
IKE overview, Security mechanism of IKE, Data authentication – H3C Technologies H3C SecPath F1000-E User Manual

Page 698: Operation of IKE


IKE

IKE Overview

Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IP Security (IPsec), dramatically simplifying the application, management, configuration and maintenance of IPsec.

Instead of transmitting keys directly across a network, IKE calculates shared keys after the peers exchange a series of data. This prevents a third party from recovering the keys even if it captures all of the exchanged data used to calculate them.

Security Mechanism of IKE

IKE has a series of self-protection mechanisms and supports secure identity authentication, key distribution, and IPsec SA establishment on unsecured networks.

Data authentication

Data authentication involves two concepts:

• Identity authentication: Mutual identity authentication between peers. Two authentication methods are available: pre-shared key authentication and PKI-based digital signature authentication (RSA signature).

• Identity protection: Protecting identity information by using the generated keys to encrypt it for transmission.

DH

The Diffie-Hellman (DH) algorithm is a public key algorithm. With this algorithm, two peers exchange some data and then use that data to calculate the shared keys, rather than transmitting the keys directly. Because recovering the keys from the exchanged data is computationally infeasible, a third party cannot obtain them even after intercepting all of the exchanged data. Thus, the DH exchange enables communication peers to obtain common secret information securely.

PFS

The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. It guarantees that the compromise of one key has no impact on the security of other keys, because the keys are not derived from one another. For IPsec, PFS is implemented by adding an additional key exchange at IKE negotiation phase 2.

Operation of IKE

IKE negotiates keys and establishes SAs for IPsec in two phases:

1. Phase 1: The two peers establish an ISAKMP SA, a secure, authenticated channel for communication. In this phase, two modes are available: main mode and aggressive mode.

2. Phase 2: Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs.
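As an added illustration that is not part of the H3C manual, the following Python models the DH exchange, a pre-shared-key phase 1 key derivation, and the optional PFS exchange in phase 2, then shows what an observer who later obtains the phase 1 keys can and cannot recompute. The modulus, the HMAC-SHA256 PRF and the simplified derivation formulas are assumptions chosen to keep the example self-contained; they are not the device's implementation.

```python
import hashlib
import hmac
import secrets

# Demonstration modulus only: 2**255 - 19 is a known prime, chosen so the
# exchange runs quickly offline. IKE uses the MODP groups of RFC 2409/3526
# (DH group 1, 2, 5, ...) instead; the arithmetic is identical.
P = 2**255 - 19
G = 2

def dh_keypair():
    """One peer's private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    """g^xy mod p, computed by each peer from the other's public value."""
    return pow(peer_pub, priv, P)

def prf(key, data):
    """HMAC-SHA256 stands in for the PRF negotiated in phase 1."""
    return hmac.new(key, data, hashlib.sha256).digest()

def phase1_skeyid(psk, g_xy, ni, nr):
    """Simplified RFC 2409 pre-shared-key form: SKEYID = prf(psk, Ni|Nr),
    then bound to the phase 1 DH result g^xy."""
    return prf(prf(psk, ni + nr), g_xy.to_bytes(32, "big"))

def phase2_keymat(skeyid, ni, nr, pfs_g_xy=None):
    """IPsec SA key material; with PFS a fresh DH result is mixed in."""
    fresh = b"" if pfs_g_xy is None else pfs_g_xy.to_bytes(32, "big")
    return prf(skeyid, fresh + ni + nr)

def run_negotiation(psk=b"constructed-psk", pfs=True):
    """Both sides of the two phases. Returns each peer's phase 2 key and what
    an observer holding SKEYID, all nonces and all public values (but no
    private exponent) can recompute."""
    xi, pub_i = dh_keypair()                     # phase 1 DH, initiator
    xr, pub_r = dh_keypair()                     # phase 1 DH, responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid_i = phase1_skeyid(psk, dh_shared(xi, pub_r), ni, nr)
    skeyid_r = phase1_skeyid(psk, dh_shared(xr, pub_i), ni, nr)
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    pfs_i = pfs_r = None
    if pfs:                                      # extra DH exchange in phase 2
        yi, qpub_i = dh_keypair()
        yr, qpub_r = dh_keypair()
        pfs_i, pfs_r = dh_shared(yi, qpub_r), dh_shared(yr, qpub_i)
    key_i = phase2_keymat(skeyid_i, ni2, nr2, pfs_i)
    key_r = phase2_keymat(skeyid_r, ni2, nr2, pfs_r)
    observer = phase2_keymat(skeyid_i, ni2, nr2)  # lacks the phase 2 g^xy
    return {"peer_i": key_i, "peer_r": key_r, "observer": observer}
```

Without PFS the observer's value equals the peers' IPsec key; with PFS it does not, because the phase 2 key also depends on a DH result that the captured public values alone do not yield.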
