Internet Key Exchange (IKE) in Network Security

Network Security refers to the measures taken by any enterprise or organization to secure its computer network and data using both hardware and software systems. Internet Key Exchange(IKE) is a key management protocol used to secure communication and key exchange between two devices over any network. Key exchange is done in two ways:

Manual Key Exchange

In Manual Key Exchange, the system administrator manually configures each system with their keys. This method is suitable for small and static systems.

Automated Key Exchange

The keys will be created or generated based on the demand or requirement. This method is suitable for large and distributed systems. Automated Key Exchange has two main methods:

• Oakley Key Determination Protocol: Oakley key determination protocol is based on the Diffie-Hellman key exchange protocol with some added security. It is a generic protocol.
• ISAKMP(Internet Security Association and Key Management Protocol): It provides a framework for key exchange and specific support i.e the protocol can be either Authentication Header or Encapsulation Security Protocol.
• SKEME Protocol: It is a key exchange technique that provides anonymity, non-repudiation, and refreshment.

Phases of Internet Key Exchange(IKE)

IKE can be done in two phases:

IKE Phase-1

There will be two devices i.e. sender and receiver. Initially, the sender will exchange the proposals for security services like encryption algorithms. authentication algorithm, hash function, etc. The sender and receiver will form a security association which is a collection of parameters that the two devices use. Here, the ISAKMP session is established and called the ISAKMP tunnel or Internet Key Exchange(IKE) Phase-1 tunnel which is bi-directional. When both ends of the tunnel agree to accept a set of security parameters, Phase-1 is done.

Modes in Phase-1: In Phase-1, we have two modes:

• Main mode: The main mode of phase-1 uses six messages to secure the key exchange and the Main mode is the more secure. It allows hiding the end-point identifiers and the ability to select the crypto algorithms. In the six messages: The first two messages negotiate the policy and the next two messages depict the Diffie-hellman public values necessary for key exchange and the next two messages are used to authenticate the Diffie-hellman exchange.
• Aggressive mode: The Aggressive mode of phase-1 uses three messages and it is less secure than the Main mode. It doesn't allow hiding the endpoints.

IKE Phase-2

There will be two devices i.e. sender and receiver. Once the sender and receiver established the ISAKMP tunnel in phase-1 they move to phase-2. phase-2 always operates in Quick mode. Here the security associations and services between the two devices are negotiated. The devices will choose which protocol(Authentication Header or Encapsulation Security Protocol) and which algorithm to use.