What’s Internet Key Exchange?

Internet Key Exchange (IKE) is the protocol used with IPSec to set up secure communication between two devices. IKE negotiates and establishes security associations (SAs) between peers in a multi-stage approach: Phase 1 authenticates the peers and builds a protected IKE SA, and Phase 2 uses that SA to negotiate the IPSec SAs that carry the traffic. IKE version 1 combines the ISAKMP framework with the OAKLEY and SKEME key exchange methods; the result is an IPSec tunnel for encrypted communication. The two-phase description below is IKEv1 (RFC 2409); IKEv2 (RFC 7296) serves the same purpose but replaces the phases with the IKE_SA_INIT, IKE_AUTH and CREATE_CHILD_SA exchanges.

Internet Key Exchange (IKE) is a set of supporting protocols created by the Internet Engineering Task Force (IETF) and used with Internet Protocol Security (IPSec) to provide secure communications between two devices, or peers, on a network. As a protocol, IKE is used by many kinds of software; a common example is setting up a secure virtual private network (VPN). While it is built into virtually all modern operating systems and networking equipment, most of what Internet Key Exchange does is hidden from the average user.

The protocols in IKE establish what is known as a security association (SA) between two peers, which is required for any secure communication using IPSec. An SA is one-way, so a pair of them is needed for two-way traffic. Each SA records the IPSec protocol (AH or ESP), the cryptographic algorithms, the keys, a Security Parameter Index (SPI) that identifies the SA in each packet, and a lifetime after which it expires; all of this goes into each peer's security association database (SAD). SAs can be configured by hand with static keys, but Internet Key Exchange negotiates and establishes them automatically, derives fresh keys for each one, and replaces them before they expire.

Internet Key Exchange is known as a hybrid protocol. IKE uses a protocol framework known as the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP defines the message and payload formats, the procedure for establishing an SA and the negotiation of which key exchange method will be used, but it does not itself specify a key exchange. IKE fills that in from two sources. Most of the key exchange process follows the OAKLEY Key Determination Protocol, which defines the exchange modes and the Diffie-Hellman groups, and IKE also borrows from the Secure Key Exchange Mechanism (SKEME), which contributes authentication based on public key encryption and fast re-keying.

IKE is triggered by what is called “interesting traffic”: packets that match an IPSec policy configured on the peers. On firewalls and routers that policy is commonly expressed as an access list (a crypto access list on Cisco equipment) attached to an encryption policy; each statement in the list selects traffic by source, destination, protocol and port and says whether matching packets must be protected, may be sent in the clear, or must be dropped. When a packet matches a protect rule and no SA exists for it yet, the Internet Key Exchange process begins. The two peers' policies must mirror each other, otherwise the negotiation fails.
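The policy lookup described above, as an added illustration that is not code from the original article. It models the RFC 4301 security policy database (ordered entries, first match wins, PROTECT / BYPASS / DISCARD) and reports when a packet is "interesting", that is, when the policy demands protection but no SA exists yet. The entries, packets and the idea of keying the SAD by policy entry are constructed for the example.

```python
"""Deciding whether a packet is 'interesting traffic' that should start IKE.
Added illustration, not code from the original article. The lookup mirrors
the RFC 4301 SPD model (ordered entries, first match wins, PROTECT / BYPASS /
DISCARD); the policy entries and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    src_net: str
    dst_net: str
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


# Constructed policy for hosts in 10.1.0.0/16 talking to 10.2.0.0/16.
# Order matters: the IKE bypass must come before the broad PROTECT rule,
# otherwise IKE's own UDP/500 packets would wait for an SA that IKE is
# supposed to create (a classic misconfiguration).
SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", "BYPASS", proto="udp", dport=500),
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", "PROTECT"),
    SpdEntry("10.1.0.0/16", "0.0.0.0/0", "DISCARD", proto="tcp", dport=23),
    SpdEntry("0.0.0.0/0", "0.0.0.0/0", "BYPASS"),
]


def lookup(pkt: Packet, spd=SPD) -> Optional[SpdEntry]:
    """First matching SPD entry; None means no policy (RFC 4301: discard)."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


def needs_ike(pkt: Packet, sad, spd=SPD) -> bool:
    """True when policy says PROTECT but the SAD (here simply a set of SPD
    entries that already have an SA) holds nothing for that policy yet;
    that is the moment the IKE negotiation is triggered."""
    entry = lookup(pkt, spd)
    return entry is not None and entry.action == "PROTECT" and entry not in sad


if __name__ == "__main__":
    established = set()                                     # the SAD
    flow = Packet("10.1.5.5", "10.2.7.7", "tcp", 443)
    print("triggers IKE:", needs_ike(flow, established))   # True
    established.add(lookup(flow))                           # pretend IKE finished
    print("triggers IKE:", needs_ike(flow, established))   # False
```

The ordering caveat in the comment is the practical one: a PROTECT rule broad enough to cover the peers' own IKE traffic stalls the negotiation that is supposed to satisfy it, so real configurations bypass UDP/500 (and UDP/4500 for NAT traversal) explicitly.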

The IKE process takes place in phases. The peers start out with no shared secret, so Phase 1 negotiates how they will protect the rest of the exchange and results in an IKE SA (also called the ISAKMP SA). The peers first agree on the algorithms they will use: an encryption cipher, a hash function, an authentication method, a Diffie-Hellman group and a lifetime. They then perform a Diffie-Hellman exchange, which lets two parties compute the same secret over an unsecured network without ever sending it, and derive the Phase 1 session keys from that secret together with the nonces each side contributed. Only then do they authenticate each other, using a pre-shared key, digital signatures or public key encryption, by each proving knowledge of the derived key material. In Main Mode (six messages) the identity and authentication payloads are sent encrypted; in Aggressive Mode (three messages) they are sent in the clear, and with pre-shared keys the authentication hash can be captured and attacked offline, so Aggressive Mode with a pre-shared key should be avoided. IKE ends Phase 1 with a secure channel between the peers that will be used in Phase 2.

When IKE enters Phase 2 (Quick Mode), the peers use the new IKE SA to negotiate the IPSec SAs they will use for the rest of their connection. Each IPSec SA uses one of two protocols. The Authentication Header (AH) adds an integrity check value computed over the packet contents, so the receiver can verify that a message arrived intact and from the expected peer, but AH does not encrypt. Encapsulating Security Payload (ESP) encrypts the packet to protect it from prying eyes and, in practice, is almost always configured with its own integrity check as well, so most deployments use ESP alone. Either way, a packet whose integrity check fails is dropped, so an attacker can neither read the contents nor substitute bogus packets.
IKE also exchanges fresh cryptographic nonces during Phase 2. A nonce is a number or string that is used only once. Both nonces are mixed into the derivation of the IPSec keys, so each negotiation produces new keys even though it is protected by the same Phase 1 SA, and a peer cannot be made to reuse old key material or to accept a replayed set of SA messages. If perfect forward secrecy (PFS) is configured, Phase 2 also performs a new Diffie-Hellman exchange, so a later compromise of the Phase 1 secret does not reveal the traffic keys.
The advantage of the multi-stage approach is that, as long as the Phase 1 SA is valid, either peer can start a new Phase 2 at any time to negotiate a fresh IPSec SA, which keeps re-keying cheap. Once Internet Key Exchange has completed both phases, an IPSec tunnel exists and packets sent through it are encrypted and decrypted according to the SAs established in Phase 2. Each SA expires after a predetermined lifetime, either a time limit or a certain amount of data transferred, whichever comes first. Before that happens, a further Phase 2 negotiation replaces the SA and keeps the tunnel open; when the Phase 1 SA itself expires, a new Phase 1 and Phase 2 negotiation establishes a new secure tunnel.
