Wednesday, March 14, 2012

Internet Key Exchange

Internet Key Exchange (IKE) is the automatic key management protocol used for IPSec. IKE was created from several other key management protocols and is the default for IPSec, but other key management protocols can be used. Strictly speaking, no key management protocol is required for IPSec to function, since the keys can be managed manually. However, manual key management is not desirable for all implementations because of the administrative overhead and because manually configured keys never expire, and keys that never expire represent a plethora of security vulnerabilities.

The key material within IKE is primarily for IKE's own encryption and authentication; it is not directly the key material for the underlying protocol, IPSec. During the creation of the keys for the various IKE Phase I authentication types (shared secret, digital signatures, and public key encryption), a pseudorandom function is used to combine the material into the keys. Because no pseudorandom functions are currently defined for use within IKE, the HMAC form of the negotiated authentication algorithm is used, such as HMAC-MD5. Each HMAC function is a message authentication code based on a keyed hash function. Hence, wherever the creation of a key is defined, there is an HMAC key identified within the process itself, as shown in the following: [7]
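As an added example (not code from the original post), the IKEv1 Phase I key derivation that the paragraph alludes to, written out following RFC 2409: the prf is an HMAC over the negotiated hash, and the only thing that changes between the three authentication methods is which value is used as the HMAC key. All sample values are constructed, and the default hash is MD5 only to match the post's HMAC-MD5 example.

```python
import hmac, hashlib

# Constructed sample values for illustration only (not real IKE traffic).
PSK = b"constructed-pre-shared-key"
NI_B = bytes.fromhex("0102030405060708")   # initiator nonce body (Ni_b)
NR_B = bytes.fromhex("1112131415161718")   # responder nonce body (Nr_b)
G_XY = bytes.fromhex("aa" * 32)            # Diffie-Hellman shared secret (g^xy)
CKY_I = bytes.fromhex("cafebabe00000001")  # initiator cookie (CKY-I)
CKY_R = bytes.fromhex("deadbeef00000002")  # responder cookie (CKY-R)

def prf(key, data, hash_name="md5"):
    """IKEv1 prf: the HMAC built on the negotiated hash (RFC 2409 section 4).
    MD5 matches the post's example; modern deployments negotiate SHA-2."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()

def skeyid(auth, ni_b, nr_b, g_xy, cky_i, cky_r, psk=None, hash_name="md5"):
    """SKEYID (RFC 2409 section 5): the HMAC key is what differs per
    Phase I authentication method, which is the 'key within the process'."""
    if auth == "psk":   # pre-shared key: HMAC key = the shared secret
        return prf(psk, ni_b + nr_b, hash_name)
    if auth == "sig":   # digital signatures: HMAC key = Ni_b | Nr_b
        return prf(ni_b + nr_b, g_xy, hash_name)
    if auth == "pke":   # public key encryption: HMAC key = hash(Ni_b | Nr_b)
        h = getattr(hashlib, hash_name)(ni_b + nr_b).digest()
        return prf(h, cky_i + cky_r, hash_name)
    raise ValueError(f"unknown authentication method: {auth}")

def derive_phase1_keys(skeyid_val, g_xy, cky_i, cky_r, hash_name="md5"):
    """SKEYID_d/_a/_e, each keyed with SKEYID and chained on the previous
    output plus a one-octet counter (RFC 2409 section 5)."""
    d = prf(skeyid_val, g_xy + cky_i + cky_r + b"\x00", hash_name)
    a = prf(skeyid_val, d + g_xy + cky_i + cky_r + b"\x01", hash_name)
    e = prf(skeyid_val, a + g_xy + cky_i + cky_r + b"\x02", hash_name)
    return {"SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

def expand_key(skeyid_e, length, hash_name="md5"):
    """Stretch SKEYID_e when the cipher needs more key material:
    K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), ... (RFC 2409 appendix B)."""
    if len(skeyid_e) >= length:          # already long enough: use it directly
        return skeyid_e[:length]
    blocks, k = [], b"\x00"              # "0" is a single zero octet
    while sum(map(len, blocks)) < length:
        k = prf(skeyid_e, k, hash_name)
        blocks.append(k)
    return b"".join(blocks)[:length]

if __name__ == "__main__":
    s = skeyid("psk", NI_B, NR_B, G_XY, CKY_I, CKY_R, psk=PSK)
    keys = derive_phase1_keys(s, G_XY, CKY_I, CKY_R)
    print({name: value.hex() for name, value in keys.items()})
    print("32-byte cipher key from SKEYID_e:", expand_key(keys["SKEYID_e"], 32).hex())
```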
