Internet Security Association and Key Management Protocol (ISAKMP) is a protocol defined by RFC 2408 for establishing security associations (SAs) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key-exchange independent; protocols such as Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK) provide authenticated keying material for use with ISAKMP. For example, IKE describes a protocol using part of Oakley and part of SKEME in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI.


Overview

ISAKMP defines the procedures for authenticating a communicating peer, creating and managing security associations, key generation techniques, and threat mitigation (e.g. against denial-of-service and replay attacks). As a framework, ISAKMP typically uses IKE for key exchange, although other methods such as Kerberized Internet Negotiation of Keys have been implemented. A preliminary SA is formed using this protocol; a fresh keying is done later. ISAKMP is kept distinct from key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties, but a common framework is required for agreeing on the format of SA attributes and for negotiating, modifying and deleting SAs; ISAKMP serves as this common framework. ISAKMP can be implemented over any transport protocol, but all implementations must include send and receive capability for ISAKMP using UDP on port 500.


Implementation

OpenBSD first implemented ISAKMP in 1998 via its isakmpd(8) software. The IPsec Services service in Microsoft Windows handles this functionality. The KAME project implements ISAKMP for Linux and most other open source BSDs. Modern Cisco routers implement ISAKMP for VPN negotiation.


Vulnerabilities

Leaked NSA presentations released by Der Spiegel indicate that ISAKMP is being exploited in an unknown manner to decrypt IPsec traffic, as is IKE. The researchers who discovered the Logjam attack state that breaking a 1024-bit Diffie–Hellman group would break 66% of VPN servers, 18% of the top million HTTPS domains, and 26% of SSH servers, which according to the researchers is consistent with the leaks.
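The Overview section describes ISAKMP as a framework carried over UDP port 500 whose messages negotiate SA attributes, and the paragraph above notes that 1024-bit Diffie–Hellman groups are the weak point singled out by the Logjam researchers. The following Python is an added example, not code from the article or from any implementation it names (isakmpd, KAME, Windows, Cisco). It parses the fixed ISAKMP header and the generic payload chain defined in RFC 2408, bounds-checking every length field, then walks the SA, Proposal and Transform payloads to report which transforms offer a MODP group of 1024 bits or less. The Group Description attribute class (4) and the group numbers 1, 2 and 14 are taken from the IKE DOI (RFC 2409 and RFC 3526); the datagram it parses is constructed in-line for illustration and is not a real capture.

```python
"""Parse an ISAKMP (RFC 2408) datagram and audit the DH groups it proposes.

Added example, not code from the article or from any implementation it names.
Header, generic payload header, SA/Proposal/Transform layouts and the data
attribute encoding follow RFC 2408; the Group Description attribute class (4)
and the MODP group numbers are IKE DOI values (RFC 2409; group 14 from RFC 3526).
The sample datagram is constructed here for illustration.
"""
import struct

HEADER_LEN = 28
# I-cookie, R-cookie, next payload, version, exchange type, flags, message ID, length
HEADER_FMT = "!8s8sBBBBII"
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 1, 2, 3
FLAG_ENCRYPTION = 0x01
ATTR_GROUP_DESCRIPTION = 4            # IKE DOI attribute class
WEAK_MODP_GROUPS = {1: 768, 2: 1024}  # group number -> modulus bits


def parse_header(data):
    """Decode the fixed 28-byte header and check its Length against the datagram."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise ValueError(f"header Length {length} != datagram length {len(data)}")
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next_payload": nxt,
            "major": ver >> 4, "minor": ver & 0x0F,
            "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msgid}


def iter_payloads(data, first_type, offset=HEADER_LEN):
    """Yield (type, body) along a generic-payload-header chain, bounds-checking each hop."""
    ptype = first_type
    while ptype != 0:
        if offset + 4 > len(data):
            raise ValueError(f"payload header at offset {offset} runs past the end")
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        yield ptype, data[offset + 4:offset + plen]
        offset += plen
        ptype = nxt


def parse_attributes(body):
    """Decode data attributes: TV when the AF bit is set, TLV otherwise."""
    attrs, off = {}, 0
    while off + 4 <= len(body):
        atype, val = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if atype & 0x8000:                       # AF=1: value is the 2-byte field itself
            attrs[atype & 0x7FFF] = val
        else:                                    # AF=0: val is a length, value follows
            attrs[atype] = body[off:off + val]
            off += val
    return attrs


def group_descriptions(sa_body):
    """Walk SA -> Proposal -> Transform and collect each transform's Group Description."""
    groups = []
    for _p, prop in iter_payloads(sa_body, PAYLOAD_PROPOSAL, 8):   # skip DOI + Situation
        spi_size = prop[2]                       # Proposal #, Protocol-Id, SPI Size, # Transforms
        for _t, tbody in iter_payloads(prop, PAYLOAD_TRANSFORM, 4 + spi_size):
            attrs = parse_attributes(tbody[4:])  # skip Transform #, Transform-Id, RESERVED2
            if ATTR_GROUP_DESCRIPTION in attrs:
                groups.append(attrs[ATTR_GROUP_DESCRIPTION])
    return groups


def audit(data):
    """Return (header summary, [weak MODP groups offered]) for one datagram."""
    hdr = parse_header(data)
    weak = []
    for ptype, body in iter_payloads(data, hdr["next_payload"]):
        if ptype == PAYLOAD_SA:
            weak.extend(g for g in group_descriptions(body) if g in WEAK_MODP_GROUPS)
    return hdr, weak


def build_sample_datagram():
    """Constructed Main Mode message 1 with one proposal offering MODP groups 2 and 14."""
    def tv(atype, value):                        # TV-format attribute
        return struct.pack("!HH", 0x8000 | atype, value)

    def payload(nxt, body):                      # generic payload header + body
        return struct.pack("!BBH", nxt, 0, 4 + len(body)) + body

    def transform(num, nxt, group):              # KEY_IKE transform: AES-CBC, SHA, PSK, group
        attrs = tv(1, 7) + tv(2, 2) + tv(3, 1) + tv(ATTR_GROUP_DESCRIPTION, group)
        return payload(nxt, struct.pack("!BBH", num, 1, 0) + attrs)

    transforms = transform(1, PAYLOAD_TRANSFORM, 2) + transform(2, 0, 14)
    proposal = payload(0, struct.pack("!BBBB", 1, 1, 0, 2) + transforms)  # PROTO_ISAKMP, no SPI
    sa = payload(0, struct.pack("!II", 1, 1) + proposal)                   # IPSEC DOI, SIT_IDENTITY_ONLY
    hdr = struct.pack(HEADER_FMT, bytes.fromhex("0123456789abcdef"), bytes(8),
                      PAYLOAD_SA, 0x10, 2, 0, 0, HEADER_LEN + len(sa))
    return hdr + sa


if __name__ == "__main__":
    header, weak = audit(build_sample_datagram())
    print(header["exchange"], "weak groups:", [f"{g} ({WEAK_MODP_GROUPS[g]}-bit)" for g in weak])
```

Run stand-alone it reports the Identity Protection exchange and flags group 2 (1024-bit) while leaving group 14 alone. The length checks in parse_header and iter_payloads are the part worth copying: a Length field that disagrees with the datagram, or a payload length under 4 bytes, is rejected before any structure is walked, which is the kind of input-validation an ISAKMP responder on UDP 500 needs before it spends state on a peer.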


See also

* Oakley protocol
* IPsec
* IKE
* GDOI


External links

* Internet Security Association and Key Management Protocol (RFC 2408)
* RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP