I-D: Extended Key exchange protocol
Hello,
I have written a very first version of a draft on an "Extended Key
Exchange Protocol".
In short, it describes an extended protocol (E-IKE) based on IKE
which allows more than two parties to be involved in the authentication
process and key exchange. It supports extended SA management/
establishment by applying the security policies of the involved parties
during the protocol (I've appended the TOC for a short overview).
Feel free to get a copy from
http://www.imib.med.tu-dresden.de/imib/Internet/index.html
I would appreciate discussing this with interested people. (I'll
be in L.A., so a -hopefully positive ;-)- personal conversation
will also be possible...)
Thanks,
Kai
*****
Table of Contents
1. ABSTRACT
2. DISCUSSION
3. TERMS AND DEFINITIONS
4. THE PROTOCOL
4.1 DESIGN OBJECTIVES
4.2 INITIAL MESSAGE ROUTING
4.3 PROTOCOL USING COMPLETE IKE EXCHANGES
4.4 PROTOCOL USING AN IKE-SECURED CHANNEL
4.5 MESSAGE FORMAT
4.5.1 Message Blocks / Message Matrices
4.5.2 Authentication Fields / Authentication Methods
4.6 MESSAGE FLOW
4.7 MESSAGE MATRIX
4.8 RESTRICTIONS
4.9 KEY GENERATION
4.10 COMPARISON
5. LOCAL SA MANAGEMENT
5.1 SA BUNDLING
5.2 ASYMMETRIC SAS
6. SECURITY POLICY MANAGEMENT ON GATEWAYS AND END NODES
7. SECURITY CONSIDERATIONS
APPENDIX A.1 - SYMBOLIC FUNCTIONS USED
APPENDIX A.2 - FIRST PROTOCOL APPROACH
APPENDIX A.3 - SECOND APPROACH
APPENDIX B - EXAMPLES
B.1 REMOTE ACCESS
B.2 VPN
# Kai Martius #
# Dpt. of Medical CS and Biometrics / Dresden University of Technology #
# PGP Fingerprint: to be compared after download of my key #
# available at http://www.imib.med.tu-dresden.de/imib/personal/kai.html #
# See our project (and me) at CeBit'98 fair Hannover/Germany 19-25.3.98 #
# Infos: http://www.inf.tu-dresden.de/~hf2/cebit98 #