PKI basic theory-3

Source: Internet
Author: User


Phase 1 Using Preshared Keys

IKE's main mode consists of six packets, and these six packets are divided into three exchanges:

1: These first two packets define the algorithms and hashes used to secure the IKE communications and are agreed upon in matching IKE SAs in each peer.

The first two packets define the algorithms and hash that will protect IKE's own communication, and they negotiate the IKE SA. At this point the packets are not encrypted; they are transmitted in plaintext. In other words, the first exchange decides which IKE security association will be used in the first phase of IKE. What is an IKE SA? It is the crypto isakmp policy we define. If the isakmp policies on both sides match, the second exchange of IKE main mode can proceed.

2: The second exchange sets up the secure channel and sets the stage for authentication. This exchange uses a Diffie-Hellman exchange, which is a process that generates a shared secret. This is done by using a method of exchanging nonces, which are random numbers sent to the other party. These nonces are digitally signed and returned as part of authenticating the communication channel.

[Figure: IKE Main Mode Exchanges: ISAKMP negotiation information; Diffie-Hellman exchange, secure channel setup; authentication exchange]

The second exchange creates a secure channel and lays the foundation for the authentication in the third exchange. The information exchanged here uses the asymmetric algorithm DH (asymmetric algorithms mainly include DH and RSA; RSA is mainly used for digital signatures and certificates). DH uses random numbers to generate SKEYID. As the first article mentioned, asymmetric algorithms are not used to encrypt the data itself, because that has many drawbacks; one of the practical applications of an asymmetric algorithm is to exchange and generate keys.

3: The third packet exchange proves the identity of both peers to one another. This is where the authentication is completed. After all three packet exchanges are completed, a secure, authenticated control channel is created.

The third exchange authenticates the identity of both parties; the details are not introduced here. The authentication is actually a hash value built from the SKEYID material (the three SKEYID keys). Do you still remember the role of the preshared key? It is not the key that encrypts data; it is used for authentication. The actual shared secret used for data encryption is derived from SKEYID. If a digital certificate is used on the entity, no preshared key needs to be configured on it, because authentication is completed by the digital certificate and digital signature. Now the mission of IKE main mode is complete.

What does IKE main mode achieve? 1: it generates a shared secret for the actual data encryption. 2: both parties are authenticated. Using the preshared key instead of a digital certificate and digital signature still achieves authenticity: we have determined that this entity is communicating with that entity for secure data exchange. Non-repudiation.
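To make the second and third exchanges concrete, here is an added example (written for this page; it is not the page's own code, nor Cisco's) that simulates main-mode messages 3 to 6 between two peers using the preshared-key derivation from RFC 2409: SKEYID is seeded by the PSK and both nonces, SKEYID_d/_a/_e are derived from it together with the DH secret, and HASH_I/HASH_R are the authentication hashes each side verifies. The DH group, cookies, nonces, identities and SA body are constructed stand-ins; real IKE uses the MODP groups and payload encodings, and the hashes travel inside the SKEYID_e-protected messages 5 and 6. The example shows the page's point: DH alone gives both sides the same g^xy, but with a mismatched PSK the authentication hashes fail and the encryption keys differ, because the data-protection keys come from SKEYID, not from the PSK directly.

```python
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman group for illustration only; IKE uses the
# MODP groups from RFC 2409/3526, whose primes are not reproduced here.
P = 2**521 - 1   # Mersenne prime, used only to keep the example self-contained
G = 3
KLEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 'prf' is the HMAC of the negotiated hash; SHA-1 is used here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    """Encode a group element as a fixed-width big-endian byte string."""
    return n.to_bytes(KLEN, "big")


def derive_phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                       cky_i: bytes, cky_r: bytes) -> dict:
    """Key derivation for preshared-key authentication (RFC 2409, section 5).

    SKEYID is seeded by the PSK and both nonces; the three working keys
    (_d for IPsec key material, _a for authentication, _e for encryption)
    are then derived from SKEYID and the DH secret g^xy.
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def auth_hash(skeyid: bytes, gx_self: bytes, gx_peer: bytes, cky_self: bytes,
              cky_peer: bytes, sai_b: bytes, id_b: bytes) -> bytes:
    """HASH_I / HASH_R: proof that the sender knows SKEYID (hence the PSK),
    bound to this exchange's DH values, cookies, SA offer and identity."""
    return prf(skeyid, gx_self + gx_peer + cky_self + cky_peer + sai_b + id_b)


def run_main_mode(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Simulate main-mode messages 3-6 between two peers and report outcomes."""
    sai_b = b"constructed-SA-proposal"          # stands in for the SA payload body
    cky_i, cky_r = os.urandom(8), os.urandom(8)  # ISAKMP cookies from messages 1-2
    id_i, id_r = b"initiator.example", b"responder.example"  # constructed IDs

    # Messages 3 and 4: each side sends its DH public value and a nonce.
    x_i = int.from_bytes(os.urandom(32), "big")
    x_r = int.from_bytes(os.urandom(32), "big")
    gxi, gxr = i2b(pow(G, x_i, P)), i2b(pow(G, x_r, P))
    ni, nr = os.urandom(16), os.urandom(16)

    # Each side computes g^xy from the peer's public value and its own secret.
    gxy_i = i2b(pow(int.from_bytes(gxr, "big"), x_i, P))
    gxy_r = i2b(pow(int.from_bytes(gxi, "big"), x_r, P))

    keys_i = derive_phase1_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = derive_phase1_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)

    # Message 5: initiator sends ID_i and HASH_I; the responder recomputes
    # HASH_I with its own SKEYID and compares in constant time.
    hash_i_sent = auth_hash(keys_i["SKEYID"], gxi, gxr, cky_i, cky_r, sai_b, id_i)
    hash_i_expected = auth_hash(keys_r["SKEYID"], gxi, gxr, cky_i, cky_r, sai_b, id_i)
    initiator_ok = hmac.compare_digest(hash_i_sent, hash_i_expected)

    # Message 6: responder sends ID_r and HASH_R; the initiator verifies likewise.
    hash_r_sent = auth_hash(keys_r["SKEYID"], gxr, gxi, cky_r, cky_i, sai_b, id_r)
    hash_r_expected = auth_hash(keys_i["SKEYID"], gxr, gxi, cky_r, cky_i, sai_b, id_r)
    responder_ok = hmac.compare_digest(hash_r_sent, hash_r_expected)

    return {
        "dh_secret_agreed": gxy_i == gxy_r,
        "initiator_authenticated": initiator_ok,
        "responder_authenticated": responder_ok,
        "encryption_keys_match": keys_i["SKEYID_e"] == keys_r["SKEYID_e"],
    }


if __name__ == "__main__":
    print("matching PSK:  ", run_main_mode(b"s3cret", b"s3cret"))
    print("mismatched PSK:", run_main_mode(b"s3cret", b"wrong"))
```

Running it with matching PSKs reports every check as True; with mismatched PSKs the DH secret still agrees, but both authentication checks fail and SKEYID_e differs on the two sides, which is why a wrong preshared key shows up as a phase 1 authentication failure rather than as garbled traffic.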

----------------------------------------

Using the fewest words, the following sentence and the figure summarize the six packets:


The first two packets negotiate the IKE SAs; the next two set up the secure channel; and the last two authenticate the other side.
