OAKLEY Key exchange protocol
The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection using the Diffie-Hellman key exchange algorithm.
- generic key management protocol (no implementation formats are specified)
- based on Diffie-Hellman key exchange algorithm but improved
- enables parameter adjustments (group, algorithms) during the exchange
- uses cookies to prevent resource exhaustion (clogging) attacks
- uses authentication to prevent man-in-the-middle attacks
Authentication types used with OAKLEY
- digital signatures: each party encrypts a hash of the exchange parameters (user IDs and nonces) with its private key
- public key encryption: exchange parameters are encrypted with the sender's private key
- symmetric key encryption: a key derived by out-of-band means is used for encryption
OAKLEY protocol operation
1. Initiator A sends an initiation message to B
- it states the algorithms for public-key cryptography, hash functions and authentication
- includes IDs for A and B, a random number (nonce), the group (the abstract mathematical structure Diffie-Hellman (DH) relies upon), A's own public DH value and the offered algorithms
2. Recipient B verifies the message signature using A's public key and sends a response
- acknowledges the message with a response that includes:
3. Entity A verifies the signature of the received message with B's public key
- A sends a last message to confirm receipt of B's message
- this message is similar to the first one (instead of the offered algorithms it contains the selected ones)
After these steps both entities are able to calculate the session key. Only three messages are needed for the key exchange, which is why this mode is called aggressive. Identities are not protected! The ISAKMP protocol is needed to manage security associations for IPsec.
EXHAUSTION OF RESOURCES - CLOGGING ATTACKS
Clogging attack is a type of denial of service (DoS) attack against a public key cryptography system.
- attacker sends a public key with a forged (spoofed) source IP address to the server
- the server under attack computes the private key for the session and returns it to the IP address provided
- intensive computation of private keys can lead to resource exhaustion
OAKLEY prevents this with use of cookies
- an initiation message must be sent that includes a cookie (a random number)
- the reply to this message includes the same cookie
- if the source IP address is not valid, the reply never reaches the attacker, so it cannot include the proper cookie in the next message
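Added example (not from the original notes): a responder that answers initiations with a cheap stateless cookie and performs the expensive Diffie-Hellman exponentiation only after the cookie is echoed back. The keyed-hash cookie construction, the toy DH group and the addresses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Toy DH group, constructed for illustration only; real Oakley groups use
# 768-bit and larger MODP primes (RFC 2412 / RFC 2409).
P, G = 2147483647, 5


class Responder:
    """Responder B: cheap cookie reply first, DH work only after cookie check."""

    def __init__(self):
        self.secret = os.urandom(32)                  # per-responder cookie secret
        self.private = int.from_bytes(os.urandom(4), "big") % (P - 2) + 1
        self.public = pow(G, self.private, P)
        self.exponentiations = 0                      # expensive DH operations done

    def cookie_for(self, src_ip: str) -> str:
        # Stateless cookie (assumed construction): keyed hash of the claimed
        # source address, so nothing is stored for initiators that never reply.
        return hmac.new(self.secret, src_ip.encode(), hashlib.sha256).hexdigest()[:16]

    def handle_initiation(self, src_ip: str, cookie_i: str) -> dict:
        # Cheap reply, no modular exponentiation; only a host that can really
        # receive traffic at src_ip learns cookie_r.
        return {"cookie_i": cookie_i, "cookie_r": self.cookie_for(src_ip)}

    def handle_key_exchange(self, src_ip: str, cookie_r: str, peer_public: int):
        # Refuse the expensive step unless the echoed cookie matches.
        if not hmac.compare_digest(cookie_r, self.cookie_for(src_ip)):
            return None
        self.exponentiations += 1
        return pow(peer_public, self.private, P)     # shared DH secret


def simulate(spoofed_attempts: int) -> dict:
    """One honest initiator plus a flood of initiations with forged source IPs."""
    b = Responder()
    a_priv, a_pub = 12345, pow(G, 12345, P)
    reply = b.handle_initiation("10.0.0.5", cookie_i="a-cookie")   # A sees the reply
    shared_b = b.handle_key_exchange("10.0.0.5", reply["cookie_r"], a_pub)
    shared_a = pow(b.public, a_priv, P)
    # Attacker forges source addresses: replies go elsewhere, so it can only
    # guess cookie_r and never triggers the DH computation.
    rejected = 0
    for i in range(spoofed_attempts):
        ip = f"192.0.2.{i % 256}"
        b.handle_initiation(ip, cookie_i="x")
        if b.handle_key_exchange(ip, "0" * 16, a_pub) is None:
            rejected += 1
    return {"keys_agree": shared_a == shared_b,
            "dh_operations": b.exponentiations, "rejected": rejected}
```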
MAN-IN-THE-MIDDLE ATTACKS
Man-in-the-middle attack or bucket-brigade attack (often abbreviated MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.
OUT-OF-BAND
Out-of-band is a technical term that refers to communications which occur outside of a previously established communications method or channel.