ISAKMP

Internet Security Association and Key Management Protocol (ISAKMP) is a protocol defined by RFC 2408 for establishing security associations (SA) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key exchange independent; protocols such as Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK) provide authenticated keying material for use with ISAKMP. For example: IKE describes a protocol using part of Oakley and part of SKEME in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI.


Overview

ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques and threat mitigation (e.g. denial of service and replay attacks). As a framework, ISAKMP typically utilizes IKE for key exchange, although other methods have been implemented such as Kerberized Internet Negotiation of Keys. A Preliminary SA is formed using this protocol; later a fresh keying is done.

ISAKMP is distinct from key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes and for negotiating, modifying and deleting SAs. ISAKMP serves as this common framework.

ISAKMP can be implemented over any transport protocol. All implementations must include send and receive capability for ISAKMP using UDP on port 500.


Implementation

OpenBSD first implemented ISAKMP in 1998 via its isakmpd(8) software. The IPsec Services Service in Microsoft Windows handles this functionality. The KAME project implements ISAKMP for Linux and most other open source BSDs. Modern Cisco routers implement ISAKMP for VPN negotiation.


Vulnerabilities

Leaked NSA presentations released by Der Spiegel indicate that ISAKMP is being exploited in an unknown manner to decrypt IPsec traffic, as is IKE. The researchers who discovered the Logjam attack state that breaking a 1024-bit Diffie–Hellman group would break 66% of VPN servers, 18% of the top million HTTPS domains, and 26% of SSH servers, which is consistent with the leaks according to the researchers.
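
The following Python code is an added example, not part of the original article or of any implementation it names: it parses an unencrypted ISAKMP message as received on UDP port 500 and lists the IKEv1 transforms that offer a Diffie–Hellman MODP group smaller than a chosen size, such as the 1024-bit group mentioned above. The payload layouts, attribute numbers and group sizes are taken from RFC 2408, RFC 2409 and RFC 3526 rather than from this page, the function names are illustrative, and the sample message is constructed.

```python
import struct

# Constants from RFC 2408, RFC 2409 and RFC 3526; none of them appear on this page.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
SA, PROPOSAL, TRANSFORM, GROUP_DESCRIPTION = 1, 2, 3, 4
# Constructed sample: an IKEv1 main-mode SA offer, one proposal, two transforms.
SAMPLE = bytes.fromhex(
    "1122334455667788 0000000000000000 01100200 00000000 00000060"  # header
    "00000044 00000001 00000001 00000038 01010002"            # SA + proposal
    "03000018 01010000 80010005 80020002 80030001 80040002"   # offers group 2
    "00000018 02010000 80010005 80020002 80030001 8004000e")  # offers group 14

def payloads(data, ptype, min_body=0):
    """Walk chained payloads, yielding (type, body after the generic header)."""
    pos = 0
    while ptype and pos + 4 <= len(data):
        nxt, _, length = struct.unpack_from("!BBH", data, pos)
        if length < 4 + min_body or pos + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[pos + 4:pos + length]
        pos, ptype = pos + length, nxt

def attributes(data):
    """Yield (type, value) for each data attribute, in TV or TLV form."""
    pos = 0
    while pos + 4 <= len(data):
        atype, field = struct.unpack_from("!HH", data, pos)
        pos += 4
        if atype & 0x8000:              # AF bit set: 16-bit value is inline
            yield atype & 0x7FFF, field
        else:                           # AF bit clear: field is a byte length
            yield atype, int.from_bytes(data[pos:pos + field], "big")
            pos += field

def weak_dh_transforms(datagram, min_bits=2048):
    """List (proposal#, transform#, group, bits) for MODP groups under min_bits."""
    if len(datagram) < 28 or datagram[17] >> 4 != 1:
        raise ValueError("not an ISAKMP version 1 message")
    if datagram[19] & 0x01:             # encryption flag set: payloads unreadable
        return []
    found = []
    for body in (b for t, b in payloads(datagram[28:], datagram[16]) if t == SA):
        for _, prop in payloads(body[8:], PROPOSAL, 4):  # skip DOI and situation
            for _, tr in payloads(prop[4 + prop[2]:], TRANSFORM, 4):
                for atype, value in attributes(tr[4:]):
                    bits = MODP_BITS.get(value)
                    if atype == GROUP_DESCRIPTION and bits and bits < min_bits:
                        found.append((prop[0], tr[0], value, bits))
    return found
```

Calling `weak_dh_transforms(SAMPLE)` reports only the first transform, which offers the 1024-bit group; the 4-byte situation field assumed here is the one used by the IPsec DOI.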


See also

* Oakley protocol
* IPsec
* IKE
* GDOI


External links

* RFC 2408, Internet Security Association and Key Management Protocol
* RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP