ISAKMP: Domain of Interpretation (DOI) and Initialization Vector (IV)

Source: Internet
Author: User

Domain of Interpretation (DOI)

The DOI defines payload formats, exchange types, and naming conventions for security-related information, such as the names of security policies or of encryption algorithms and modes. The DOI identifier states which DOI a payload uses. Two DOI values are in common use, 0 and 1: 0 indicates the ISAKMP DOI and 1 identifies the IPsec DOI. If the DOI of a payload, for example a Notification payload, is 0, the payload belongs to the ISAKMP DOI and must be interpreted according to the ISAKMP protocol; if it is 1, the payload belongs to the IPsec DOI and must be interpreted according to the IPsec protocol. Some payloads, such as the ID payload and the Certificate payload, are generic payloads. They therefore have no DOI field and are interpreted the same way for all protocols. The Identification payload does contain a 'DOI Specific ID Data' field. If the IPsec DOI is used, refer to RFC 2407: the format of this field is protocol ID + port.

Another example:

When creating a security association for upper-layer applications (AH/ESP), IKE negotiates twice. The first negotiation establishes a simple security association, which is then used to negotiate the security parameters for AH/ESP. During SA negotiation there is a payload named Transform, which contains several SA Attributes (each attribute represents a type of algorithm, such as hash or encryption). Interpreting it requires the DOI. During IKE Phase 1 negotiation, this payload is interpreted according to IANA's 'Internet Key Exchange (IKE) Attributes' document. In Phase 2, it is interpreted according to the 'IPsec DOI for ISAKMP'. Although both phases use the same DOI, the IPsec DOI, that DOI clearly states that its interpretation of this payload is limited to Phase 2 negotiation, so the interpretation for Phase 1 negotiation must fall back to the IANA document.
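The per-payload DOI field described in this section, as an added example that is not part of the original page: a small parser that walks the payload chain of an ISAKMP message and reports which DOI each payload declares, returning None for generic payloads such as ID that carry no DOI field. Field layouts follow RFC 2408; the names `payload_dois` and `build` and the sample bytes are constructed for illustration.

```python
import struct

# Payload type numbers and fixed layouts from RFC 2408 (ISAKMP).
NAMES = {1: "SA", 5: "ID", 6: "CERT", 11: "Notification", 12: "Delete"}
HAS_DOI = {1, 11, 12}          # payloads whose body starts with a 4-byte DOI
DOI_NAMES = {0: "ISAKMP", 1: "IPsec"}
HDR_LEN = 28                   # cookies(16) + np, ver, xchg, flags + msg id + length

def payload_dois(msg: bytes):
    """Walk the payload chain; return [(payload name, DOI name or None), ...]."""
    if len(msg) < HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    next_type = msg[16]
    (total,) = struct.unpack_from("!I", msg, 24)
    if total != len(msg):
        raise ValueError("header length does not match message size")
    out, off = [], HDR_LEN
    while next_type != 0:
        if off + 4 > total:
            raise ValueError("truncated generic payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > total:
            raise ValueError("bad payload length")
        doi = None
        if next_type in HAS_DOI:
            if plen < 8:
                raise ValueError("payload too short for DOI field")
            (value,) = struct.unpack_from("!I", msg, off + 4)
            doi = DOI_NAMES.get(value, f"unknown({value})")
        out.append((NAMES.get(next_type, f"type {next_type}"), doi))
        next_type, off = following, off + plen
    return out

def build(payloads):
    """Constructed sample: chain (type, body) pairs behind a zeroed-cookie header."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = bytes(16) + struct.pack("!BBBBII", first, 0x10, 5, 0, 0, HDR_LEN + len(body))
    return hdr + body

SAMPLE = build([
    (11, struct.pack("!IBBH", 1, 1, 0, 24578)),   # Notification, DOI = 1 (IPsec)
    (5, bytes([1, 0, 0, 0, 192, 0, 2, 1])),       # ID: type, protocol ID, port, data
    (11, struct.pack("!IBBH", 0, 1, 0, 14)),      # Notification, DOI = 0 (ISAKMP)
])
print(payload_dois(SAMPLE))
```

The length checks matter as much as the dispatch: a payload length that points past the end of the message is rejected before any field is read.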



A block cipher can be used in several modes of operation, the simplest of which is ECB mode. If the plaintext is long, it is generally divided into small blocks, and each plaintext block is then encrypted with the same key. However, there is a problem: if a plaintext block is repeated, the corresponding ciphertext blocks are identical. For a long message, this mode may be insecure.


To overcome these weaknesses of ECB, researchers proposed CBC mode. In this mode, the input to the encryption algorithm is the XOR of the current plaintext block and the previous ciphertext block, and the result is then encrypted with the key. In this way, even if two plaintext blocks are identical, their ciphertext blocks differ, because each is XORed with a different value. So what is the first plaintext block XORed with? The answer is the initialization vector. The IV is a fixed-length random or pseudo-random number. XORing the IV with the first plaintext block randomizes the encryption result, which effectively prevents attackers from guessing patterns in the plaintext.
