: In this paper we suggest improved IKE key exchange protocol combined with the Computer Security USB Key device to solve the problems in using IKE and IKE v2 protocol.
The network layer virtual private network programs such as "strongSwan" and "Openswan" support both of the IKE and the IKEv2, but many networks still use IKE. Unlike IKEv2, DoS(Denial of service) attack may happen in IKE protocol.(Dos attack for the DH calculation that happens when a lot of aggressive mode IKE requests having forged source IP addresses are received) [1] In IKE/IKEv2, Man-in-the-middle attacks to SA payload and KE payload may happen, when user uses the electronic certificate distributed as the file format (eg. *p12), the authentication function of the user's certification can be dropped because of the electronic certificate keeping problem, so that the reliability of network communication can be decreased. [2,3]
To solve the problems in IKE/IKEv2, Computer Security USB Key device is used.
The Computer Security USB Key device is composed of CPU, NAND memory, power unit, USB connector.
NAND memory is divided into manager region where user can not read and write, virtual CD region where only reading is possible and the user’s region where reading and writing are possible. Manager’s region is divided into private key storing region, encrypt algorithm region and electronic certificate storing region.
In private key storing region of the manager’s region the keys(or data that can create key) that can be used in security program or encrypt algorithm can be stored and device serial number for device uniqueness exists.
Computer Security USB Key device and its Implementation IKE 1 st phase security negotiation process in aggressive mode is used as an example for suggested method. Improved IKE 1 st phase security negotiation process is as follows.
① Before the payload SA, KE, Ni and IDii are transmitted, the initiator should get the device serial number from the Computer Security USB Key device, makes UMi payload with device serial number and then encrypts it by using encryption key “key1” inside the device (key1 is same for all Computer Security USB Key device) to transmit to the responder.
If initiator can’t get serial number, IKE 1 st phase security negotiation process is stopped.
② The responder recognizes the initiator as the legal user which didn’t do DoS attack if encrypted UMi payload is decrypted successfully using encryption key “key1” of its Computer Security USB Key device and continues next stage.
In this stage too, the responder who doesn’t have the Computer Security USB Key device can’t take part in negotiation, so that the function of principal’s identity authentication is raised to protect DoS attack from above two stages.
③ The responder works as the initiator to make UMr payload, generates signature using electronic certification kept in the Computer Security USB Key device of responder and encrypts CERT and SIG_R payload reflected electronic certification and signature as an encryption key(serial number of its Computer Security USB Key device) respectively to send to initiator. (In fact, CERT and SIG_R payload is transmitted as the plain text in aggressive mode. It is important to make these payload encrypt in order to raise the identity authentication function.)
④ After the initiator makes sure the responder’s identity by decrypting encrypted UMr , CERT, SIG_R payloads, he makes signature by using electronic certification kept on initiator’s Computer Security USB Key device and encrypts CERT and SIG_R with electronic certification and signature as an encryption key(serial number of its Computer Security USB Key device)respectively to send to responder.
⑤ The responder makes sure the initiator’s identity by decrypting encrypted CERT, SIG_I payloads respectively.
Encrypt algorithm used in improved IKE 1 st phase security negotiation process can be done by
This content is AI-processed based on open access ArXiv data.
