IBM : developerWorks : Security : Education - online courses
Virtual private networks, Part 2
4. Key exchange

Internet Key Exchange III (page 3 of 11)

A central idea of Oakley's PFS is that compromise of a single key permits access only to the data protected by that one key. For PFS to hold, the key used to protect the transmission of data must not be used to derive any additional keys, and if that key was itself derived from some other keying material, that material shall not be used to derive any further keys. This assures the "freshness" of a key.

While Oakley defines "modes," ISAKMP defines "phases." IKE presents its different exchanges as modes, each of which operates in one of two phases:

  • Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel over which to communicate (the SA process). "Main Mode" and "Aggressive Mode" (we'll get to these later) each accomplish a phase 1 exchange, and they are only used in phase 1.
  • Phase 2 is where SAs are negotiated on behalf of IPSec or another service that needs key material. "Quick Mode" accomplishes a phase 2 exchange.
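The two paragraphs above, the PFS requirement and the phase 1 / phase 2 split, can be seen together in the way IKE derives keys. The following Python model is an added example, not code from the tutorial or from any IKE implementation. It follows the shape of the RFC 2409 derivation: phase 1 (Main or Aggressive Mode with a pre-shared key) produces SKEYID_d, and Quick Mode derives the IPSec key material KEYMAT from SKEYID_d plus values sent in the clear, optionally mixing in a fresh Diffie-Hellman secret for PFS. The DH group, pre-shared key, cookies, nonces and SPI are constructed sample values, and HMAC-SHA256 stands in for the negotiated hash; none of it is suitable for real use.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed toy Diffie-Hellman group, for illustration only: p = 2**127 - 1 is prime
# but far too small for real use; IKE negotiates one of the MODP groups instead.
P = 2**127 - 1
G = 5

# Constructed sample values standing in for what the peers exchange on the wire.
PRESHARED_KEY = b"example-psk"
COOKIE_I, COOKIE_R = b"\x01" * 8, b"\x02" * 8        # ISAKMP cookies
PHASE1_NI, PHASE1_NR = b"\xa1" * 16, b"\xb2" * 16    # phase 1 nonces
PHASE2_NI, PHASE2_NR = b"\xc3" * 16, b"\xd4" * 16    # Quick Mode nonces
PROTOCOL, SPI = b"\x03", b"\x00\x00\x10\x01"         # ESP, sample SPI


def prf(key: bytes, data: bytes) -> bytes:
    """IKE 'prf': a keyed hash. HMAC-SHA256 stands in for the negotiated hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair() -> Tuple[int, int]:
    """Fresh ephemeral exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """Shared secret g^xy mod p as 16 big-endian bytes (p < 2**128)."""
    return pow(peer_public, x, P).to_bytes(16, "big")


def phase1_skeyid_d() -> bytes:
    """Phase 1 (Main or Aggressive Mode, pre-shared key authentication).
    Derives SKEYID_d, the phase 1 material from which phase 2 keys are later
    derived, following the RFC 2409 derivation in simplified form."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy = dh_shared(xi, gxr)
    assert gxy == dh_shared(xr, gxi)      # both peers agree on g^xy
    skeyid = prf(PRESHARED_KEY, PHASE1_NI + PHASE1_NR)
    return prf(skeyid, gxy + COOKIE_I + COOKIE_R + b"\x00")


def quick_mode_keymat(skeyid_d: bytes, gqm_xy: Optional[bytes]) -> bytes:
    """Phase 2 (Quick Mode) key material for one IPSec SA.
    Without PFS, KEYMAT depends only on SKEYID_d plus values sent in the clear.
    With PFS, a fresh Quick Mode DH secret g(qm)^xy is mixed in."""
    public = PROTOCOL + SPI + PHASE2_NI + PHASE2_NR
    if gqm_xy is None:
        return prf(skeyid_d, public)
    return prf(skeyid_d, gqm_xy + public)


def run_exchange(use_pfs: bool) -> Tuple[bytes, bytes]:
    """One phase 1 followed by one Quick Mode.
    Returns (keymat, reconstructed): the peers' KEYMAT, and what an observer who
    holds SKEYID_d and every value sent on the wire, but neither peer's Quick Mode
    exponent, can compute. KEYMAT itself is never fed into another derivation."""
    skeyid_d = phase1_skeyid_d()
    if use_pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        keymat = quick_mode_keymat(skeyid_d, dh_shared(xi, gxr))
    else:
        keymat = quick_mode_keymat(skeyid_d, None)
    # The observer has no g(qm)^xy, so the best it can do is the PFS-less formula.
    reconstructed = quick_mode_keymat(skeyid_d, None)
    return keymat, reconstructed


def pfs_holds(use_pfs: bool) -> bool:
    """True when knowing SKEYID_d alone does not reveal the Quick Mode key."""
    keymat, reconstructed = run_exchange(use_pfs)
    return keymat != reconstructed


if __name__ == "__main__":
    print("without PFS, SKEYID_d compromise reveals KEYMAT:", not pfs_holds(False))
    print("with PFS, SKEYID_d compromise reveals KEYMAT:   ", not pfs_holds(True))
```

The point the model makes is the one the text states: without PFS, every phase 2 key is a function of SKEYID_d and public values, so one compromise of phase 1 material exposes all SAs negotiated under it; with PFS, each Quick Mode contributes its own ephemeral secret, so a compromised SKEYID_d yields nothing, and KEYMAT is a leaf that is never used to derive anything further.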
