The document summarizes the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP allows two parties to negotiate a security association (SA) to protect subsequent communications. It operates in two phases: first, the parties negotiate an ISAKMP SA used to securely exchange keying material, and second, the keying material is used to establish SAs for protocols like IPsec. The document describes the ISAKMP negotiation process, key material derived during negotiation like SKEYID, and the structure of ISAKMP message headers.

1. 1
Internet Security Association and Key
Management Protocol (ISAKMP)
Mr. RAJASEKAR RAMALINGAM
Faculty - Department of IT, College of Applied Sciences – Sur,
Post Box: 484 Post Code: 411, Sultanate of Oman.
vrrsekar@yahoo.com

2. 2
Presentation Path
1. ISAKMP: Introduction
2. ISAKMP Negotiations
3. Key Material
4. Main mode with Pre-shared secret
5. Message Exchange description
6. ISAKMP Header

3. 3
• Two Parties, Initiator and Responder, call ISAKMP to
establish a common SA (Secure channel)
1. ISAKMP: Introduction
• The protocol runs in two stages:
1. Two peers negotiate a common ISAKMP SA
2. ISAKMP SA is used to exchange key material for
IPSec SA (IPSec_AH SA and IPSec_ESP SA)

4. 4
• The negotiated attributes are encryption algorithms,
hashing algorithms, authentication methods and DH
groups for key agreement
2. ISAKMP Negotiations
• Additionally, pseudorandom bit generator is
negotiated
• An ISAKMP SA is bi-directional and provides
confidentiality and authenticity

5. 5
3. Key Material
• The primary key, SKEYID, is obtained for any one the option
1. SKEYID = PBG(Ni Nr, gxixy
) for signatures
2. SKEYID = PBG(H(Ni Nr, CKYi  CKYr)) for public
key encryption
3. SKEYID = PBG(key, Ni Nr) for preshared keys
Ni , Nr nonces, g
xi
, g
xy
public keys, CKYi , CKYr are tokens
(also called cookies)
SKEYID is the secret key upon which all subsequent keys
are based

6. 6
Key Material
SKEYID is used to obtained specific keys
1. SKEYIDd = PBG(SKEYID, g
xixy
CKYi  CKYr0)
2. SKEYIDa = PBG(SKEYID, SKEYIDd  gxixy
CKYi  CKYr1)
3. SKEYIDe = PBG(SKEYID, SKEYIDa  g
xixy
CKYi  CKYr2)
• SKEYIDd is used to create keys for SAs of Phase 2 operations
(IPSec AH and ESP)
• SKEYIDa is used for data authentication and integrity in
ISAKMP SA
• SKEYIDe is used to encrypt IKE messages in ISAKMP SA

7. 7
4. Main mode with Pre-shared secret
ISAKMP Header,
Accepted SA
proposals and one
transform set
ISAKMP Header,
SA proposals and
transform sets
Initiator Responder
Msg # 1
Msg # 2
1
ISAKMP Header,
KE and nonce
ISAKMP Header,
KE and nonce
Msg # 3
Msg # 4
2
ISAKMP Header,
ID_i and Hash
ISAKMP Header,
ID_r and Hash
Msg # 5
Msg # 6
3

8. 8
5. Message Exchange description
• First exchange obtains:
1) Initiator Cookie, 2) Responder Cookie and 3) Security
suite: ESP-DES and ESP HMAC-MD5
• Second exchange obtains:
SKEYID, SKEYIDd, SKEYIDa , SKEYIDe, Nonce and DH key
• Third exchange obtains:
Hash = PBG(SKEYID, g
xixy
CKYi  CKYr SAi  ID_i)
After the third exchange, phase 2 operation commences.

9. 9
6. ISAKMP HEADER
Initiator Cookie: 64 bit
Responder Cookie: 64 bit
Message ID: 32 bit
32 bit
Length: 32 bit
Next Pay
8 bit
MJ Ver
4 bit
Flags
8 bit
MN Ver
4 bit
Exch Type
8 bit

10. 10
Thank You