Current Cisco VPN technologies, such as point-to-point IPsec, IPsec/GRE, DMVPN, GETVPN, and EzVPN, use IKE as the underlying protocol for authenticated key exchange.

The IKE protocol is a hybrid of the Oakley and SKEME protocols and operates inside a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP).

Oakley and SKEME define the steps two peers must take to establish a shared, authenticated key. IKE uses the ISAKMP language to express these and other exchanges.

The primary purpose of IKE is to establish an authenticated key exchange between two peers, using the IKE SA process to derive the keys. During IKE authentication the two peers must authenticate each other, which can be done with either preshared keys or PKI.

————————————————————————————

IKE Using Digital Certificates

IKE needs a mechanism to authenticate the two VPN peers. One option is a preshared key; the other is a digital certificate.

[Figure 1 of the original post (the IKE exchange whose Steps 5 and 6 are discussed below); image not reproduced]

The key difference between IKE with preshared keys and IKE with public keys lies in Steps 5 and 6. With preshared-key authentication, each peer proves its identity with a keyed hash that the other side recomputes. With PKI, each peer signs the hash, that is, encrypts it with its own private key; the receiving peer decrypts it with the sender's public key and compares the result with the hash it computed itself. Each peer learns the other peer's public key from the certificate, which is exchanged in Step 5 and Step 6.
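As an added example (not code from the original post), the Python below sketches the two IKEv1 authenticators as RFC 2409 defines them: with a preshared key the authenticator is HASH_I itself, an HMAC the responder simply recomputes, whereas in signature mode the same HASH_I is "encrypted" with the initiator's private key and the responder checks it with the public key taken from the certificate. The RSA key pair is a toy textbook one generated in-line and SHA-256 is assumed as the negotiated hash; the nonces, cookies and SA payload fed to the functions are constructed sample bytes, not a real exchange.

```python
import hashlib, hmac, random   # Python 3.8+ (walrus operator, pow(e, -1, m))
# Toy textbook RSA (no padding) so this runs on the stdlib alone; a real peer
# uses the RSA key from its certificate with PKCS#1 padding.
def _probable_prime(n, rounds=16):                 # Miller-Rabin, n odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        if not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def rsa_keygen(bits=512):
    def prime():
        while True:
            c = random.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q, e = prime(), prime(), 65537
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)

def prf(key, data):   # IKEv1's PRF is HMAC with the negotiated hash; SHA-256 assumed
    return hmac.new(key, data, hashlib.sha256).digest()

def hash_i(skeyid, body):   # HASH_I = prf(SKEYID, g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDii_b), RFC 2409 s.5
    return prf(skeyid, body)   # 'body' is that concatenation, built by the caller

# Pre-shared key: SKEYID = prf(psk, Ni_b | Nr_b). The authenticator is the hash
# itself; the responder proves it holds the same PSK by recomputing it.
def psk_auth(psk, ni, nr, body):
    return hash_i(prf(psk, ni + nr), body)
def psk_verify(psk, ni, nr, body, received):
    return hmac.compare_digest(psk_auth(psk, ni, nr, body), received)

# Signatures: SKEYID = prf(Ni_b | Nr_b, g^xy). The initiator "encrypts" HASH_I with its
# private key (SIG_I); the responder decrypts it with the public key from the
# initiator's certificate and compares the result with its own HASH_I.
def sig_auth(priv, ni, nr, gxy, body):
    n, d = priv
    return pow(int.from_bytes(hash_i(prf(ni + nr, gxy), body), "big"), d, n)
def sig_verify(pub, ni, nr, gxy, body, sig_i):
    n, e = pub
    return pow(sig_i, e, n) == int.from_bytes(hash_i(prf(ni + nr, gxy), body), "big")
```

Note that in preshared-key mode both sides must already share the secret before Step 5, while in signature mode the responder only needs the initiator's certificate, which is why the certificate payload travels in Steps 5 and 6.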