Phase 1 Using Preshared Keys

IKE main mode consists of six packets, which are divided into three stages:

1: These first two packets define the algorithms and hashes used to secure the IKE communications and are agreed upon in matching IKE SAs in each peer.

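The first two packets define the algorithms and hashes that protect the IKE communication, and they negotiate the IKE SA. At this point the two packets are not encrypted; they are sent in cleartext. In other words, the first exchange defines which IKE security association will be used. So what does the IKE SA refer to? It is the `crypto isakmp policy` we configure. Only if the isakmp policies on both sides match does the second stage of IKE main mode take place.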

2: The second exchange sets up the secure channel and sets the stage for authentication. This exchange uses a Diffie-Hellman exchange, which is a process that generates a shared secret. This is done by using a method of exchanging nonces, which are random numbers sent to the other party. These nonces are digitally signed and returned as part of authenticating the communication channel.

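The second stage creates the secure channel and lays the groundwork for the authentication in the third stage. The exchange here uses the asymmetric algorithm DH (the main asymmetric algorithms are DH and RSA, with RSA used mainly for digital signatures and certificates). DH uses a random number to produce a SKEYID. As the first article mentioned, asymmetric encryption is not used to encrypt data because it has many drawbacks; one of its practical applications is exchanging and generating the common key.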

3: The third packet exchange proves the identity of both peers to one another. This is where the authentication is completed. After all three packet exchanges are completed, a secure, authenticated control channel is created.

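The third stage authenticates the two peers. It is not covered in detail here. The authentication is actually a hash value, built from one of the SKEYIDs (there are three in total) plus the preconfigured key and other items. Remember the role of the key: it is not the encryption key, it is used for authentication. The shared secret that actually encrypts the data is derived from the SKEYID. If the peers use digital certificates, no pre-shared key needs to be configured on them, because authentication can be done with digital certificates and digital signatures. At this point IKE main mode has done its job.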

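What does IKE main mode mainly accomplish? 1: It generates the shared secret used for the actual data encryption. 2: It authenticates both sides. Using a key, rather than digital certificates and digital signatures, achieves authenticity: we have confirmed which peer this peer is going to exchange secured data with. It does not achieve nonrepudiation.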
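The derivation described above (SKEYID is the post's SKE-ID), following RFC 2409 for pre-shared-key authentication, as an added Python example that is not from the original post: the pre-shared key and the nonces seed SKEYID, from which the three derived keys and the authentication hashes of packets 5 and 6 are computed. The toy 127-bit DH group, HMAC-SHA1 as the PRF, the payload bytes and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os

P, G = 2**127 - 1, 3   # toy DH group (constructed); real IKE uses the large MODP groups

def prf(key, data):    # assumed PRF: HMAC of the negotiated hash, here SHA-1
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_public(x):
    return pow(G, x, P).to_bytes(16, "big")

def dh_shared(peer_public, x):
    return pow(int.from_bytes(peer_public, "big"), x, P).to_bytes(16, "big")

def derive(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 keying material when authenticating with a pre-shared key."""
    skeyid = prf(psk, ni + nr)                  # the PSK only seeds SKEYID
    tail = gxy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")             # SKEYID_d: keys for the IPsec SAs
    a = prf(skeyid, d + tail + b"\x01")         # SKEYID_a: integrity of IKE messages
    e = prf(skeyid, a + tail + b"\x02")         # SKEYID_e: encryption of IKE messages
    return skeyid, d, a, e

def auth_hash(skeyid, g_own, g_peer, cky_own, cky_peer, sa_i, ident):
    """HASH_I or HASH_R, the value carried in packets 5 and 6."""
    return prf(skeyid, g_own + g_peer + cky_own + cky_peer + sa_i + ident)

def main_mode(psk_i, psk_r):
    """Packets 3-6 with constructed values; encryption of packets 5-6 is omitted."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)      # cookies from packets 1-2
    sa_i = b"constructed SA payload"                 # initiator's SA proposal body
    id_i, id_r = b"192.0.2.1", b"192.0.2.2"          # constructed identities
    x_i = int.from_bytes(os.urandom(15), "big") | 1  # DH private values
    x_r = int.from_bytes(os.urandom(15), "big") | 1
    g_i, g_r = dh_public(x_i), dh_public(x_r)        # packets 3-4: KE payloads
    ni, nr = os.urandom(16), os.urandom(16)          # packets 3-4: nonces
    keys_i = derive(psk_i, ni, nr, dh_shared(g_r, x_i), cky_i, cky_r)
    keys_r = derive(psk_r, ni, nr, dh_shared(g_i, x_r), cky_i, cky_r)
    hash_i = auth_hash(keys_i[0], g_i, g_r, cky_i, cky_r, sa_i, id_i)  # packet 5
    hash_r = auth_hash(keys_r[0], g_r, g_i, cky_r, cky_i, sa_i, id_r)  # packet 6
    # Each peer recomputes the other's hash with its own SKEYID and compares.
    r_accepts = hmac.compare_digest(
        hash_i, auth_hash(keys_r[0], g_i, g_r, cky_i, cky_r, sa_i, id_i))
    i_accepts = hmac.compare_digest(
        hash_r, auth_hash(keys_i[0], g_r, g_i, cky_r, cky_i, sa_i, id_r))
    return i_accepts, r_accepts, keys_i, keys_r

if __name__ == "__main__":
    print(main_mode(b"constructed-psk", b"constructed-psk")[:2])
    print(main_mode(b"constructed-psk", b"other-psk")[:2])
```

With matching keys both peers accept and hold identical SKEYID_d, SKEYID_a and SKEYID_e; with mismatched keys the DH exchange still succeeds but neither hash verifies.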

————————————————————————————————————————

To describe the six packets in the fewest words, it comes down to the sentence and the figure below.

The first two packets negotiate the IKE SAs; the next two set up the secure channel; and the last two authenticate the other side.

[Figure: the six IKE main mode packets]