Updated April 18, 2023
Introduction to ISAKMP protocol
The protocol used in IPSec for key management is called ISAKMP/Oakley. ISAKMP stands for the Internet Security Association and Key Management Protocol. It is a protocol platform used for key management. It defines the procedure and packet formats for negotiating, establishing, modifying, and deleting SAs. ISAKMP messages can be transmitted via the TCP or UDP transport protocol. Port number 500 of TCP and UDP are reserved for ISAKMP protocol. The initial version of ISAKMP mandated the use of the Oakley protocol. Oakley is based on the Diffie Hellman key exchange protocol.
So first, we will discuss the Oakley and then will discuss the ISAKMP.
Oakley protocol is a refined version of the Diffie Hellman key exchange protocol. Diffie Hellman offers two main features like the creation of secret keys as and when required and no requirement for any pre-existing infrastructure. However, the Diffie Hellman key exchange protocol also has some problems. Oakley protocol is designed to solve these problems. Features of Oakley are as follows.
- It enables the exchange of Diffie Hellman public key values
- To defeat the congestion attacks, it implements a mechanism which is called cookies.
- To defeat the man in the middle attack, it provides an authentication mechanism.
Below are the approaches that are taken by the Oakley protocol to solve the problems of Diffie Hellman key protocol.
1. Authentication: Oakley protocol support three authentication mechanism which is follow
- Digital signatures: Generation of a message digest and its encryption with the private key of the sender
- Public key encryption: Encryption of information such as user ID of the sender and public key of the receiver.
- Secret key encryption: Key derived by using some out of band mechanism.
2. dealing with congestion attacks: to defeat the congestion attack, Oakley uses the cookie concept. In this type of attack, an attacker forges the source address of another legitimate user and sends a public Diffie Hellman key to another legitimate user. Then the receiver performs some calculation to calculate the secret key. Several calculations. Performed rapidly one after another other cause the congestion of the victim’s computer. To defeat this, each side in Oakley must send the pseudo-random number, which is called a cookie, in the initial message, which the other side must acknowledge. This acknowledges must be repeated in the first message of the Diffie key exchange protocol. If an attacker forges the source address, he does get the acknowledgement cookie from the victim, and her attacks fail.
3. ISAKMP: This protocol defines the procedure and the format for establishing, maintaining, and deleting the SA information. ISAKMP message contains an ISAKMP header followed by one or more payloads. The entire block is encapsulated inside the transport segment.
ISAKMP Protocol header files
There are 9 fields in the ISAKMP headers files. Let’s discuss them one by one.
- Initiator cookie: This is a 64-bit field which contains the cookie of the entity that initiates the SA establishment or deletion.
- Responder cookie: This IA 64 bit field which contains the cookie of the responding entity. Initially, this field contains null when the initiator sends the very first ISAKMP message to the responder.
- Next payload: This is an 8-bit field which indicates the type of the first payload of the message. ISAKMP specifies the various payload types; for example, to start the SA establishment, the SA payload is used. Key exchange payload is used to exchange the key, etc.
- Major version: It is a 4-bit field that defines the major version of the ISAKMP protocol as used in the current exchange.
- Minor version: It is a 4-bit field that defines a minor version of the ISAKMP protocol as used in the current exchange.
- Exchange type: It is an 8-bit field that is used to define the type of exchange. ISAKMP protocol provides 5 exchange types. The base exchange allows me an h key transmission and authentication material. Identity exchange is used to expand the base exchange to protect the user’s identity. Authentication only exchange is used to perform mutual authentication. Aggressive exchange is used to minimize the number of exchanges at the cost of hiding the user’s identities. Information exchange is used to perform the one-way transmission of information for SA management.
- Flags: it is an 8-bit field which indicates the specific set of options for ISAKMP exchange
- Message-ID: It is a 32-bit field which is used to identify the unique ID for the message
- Length: It is a 32-bit field that specifies the total length of the message, including the header and all payloads in octets.
This is a guide to ISAKMP Protocol. Here we discuss the Oakley protocol and the 9 fields in the ISAKMP headers files one by one. You may also have a look at the following articles to learn more –