ISAKMP, IKE and SA: a summary

SA

A security association (SA) is the set of shared security attributes established between two network entities in order to provide a secure communication environment. Before the connection is used, the parameters of the SA are exchanged: the encryption mode and algorithm, the encryption keys, and so on. The Internet Security Association and Key Management Protocol (ISAKMP) provides the basic framework for security associations; Internet Key Exchange (IKE or IKEv2) provides the key exchange mechanism.

A single security association is a simplex (one-way) logical connection that provides and endorses a secure data connection between two network devices. The basic requirement for an SA arises when two entities communicate over more than one channel.

SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services or self-protection of negotiation traffic.

ISAKMP

The Internet Security Association and Key Management Protocol (ISAKMP) is an Internet protocol for establishing security associations and cryptographic keys over the Internet. It is defined in RFC 2408 and provides a framework for authentication and key exchange; it was designed primarily to support key exchange. Protocols such as Internet Key Exchange and Kerberized Internet Negotiation of Keys supply the authenticated keying material that is used within ISAKMP.

ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.

IKE

Internet Key Exchange (IKE or IKEv2) is a network protocol in the IPsec protocol suite that is used to set up a security association (SA). It is built on the Oakley protocol and ISAKMP, and uses X.509 certificates for authentication.

IKE phase one’s purpose is to establish a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA).[11] The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption.[12] Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.[10]

During IKE phase two, the IKE peers use the secure channel established in Phase 1 to negotiate Security Associations on behalf of other services like IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound).[13] Phase 2 operates only in Quick Mode.[10]

IKE is a hybrid protocol, defined in RFC 2409, that combines the relevant parts of three different protocols: ISAKMP, Oakley and SKEME. The difference between IKE and ISAKMP is that IKE actually implements a key exchange, whereas ISAKMP only defines a generic framework that any key exchange protocol can use.

SKEME: provides the algorithms and method by which IKE exchanges keys, namely key exchange and key management based on DH (Diffie-Hellman).

Oakley: the Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection using the Diffie-Hellman key exchange algorithm.

ISAKMP: the framework within which the packet structure of each exchange and the number of packets per exchange are defined: six packets in Main Mode and three packets in Aggressive Mode.
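To make the two phases concrete, the following added example (not code from the original post or from any IKE implementation) simulates the keying side of IKEv1 with pre-shared-key authentication: phase 1 runs Diffie-Hellman and derives SKEYID and SKEYID_d/a/e as in RFC 2409 section 5, giving both peers one identical bidirectional key set, and phase 2 (Quick Mode without PFS) derives KEYMAT per SPI, so the inbound and outbound SAs get different keys. The DH group is a constructed demo group and the packet layout is omitted; these are assumptions, not part of the page.

```python
import hashlib
import hmac
import secrets

# Constructed demo DH group (2^255 - 19 is prime, generator 2). This is NOT an
# IKE MODP group; a real peer negotiates a group from RFC 2409 / RFC 3526.
P = 2**255 - 19
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a SHA-1 hash transform: HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

class Peer:
    """One IKE phase-1 endpoint using pre-shared-key authentication."""
    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1   # private DH exponent
        self.gx = pow(G, self.x, P)              # public value carried in the KE payload
        self.nonce = secrets.token_bytes(16)     # Ni_b or Nr_b (NONCE payload)
        self.cookie = secrets.token_bytes(8)     # CKY-I or CKY-R (ISAKMP header)

    def derive_phase1(self, peer_gx, ni, nr, cky_i, cky_r) -> dict:
        gxy = i2b(pow(peer_gx, self.x, P))       # shared secret g^xy
        # RFC 2409 section 5, pre-shared-key case
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def phase2_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni2: bytes, nr2: bytes) -> bytes:
    """Quick Mode, no PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) (RFC 2409 5.5)."""
    return prf(skeyid_d, bytes([protocol]) + spi + ni2 + nr2)

def run_exchange(psk_i: bytes, psk_r: bytes):
    """Run phase 1 between two peers, then key one inbound and one outbound phase-2 SA."""
    init, resp = Peer(psk_i), Peer(psk_r)
    # Main Mode messages 1-4 carry the SA, KE and NONCE payloads; only their content is modelled.
    keys_i = init.derive_phase1(resp.gx, init.nonce, resp.nonce, init.cookie, resp.cookie)
    keys_r = resp.derive_phase1(init.gx, init.nonce, resp.nonce, init.cookie, resp.cookie)
    # Phase 2: each direction has its own SPI (chosen by its receiver), hence its own keys.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_in, spi_out = secrets.token_bytes(4), secrets.token_bytes(4)
    esp = 3  # PROTO_IPSEC_ESP (RFC 2407)
    keymat_in = phase2_keymat(keys_i["SKEYID_d"], esp, spi_in, ni2, nr2)
    keymat_out = phase2_keymat(keys_i["SKEYID_d"], esp, spi_out, ni2, nr2)
    return keys_i, keys_r, keymat_in, keymat_out
```

With matching pre-shared keys both peers derive the same SKEYID_d/a/e; with mismatched keys the derived sets differ, which is what causes the phase-1 HASH_I/HASH_R check to fail on a real peer.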
