PKI Fundamentals - 7

Current Cisco *** technologies, such as point-to-point IPsec, IPsec/GRE, DM***, GET***, and Ez***, use IKE as the underlying protocol for authenticated key exchange. All current Cisco *** technologies use the IKE protocol.

The IKE protocol is a hybrid of the Oakley and SKEME protocols and operates inside a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). The IKE protocol itself is a hybrid protocol, made up of Oakley, SKEME and ISAKMP.

Oakley and SKEME define the steps two peers must take to establish a shared, authenticated key. IKE uses the ISAKMP language to express these and other exchanges. The steps defined by Oakley and SKEME are the ones two peers must take to establish a shared, authenticated key; IKE uses the ISAKMP language to carry these exchanges.

The primary purpose of IKE is to establish an authenticated key exchange between two peers, using the IKE SA process to derive the keys. During IKE authentication, the two peers need to authenticate each other, which can be done either with preshared keys or with PKI. IKE therefore has two main purposes: establishing a key exchange between the two peers, and mutual authentication of the two peers, which can be done with preshared keys or PKI.

————————————————————————————

IKE Using Digital Certificates

IKE needs a mechanism to authenticate two *** peers. IKE needs a way to authenticate both entities: one option is a preshared key, the other is a digital certificate.

image

The key difference between IKE using the preshared key and IKE using the public key lies in Steps 5 and 6. IKE with preshared authentication uses a hash as the method to authenticate both peers. When using PKI, the peers encrypt the hash with their respective private keys. The hash is then decrypted using the respective public key of the peers. Each peer needs to know the public key of the other peer by looking into its certificate, which is exchanged in Step 5 and Step 6.

Authentication with a preshared key and with a digital certificate differs in Steps 5 and 6. When PKI is used, each entity encrypts the hash with its own private key, and the receiving side decrypts that hash with the sender's public key. Each entity needs to know the other's public key, which is obtained from the certificate.
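The two authentication methods described for Steps 5 and 6 can be modelled side by side. The following is an added example, not code from the original post or from Cisco: the preshared-key case is shown as a keyed hash (HMAC) over the exchange material, and the PKI case as the same hash signed with the sender's private key and checked with the public key taken from the sender's certificate, where a toy CA signs each certificate so the receiver can check it against a trust anchor. The exchange data, the preshared key, the peer names and the "certificate" layout are all constructed, and the RSA is textbook RSA over Mersenne primes with no padding, used only to show the private-key/public-key principle rather than the exact IKEv1 HASH_I/HASH_R or SIG_I/SIG_R encoding.

```python
"""Added example (not from the original post): IKE-style peer authentication,
preshared key (keyed hash) versus PKI (hash signed with a private key, verified
with the public key from a CA-signed certificate). All values are constructed."""

import hashlib
import hmac

# Constructed stand-in for what both peers hash in Steps 5 and 6
# (SA proposal, nonces, Diffie-Hellman public values, identities).
EXCHANGE_DATA = b"constructed-exchange: SA-proposal|Ni|Nr|g^xi|g^xr|ID_i|ID_r"


def digest(data: bytes) -> int:
    """SHA-256 of the exchange material as an integer (smaller than every modulus used here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# ---- Preshared-key authentication: both sides recompute the same keyed hash ----
def psk_authenticator(psk: bytes, exchange: bytes) -> bytes:
    return hmac.new(psk, exchange, hashlib.sha256).digest()


def psk_verify(psk: bytes, exchange: bytes, received: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the key.
    return hmac.compare_digest(psk_authenticator(psk, exchange), received)


# ---- PKI authentication: textbook RSA (toy: no padding, fixed Mersenne primes) ----
def make_keypair(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)        # (public key, private key)


def rsa_sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest(data), d, n)          # "encrypt the hash with the private key"


def rsa_verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data)   # "decrypt with the public key" and compare


def cert_body(subject: str, public_key) -> bytes:
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private, subject: str, public_key) -> dict:
    """Toy certificate: the CA signs the binding between a name and a public key."""
    return {"subject": subject, "public_key": public_key,
            "ca_signature": rsa_sign(ca_private, cert_body(subject, public_key))}


def verify_certificate(ca_public, cert: dict) -> bool:
    """Receiver checks the CA signature before trusting the public key inside the certificate."""
    return rsa_verify(ca_public, cert_body(cert["subject"], cert["public_key"]), cert["ca_signature"])


def run_authentication_demo() -> dict:
    """Runs Steps 5/6 both ways and returns which checks pass (all inputs constructed)."""
    psk = b"constructed-preshared-key"
    # Distinct Mersenne primes per key pair so the CA and the two peers hold different keys.
    ca_pub, ca_priv = make_keypair((1 << 521) - 1, (1 << 127) - 1)
    init_pub, init_priv = make_keypair((1 << 607) - 1, (1 << 107) - 1)
    resp_pub, resp_priv = make_keypair((1 << 1279) - 1, (1 << 89) - 1)
    init_cert = issue_certificate(ca_priv, "initiator.example", init_pub)
    resp_cert = issue_certificate(ca_priv, "responder.example", resp_pub)

    # Preshared key: initiator sends a keyed hash; responder recomputes it.
    auth_i = psk_authenticator(psk, EXCHANGE_DATA)
    # PKI: each peer sends its certificate plus the signed hash; the other side
    # verifies the certificate against the CA and then the signature with the cert's key.
    sig_i = rsa_sign(init_priv, EXCHANGE_DATA)
    sig_r = rsa_sign(resp_priv, EXCHANGE_DATA)
    tampered = EXCHANGE_DATA + b"|modified-in-transit"
    forged_cert = {**init_cert, "public_key": resp_pub}   # key swapped without the CA's blessing
    return {
        "psk_ok": psk_verify(psk, EXCHANGE_DATA, auth_i),
        "psk_wrong_key": psk_verify(b"some-other-key", EXCHANGE_DATA, auth_i),
        "pki_initiator_ok": verify_certificate(ca_pub, init_cert)
        and rsa_verify(init_cert["public_key"], EXCHANGE_DATA, sig_i),
        "pki_responder_ok": verify_certificate(ca_pub, resp_cert)
        and rsa_verify(resp_cert["public_key"], EXCHANGE_DATA, sig_r),
        "pki_tampered_exchange": rsa_verify(init_cert["public_key"], tampered, sig_i),
        "pki_forged_cert": verify_certificate(ca_pub, forged_cert),
    }


if __name__ == "__main__":
    for check, passed in run_authentication_demo().items():
        print(f"{check}: {'pass' if passed else 'fail'}")
```

The two failure cases are the ones a practitioner cares about: a modified exchange no longer matches the signed hash, and a certificate whose public key was swapped fails the CA check, which is why the receiver must validate the certificate before using the key it carries.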
