We are independent & ad-supported. We may earn a commission for purchases made through our links.
Advertiser Disclosure
Our website is an independent, advertising-supported platform. We provide our content free of charge to our readers, and to keep it that way, we rely on revenue generated through advertisements and affiliate partnerships. This means that when you click on certain links on our site and make a purchase, we may earn a commission. Learn more.
How We Make Money
We sustain our operations through affiliate commissions and advertising. If you click on an affiliate link and make a purchase, we may receive a commission from the merchant at no additional cost to you. We also display advertisements on our website, which help generate revenue to support our work and keep our content free for readers. Our editorial team operates independently of our advertising and affiliate partnerships to ensure that our content remains unbiased and focused on providing you with the best information and recommendations based on thorough research and honest evaluations. To remain transparent, we’ve provided a list of our current affiliate partners here.
Security

Our Promise to you

Founded in 2002, our company has been a trusted resource for readers seeking informative and engaging content. Our dedication to quality remains unwavering—and will never change. We follow a strict editorial policy, ensuring that our content is authored by highly qualified professionals and edited by subject matter experts. This guarantees that everything we publish is objective, accurate, and trustworthy.

Over the years, we've refined our approach to cover a wide range of topics, providing readers with reliable and practical advice to enhance their knowledge and skills. That's why millions of readers turn to us each year. Join us in celebrating the joy of learning, guided by standards you can trust.

What is the Internet Key Exchange?

By S.A. Keel
Updated: May 16, 2024
Views: 8,541
Share

The Internet Key Exchange (IKE) is a set of support protocols created by the Internet Engineering Task Force (IETF) and used with Internet protocol security (IPSec) standards to provide secure communications between two devices, or peers, over a network. As a protocol, IKE can be used in a number of software applications. One common example is setting up a secure virtual private network (VPN). While standard on virtually all modern computer operating systems and networking equipment, much of what the Internet Key Exchange does is hidden from view of the average user.

The protocols in IKE establish what is called a security association (SA) between two or more peers over IPSec, which is required for any secure communications via IPSec. The SA defines the cryptographic algorithm being used in the communication, the encryption keys, and their expiration dates; this all then goes into each peer's security association database (SAD). While IPSec can have its SA configured manually, the Internet Key Exchange negotiates and establishes the security associations among peers automatically, including the ability to create its own.

The Internet Key Exchange is known as a hybrid protocol. IKE makes use of a protocol framework known as the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP provides IKE with the ability to establish the SA, and does the jobs of defining the format of the data payload and deciding on the key exchange protocol that will be used. ISAKMP is capable of using several methods for exchanging keys, but its implementation in IKE uses aspects of two. Most of the key exchange process uses the OAKLEY Key Determination Protocol (OAKLEY) method, which defines the various modes, but IKE also uses some of the Source Key Exchange Mechanism (SKEME) method, which allows for public key encryption and has the ability to refresh keys rapidly.

When peers wish to communicate securely, they send what's called "interesting traffic" to one another. Interesting traffic is messages that adhere to an IPSec policy that has been established on the peers. One example of this policy found in firewalls and routers is called an access list. The access list is given a cryptography policy by which certain statements within the policy determine whether specific data sent over the connection should be encrypted or not. Once the peers interested in secure communication have matched an IPSec security policy with each other, the Internet Key Exchange process begins.

The IKE process takes place in phases. Many secure connections begin in an unsecured state, so the first phase negotiates how the two peers are going to continue the process of secure communication. IKE first authenticates the identity of the peers and then secures their identities by determining which security algorithms both peers will use. Using the Diffie-Hellman public key cryptography protocol, which is capable of creating matching keys via an unprotected network, the Internet Key Exchange creates session keys. IKE finishes Phase 1 by creating a secure connection, a tunnel, between the peers that will be used in Phase 2.

When IKE enters Phase 2, the peers use the new IKE SA for setting up the IPSec protocols they will use during the remainder of their connection. An authentication header (AH) is established that will verify that messages sent are received intact. Packets also need to be encrypted, so IPSec then uses the encapsulating security protocol (ESP) to encrypt the packets, keeping them safe from prying eyes. The AH is calculated based on the contents of the packet, and the packet is encrypted, so the packets are secured from anyone attempting to replace packets with phony ones or reading the contents of a packet.

IKE also exchanges cryptographic nonces during Phase 2. A nonce is a number or string that is used only once. The nonce is then used by a peer if it needs to create a new secret key or to prevent an attacker from generating fake SAs, preventing what's called a replay attack.

The benefits of a multi-phased approach for IKE is that by using the Phase 1 SA, either peer may initiate a Phase 2 at any time to re-negotiate a new SA to ensure the communication stays secure. After the Internet Key Exchange completes its phases, an IPSec tunnel is created for the exchange of information. The packets sent via the tunnel are encrypted and decrypted according to the SAs established during Phase 2. When finished, the tunnel terminates, by either expiring based on a pre-determined time limit, or after a certain amount of data has been transferred. Of course, additional IKE Phase 2 negotiations can keep the tunnel open or, alternatively, start a new Phase 1 and Phase 2 negotiation to establish a new, secure tunnel.

Share
EasyTechJunkie is dedicated to providing accurate and trustworthy information. We carefully select reputable sources and employ a rigorous fact-checking process to maintain the highest standards. To learn more about our commitment to accuracy, read our editorial process.
Discussion Comments
Share
https://www.easytechjunkie.com/what-is-the-internet-key-exchange.htm
Copy this link
EasyTechJunkie, in your inbox

Our latest articles, guides, and more, delivered daily.

EasyTechJunkie, in your inbox

Our latest articles, guides, and more, delivered daily.