Saturday, October 20, 2018

The secrets of IKE (Internet Key Exchange) 03 - PSK Aggressive Mode

This is the 3rd post in this IKE series. The other posts in the series are listed below:

01 - Introduction & IKE structure
02 - PSK Main Mode
03 - PSK Aggressive Mode
04 - Digital Signature Main Mode
05 - Digital Signature Aggressive Mode
06 - IKE Phase 2 Quick Mode

In the previous post, we went through Phase 1 of PSK Main Mode. In this post, we will take a look at PSK Aggressive Mode.

PSK Aggressive Mode:
In Aggressive Mode, only 3 packets are exchanged between the Initiator and Responder. It is much simpler than Main Mode. However, in Aggressive Mode some information is exposed in clear (unencrypted) messages, and this may cause some security issues. But for some particular scenarios, Aggressive Mode is the only option.

Packet 1 (Initiator -> Responder):

In the 1st packet, the ISAKMP header contains:

CKY-I:  The Initiator's ISAKMP SPI
CKY-R: The Responder's ISAKMP SPI. At this point, this value is all "0s".

In the payload, it contains:

SA Proposal: In Aggressive Mode, only one SA proposal is allowed.
g^xi: The generated DH public key from the Initiator
Ni_b: Nonce, the randomly generated number for key creation
IDii: Initiator's ISAKMP ID. In PSK Aggressive Mode, the IDii can be a hostname, an IKE-ID (any user-defined string), or an IP address
NAT-T Negotiation: NAT enabled sign

Unlike in Main Mode, the IDii is transmitted in clear text. This makes Aggressive Mode less secure than Main Mode.

Remember the second question raised in the first post?
Why can an Aggressive Mode initiator only have a single SA proposal?

Only a single SA proposal can be put in the 1st packet from the Initiator. The Responder can only accept or decline it. This is unlike Main Mode, where the Responder can select one of the SA proposals provided by the Initiator. The reason is that before sending the 1st packet to the Responder, the Initiator needs to use a selected DH (Diffie-Hellman) group to generate its DH private/public key pair and put the public key (g^xi) in the 1st packet. Therefore, the DH group has already been chosen, and the Responder does not have the option to pick another DH group.

Packet 2 (Initiator <- Responder):
Before assembling the 2nd packet, the Responder needs to generate the SKEYID (seed key) and the 3 other keys:

SKEYID = prf(pre-shared-key, Ni_b | Nr_b)

SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

If you are not familiar with these keys and the elements in the "prf", you can go back to the 2nd post of this IKE series, which describes them in detail.

When these keys are ready, the Responder can start assembling the packet. This 2nd packet is also in clear text.

In the Packet Header, the value of CKY-R is added.

In its payload, it contains the following values:

SA: If the Responder accepts the Initiator's SA proposal, it will reply with the same SA

g^xr: The generated DH public key from Responder

Nr_b: This is the nonce, the random number

IDir: The ISAKMP ID of the Responder

HASH_R: This value will be used by the Initiator to verify the identity of the Responder. It's calculated by the following formula:
HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir)
* SAi_b is the entire body of the SA payload

NAT-T Negotiation: NAT enabled sign

Detected Initiator's IP/port HASH, Responder's IP/port HASH: These two values are used for NAT-T detection. They are calculated from the following:
HASH = HASH(CKY-I | CKY-R | IP | Port)

I think we can answer the 2nd half of question 1 in the first post now:
Why can a remote VPN peer with a dynamic IP ONLY use Aggressive Mode to connect to the hub VPN server?

In Aggressive Mode, the Initiator's IDii is sent in the 1st Packet in clear text. Therefore, the Responder can obtain the Initiator's PSK based on its configured IDii-to-PSK mapping and use the Initiator's PSK to generate the SKEYID and other keys.

If the remote VPN peer doesn't have a static IP, it cannot use an IP address as its IDii, but it can use a Hostname or IKE-ID instead. This only works in Aggressive Mode.

Packet 3 (Initiator -> Responder):

Similarly, the Initiator will generate the SKEYID and the 3 other keys. The HASH_I value will be calculated based on these keys:

HASH_I: The value used by Responder to verify the Identity of the Initiator.
HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii )

Detected Responder's IP/port HASH, Initiator's IP/port HASH: Up to this point, both Initiator and Responder have their own IP/Port Hash and the peer's detected IP/port Hash. They can figure out whether the peer is behind NAT and whether NAT-T is in use.
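The NAT-T comparison described above, as an added example that is not from the original post. It assumes SHA-1 as the negotiated hash, raw IP bytes and a 2-byte network-order port as the encoding; all addresses, cookies and function names are constructed for illustration.

```python
import hashlib, ipaddress, struct

def nat_d_hash(cky_i, cky_r, ip, port):
    # HASH(CKY-I | CKY-R | IP | Port). Assumptions: SHA-1 is the negotiated hash,
    # the IP is its raw 4/16 bytes and the port is 2 bytes in network order.
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def peer_payloads(cky_i, cky_r, sender_own, sender_view_of_peer):
    """The two hashes a sender includes: the detected peer address, then its own."""
    return (nat_d_hash(cky_i, cky_r, *sender_view_of_peer),
            nat_d_hash(cky_i, cky_r, *sender_own))

def detect_nat(cky_i, cky_r, my_addr, observed_src, payloads):
    """Receiver side: compare the received hashes with what it sees on the wire."""
    hash_of_me, hash_of_sender = payloads
    return {
        "local_behind_nat": hash_of_me != nat_d_hash(cky_i, cky_r, *my_addr),
        "peer_behind_nat": hash_of_sender != nat_d_hash(cky_i, cky_r, *observed_src),
    }

def demo():
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))   # constructed cookies
    initiator_private = ("192.168.1.10", 500)             # constructed addresses
    initiator_public = ("203.0.113.5", 1024)              # after source NAT
    responder = ("198.51.100.1", 500)
    # Packet 2 (Responder -> Initiator): the Responder saw the translated address.
    p2 = peer_payloads(cky_i, cky_r, responder, initiator_public)
    at_initiator = detect_nat(cky_i, cky_r, initiator_private, responder, p2)
    # Packet 3 (Initiator -> Responder): the Initiator only knows its private address.
    p3 = peer_payloads(cky_i, cky_r, initiator_private, responder)
    at_responder = detect_nat(cky_i, cky_r, responder, initiator_public, p3)
    return at_initiator, at_responder
```

A mismatch on the hash of your own address means you are behind NAT; a mismatch on the hash of the sender's address means the peer is.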

Also, please note that the 3rd packet is the only encrypted packet in Aggressive Mode. The Initiator uses SKEYID_e and the encryption method in the SA to encrypt this packet.
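The key derivation and the HASH_R / HASH_I checks from Packets 2 and 3, carried through for both peers as an added example that is not from the original post. It assumes HMAC-SHA1 as the prf and uses a toy DH group; the IDs, PSK, SA body and function names are constructed for illustration.

```python
import hashlib, hmac, os

P, G = 2**127 - 1, 3   # toy DH group for illustration only, not an IKE MODP group
PSK_BY_ID = {b"branch-01.example": b"constructed-psk"}  # Responder's IDii-to-PSK map

def prf(key, data):
    # Assumption: the SA negotiated SHA-1, so prf is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n):
    return n.to_bytes(16, "big")

def derive(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and the three derived keys, following the formulas for Packet 2."""
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, d, a, e

def run_exchange(initiator_psk, idii=b"branch-01.example", idir=b"hub.example"):
    # Packet 1 (clear): CKY-I, one SA proposal, g^xi, Ni_b, IDii.
    cky_i, ni = os.urandom(8), os.urandom(16)
    xi = int.from_bytes(os.urandom(15), "big") + 2
    gxi, sai_b = pow(G, xi, P), b"constructed-SA-body"
    # Responder: IDii arrived in clear, so the PSK is selected by ID, not by IP.
    psk_r = PSK_BY_ID[idii]
    cky_r, nr = os.urandom(8), os.urandom(16)
    xr = int.from_bytes(os.urandom(15), "big") + 2
    gxr = pow(G, xr, P)
    skeyid_r = derive(psk_r, ni, nr, i2b(pow(gxi, xr, P)), cky_i, cky_r)[0]
    # Packet 2 (clear): CKY-R, SA, g^xr, Nr_b, IDir, HASH_R.
    hash_r = prf(skeyid_r, i2b(gxr) + i2b(gxi) + cky_r + cky_i + sai_b + idir)
    # Initiator: derive the same keys from its own PSK, then check HASH_R.
    skeyid_i = derive(initiator_psk, ni, nr, i2b(pow(gxr, xi, P)), cky_i, cky_r)[0]
    want_r = prf(skeyid_i, i2b(gxr) + i2b(gxi) + cky_r + cky_i + sai_b + idir)
    if not hmac.compare_digest(want_r, hash_r):
        return "initiator rejects HASH_R"
    # Packet 3: HASH_I, which the Responder recomputes and compares.
    hash_i = prf(skeyid_i, i2b(gxi) + i2b(gxr) + cky_i + cky_r + sai_b + idii)
    want_i = prf(skeyid_r, i2b(gxi) + i2b(gxr) + cky_i + cky_r + sai_b + idii)
    ok = hmac.compare_digest(want_i, hash_i)
    return "phase 1 complete" if ok else "responder rejects HASH_I"
```

With a mismatched PSK the two sides derive different SKEYID values, so the Initiator's HASH_R check fails before Packet 3 is ever sent.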

After exchanging these three packets, the PSK Aggressive Mode IKE phase 1 is completed. A captured pcap file which demonstrates this process can be downloaded from the link below:

In the next post, we will work out how the Digital Signature Main Mode works. Stay tuned!

