IKEv2 authentication data generation process

In the third and fourth messages of IKEv2, both parties will send an auth payload to each other to prove their identity. This process is implemented by signing the first message sent by each other. For example, if a responder wants to prove its identity, it needs to cache the entire message when it sends an ike_sa_init message. Then, before sending ike_sa_auth, connect the cached ike_sa_init message with nonce_ I and the MAC value of its own ID, and use the PRF algorithm to calculate a result, that is, the auth value.

As follows:

1. Calculate your own ID Mac

Macedidforr = PRF (sk_pr, idtype | reserved | respiddata)

2. Calculate the auth Value

Auth_data = PRF (sk_pr, realmessage2 | nonceidata | macedidforr)

Realmessage2 indicates the ike_sa_init message sent by responder. It is called realmessage2 because it is the second message in all message sequences. Nonceidata is the nonce value sent by initiator.

 

Similarly, the process for initiator to calculate auth data is as follows:

3. Calculate your own ID Mac

Macedidfori = PRF (sk_pi, idtype | reserved | initiddata)

4. Calculate the auth Value

Auth_data = PRF (sk_pi, realmessage1 | noncerdata | macedidfori)

Realmessage1 indicates the ike_sa_init message sent by the initiator. noncerdata is the nonce value sent by the responder.

 

However, if the authentication method selected by both parties is shared key, there will be a difference in auth Data calculation:

For the initiator:

Auth = PRF (shared secret, "key pad forikev2 "),

<Initiatorsignedoctets>)

For the responder:

Auth = PRF (shared secret, "key pad forikev2 "),

<Respondersignedoctets>)

 

When calculating the final auth data, if the authentication method is pre-shared key, the first parameter of the PRF algorithm will not use sk_pi/sk_pr, but PRF (shared secret, "key pad for IKEv2") as the PRF key.

 

The last point is about EAP. If both parties negotiate to use EAP authentication, the two parties will send AUTH Messages after the EAP process ends. If the EAP method is key-generation, you must replace the shared key with the key of the master shared key when calculating auth data. If it is a non-key-generating method, use sk_pi and sk_pr to replace the shared key.