PKI basic theory-7

 

Current Cisco VPN technologies, such as point-to-point IPsec, IPsec/GRE, DMVPN, GETVPN, and EzVPN, use IKE as underlying protocol for authenticated key exchange. all the vpn technologies of cisco currently use the IKE protocol.

The IKE protocol is a hybrid of the Oakley and SKEME protocols and operates inside a framework defined by Internet Security Association and Key Management Protocol
(ISAKMP) the IKE protocol itself is a hybrid protocol, which is composed of Oakley and SKEME and ISAKMP.

Oakley and SKEME define the steps two peers must take to establish a shared, authenticated key. IKE uses the ISAKMP language to express these and other exchanges. The steps defined by Oakley and SKEME are that a shared authentication key must be created between two peers. IKE uses the ISAKMP language for exchange.

The primary purpose of IKE is to establish an authenticated key exchange between two peers, using the ike sa process to derive the keys. while doing the IKE authentication, the two peers need to authenticate each other, which can be done by either using preshared keys or PKI. IKE primarily aims to establish a key exchange between two peers, and mutual verification between the two peers, which can be achieved through the use of a pre-shared key or PKI.

----------------------------

IKE Using Digital Certificates

IKE needs a mechanic to authenticate two VPN peers. IKE requires a mechanism to authenticate the entities of both parties. One is preshared key and the other is digital certificate.

 

The key difference between IKE using the preshared and the public key lies in Steps 5 and 6. IKE using preshared authentication uses hash as the method to authenticate both the peers. when using PKI, the peers encrypt the hash with their respective private keys. the hash is then decrypted using the respective public key of the peers. each peer wowould need to know the public key of the other peer by looking into the certificate, which is exchanged in Step 5 and Step 6.

Using the preshare key and digital certificate for authentication is different in step 5 and Step 6. When PKI is used, the entity uses their respective private keys to encrypt the hash value. The hash value is decrypted by the other party using the public key. Each entity needs to know the other party's public key. The Public Key is obtained from the certificate.