Responder cookie Diffie-Hellman key exchange
Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer Science, University of Tennessee
Fall 2010
How is SA established?
◦How do parties negotiate a common set of cryptographic algorithms and keys to use?
Data transmitted needs to be secured
◦IPsec SA, session keys, AH or ESP
Messages for establishing IPsec SA need to be secured
◦IKE SA, negotiated secret
Cookie: first proposed in Photuris
◦A number chosen by the responder. On receiving a request from S, the responder sends the cookie to S in the clear and starts processing only after the cookie comes back from the initiator.
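The cookie exchange described above, as an added Python example that is not from the original slides. It assumes the responder derives the cookie as an HMAC of the initiator's address under a local secret, so the echo can be checked without stored state; the class, method names and addresses are hypothetical.

```python
import hashlib
import hmac
import os


class CookieResponder:
    """Responder that defers expensive work until its cookie is echoed back."""

    def __init__(self, secret=None):
        # Local secret known only to the responder (assumption: 32 random bytes).
        self._secret = secret or os.urandom(32)
        self.expensive_ops = 0  # counts Diffie-Hellman computations performed

    def _cookie_for(self, src_ip):
        # Assumption: cookie = HMAC-SHA256(secret, source address), cut to 8 bytes.
        # Deriving it lets the responder verify the echo without per-request state.
        return hmac.new(self._secret, src_ip.encode(), hashlib.sha256).digest()[:8]

    def handle_request(self, src_ip):
        """First message: reply with the cookie in the clear; do no crypto yet."""
        return self._cookie_for(src_ip)

    def handle_cookie_return(self, src_ip, cookie):
        """Second message: start processing only if the cookie matches the sender."""
        if not hmac.compare_digest(cookie, self._cookie_for(src_ip)):
            return False  # sender never received the cookie: drop cheaply
        self.expensive_ops += 1  # placeholder for the Diffie-Hellman exponentiation
        return True


def demo():
    responder = CookieResponder(secret=b"constructed-demo-secret")
    honest_ip, spoofed_ip = "192.0.2.10", "198.51.100.7"  # constructed addresses

    # Honest initiator receives the cookie at its real address and echoes it.
    cookie = responder.handle_request(honest_ip)
    honest_ok = responder.handle_cookie_return(honest_ip, cookie)

    # Spoofed source: the cookie was sent to 198.51.100.7, so the real sender
    # has to guess it; replaying the honest cookie from another address fails too.
    responder.handle_request(spoofed_ip)
    guess_ok = responder.handle_cookie_return(spoofed_ip, b"\x00" * 8)
    replay_ok = responder.handle_cookie_return(spoofed_ip, cookie)

    return honest_ok, guess_ok, replay_ok, responder.expensive_ops


if __name__ == "__main__":
    print(demo())
```

Only the request whose cookie came back from the address it was sent to reaches the expensive step, which is the point of the cookie: a flood of requests from forged addresses costs the responder one hash each instead of one exponentiation each.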
Identity hiding
◦Anonymous Diffie-Hellman
◦Identities are encrypted in messages 5 and 6 (against an active man-in-the-middle, the initiator’s identity is revealed, but not the responder’s)
Data encryption
◦The long-term common secret should not be used to encrypt data. Instead, each message has a SKIP header in which the long-term secret is used to encrypt a short-term data encryption key, which is used to encrypt the message.
ISAKMP would be used by other protocols to set up SAs, not only to set up IPsec SAs.
Phase 1 exchange is relatively expensive.
Main Mode
◦6 messages
◦Mutual authentication
◦Session key establishment
◦Hiding endpoint identity
◦Negotiating cryptographic algorithms
The parameters in the proposal are used in Phase 1 and Phase 2 (IKE SA), with the hash algorithm used for various purposes.
IKE is stateful, starting from the first message.
◦Alice’s crypto proposal is in the identity proof
◦ISAKMP requires randomly chosen cookies