ISAKMP

1
ISAKMP

• Presented by
• Gary Aoki
• Linan Chang
• Thu Nguyen
• Pravesvuth Uparanukraw

2
Agenda

• Introduction
• Overview
• IKE, SA, Cookie
• Architecture
• Security

3
Introduction

• Internet Security Association and Key Management
  Protocol (ISAKMP)
• A cryptographic protocol which forms the basis of
  a key exchange protocol.
• ISAKMP typically utilizes IKE for key exchange,
  although other methods can be implemented.
• All implementations can be over any transport
  protocol, including send and receive capability
  using UDP on port 500.
• RFCs 2408, 2407

4
ISAKMP characteristics

• ISAKMP defines procedures and packet formats to
  establish, negotiate, modify and delete Security
  Associations (SAs)
• Benefits
• Designed for transmission efficiency and
  flexibility
• Reduces the amount of duplicated functionality
  within each security protocol
• Reduces the connection setup time by negotiation
  the whole stack of services at once.

5
ISAKMP/IPSec protocol suite

• ISAKMP is used as part of IPSec protocol, the
  connection you establish ahead of the actual
  IPSec connection.
• Used to figure out what kind of encryption to
  use. In order to do this, it exchanges key
  generation and authentication data.

6
ISAKMP terminology

• Cookie
• Domain of Interpretation (DOI)
• Situation
• Security Association (SA)

7
Cookies

• What is Cookie?
• Cookie generation requirements
• Depend on specific parties
• Unique
• Generation verification methods.

Heheeeh! Yummy! Yummy!
8
SA

• Security Association
• set of security information that defines the
  relationship between two or more entities and
  describe how the entities will utilize security
  services to support secure communication.

9
IKE

• Key establishment
• Provides the messages format and protocol
  required to support Key Exchange
• Does not specify a specific key generating,
  exchange algorithm. Entities indicate which
  algorithms they wish to use or support
• IKE negotiation attributes
• Encryption algorithm
• Hash algorithm
• Authentication mechanism
• Computation algorithm
• DOI

10

• Security Association negotiation example
• ipsec-cisco-gre-and-nat-too-2043367.html

11
ISAKMP Exchange Types

• Base
• Authentication
• Key Exchange
• Saturation protection
• Identity Protection
• Authentication
• Key Exchange
• Protects users identities
• Authentication Only

• Aggressive
• Authentication
• Key Exchange
• No saturation protection
• Informational
• Information only

12
Base Exchange
13
Identity Protection Exchange
14
Authentication Only Exchange
15
Aggressive Exchange
Informational Only Exchange
16
Functionality

• Separates the functionality into three distinct
  parts
• Authentication
• Key exchange
• Security Associations
• The separation adds complexity
• The separation is critical for interoperability
  between systems

17
Authentication

• ISAKMP provides the messages and protocols
  required to support authentication
• Uses Digital Signatures but other mechanisms
  may be specified as additional options
• Does not mandate a specific Signature algorithm
• Does not mandate a specific Certificate Authority
  entities indicate which CAs they support

18
Key Establishment

• ISAKMP provides the messages and protocol
  required to support key exchange
• Does not specify a specific key generating
  algorithm
• Does not specify a specific key exchange
  algorithm - Entities indicate which algorithms
  they support and wish to use

19
Security Associations

• ISAKMP provides the messages and protocol to
  establish and maintain security associations
• Indicates the authentication mechanism
• Indicates the key exchange mechanism
• ISAKMP defines the basic set of SA attributes
  that must be implemented

20
ISAKMP Protocol Negotiation

• Two Phases
• Establish a key-exchange SA
• Negotiate security services
• ISAKMP Protocols are constructed by chaining
  together ISAKMP payloads.

21
ISAKMP Negotiation Phases

• Phase 1 two entities (servers) agree on how to
  protect further negotiation traffic -gt ISAKMP SA
  is established.
• Phase 2 ISAKMP SA is used to protect the
  negotiations for the protocol SAs.

22
Message Architecture

• Fixed format header
• One or more payloads
• The payload fields are chained together

23
Message Header
Generic Payload Header
24
Message Payloads

• Security Association Payload
• Proposal Payload
• Transform Payload
• Key Exchange Payload
• Identification Payload
• Certificate Payload
• Certificate Request Payload

• Hash Payload
• Signature Payload
• Nonce Payload
• Notification Payload
• Notify Payload
• Delete Payload
• Vendor ID Payload

25
Security Issues

• Common attacks
• Man-In-The-Middle
• Denial of Service
• Connection Hijacking

26
Man-In-The-Middle Attack

• A situation where a malicious user sits between
  communicating parties and intercepts messages.
  The attacker can modify, insert or delete
  messages.
• Solutions
• Strong authentication of the parties prevents the
  risk of establishing an SA with other than
  intended party.
• During the creation of an SA, deleted messages
  will clear all state so a partial SA won't be
  created.
• Linking ISAKMP payloads in order to prevent
  insertion of messages.

27
Denial of Service Attack

• Where a malicious user can render a system
  unusable by overloading the system's resources
• Solution Implement an anti-clogging token (ACT)
  or a cookie to protect computer resources.

28
Connection Hijacking Attack

• A situation where a third party jumps in in the
  middle of transaction and steals the connection.
• Solution Link the authentication, key exchange
  and security association exchanges. The linking
  of exchanges prevents an attacker from jumping in
  after authentication.

29
Conclusion

• ISAKMP defines a framework for
• Authentication
• Key generation and exchange
• Establishing secure communications
• It has some Fundamental Flaws
• It has been superseded by version 2 of the
  Internet Key Exchange (IKE) Protocol

30
References

• http//en.wikipedia.org/
• http//www.ietf.org/rfc/rfc2408.txt
• http//www.javvin.com/protocolISAKMP.html
• http//home1.gte.net/res0psau/ipsec-parameters/def
  ault-isakmp-ipsec-params.html
• http//monkey.org/openbsd/archive/tech/9912/msg002
  15.html

31
QA

• Thank you!