Kang & Balitanas (2009) define IKE as a spontaneous key management protocol created by combining several other key management protocols. It serves as the default key generator for IPsec (short for Internet Protocol Security), and it creates, encrypts and authenticates all secret keys generated between two computers on a network.
It further helps to determine and configure the security associations (SAs) necessary for secure communication, and specifies the protocol format and the cryptographic and hashing algorithms used between the two computers. Kyburz (2010) notes that “the two peers on either side of the SA usually store the cryptographic keys, encryption algorithms, authentication schemes, and all integrity protection mechanisms supported by that connection in the SA”.
All this information is exchanged between the two computers using digital signatures and message authentication codes (MACs). Easttom (2006) defines a digital signature as any accessional data included in a message, containing an e-mail addendum, used to corroborate the authenticity of the sender of the message. Digital signatures are anchored on private and public encryption keys and use digital certificates (DCs), provided by Certificate Authorities (CAs).
CAs use the information supplied to them to generate the digital certificate, with an encrypted private key for the requester. Kyburz (2010) asserts that the receiver of a signature will apply the signer’s public key in the decryption and verification of the signature. Where the public key is unknown, it can be requested through a certificate request (CR).
According to Mason (2002), there are two distinct phases in an IKE protocol. Phase one establishes an authenticated and secure channel between the two computers, called the IKE Security Association, by performing the Diffie-Hellman key exchange.
In the second phase, IKE negotiates the IPsec security associations and yields the preferred keying material. Kyburz (2010) notes that “the generated key material is transferred to the IPsec, which tracks and supervises the security of all the subsequent communication channels”.
The mechanisms that IKE uses to encrypt and authenticate all forms of communication between the initiator and responder are either symmetric or asymmetric. In an asymmetric key encryption system, one key, referred to as the public key, is made available to everybody and is used to encrypt a message, but only the recipient holds the private key needed to decrypt the message or data.
Symmetric data encryption, also referred to as conventional data encryption, on the other hand uses a common key to encrypt and decrypt data. The types of conventional encryption methods fall under the Extensible Authentication Protocols (EAPs) and include Data Encryption Standard (DES), Advanced Encryption Standard (AES) and International Data Encryption Standard (IDEA), among others. These are discussed below.
DES uses short keys and relies on sophisticated procedures to encrypt a large amount of data quickly and efficiently, resulting in scrambled data which is difficult to decrypt without the decryption code. Initially, the data is divided into 64-bit blocks which undergo permutation. The permuted data is then manipulated by sixteen separate steps of encryption involving bit-shifting, substitutions and logical operations using a 56-bit key.
It is then scrambled using a swapping algorithm, after which the scrambled data is transposed again. It is a fast method that uses sophisticated algorithms to encrypt data. An improved version of the method, referred to as triple DES or simply DES-3, is available. It repeats the encryption procedure three times, producing a more complex encryption of the data and thus increasing data security.
AES uses the Rijndael algorithm to encrypt the data. It specifies 128-bit, 192-bit and 256-bit keys for its encryptions. It utilizes a block cipher and is considered a very secure encryption method.
IDEA works with 64-bit blocks of data, two at a time, and produces 128-bit keys. It uses sub-keys generated from the main key to perform modular arithmetic and XOR operations to encrypt the data.
Kyburz (2010) identifies some weaknesses inherent in IKE. They include penultimate authentication flaws, where an active adversary intercepts the data exchange between two computers trying to set up SAs. This results in attacks against session key secrecy, leading to impersonation in a communication.
There is also a random reveal weakness, whereby an active adversary is able to derive keys from both peers. IKE is also vulnerable to Key Compromise Impersonation attacks in instances where an attacker is able to access the long-term secret keys of a particular computer. Kyburz (2010) also includes identity protection and resource exhaustion as other limitations of IKE.
Mason (2002) highlights the following advantages of Internet Key Exchange that make it a secure method for key exchange: the IKE protocol allows for perfect forward secrecy, which ensures superior endurance to cryptographic attacks.
Kyburz (2010), on the other hand, notes that IKE is able to protect the two computers against the man-in-the-middle attack inherent in the standard Diffie-Hellman protocol, since even the Diffie-Hellman key exchanges are encapsulated in the IKE protocol. In addition, IKE integrates traffic selectors, which permit a superior IPsec policy negotiation based on IP address and port.
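The phase-one idea described above, an authenticated Diffie-Hellman exchange that resists a man-in-the-middle, is sketched here as an added example that is not taken from the cited sources. It is a simplified model rather than the IKE message format: a pre-shared key with HMAC-SHA256 stands in for IKE's authentication, the group is a toy one, and all function names are hypothetical. Each run uses fresh key pairs, which is the basis of the forward secrecy Mason mentions.

```python
import hashlib
import hmac
import secrets

# Toy group, an assumption for illustration only: a 127-bit Mersenne prime.
# Real IKE negotiates much larger standardized groups.
P = 2**127 - 1
G = 3

def keypair():
    """Fresh (ephemeral) DH private exponent and public value per exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def auth_tag(psk, sender, sender_pub, peer_pub):
    """MAC binding the sender's role to both public values of this exchange."""
    msg = b"|".join([sender, str(sender_pub).encode(), str(peer_pub).encode()])
    return hmac.new(psk, msg, hashlib.sha256).digest()

def session_key(priv, peer_pub):
    """Derive keying material from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def exchange(psk_i, psk_r, in_transit=lambda pub: pub):
    """One exchange; returns (initiator_key, responder_key) or None.

    in_transit models the network path: identity by default, or a function
    that alters a public value before the other peer receives it.
    """
    i_priv, i_pub = keypair()
    r_priv, r_pub = keypair()
    i_pub_seen, r_pub_seen = in_transit(i_pub), in_transit(r_pub)
    # Each peer MACs its own public value plus the one it received.
    tag_i = auth_tag(psk_i, b"initiator", i_pub, r_pub_seen)
    tag_r = auth_tag(psk_r, b"responder", r_pub, i_pub_seen)
    # Each peer recomputes the other's tag from its own view of the exchange.
    ok_r = hmac.compare_digest(tag_i, auth_tag(psk_r, b"initiator", i_pub_seen, r_pub))
    ok_i = hmac.compare_digest(tag_r, auth_tag(psk_i, b"responder", r_pub_seen, i_pub))
    if not (ok_i and ok_r):
        return None  # authentication failed: no security association
    return session_key(i_priv, r_pub_seen), session_key(r_priv, i_pub_seen)

if __name__ == "__main__":
    psk = b"constructed-demo-secret"
    print("clean path:", exchange(psk, psk) is not None)
    print("altered path:", exchange(psk, psk, lambda pub: (pub * G) % P))
```

Without the two tag checks, peers on an altered path would each derive a key that the other side does not share; with them, the exchange is abandoned before any keying material is used.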
References
Easttom, C. (2006). Network defense and countermeasures: Principles and practices. Upper Saddle River, N.J: Pearson.
Balitanas, M., & Kang, B. (2009). Vulnerabilities of VPN using IPSec and Defensive Measures. International Journal of Advanced Science and Technology, volume 8, 306-791. Web.
Kyburz, A. (2010). An automated formal analysis of the security of the Internet Key Exchange (IKE)-Protocol in the presence of compromising adversaries. (Master’s Thesis). Swiss Federal Institute of Technology, Zurich. Retrieved from https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/152399/eth-2226-01.pdf
Mason, A. (2002). VPNS and VPN Technologies. Retrieved from Ciscopress.com: http://www.ciscopress.com/