IKE and ISAKMP process analysis in IPsec (quick mode - message 1)

Earlier posts in this series:

Analysis of IKE and ISAKMP process in IPsec (main mode - message 1)
Analysis of IKE and ISAKMP process in IPsec (main mode - message 2)
Analysis of IKE and ISAKMP process in IPsec (main mode - message 3)
Analysis of IKE and ISAKMP process in IPsec (main mode - message 4)
Analysis of IKE and ISAKMP process in IPsec (main mode - message 5 and message 6)

Stage: IKE Phase 1
Target: Create an ISAKMP SA
Process information: Perform mutual identity authentication and key exchange between the two communicating parties, and obtain the working key

(1) HDR, SA
(2) HDR, SA, Cert_sig_r, Cert_enc_r
(3) HDR, XCHi, SIGi
(4) HDR, XCHr, SIGr
(5) HDR*, HASHi
(6) HDR*, HASHr

Stage: IKE Phase 2
Target: Negotiate IPsec SAs
Process information: Establish the IPsec SA between the two communicating parties, and obtain the IPsec security policy and session key

(1) HDR*, HASH(1), SA, Ni
(2) HDR*, HASH(2), SA, Nr
(3) HDR*, HASH(3)

IKE completes the ISAKMP SA negotiation in the first phase (main mode) and obtains the working key through key exchange. Messages in the second phase of IKE (quick mode) are protected by that ISAKMP SA, so every payload except the ISAKMP header must be encrypted.

Immediately after the HDR, a HASH payload (an HMAC) provides message integrity and data-origin authentication.

HASH = PRF(SKEYID_a, Msg_id | Ni_b | SA [| IDi | IDr]); the HMAC key is SKEYID_a, and IDi and IDr are optional fields.

The transform IDs of the transform payload in the second phase are defined as follows; AH and ESP are identified separately.

The attribute values of the transform payload (the key exchange attribute, the encapsulation mode attribute and the authentication algorithm attribute) are defined as follows.

The packet capture of message 1 in quick mode is shown below. The HDR is transmitted in plaintext; from the HASH payload onward the data is encrypted with SM4-CBC (block length 16 bytes, key length 16 bytes). Here the ciphertext length is 144 bytes, i.e. 9 blocks.
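As an added example (not code from the original post), the following Python parses the plaintext ISAKMP header of a quick-mode message, checks that the encrypted tail is a whole number of 16-byte SM4 blocks, and computes and verifies HASH(1) = PRF(SKEYID_a, Msg_id | Ni_b | SA [| IDi | IDr]). The PRF is modelled as HMAC-SHA256 because the post does not name the hash (a GM/T stack would use SM3), and all key, nonce, SA and packet bytes are constructed sample values, not the post's capture.

```python
import hmac
import hashlib
import struct

BLOCK_SIZE = 16       # SM4-CBC block length in bytes, as stated in the post
ISAKMP_HDR_LEN = 28   # fixed ISAKMP header size
ENCRYPT_FLAG = 0x01   # the "E" bit in the flags byte; set for HDR*

def parse_hdr(pkt: bytes) -> dict:
    """Parse the plaintext ISAKMP header and sanity-check the encrypted tail."""
    _ispi, _rspi, _np, _ver, xchg, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", pkt[:ISAKMP_HDR_LEN])
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match the packet")
    body_len = length - ISAKMP_HDR_LEN
    encrypted = bool(flags & ENCRYPT_FLAG)
    if encrypted and body_len % BLOCK_SIZE:
        raise ValueError("encrypted payloads must be whole 16-byte blocks")
    return {"msg_id": struct.pack("!I", msg_id), "exchange": xchg,
            "encrypted": encrypted, "blocks": body_len // BLOCK_SIZE}

def hash1(skeyid_a, msg_id, ni_b, sa, idi=b"", idr=b"", prf=hashlib.sha256):
    """HASH(1) = PRF(SKEYID_a, Msg_id | Ni_b | SA [| IDi | IDr]).
    PRF modelled as HMAC; SHA-256 is an assumption for this demo."""
    data = msg_id + ni_b + sa
    if idi or idr:                 # optional identity payloads
        data += idi + idr
    return hmac.new(skeyid_a, data, prf).digest()

def verify_hash1(received, skeyid_a, msg_id, ni_b, sa, idi=b"", idr=b""):
    """Receiver-side check; constant-time compare avoids a timing side channel."""
    expected = hash1(skeyid_a, msg_id, ni_b, sa, idi, idr)
    return hmac.compare_digest(received, expected)

# --- constructed sample values (not taken from the post's capture) ---
SKEYID_A = bytes.fromhex("0f" * 32)            # working key from phase 1
NI_B = bytes(range(16))                         # initiator nonce body
SA_PAYLOAD = bytes.fromhex("0000002c0000000100000001000000200101")
# Header: SPIs, next payload 8 (HASH), version 1.0, exchange 32 (quick mode),
# flags E=1, message ID, total length = 28 + 144 bytes of "ciphertext".
SAMPLE_PKT = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, 8, 0x10, 32,
                         ENCRYPT_FLAG, 0x00A1B2C3, ISAKMP_HDR_LEN + 144) \
             + bytes(range(144))
```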


Origin blog.csdn.net/ryanzzzzz/article/details/130458057