Openswan Tutorial Series 2: A Brief Analysis of the Phase 1 Packets
The previous chapter, "Installation and a first try", covered installing Openswan and trying it out; this chapter briefly analyses the packets of Openswan's Phase 1. IPsec background is not covered in any depth here; the main goal is to give an intuitive picture of Openswan's Phase 1 key negotiation.
1 First packet
1.1 Content
No. Time Source Destination Protocol Length Info
3 9.698248 192.168.18.101 192.168.18.102 ISAKMP 534 Identity Protection (Main Mode)
Frame 3: 534 bytes on wire (4272 bits), 534 bytes captured (4272 bits)
Ethernet II, Src: Vmware_9a:aa:8b (00:0c:29:9a:aa:8b), Dst: Vmware_18:43:c9 (00:0c:29:18:43:c9)
Internet Protocol Version 4, Src: 192.168.18.101 (192.168.18.101), Dst: 192.168.18.102 (192.168.18.102)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 3be760f4e2560ce1
Responder cookie: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
Message ID: 0x00000000
Length: 492
Type Payload: Security Association (1)
Next payload: Vendor ID (13)
Payload length: 428
Domain of interpretation: IPSEC (1)
Situation: 00000001
Type Payload: Proposal (2) # 0
Next payload: NONE / No Next Payload (0)
Payload length: 416
Proposal number: 0
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 12
Type Payload: Transform (3) # 0
Next payload: Transform (3)
Payload length: 36
Transform number: 0
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
Type Payload: Transform (3) # 1
Next payload: Transform (3)
Payload length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : MD5
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
Type Payload: Transform (3) # 2
Next payload: Transform (3)
Payload length: 32
Transform number: 2
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
Type Payload: Transform (3) # 3
Next payload: Transform (3)
Payload length: 32
Transform number: 3
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : MD5
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
Type Payload: Transform (3) # 4
Next payload: Transform (3)
Payload length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
Type Payload: Transform (3) # 5
Next payload: Transform (3)
Payload length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : MD5
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
Type Payload: Transform (3) # 6
Next payload: Transform (3)
Payload length: 32
Transform number: 6
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
Type Payload: Transform (3) # 7
Next payload: Transform (3)
Payload length: 32
Transform number: 7
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : MD5
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 1536 bit MODP group
Type Payload: Transform (3) # 8
Next payload: Transform (3)
Payload length: 32
Transform number: 8
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : Alternate 1024-bit MODP group
Type Payload: Transform (3) # 9
Next payload: Transform (3)
Payload length: 32
Transform number: 9
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : 3DES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : MD5
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : Alternate 1024-bit MODP group
Type Payload: Transform (3) # 10
Next payload: Transform (3)
Payload length: 36
Transform number: 10
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : Alternate 1024-bit MODP group
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
Type Payload: Transform (3) # 11
Next payload: NONE / No Next Payload (0)
Payload length: 36
Transform number: 11
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : MD5
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : Alternate 1024-bit MODP group
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
Type Payload: Vendor ID (13) : Unknown Vendor ID
Next payload: Vendor ID (13)
Payload length: 16
Vendor ID: 4f4576795c6b677a57715c73
Vendor ID: Unknown Vendor ID
Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Next payload: NONE / No Next Payload (0)
Payload length: 20
Vendor ID: afcad71368a1f1c96b8696fc77570100
Vendor ID: RFC 3706 DPD (Dead Peer Detection)
0000 00 0c 29 18 43 c9 00 0c 29 9a aa 8b 08 00 45 00 ..).C...).....E.
0010 02 08 00 00 40 00 40 11 92 c9 c0 a8 12 65 c0 a8 ....@.@......e..
0020 12 66 01 f4 01 f4 01 f4 a8 21 3b e7 60 f4 e2 56 .f.......!;.`..V
0030 0c e1 00 00 00 00 00 00 00 00 01 10 02 00 00 00 ................
0040 00 00 00 00 01 ec 0d 00 01 ac 00 00 00 01 00 00 ................
0050 00 01 00 00 01 a0 00 01 00 0c 03 00 00 24 00 01 .............$..
0060 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 ................
0070 00 02 80 03 00 03 80 04 00 0e 80 0e 00 80 03 00 ................
0080 00 24 01 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 .$..............
0090 00 07 80 02 00 01 80 03 00 03 80 04 00 0e 80 0e ................
00a0 00 80 03 00 00 20 02 01 00 00 80 0b 00 01 80 0c ..... ..........
00b0 0e 10 80 01 00 05 80 02 00 02 80 03 00 03 80 04 ................
00c0 00 0e 03 00 00 20 03 01 00 00 80 0b 00 01 80 0c ..... ..........
00d0 0e 10 80 01 00 05 80 02 00 01 80 03 00 03 80 04 ................
00e0 00 0e 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c .....$..........
00f0 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 80 04 ................
0100 00 05 80 0e 00 80 03 00 00 24 05 01 00 00 80 0b .........$......
0110 00 01 80 0c 0e 10 80 01 00 07 80 02 00 01 80 03 ................
0120 00 03 80 04 00 05 80 0e 00 80 03 00 00 20 06 01 ............. ..
0130 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 ................
0140 00 02 80 03 00 03 80 04 00 05 03 00 00 20 07 01 ............. ..
0150 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 ................
0160 00 01 80 03 00 03 80 04 00 05 03 00 00 20 08 01 ............. ..
0170 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 ................
0180 00 02 80 03 00 03 80 04 00 02 03 00 00 20 09 01 ............. ..
0190 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 ................
01a0 00 01 80 03 00 03 80 04 00 02 03 00 00 24 0a 01 .............$..
01b0 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 ................
01c0 00 02 80 03 00 03 80 04 00 02 80 0e 00 80 00 00 ................
01d0 00 24 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 .$..............
01e0 00 07 80 02 00 01 80 03 00 03 80 04 00 02 80 0e ................
01f0 00 80 0d 00 00 10 4f 45 76 79 5c 6b 67 7a 57 71 ......OEvy\kgzWq
0200 5c 73 00 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 \s........h...k.
0210 96 fc 77 57 01 00 ..wW..
1.2 Brief analysis
This packet is essentially the initiator's proposal to the responder for establishing a security association. The proposal contains every combination of SA attributes the initiator supports, plus a few Vendor IDs; see the previous subsection for the details.
Note that the first Vendor ID, "Vendor ID: 4f4576795c6b677a57715c73", is specific to Openswan: it is the Openswan Vendor ID. It consists of the printable characters "OE" (hex 4f45) followed by another 10 bytes, which are taken from the MD5 hash of information such as the Openswan version number and build time.
The following Perl script makes this easy to verify.
#!/usr/bin/perl
# Recompute the Openswan Vendor ID from a version string such as "Openswan 2.6.38".
use warnings;
use strict;
use Digest::MD5 qw(md5);

my $openswan_version = shift();
die "Usage: openswan-vid <OpenSwan_version_string>\n" unless defined $openswan_version;

# Binary MD5 of the version string; only its first 10 bytes are used.
my $md5_hash = md5($openswan_version);
my @values = unpack("C10", $md5_hash);
my $value;

print "4f45";    # Hex representation of "OE"
foreach (@values) {
    $value = $_ & 0x7f | 0x40;    # Clear bit 7 and set bit 6: every byte lands in 0x40..0x7f
    printf("%02x", $value);
}
print "\n";
Check the version of the running Openswan:
vpn01:~ # /usr/local/libexec/ipsec/pluto --version
Openswan 2.6.38
Copyright (C) 1999 - 2010
Henry Spencer, Richard Guy Briggs, Sam Sgro,
D. Hugh Redelmeier, Sandy Harris, Claudia Schmeing,
Michael C. Richardson, Angelos D. Keromytis, John Ioannidis,
Ken Bantoft, Andreas Steffen, Mathieu Lafon, Tuomo Soini,
Paul Wouters, JuanJo Ciarlante, Bart Trojanowski, Herbert Xu,
Antony Antony, David McCullough, Avesh Agarwal
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License (file COPYING in the distribution) for more details.
Take the version string from the first line and verify it with the Perl script above.
./openswan_vid "Openswan 2.6.38"
4f4576795c6b677a57715c73
2 Second packet
2.1 Content
No. Time Source Destination Protocol Length Info
4 9.699428 192.168.18.102 192.168.18.101 ISAKMP 162 Identity Protection (Main Mode)
Frame 4: 162 bytes on wire (1296 bits), 162 bytes captured (1296 bits)
Ethernet II, Src: Vmware_18:43:c9 (00:0c:29:18:43:c9), Dst: Vmware_9a:aa:8b (00:0c:29:9a:aa:8b)
Internet Protocol Version 4, Src: 192.168.18.102 (192.168.18.102), Dst: 192.168.18.101 (192.168.18.101)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 3be760f4e2560ce1
Responder cookie: b24281eaa9ce3517
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
Message ID: 0x00000000
Length: 120
Type Payload: Security Association (1)
Next payload: Vendor ID (13)
Payload length: 56
Domain of interpretation: IPSEC (1)
Situation: 00000001
Type Payload: Proposal (2) # 0
Next payload: NONE / No Next Payload (0)
Payload length: 44
Proposal number: 0
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 1
Type Payload: Transform (3) # 0
Next payload: NONE / No Next Payload (0)
Payload length: 36
Transform number: 0
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
Transform IKE Attribute Type (t=12,l=2) Life-Duration : 3600
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
Transform IKE Attribute Type (t=14,l=2) Key-Length : 128
Type Payload: Vendor ID (13) : Unknown Vendor ID
Next payload: Vendor ID (13)
Payload length: 16
Vendor ID: 4f4576795c6b677a57715c73
Vendor ID: Unknown Vendor ID
Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Next payload: NONE / No Next Payload (0)
Payload length: 20
Vendor ID: afcad71368a1f1c96b8696fc77570100
Vendor ID: RFC 3706 DPD (Dead Peer Detection)
0000 00 0c 29 9a aa 8b 00 0c 29 18 43 c9 08 00 45 00 ..).....).C...E.
0010 00 94 00 00 40 00 40 11 94 3d c0 a8 12 66 c0 a8 ....@.@..=...f..
0020 12 65 01 f4 01 f4 00 80 6e ff 3b e7 60 f4 e2 56 .e......n.;.`..V
0030 0c e1 b2 42 81 ea a9 ce 35 17 01 10 02 00 00 00 ...B....5.......
0040 00 00 00 00 00 78 0d 00 00 38 00 00 00 01 00 00 .....x...8......
0050 00 01 00 00 00 2c 00 01 00 01 00 00 00 24 00 01 .....,.......$..
0060 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 ................
0070 00 02 80 03 00 03 80 04 00 0e 80 0e 00 80 0d 00 ................
0080 00 10 4f 45 76 79 5c 6b 67 7a 57 71 5c 73 00 00 ..OEvy\kgzWq\s..
0090 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 ......h...k...wW
00a0 01 00 ..
2.2 Brief analysis
The second packet is relatively simple: from the SA proposals listed in the first packet, the responder picks the one it supports and sends it back to the initiator, together with a few VIDs.
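To see how the responder's reply is laid out on the wire, here is an added Python parser (written for this article, not code from the Openswan project) that walks the second packet's ISAKMP bytes, copied from its hex dump above, through the header, the next-payload chain, the single accepted transform and both Vendor ID payloads. The payload and attribute names are the ones Wireshark printed above; the length checks are the parser's own.

```python
import struct
# ISAKMP bytes of the second packet, copied from its hex dump above (the UDP
# payload starts at frame offset 0x2a: 14 Ethernet + 20 IPv4 + 8 UDP bytes).
PACKET2 = bytes.fromhex(
    "3be760f4e2560ce1" "b24281eaa9ce3517" "01100200" "00000000" "00000078"  # header
    "0d000038" "00000001" "00000001"                 # SA payload: DOI, situation
    "0000002c" "00010001" "00000024" "00010000"      # proposal #0, transform #0
    "800b0001" "800c0e10" "80010007" "80020002" "80030003" "8004000e" "800e0080"
    "0d000010" "4f4576795c6b677a57715c73"            # Openswan Vendor ID
    "00000014" "afcad71368a1f1c96b8696fc77570100")   # RFC 3706 DPD Vendor ID

PAYLOAD_NAMES = {1: "Security Association", 4: "Key Exchange",
                 5: "Identification", 10: "Nonce", 13: "Vendor ID"}
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
              4: "Group-Description", 11: "Life-Type", 12: "Life-Duration", 14: "Key-Length"}
# Attribute values seen in this capture (RFC 2409 appendix A; group 14 from the MODP draft).
ATTR_VALUES = {1: {5: "3DES-CBC", 7: "AES-CBC"}, 2: {1: "MD5", 2: "SHA"},
               3: {3: "RSA-SIG"}, 11: {1: "Seconds"},
               4: {2: "Alternate 1024-bit MODP group", 5: "1536 bit MODP group",
                   14: "2048 bit MODP group"}}

def parse_attributes(data):
    """RFC 2408 data attributes: with bit 15 of the type set, the 2-byte field is
    the value itself (TV form); clear, it is the length of the value that follows."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        t, v = struct.unpack_from("!HH", data, off)
        off, typ = off + 4, t & 0x7fff
        if t & 0x8000:
            value = v
        else:
            value = int.from_bytes(data[off:off + v], "big")
            off += v
        attrs[ATTR_NAMES.get(typ, typ)] = ATTR_VALUES.get(typ, {}).get(value, value)
    return attrs

def parse_sa(body):
    """SA payload body: DOI, situation, then proposals, each a chain of transforms."""
    doi, situation = struct.unpack_from("!II", body, 0)
    proposals, off = [], 8
    while off < len(body):
        _, _, plen, pnum, proto, spi_size, _ = struct.unpack_from("!BBHBBBB", body, off)
        toff, end, transforms = off + 8 + spi_size, off + plen, []
        while toff < end:
            _, _, tlen, tnum, tid, _ = struct.unpack_from("!BBHBBH", body, toff)
            transforms.append({"number": tnum, "id": tid,
                               "attributes": parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        off = end
    return {"doi": doi, "situation": situation, "proposals": proposals}

def parse_isakmp(pkt):
    """Parse the 28-byte ISAKMP header, then follow the next-payload chain."""
    icky, rcky, nxt, ver, xchg, flags, msgid, length = struct.unpack_from("!8s8sBBBBII", pkt)
    if length != len(pkt):
        raise ValueError("header length %d does not match %d bytes" % (length, len(pkt)))
    header = {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
              "version": "%d.%d" % (ver >> 4, ver & 0xf), "exchange_type": xchg,
              "encrypted": bool(flags & 1), "message_id": msgid}
    payloads, off = [], 28
    while nxt != 0:                            # 0 = NONE / no next payload
        pnxt, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):  # never trust a length taken from the wire
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD_NAMES.get(nxt, nxt), "length": plen}
        if nxt == 1:
            entry.update(parse_sa(body))
        elif nxt == 13:
            # Openswan's own Vendor ID starts with the printable bytes "OE".
            entry.update(vendor_id=body.hex(), openswan=body[:2] == b"OE")
        payloads.append(entry)
        nxt, off = pnxt, off + plen
    return header, payloads
```

Feeding it a packet whose header length disagrees with the bytes received, or whose payload length runs past the end, raises ValueError instead of reading out of bounds.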
3 Third packet
3.1 Content
No. Time Source Destination Protocol Length Info
5 9.701122 192.168.18.101 192.168.18.102 ISAKMP 350 Identity Protection (Main Mode)
Frame 5: 350 bytes on wire (2800 bits), 350 bytes captured (2800 bits)
Ethernet II, Src: Vmware_9a:aa:8b (00:0c:29:9a:aa:8b), Dst: Vmware_18:43:c9 (00:0c:29:18:43:c9)
Internet Protocol Version 4, Src: 192.168.18.101 (192.168.18.101), Dst: 192.168.18.102 (192.168.18.102)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 3be760f4e2560ce1
Responder cookie: b24281eaa9ce3517
Next payload: Key Exchange (4)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
Message ID: 0x00000000
Length: 308
Type Payload: Key Exchange (4)
Next payload: Nonce (10)
Payload length: 260
Key Exchange Data: fd16361786d228f0a68ed23873ae5bb08972a437d61b00b9...
Type Payload: Nonce (10)
Next payload: NONE / No Next Payload (0)
Payload length: 20
Nonce DATA: 3ea8e9d3030161246017cd31a4ac96d2
0000 00 0c 29 18 43 c9 00 0c 29 9a aa 8b 08 00 45 00 ..).C...).....E.
0010 01 50 00 00 40 00 40 11 93 81 c0 a8 12 65 c0 a8 .P..@.@......e..
0020 12 66 01 f4 01 f4 01 3c a7 69 3b e7 60 f4 e2 56 .f.....<.i;.`..V
0030 0c e1 b2 42 81 ea a9 ce 35 17 04 10 02 00 00 00 ...B....5.......
0040 00 00 00 00 01 34 0a 00 01 04 fd 16 36 17 86 d2 .....4......6...
0050 28 f0 a6 8e d2 38 73 ae 5b b0 89 72 a4 37 d6 1b (....8s.[..r.7..
0060 00 b9 12 28 af 50 bd c7 94 d0 75 6c c7 40 32 b8 ...(.P....ul.@2.
0070 29 b2 df c5 bc ec a5 56 ff 95 a3 2d e1 35 2a d8 )......V...-.5*.
0080 b5 a9 93 5d a9 65 7e 1d 75 80 a0 f4 09 04 14 b2 ...].e~.u.......
0090 79 df ed 95 35 dd d7 08 3b 42 39 66 ea 5c d3 1e y...5...;B9f.\..
00a0 d0 88 49 de 08 c5 5d c1 e0 86 6f 15 f7 95 65 46 ..I...]...o...eF
00b0 64 85 c7 9c e5 59 85 28 d6 4d 57 2a 74 b5 10 17 d....Y.(.MW*t...
00c0 83 cb 28 42 11 b1 f8 c9 28 0d 64 14 00 2f 37 4e ..(B....(.d../7N
00d0 e9 d6 7d ee 9f 76 62 ce 1f b5 e5 62 78 9c fe 1b ..}..vb....bx...
00e0 00 76 6a 2a f9 c3 ab 94 71 15 3e bb b9 60 19 e5 .vj*....q.>..`..
00f0 97 c3 11 a1 c3 5f af b6 a0 37 3b 18 b4 bf 8c 23 ....._...7;....#
0100 47 c9 1f 39 1f 36 1b 62 f2 90 6b eb 42 5d 01 9d G..9.6.b..k.B]..
0110 80 fb fb 99 79 45 f7 ae 56 af a4 0c c8 7e 0d 7b ....yE..V....~.{
0120 45 55 fa 74 76 23 ad a1 98 71 60 c9 58 89 e8 17 EU.tv#...q`.X...
0130 78 19 79 fc a5 5a 5f ba be c4 a7 73 f6 a6 00 a4 x.y..Z_....s....
0140 0e 82 a0 fc 77 2f 86 4a ef f7 00 00 00 14 3e a8 ....w/.J......>.
0150 e9 d3 03 01 61 24 60 17 cd 31 a4 ac 96 d2 ....a$`..1....
3.2 Brief analysis
The third packet exchanges keying material according to the SA attributes the two sides negotiated in the first two packets. The example in this article uses signature-authenticated IKE Phase 1:
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
So in the third packet the initiator sends KE_i and Nonce_i. KE_i is the public value of the DH exchange, g^x mod p; the Nonce is used to guard against man-in-the-middle attacks.
In this DH exchange, g and p are determined by the Oakley group negotiated in the first two packets; the example in this article uses Oakley group 14:
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
This group is not defined in RFC 2409 but in draft-ietf-ipsec-ike-modp-groups-03.txt, with g = 2 and p equal to:
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
See: http://tools.ietf.org/html/draft-ietf-ipsec-ike-modp-groups-03
4 Fourth packet
4.1 Content
No. Time Source Destination Protocol Length Info
6 9.703946 192.168.18.102 192.168.18.101 ISAKMP 350 Identity Protection (Main Mode)
Frame 6: 350 bytes on wire (2800 bits), 350 bytes captured (2800 bits)
Ethernet II, Src: Vmware_18:43:c9 (00:0c:29:18:43:c9), Dst: Vmware_9a:aa:8b (00:0c:29:9a:aa:8b)
Internet Protocol Version 4, Src: 192.168.18.102 (192.168.18.102), Dst: 192.168.18.101 (192.168.18.101)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 3be760f4e2560ce1
Responder cookie: b24281eaa9ce3517
Next payload: Key Exchange (4)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
Message ID: 0x00000000
Length: 308
Type Payload: Key Exchange (4)
Next payload: Nonce (10)
Payload length: 260
Key Exchange Data: 1755b4d995393d873aa20027754417fccc98c5f925815ad1...
Type Payload: Nonce (10)
Next payload: NONE / No Next Payload (0)
Payload length: 20
Nonce DATA: 61354fd608d53485f28a5b5c6b5c1858
0000 00 0c 29 9a aa 8b 00 0c 29 18 43 c9 08 00 45 00 ..).....).C...E.
0010 01 50 00 00 40 00 40 11 93 81 c0 a8 12 66 c0 a8 .P..@.@......f..
0020 12 65 01 f4 01 f4 01 3c 85 26 3b e7 60 f4 e2 56 .e.....<.&;.`..V
0030 0c e1 b2 42 81 ea a9 ce 35 17 04 10 02 00 00 00 ...B....5.......
0040 00 00 00 00 01 34 0a 00 01 04 17 55 b4 d9 95 39 .....4.....U...9
0050 3d 87 3a a2 00 27 75 44 17 fc cc 98 c5 f9 25 81 =.:..'uD......%.
0060 5a d1 20 4a 74 8e d7 9c c0 90 84 29 d0 cc 1b 35 Z. Jt......)...5
0070 6b cd 5b d4 ed 66 14 f5 e1 2c ac 44 52 e7 9f a3 k.[..f...,.DR...
0080 78 fc 3c 39 63 50 38 aa 23 20 49 37 ec 1c 00 98 x.<9cP8.# I7....
0090 00 45 ef 81 b2 e8 08 87 59 dc 8b 80 cb 11 10 12 .E......Y.......
00a0 8c 46 59 d4 42 58 f2 87 a5 ad b9 21 82 a0 70 20 .FY.BX.....!..p
00b0 4b e5 40 b5 34 d3 4d 6c f1 f9 dc f8 51 59 29 f5 K.@.4.Ml....QY).
00c0 3d c6 83 25 27 c4 4e a5 f5 37 3d 0b 93 0b 84 a2 =..%'.N..7=.....
00d0 e5 29 fa 41 62 40 40 d0 a3 43 d3 e4 87 9c 6e e0 .).Ab@@..C....n.
00e0 78 d2 db 12 2e da 7f 7f da 2b cc 50 72 2c 56 7c x........+.Pr,V|
00f0 2a 9f e8 e4 59 b6 2d 89 c9 ff 88 33 55 36 b2 11 *...Y.-....3U6..
0100 1e a9 c9 aa 79 36 e1 7c 58 ad 97 88 c3 4c cd f7 ....y6.|X....L..
0110 44 1f e0 e1 3a f9 9f ea ab 09 c7 43 83 dd 51 95 D...:......C..Q.
0120 85 3c 0a 46 d8 11 01 fe ea 99 fe 98 23 95 3c b5 .<.F........#.<.
0130 41 f2 e3 8c d4 e3 95 32 89 21 1b 1c e1 be 3b 13 A......2.!....;.
0140 1b c3 84 c9 81 36 e5 d2 31 a4 00 00 00 14 61 35 .....6..1.....a5
0150 4f d6 08 d5 34 85 f2 8a 5b 5c 6b 5c 18 58 O...4...[\k\.X
4.2 Brief analysis
The fourth packet serves the same purpose as the third: the responder sends KE_r and Nonce_r, where KE_r is g^y mod p. At this point the responder can already compute the SA's keying material:
g^xy mod p = KE_i^y mod p
           = (g^x mod p)^y mod p
Below, g^xy mod p is abbreviated as g^xy.
SKEYID   = prf(Nonce_i_b | Nonce_r_b, g^xy mod p)
SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
Here prf is the HMAC of the hash algorithm the two sides negotiated:
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
For the meaning of the other symbols, see RFC 2409.
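The exchange and derivation above, carried through as an added Python example (not Openswan's code): the group 14 parameters, cookies and nonces are the ones from this capture, the prf is HMAC-SHA1 as negotiated, and the private exponents x and y are constructed, so the resulting g^xy and SKEYID values differ from the session's real ones.

```python
import hashlib
import hmac

# Oakley group 14 as quoted in the text: g = 2 and the 2048-bit MODP prime.
G = 2
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
        "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
P_LEN = (P.bit_length() + 7) // 8   # 256 bytes: the Key Exchange Data length seen above

# Cookies and nonces taken from packets 1 to 4 of the capture above.
CKY_I = bytes.fromhex("3be760f4e2560ce1")
CKY_R = bytes.fromhex("b24281eaa9ce3517")
NONCE_I = bytes.fromhex("3ea8e9d3030161246017cd31a4ac96d2")
NONCE_R = bytes.fromhex("61354fd608d53485f28a5b5c6b5c1858")

# Constructed private exponents x and y (the real ones never leave the peers);
# an implementation draws them from a CSPRNG, e.g. secrets.randbelow(P - 2) + 1.
X = int.from_bytes(hashlib.sha256(b"constructed initiator secret x").digest(), "big")
Y = int.from_bytes(hashlib.sha256(b"constructed responder secret y").digest(), "big")

def prf(key, data):
    """The negotiated prf: HMAC of the Phase 1 hash algorithm, SHA here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def ke_data(secret):
    """KE_i or KE_r payload data: g^x mod p as a fixed-width big-endian string."""
    return pow(G, secret, P).to_bytes(P_LEN, "big")

def shared_secret(peer_ke, secret):
    """g^xy mod p = (peer's g^x mod p)^y mod p, padded like the KE payloads."""
    peer = int.from_bytes(peer_ke, "big")
    if not 1 < peer < P - 1:          # reject 0, 1, p-1 and out-of-range values
        raise ValueError("peer public value outside (1, p-1)")
    return pow(peer, secret, P).to_bytes(P_LEN, "big")

def derive_skeyid(gxy, nonce_i, nonce_r, cky_i, cky_r):
    """RFC 2409 5.1 with signature authentication: SKEYID and its three children;
    the trailing 0, 1 and 2 are single octets."""
    skeyid = prf(nonce_i + nonce_r, gxy)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def run_exchange(x, y):
    """Packets 3 and 4 from both sides' point of view: the initiator sends KE_i,
    the responder KE_r, and each derives the keys from its own secret."""
    ke_i, ke_r = ke_data(x), ke_data(y)
    keys_i = derive_skeyid(shared_secret(ke_r, x), NONCE_I, NONCE_R, CKY_I, CKY_R)
    keys_r = derive_skeyid(shared_secret(ke_i, y), NONCE_I, NONCE_R, CKY_I, CKY_R)
    return keys_i, keys_r

if __name__ == "__main__":
    initiator, responder = run_exchange(X, Y)
    for name, value in initiator.items():
        print(name, value.hex(), "match" if responder[name] == value else "MISMATCH")
```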
5 Fifth packet
5.1 Content
No. Time Source Destination Protocol Length Info
7 9.711339 192.168.18.101 192.168.18.102 ISAKMP 374 Identity Protection (Main Mode)
Frame 7: 374 bytes on wire (2992 bits), 374 bytes captured (2992 bits)
Ethernet II, Src: Vmware_9a:aa:8b (00:0c:29:9a:aa:8b), Dst: Vmware_18:43:c9 (00:0c:29:18:43:c9)
Internet Protocol Version 4, Src: 192.168.18.101 (192.168.18.101), Dst: 192.168.18.102 (192.168.18.102)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 3be760f4e2560ce1
Responder cookie: b24281eaa9ce3517
Next payload: Identification (5)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x01
Message ID: 0x00000000
Length: 332
Encrypted Data (304 bytes)
0000 00 0c 29 18 43 c9 00 0c 29 9a aa 8b 08 00 45 00 ..).C...).....E.
0010 01 68 00 00 40 00 40 11 93 69 c0 a8 12 65 c0 a8 .h..@.@..i...e..
0020 12 66 01 f4 01 f4 01 54 a7 81 3b e7 60 f4 e2 56 .f.....T..;.`..V
0030 0c e1 b2 42 81 ea a9 ce 35 17 05 10 02 01 00 00 ...B....5.......
0040 00 00 00 00 01 4c 73 fc 82 af 2d d8 b5 88 5d e2 .....Ls...-...].
0050 23 5f 61 4c 23 6f 86 6e 1b bb 57 d8 96 06 44 01 #_aL#o.n..W...D.
0060 f3 87 a0 8f cb 25 5a 27 b1 1a 8d 47 a8 aa d3 f1 .....%Z'...G....
0070 40 d1 7b b5 db ca 5d a8 09 45 a0 c1 9f 4e 04 50 @.{...]..E...N.P
0080 0e ba f1 55 7d cd 9d 98 b2 09 dc de 95 0b 25 d4 ...U}.........%.
0090 fc e7 07 2e 85 78 44 3e 01 db e8 3a d9 b7 fc 4b .....xD>...:...K
00a0 10 e3 04 2e 1c ab 34 c6 d9 e6 ee 67 57 f3 13 79 ......4....gW..y
00b0 66 0c 6b 9d f3 c5 57 83 6e f9 f5 07 82 98 21 b8 f.k...W.n.....!.
00c0 d2 63 fe 93 77 51 60 a0 78 7b a7 92 21 9a cb 4d .c..wQ`.x{..!..M
00d0 c0 10 46 94 3d ed 41 94 cc 9f b9 5c ae f7 9a 72 ..F.=.A....\...r
00e0 41 cd 0d b5 69 d5 21 14 74 c4 87 b9 41 98 4d 6b A...i.!.t...A.Mk
00f0 ba 64 ea ac 72 8e 18 b7 c6 6f 72 75 ef 0c 08 74 .d..r....oru...t
0100 79 4f de c9 ef 5c dd fd 87 18 f1 d4 97 b4 b9 39 yO...\.........9
0110 2d 61 34 9b db 33 87 5e f5 6b 43 de da 6b 95 2c -a4..3.^.kC..k.,
0120 4a a1 07 a6 0b 3f f8 5c a9 c4 56 41 2f 92 3d 2f J....?.\..VA/.=/
0130 87 0a 3d 0d 86 3e 48 ef 45 d2 99 80 47 2b fa b2 ..=..>H.E...G+..
0140 80 ae e2 74 dd 7e c7 09 e5 dc 67 da 92 43 82 82 ...t.~....g..C..
0150 d0 1b 64 e5 8d 18 8c 63 a0 7c 56 5e b2 91 9d 0c ..d....c.|V^....
0160 f9 09 78 bb 4d 09 97 d2 c8 ab 7a ad d7 9e 0c a0 ..x.M.....z.....
0170 cd 00 8f 79 0d e0 ...y..
5.2 Brief analysis
After receiving the fourth packet, the initiator generates SKEYID, SKEYID_d, SKEYID_a and SKEYID_e. From this point on, the two sides can communicate encrypted.
The fifth and sixth packets verify the result of the negotiation above. After decrypting the fifth packet, one finds that it carries an identification payload ID_i and a signature payload SIG_i. SIG_i is produced with the authentication method the two sides negotiated:
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : RSA-SIG
Note that SIG_i is not produced with the PKCS#1 signature scheme (whose encoding includes the OID of the hash algorithm); it is actually produced by encrypting HASH_i with the private key. Correspondingly, when the peer verifies this signature, it decrypts the signature value with the public key to obtain HASH_i, compares it with the HASH_i it computed itself, and the signature is verified if the two match.
6 Sixth packet
See the previous section on the fifth packet.