Virtual vpn in the cloud

11 
tunnel could support AH or ESP option. The key management portion of IPsec involves the 
determination and distribution of secret keys. 
Different authentication methods [21] [27] suitable for enhancing security in the cloud are 
discussed below: 
•
Pre-shared key 
•
Digital signatures 
The different methods for authenticating the IPSec-VPN peers are as follows: 
3.2.1
 
Pre-Shared Keys 
Definition:
Pre shared keys [21] is string of unicoded characters used in the authentication 
of IPSec-VPN entities. The peers use the pre shared keys and nonce (an arbitary number 
used only once for communication) to create a hash that is used to authenticate messages. 
Working:
With pre-shared keys, the same pre-shared key is configured on each IPSec peer. 
During negotiation, information is encrypted prior to transmission using a session key. The 
session key is created using the Diffie-Hellman calculation and shared secret key. If the 
receiving peer is able to independently create the same hash using its pre-shared key, then it 
knows that both peers must share the same secret, thus authenticating the other peer, if not 
packet is discarded. Pre-shared keys are easier to configure than manually configuring IPSec 
policy values on each IPSec peer.
 
Example: 
In IKEv2, negotiation of IKE SAs takes place in two phases. The first phase 
begins with the exchange of nonce between the two sides, followed by Diffie-Hellman 
exchange. The two sides then generate a set of IKE keys using the nonce, Diffie-Hellman 
key and the pre-shared key. Authentication data is then exchanges, via IKE encrypted 
messages. In the second phase, with the exchange of SPI values and possibly another Diffie-
Hellman exchange IPSec SAs are generated. Thus encrypted traffic is sent across the two 
peers after the establishment of IPSec SA.

Download 2,76 Mb.

Do'stlaringiz bilan baham: