IPSec Security Association, Internet Key Exchange, IKE, Main Mode, Quick Mode

Security Association (SA) form the basis of Internet Protocol Security (IPSec).

A Security Association (SA) is a simplex (one-way channel) and logical connection that provides relationship between two or more systems to build a unique secure connection. A Security Association (SA) can be viewed as an agreement between two devices about how to protect information during transit.

The Security Association (SA) are one way (simplex). If two devices, Dev-A and Dev-B, are communicating using IPSec, then the DevA will have two Security Association's. One Security Association is used for processing out-bound packets and other Security Association is used for processing inbound packets.

A Security Association (SA) consists of three things.

1) A Security Parameter Index (SPI)

2) An IP destination address

3) A IPSec Protocol Identifier. IPSec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP).

The protocol Internet Key Exchange (IKE or IKEv2) is used to set up Security Associations (SAs) between two devices. IKE uses a Diffie-Hellman key exchange to set up a shared secret key, from which cryptographic keys are derived. Diffie-Hellman (developed by Whitfield Diffie and Martin Hellman) algorithm is a method for securely exchanging a shared secret (key) between two devices over an untrusted network. The secret key is generated at two devices and it is never transmitted over the network.

Internet Key Exchange (IKE) protocol used for generating Security Association is a two-phase process.

The first phase (also known as Main Mode negotiation) is a policy negotiation phase in which four parameters are negotiated.

• The encryption algorithm (DES or 3DES).

• The hash algorithm (MD5 (Message Digest 5) or SHA (Secure Hash Algorithm)).

• The authentication method (Certificate, Pre-shared key, or Kerberos).

• The exchange of DH material for key generation.

In the second phase (also known as Quick Mode negotiation), the following parameters are negotiated.

• The IPSec protocol (AH or ESP).

• The hash algorithm (MD5 of SHA).

• The algorithm for encryption, if requested (DES or 3DES).

After Main Mode and Quick Mode negotiations, common agreement is reached, and two Security Associations (SAs) are established. One Security Association (SA) is for inbound communication and the other Security Association (SA) is for outbound communication. As part of the second phase (Quick Mode), session key material is refreshed, and a new pair of keys is generated. This can prevent the cracking of session key by an attacker.