The Internet Key Exchange (IKE) is a set of support protocols created by the Internet Engineering Task Force (IETF) and used with Internet protocol security (IPSec) standards to provide secure communications between two devices, or peers, over a network. As a protocol, IKE can be used in a number of software applications. One common example is setting up a secure virtual private network (VPN). While standard on virtually all modern computer operating systems and networking equipment, much of what the Internet Key Exchange does is hidden from view of the average user.
The protocols in IKE establish what is called a security association (SA) between two or more peers over IPSec, which is required for any secure communications via IPSec. The SA defines the cryptographic algorithm being used in the communication, the encryption keys, and their expiration dates; this all then goes into each peer's security association database (SAD). While IPSec can have its SA configured manually, the Internet Key Exchange negotiates and establishes the security associations among peers automatically, including the ability to create its own.
The Internet Key Exchange is known as a hybrid protocol. IKE makes use of a protocol framework known as the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP provides IKE with the ability to establish the SA, and does the jobs of defining the format of the data payload and deciding on the key exchange protocol that will be used. ISAKMP is capable of using several methods for exchanging keys, but its implementation in IKE uses aspects of two. Most of the key exchange process uses the OAKLEY Key Determination Protocol (OAKLEY) method, which defines the various modes, but IKE also uses some of the Source Key Exchange Mechanism (SKEME) method, which allows for public key encryption and has the ability to refresh keys rapidly.
When peers wish to communicate securely, they send what's called "interesting traffic" to one another. Interesting traffic is messages that adhere to an IPSec policy that has been established on the peers. One example of this policy found in firewalls and routers is called an access list. The access list is given a cryptography policy by which certain statements within the policy determine whether specific data sent over the connection should be encrypted or not. Once the peers interested in secure communication have matched an IPSec security policy with each other, the Internet Key Exchange process begins.
The IKE process takes place in phases. Many secure connections begin in an unsecured state, so the first phase negotiates how the two peers are going to continue the process of secure communication. IKE first authenticates the identity of the peers and then secures their identities by determining which security algorithms both peers will use. Using the Diffie-Hellman public key cryptography protocol, which is capable of creating matching keys via an unprotected network, the Internet Key Exchange creates session keys. IKE finishes Phase 1 by creating a secure connection, a tunnel, between the peers that will be used in Phase 2.
When IKE enters Phase 2, the peers use the new IKE SA for setting up the IPSec protocols they will use during the remainder of their connection. An authentication header (AH) is established that will verify that messages sent are received intact. Packets also need to be encrypted, so IPSec then uses the encapsulating security protocol (ESP) to encrypt the packets, keeping them safe from prying eyes. The AH is calculated based on the contents of the packet, and the packet is encrypted, so the packets are secured from anyone attempting to replace packets with phony ones or reading the contents of a packet.
IKE also exchanges cryptographic nonces during Phase 2. A nonce is a number or string that is used only once. The nonce is then used by a peer if it needs to create a new secret key or to prevent an attacker from generating fake SAs, preventing what's called a replay attack.
The benefits of a multi-phased approach for IKE is that by using the Phase 1 SA, either peer may initiate a Phase 2 at any time to re-negotiate a new SA to ensure the communication stays secure. After the Internet Key Exchange completes its phases, an IPSec tunnel is created for the exchange of information. The packets sent via the tunnel are encrypted and decrypted according to the SAs established during Phase 2. When finished, the tunnel terminates, by either expiring based on a pre-determined time limit, or after a certain amount of data has been transferred. Of course, additional IKE Phase 2 negotiations can keep the tunnel open or, alternatively, start a new Phase 1 and Phase 2 negotiation to establish a new, secure tunnel.