Internet Key Exchange (IKE)
Internet Key Exchange (IKE) is the protocol used to set up a secure, authenticated communications channel between two parties. IKE typically uses X.509 PKI certificates for authentication and the Diffie–Hellman key exchange protocol to set up a shared session secret.
IKE is part of the Internet Security Protocol (IPSec) which is responsible for negotiating security associations (SAs), which are a set of mutually agreed-upon keys and algorithms to be used by both parties trying to establish a VPN connection/tunnel.
IKE is comprised of two phases. In phase 1, IKE creates an authenticated, secure channel between the two IKE peers. This is done using the Diffie-Hellman key agreement protocol. IKE supports multiple authentication methods as part of the phase 1 exchange. Methods include:
- Pre-shared keys. A key value entered into each peer manually (out of band) and used to authenticate the peer.
- RSA signatures. Uses a digital certificate authenticated by an RSA signature.
- RSA encrypted nonces. Uses RSA encryption to encrypt a nonce value (a random number generated by the peer).
In phase 2, IKE negotiates the IPSec security associations and generates the required key material for IPSec.
IKEv2 is an improvement on IKEv1 that was released in 2005, 7 years after the introduction of IKEv1. Improvements introduced in IKEv2 include (i) less bandwidth consumption, (ii) support for EAP authentication, required for connecting with existing enterprise authentication systems, (iii) support for MOBIKE, which allows IKE to be used in mobile platforms like phones, (iv) built-in NAT traversal, necessary to support situations where a router along the route performs Network Address Translations, and (v) detection whether a tunnel is still alive, to enable IKE to automatically re-establish the connection when needed.
IKE is comprised of two phases. In phase 1, IKE creates an authenticated, secure channel between the two IKE peers. In phase 2, IKE negotiates the IPSec security associations and generates the required key material for IPSec.
IKE in general, and IKEv2 specifically are the part of the Internet Security Protocol (IPSec) responsible for performing the upfront authenticating, exchanging of cryptographic keys and negotiation of algorithms to be used.
Internet Security Association and Key Management Protocol (ISAKMP) defines how to establish, negotiate, modify and delete Security Associations containing the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services or self-protection of negotiation traffic.
ISAKMP typically utilizes IKE for key exchange, although other methods have been implemented. It does not define key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange.