Virtual Private Networks
Overview
10-10
Figure 10-2. IKE Phase 1 (figure placeholder: two routers, connected across the Internet, exchange six numbered messages)
1. Proposals for IKE SA; the peer returns the matching proposal.
2. Both compute Diffie-Hellman public value.
3. Diffie-Hellman public value (exchanged).
4. Both compute encryption and authentication keys.
5. Authentication information (encrypted).
6. [label missing]
Authentication. In the third IKE phase 1 exchange, hosts confirm each
other's identities according to the method agreed upon in the first exchange.
The method can be:
preshared keys
digital certificates
Preshared keys are symmetric. Hosts using preshared keys have determined
the same secret value beforehand. They now exchange this value to authenticate
each other, and the IKE SA is established.
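The Figure 10-2 flow with preshared-key authentication, as an added example that is not the page's or any vendor's code: it uses a constructed toy Diffie-Hellman group, a SHA-256 split in place of IKE's PRF-based key derivation, and an HMAC under the preshared key over the exchanged public values as the "authentication information"; the proposal strings and the PSK values are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (real IKE
# negotiates standardised groups such as the RFC 3526 MODP groups).
P = 2**64 - 59  # prime
G = 2


def dh_public(priv):
    return pow(G, priv, P)


def derive_keys(shared_secret):
    # Step 4 of Figure 10-2: both sides derive encryption and authentication
    # keys from the DH shared secret. A SHA-256 split stands in for IKE's
    # PRF-based key schedule (assumption, not the real derivation).
    material = hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()
    return {"enc": material[:16], "auth": material[16:]}


def psk_tag(psk, sender_pub, receiver_pub):
    # Step 5: authentication information, an HMAC under the preshared key,
    # bound to the public values exchanged in step 3 so it cannot be replayed
    # into a different exchange. (Sent encrypted in IKE; omitted here.)
    msg = sender_pub.to_bytes(8, "big") + receiver_pub.to_bytes(8, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def ike_phase1(initiator_psk, responder_psk,
               offered=("aes256-sha256-g14", "3des-sha1-g2"),
               accepted=("aes256-sha256-g14",)):
    # Step 1: initiator offers IKE SA proposals; responder returns the first
    # one it supports, or nothing if they share no acceptable policy.
    matching = next((p for p in offered if p in accepted), None)
    if matching is None:
        return {"proposal": None, "keys_match": False, "authenticated": False}
    # Steps 2 and 3: each side picks a private value and exchanges the public half.
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pub_a, pub_b = dh_public(a), dh_public(b)
    keys_a = derive_keys(pow(pub_b, a, P))
    keys_b = derive_keys(pow(pub_a, b, P))
    # Step 5: each side sends its tag; the peer recomputes it under the PSK it
    # holds and compares in constant time. A mismatched PSK fails here.
    tag_a = psk_tag(initiator_psk, pub_a, pub_b)
    tag_b = psk_tag(responder_psk, pub_b, pub_a)
    a_ok = hmac.compare_digest(tag_b, psk_tag(initiator_psk, pub_b, pub_a))
    b_ok = hmac.compare_digest(tag_a, psk_tag(responder_psk, pub_a, pub_b))
    return {"proposal": matching, "keys_match": keys_a == keys_b,
            "authenticated": a_ok and b_ok}
```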
Digital certificates use asymmetric keys. That is, each host receives two keys
from a certificate authority (CA)—one to encrypt data and one to decrypt data.
The host's private key encrypts data, which can then only be decrypted with
that host's public key.
[Figure 10-2, right-hand side: the responding router across the Internet returns the matching proposal, its Diffie-Hellman public value, and its authentication information (encrypted).]