2025-02-27 update, from SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 report
This article walks through the principles of IPSec, with a focus on the IKE key exchange protocol, for readers who are new to the topic.
Basic concepts: the function of IKE (Internet Key Exchange)
The IKE protocol is commonly used to secure a virtual private network (VPN) when it communicates with remote networks or hosts, including the exchange and management of the keys the VPN uses.
IKE negotiates keys and establishes IPSec security associations (SAs) on behalf of IPSec: first an IKE SA is established between the peers, then, under the protection of that IKE SA, the IPSec SA is negotiated using the AH/ESP encryption algorithms and the pre-shared key configured on both peers. This simplifies the use and management of IPSec.
Composition
IKE is a hybrid protocol built from three protocols (components):
1: ISAKMP (Internet Security Association and Key Management Protocol), which provides the framework
2: OAKLEY, a key exchange protocol based on a key exchange mechanism between two peers
3: SKEME, a key exchange protocol that provides a mechanism for public-key authentication
IKE is built on the framework defined by ISAKMP (UDP port 500). It follows OAKLEY's exchange modes and SKEME's key-sharing and key-update techniques, and defines its own two key exchange modes.
IKE negotiates two types of SA:
Phase 1: IKE (ISAKMP) SA
Phase 2: IPSec SA
Security mechanisms of IKE
Identity authentication methods
These confirm the identity of both communicating parties:
Pre-shared key authentication
Digital signature authentication
Digital envelope authentication
Pre-shared key authentication
The initiator and responder must agree on a shared key in advance. Information is encrypted with the shared key before transmission and the receiver decrypts it with the same key; if the receiver can decrypt it, authentication is considered to have passed. (In manual mode the pre-shared key is configured by hand at both ends; in IKE automatic negotiation mode the pre-shared key is generated dynamically through the DH algorithm.)
Advantages and disadvantages
Configuration is simple, but because a pre-shared key is used, in a one-to-many deployment a pre-shared key must be configured for every peer. This suits small networks and is less secure for large ones.
Digital certificate authentication (usually using RSA)
In digital certificate authentication, both parties use digital certificates issued by a CA to verify each other's legitimacy; each party has its own public key (transmitted over the network) and private key (kept by itself).
The sender computes a hash of the original message and encrypts the hash with its own private key to produce a digital signature. The receiver decrypts the digital signature with the sender's public key, computes the hash of the received message, and compares the two results. If they match, authentication passes; otherwise it fails.
Advantages and disadvantages
Digital certificates are highly secure, but a CA is needed to issue them, and CRLs (certificate revocation lists) have poor timeliness: after a certificate is stolen and revoked by the CA, a peer that has not yet updated its CRL can still be attacked, for example through hijacking.
Digital envelope authentication
A symmetric key encrypted with a public key is called a digital envelope.
The sender first generates a symmetric key and encrypts it with the receiver's public key. The sender then encrypts the message with the symmetric key and generates a digital signature with its own private key.
The receiver decrypts the digital envelope with its own private key to obtain the symmetric key, then uses the symmetric key to decrypt the message. At the same time it verifies the digital signature with the sender's public key; if the signature is correct, the sender is authenticated.
Advantages and disadvantages
Digital envelope authentication is used when the equipment must meet the requirements of the State Cryptography Administration, but this authentication method can only be used in the main mode negotiation of IKEv1.
Identity protection
Identity data is encrypted before transmission once the keys have been generated, which protects the identity data.
DH
DH stands for Diffie-Hellman key exchange.
Function
With this algorithm, both communicating parties can generate a shared secret number by exchanging only information that may be made public, and this secret number can then be used as the key of a symmetric cipher.
Specific exchange process (this process borrows the example from the book "Graphic Cryptography")
The two communicating parties are Alice and Bob.
1: Alice sends two numbers, P and G, to Bob.
P must be a very large prime number; G is a number related to P, called a generator.
2: Alice generates a random number A.
A is an integer between 1 and P-2.
3: Bob generates a random number B.
B is also an integer between 1 and P-2.
4: Alice sends the number G^A mod P to Bob.
5: Bob sends the number G^B mod P to Alice.
6: Alice raises the number sent by Bob to the power A and reduces it mod P:
(G^B mod P)^A mod P = G^(B×A) mod P
7: Bob raises the number sent by Alice to the power B and reduces it mod P:
(G^A mod P)^B mod P = G^(A×B) mod P
At this point Alice and Bob have both obtained the same shared key.
PFS
PFS stands for Perfect Forward Secrecy.
Perfect forward secrecy is a security property meaning that the compromise of one key does not affect the security of other keys: there is no derivation relationship among a series of keys, so even if one is cracked, the others are not.
Concrete process
The keys of an IPSec SA are derived from the key of the IKE SA. Because one IKE SA negotiation produces one or more pairs of IPSec SAs, an attacker who steals the IKE key can probably collect enough information to derive the IPSec SA keys. PFS protects the IPSec SA keys by performing an additional DH exchange.
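The DH exchange above (steps 1 to 7) and the PFS mechanism, as an added Python example that is not part of the original article: P, G, the SHA-256 based kdf and the SPI values are constructed toy values, not IKE's real DH groups or PRF. It shows that a key derived from the IKE SA key alone can be reproduced by anyone holding that key, while a key mixed with a fresh DH exchange cannot.

```python
import hashlib
import secrets

# Constructed toy parameters: a small prime P and a generator G of its
# multiplicative group. Real IKE DH groups use primes of 2048 bits or more.
P = 23
G = 5


def dh_public(private: int) -> int:
    """Steps 4 and 5: the value G^x mod P that each side sends in the clear."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    """Steps 6 and 7: (peer value)^x mod P, which is identical on both sides."""
    return pow(peer_public, private, P)


def kdf(*parts) -> bytes:
    """Hypothetical key derivation (a plain SHA-256, not IKE's real PRF)."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()


def ike_sa_key(a: int, b: int) -> bytes:
    """IKE SA key from one DH exchange with private values a (Alice) and b (Bob)."""
    shared_alice = dh_shared(dh_public(b), a)   # (G^B mod P)^A mod P
    shared_bob = dh_shared(dh_public(a), b)     # (G^A mod P)^B mod P
    assert shared_alice == shared_bob
    return kdf(shared_alice)


def ipsec_sa_key_no_pfs(ike_key: bytes, spi: int) -> bytes:
    """Without PFS the IPSec SA key is derived from the IKE SA key alone."""
    return kdf(ike_key.hex(), spi)


def ipsec_sa_key_pfs(ike_key: bytes, spi: int, a2: int, b2: int) -> bytes:
    """With PFS a fresh DH exchange (a2, b2) is mixed into the IPSec SA key."""
    fresh = dh_shared(dh_public(b2), a2)        # the additional DH exchange
    return kdf(ike_key.hex(), spi, fresh)


def derivable_from_ike_key(ike_key: bytes, spi: int, sa_key: bytes) -> bool:
    """Can someone holding only the stolen IKE SA key reproduce this IPSec key?"""
    return ipsec_sa_key_no_pfs(ike_key, spi) == sa_key


if __name__ == "__main__":
    a, b, a2, b2 = (secrets.randbelow(P - 2) + 1 for _ in range(4))  # 1..P-2
    ike = ike_sa_key(a, b)
    print(derivable_from_ike_key(ike, 1, ipsec_sa_key_no_pfs(ike, 1)))     # True
    print(derivable_from_ike_key(ike, 1, ipsec_sa_key_pfs(ike, 1, a2, b2)))  # False
```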