
Internet Key Exchange
IKE Version 1 


Phase 1
  • Main Mode:  ( site-to-site )
  1. Propose: encryption and authentication algorithms
  2. Initiator and responder: Diffie-Hellman key exchange  ( each side sends its public value + a random number / nonce )

            Pre-shared key

            Private keys ( exchanged using PKI )

  3. Use the encrypted communication channel

  4. Send the IKE identification to authenticate itself


  • Aggressive Mode:
  1. Initiator proposes: encryption and authentication algorithms + its IKE identity to authenticate itself
  2. Responder proposes
  3. Secure channel for negotiating the IPsec VPN Phase 2
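Main Mode steps 2 to 4 carried through, as an added worked example that is not from the original page: each side sends a DH public value plus a nonce, both derive the same key, and the initiator authenticates with a hash keyed by the pre-shared key. The prf layout, the peer identities and the PSK values are assumptions for illustration; the exact SKEYID inputs are defined in RFC 2409, and only the group 2 prime is taken from that RFC.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409 section 6.2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Peer:
    """One IKE Phase 1 side: holds its DH private value, its nonce and the pre-shared key."""

    def __init__(self, identity: bytes, psk: bytes):
        self.identity = identity               # sent in the ID payload (step 4)
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1  # DH private exponent, never leaves this side
        self.public = pow(G, self.x, P)        # g^x mod p, sent in the KE payload (step 2)
        self.nonce = secrets.token_bytes(32)   # the "random number" sent alongside it

    def derive_key(self, peer_public: int, peer_nonce: bytes, initiator: bool) -> bytes:
        """Shared secret g^xy mixed with both nonces and the PSK (simplified SKEYID-style prf)."""
        shared = pow(peer_public, self.x, P).to_bytes(128, "big")
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        skeyid = hmac.new(self.psk, ni + nr, hashlib.sha256).digest()
        return hmac.new(skeyid, shared, hashlib.sha256).digest()


def auth_hash(key: bytes, identity: bytes) -> bytes:
    """Authentication value sent with the ID payload; only a holder of `key` can produce it."""
    return hmac.new(key, identity, hashlib.sha256).digest()


def phase1(initiator_psk: bytes, responder_psk: bytes):
    """Run steps 2-4 between two peers; return (keys agree, initiator authenticated)."""
    i = Peer(b"vpn-a.example", initiator_psk)   # constructed sample identities
    r = Peer(b"vpn-b.example", responder_psk)
    # Step 2: public values and nonces cross the wire; private exponents do not.
    k_i = i.derive_key(r.public, r.nonce, initiator=True)
    k_r = r.derive_key(i.public, i.nonce, initiator=False)
    # Step 4: initiator proves its identity; responder recomputes with its own key.
    received = auth_hash(k_i, i.identity)
    expected = auth_hash(k_r, i.identity)
    return k_i == k_r, hmac.compare_digest(received, expected)
```

With matching PSKs both peers end up with the same key and the responder accepts the initiator; with a mismatched PSK the derived keys differ and the authentication hash is rejected even though the DH values were exchanged normally.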
Phase 2
IKE Version 2 



IKE_SA_INIT

IKE_AUTH

CREATE_CHILD_SA

INFORMATIONAL

Tunnel Mode ( most used )
  • encapsulates the whole original layer 3 packet
  • with ESP ( optionally + AH ) or just AH



Transport Mode

encapsulates the layer 4 part of the original packet


PKI or Public Key Infrastructure


Large networks

Stronger authentication security

Exchange of asymmetric keys ( private and public )

The private key is used to decrypt

  

Issuer, 


Digital certificate: 

Based on X.509

Information:

Issuer / ID

Serial Number

Expiration dates / Validity

Digital signature ( from the Certificate Authority)





Fingerprint

File ( or transaction )  → hashed


Hashing

MD5, SHA1, SHA2

At the source:

                file / text / ....  → hashing algo  → hashed value / string

On the other side:

            password ( or text ) → same hashing algo → produces the same hashed value / string

            compare the two hashes

Hashing loses information: the original data cannot be restored from the hash




Encryption that uses an asymmetric key
Encryption that uses a symmetric key





