(IKE)
- Phases:
- 1: Establishment of a security association, mutual authentication and generation of a master key
- 2: generation of a session ket
Security association:
- an SA between two tunnel peers defines:
→ encryption algotrithm and key lenght
→ authentication algo and key length
→ lifetime of keys
→ lifetime of SA itself
- SA proposals are negotiated between the peers in phase 1.
- The two peers create proposals that have different algorithms, and they figure out which proposals the other is capable of. Once agreed on a set of proposals, these get added to their respective databases. Throughout the communication, they can change their encyption or authentication algorithms at any point to another one stored in their shared databases.
Phase 1:
- SA messages are sent and negotiated, master key generated.
Phase 2:
- Keys are changed every few minutes.
→ Where is the weak link in this procedure?
⇒ Proposals. You have to start somewhere. You can't encrypt the first message.
⇒ Hackers could send weak proposals, with bad encryption algorithms and trick clients into accepting them.
⇒ Solution: weak proposals are now rejected.
Index