authenticated communication channel between the peers, by using algorithms like the Diffie-Hellman key exchange, which generates a shared key to further encrypt IKE communications. The communication channel formed as a result of the algorithm is a bi-directional channel. The authentication of the channel is achieved by using a shared key, signatures, or public key encryption.
There are two modes of operation for the first step:
- Main mode: which is utilized to protect the identity of the peers
- Aggressive mode: which is used when the security of the identity of the peers is not an important issue.
2. The peers use the secure communication channel to set up security negotiations on behalf of other services like IPSec. These negotiation procedures give rise to two unidirectional channels of which one is inbound and the other outbound. The mode of operation for the second step is the Quick mode.
IKE provides three different methods for peer authentication:
- Authentication using a pre-shared secret
- Authentication using RSA encrypted nonces
- Authentication using RSA signatures.
IKE uses the HMAC functions to guarantee the integrity of an IKE session. When an IKE session lifetime expires, a new Diffie-Hellman exchange is performed and the IKE SA is re-established.