An architecture for the Internet Key Exchange Protocol

In this paper we present the design, rationale, and implementation of the Internet Key Exchange (IKE) Protocol. This protocol is used to create and maintain Internet Protocol Security (IPSec) associations and secure tunnels in the IP layer. Secure tunnels are used to construct virtual private networks (VPNs) over the Internet. The implementation is done in the application layer. The design includes four components: (1) an IKE protocol engine to execute the IKE protocol, (2) a tunnel manager to create and manage secure tunnels--it generates requests to the IKE protocol engine to establish security associations, (3) VPN policy administration tools to manage VPN policies that guide the actions of the IKE protocol engine and the tunnel manager, and (4) a certificate proxy server to acquire and verify public key certificates that are used for authentication of messages and identities in the IKE protocol. The implementation was done on the Advanced Interactive Executive® (AIX®) operating system at IBM Research and has been transferred to IBM's AIX, Application System/400®, and System/390® products.

[1]  Moti Yung,et al.  The KryptoKnight family of light-weight protocols for authentication and key distribution , 1995, TNET.

[2]  Hugo Krawczyk,et al.  Design and Implementation of Modular Key Management Protocol and IP Secure Tunnel on AIX , 1995, USENIX Security Symposium.

[3]  John M. Boone,et al.  INTEGRITY-ORIENTED CONTROL OBJECTIVES: PROPOSED REVISIONS TO THE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC), DoD 5200.28-STD , 1991 .

[4]  Moti Yung,et al.  Systematic Design of a Family of Attack-Resistant Authentication Protocols , 1993, IEEE J. Sel. Areas Commun..

[5]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[6]  Cheryl Madson,et al.  The Use of HMAC-MD5-96 within ESP and AH , 1998, RFC.

[7]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[8]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[9]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[10]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 1999, RFC.

[11]  Hugo Krawczyk,et al.  SKEME: a versatile secure key exchange mechanism for Internet , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[12]  Bill Manning,et al.  Variable Length Subnet Table For IPv4 , 1995, RFC.

[13]  W. Gropp,et al.  Accepted for publication , 2001 .

[14]  Cheryl Madson,et al.  The Use of HMAC-SHA-1-96 within ESP and AH , 1998, RFC.

[15]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[16]  염흥렬,et al.  [서평]「Applied Cryptography」 , 1997 .

[17]  Stephen Deering,et al.  Internet Protocol Version 6(IPv6) , 1998 .

[18]  Jon Postel,et al.  Telnet Protocol Specification , 1980, RFC.

[19]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[20]  Hilarie K. Orman,et al.  The OAKLEY Key Determination Protocol , 1997, RFC.

[21]  Roy T. Fielding,et al.  Uniform Resource Identifiers (URI): Generic Syntax , 1998, RFC.

[22]  Paul V. Mockapetris,et al.  Domain names: Concepts and facilities , 1983, RFC.

[23]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[24]  Jon Postel,et al.  User Datagram Protocol , 1980, RFC.

[25]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[26]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[27]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[28]  Derrell Piper,et al.  The Internet IP Security Domain of Interpretation for ISAKMP , 1998, RFC.

[29]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[30]  W. Douglas Maughan,et al.  Internet Security Association and Key Management Protocol (ISAKMP) , 1998, RFC.