Net Security Notes


Date Submitted: 11/07/2014 08:41 PM


Network Security past Paper + Tutorial Questions and Answers:

Past Paper

Group 1 Internet Key Exchange (IKE)

Question 1

(a) Shown below is the first message of the Main Mode of IKE Phase 1 using signature authentication:

Write down the other five messages in this format.

ANSWER:

(b) For the messages in (a) above, describe the contents of each of the IKE payloads in the messages sent by Responder, i.e. the second, fourth and sixth messages.

SA is the Security Association payload; in message two it contains the Responder's choice of algorithm.

KE is the Key Exchange payload; it contains the Responder's Diffie-Hellman key exchange parameters.

Nr is the Nonce payload; it contains random data used to guarantee liveness during the exchange and to protect IKE against replay attacks.

ID is the Identification payload; it contains identification information used to determine the identities of the communicating parties.

SIG is the Signature payload, used to verify the identity of the end entity and to authenticate all the messages exchanged so far.

Question 2

(a) Phase 2 of the IKE protocol consists of a number of messages exchanged between Initiator and Responder. Describe the functions of these messages.

Note: Do not just simply list the exchanged messages without any description.

Message 1: Initiator to Responder; sends the cookies, the proposed crypto methods, the Initiator's SPI and the Initiator's nonce.

Message 2: Responder to Initiator; sends back the cookies, the chosen crypto algorithm, the Responder's SPI and the Responder's nonce.

Message 3: Initiator to Responder; this message serves as an acknowledgement.

(b) Describe the advantages in separating the IKE protocol into two phases, i.e., Phase 1 and Phase 2.

The advantages are mainly in security and efficiency.

Using Phase 1, mutual authentication is performed only once for the two end entities to create an IKE SA, which can then be used to create as many IPsec SAs as required. This is more...
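To make the three Phase 2 messages of Question 2 and the "one IKE SA, many IPsec SAs" point of part (b) concrete, here is an added Python model that is not part of these notes: it runs the exchange as described above and derives the per-direction IPsec keys with the RFC 2409 formulas, assuming HMAC-SHA1 as the prf and simplified dictionary payloads (the names prf, keymat and quick_mode are chosen here).

```python
import hmac
import hashlib
import os

PROTO_ESP = 3  # IPsec DOI protocol identifier for ESP (RFC 2407)

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is an HMAC keyed with the negotiated hash; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d: bytes, proto: int, spi: bytes, ni: bytes, nr: bytes, nbytes: int) -> bytes:
    """RFC 2409 s5.5 without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    expanded as K1 = prf(SKEYID_d, seed), K2 = prf(SKEYID_d, K1 | seed), ... when more is needed."""
    seed = bytes([proto]) + spi + ni + nr
    out, prev = b"", b""
    while len(out) < nbytes:
        prev = prf(skeyid_d, prev + seed)
        out += prev
    return out[:nbytes]

def quick_mode(skeyid_d, skeyid_a, offered, acceptable, msg_id, key_len=16, rnd=os.urandom):
    """Simplified model of the three Phase 2 messages. skeyid_d / skeyid_a are the
    derived keys of the Phase 1 IKE SA; rnd is injectable so a run is reproducible."""
    # Message 1, Initiator -> Responder: proposals, Initiator's inbound SPI, nonce Ni
    spi_i, ni = rnd(4), rnd(16)
    msg1 = {"proposals": offered, "spi": spi_i, "nonce": ni}
    # Message 2, Responder -> Initiator: chosen proposal, Responder's inbound SPI, nonce Nr
    chosen = next((p for p in msg1["proposals"] if p in acceptable), None)
    if chosen is None:
        raise ValueError("NO-PROPOSAL-CHOSEN")  # Responder rejects the exchange
    spi_r, nr = rnd(4), rnd(16)
    msg2 = {"chosen": chosen, "spi": spi_r, "nonce": nr}
    # Message 3, Initiator -> Responder: the acknowledgement. RFC 2409 defines it as
    # HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b); binding Nr proves liveness.
    msg3 = {"hash3": prf(skeyid_a, b"\x00" + msg_id + ni + msg2["nonce"])}
    # Responder recomputes HASH(3) from its own view and installs SAs only on a match
    expected = prf(skeyid_a, b"\x00" + msg_id + msg1["nonce"] + nr)
    if not hmac.compare_digest(msg3["hash3"], expected):
        raise ValueError("HASH(3) mismatch")
    # Each direction is a separate IPsec SA, keyed under the receiver's SPI and both nonces,
    # so every Quick Mode run under the same IKE SA yields fresh, distinct keys
    return {
        "alg": chosen,
        "sa_to_initiator": (spi_i, keymat(skeyid_d, PROTO_ESP, spi_i, ni, nr, key_len)),
        "sa_to_responder": (spi_r, keymat(skeyid_d, PROTO_ESP, spi_r, ni, nr, key_len)),
    }
```

Running quick_mode twice with the same skeyid_d and skeyid_a shows how the single Phase 1 authentication is reused while each IPsec SA still gets its own key.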