The Improving of IKE with PSK for Using in Mobile Computing Environments

The rapid increase in using mobile communication networks for transmitting confidential data and conducting commercial transactions such as mobile e-commerce is creating large demands in designing secure mobile business systems. However, the mobile devices and mobile communication network have some weakness. It can cause some problems using traditional VPN technologies in mobile computing environments immediately. Currently, mobile users’ authentication in IKE is being done using certificates or PSK with aggressive mode commonly. They have serious security related issues (for PSK with aggressive mode) and need high deployment and maintain cost (for certificates). In this paper, we propose a new approach that is based on PSK where the IKE negotiation phase is modified for using in mobile computing environments. The modified IKE consists of four messages, and the responder doesn’t need to store any state while receiving message 1. It uses strong cookies and pre-calculated DHpp stack, etc technologies to counter IP flooding attacks and Man-in-the-Middle DoS attacks, because it does not require the responder to perform heavy computations before the initiator has authenticated itself. Otherwise, for one mobile user, it has a group of PSKs to be random selected, and the initiator and responder exchange identity info and agree on PSK with Hash (PSK-ID|IDi) or Hash (PSK-ID|IDr) info. Therefore, it provides the initiator and responder’s identity protection and prevention of passive dictionary based attacks on pre-shared keys.

[1]  Hilarie K. Orman,et al.  The OAKLEY Key Determination Protocol , 1997, RFC.

[2]  Ming-Yang Su,et al.  An Efficient and Secured Internet Key Exchange Protocol Design , 2007, Fifth Annual Conference on Communication Networks and Services Research (CNSR '07).

[3]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[4]  H. Haddad,et al.  Comparative evaluation of successor protocols to Internet key exchange (IKE) , 2005, INDIN '05. 2005 3rd IEEE International Conference on Industrial Informatics, 2005..

[5]  Radia J. Perlman,et al.  Analysis of the IPSec key exchange standard , 2001, Proceedings Tenth IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises. WET ICE 2001.

[6]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[7]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[8]  Hugo Krawczyk,et al.  SKEME: a versatile secure key exchange mechanism for Internet , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[9]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[10]  Stephen T. Kent,et al.  Security Architecture for the Internet Protocol , 1998, RFC.

[11]  Tai-Yun Kim,et al.  Key recovery in IPSec for improving robustness , 2001, 2001 International Conferences on Info-Tech and Info-Net. Proceedings (Cat. No.01EX479).

[12]  Ajmal S. Mian,et al.  Arcanum: a secure and efficient key exchange protocol for the Internet , 2004, International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004..

[13]  W. Douglas Maughan,et al.  Internet Security Association and Key Management Protocol (ISAKMP) , 1998, RFC.

[14]  Radia J. Perlman,et al.  Key Exchange in IPSec: Analysis of IKE , 2000, IEEE Internet Comput..

[15]  Angelos D. Keromytis,et al.  Implementing Internet Key Exchange (IKE) , 2000, USENIX Annual Technical Conference, FREENIX Track.

[16]  Angelos D. Keromytis,et al.  Just fast keying: Key agreement in a hostile internet , 2004, TSEC.

[17]  M. S. Borella Methods and protocols for secure key negotiation using IKE , 2000 .