3Com 3031 Installation Instructions

61 IKE CONFIGURATION
This chapter covers the following topics:
IKE Overview
Internet Key Exchange (IKE) is a hybrid protocol built on the framework defined 
by the Internet Security Association and Key Management Protocol (ISAKMP). IKE 
provides automatic negotiation and exchange of shared keys for IPSec and sets up 
Security Associations, which simplifies IPSec deployment and management.
Network security has two aspects: the security of the internal LAN, and the 
security of data exchanged with external networks. The former is implemented by 
means such as firewalls and network address translation (NAT). The emerging IPSec 
(IP Security) implements the latter. An IPSec Security Association can be 
established by manual configuration, but as the number of nodes in the network 
grows, manual configuration becomes very difficult and it is hard to ensure 
security. In this case, IKE automatic negotiation can be used to establish 
Security Associations and exchange the shared secret.
IKE has a series of self-protection mechanisms that let it safely distribute 
shared keys, authenticate identities, and establish IPSec Security Associations 
over an unsecured network.
IKE security mechanisms include:
Diffie-Hellman (DH) exchange and shared key distribution.
The Diffie-Hellman algorithm is a shared key algorithm. The two communicating 
parties exchange some data without transmitting the shared key, and each finds 
the shared key by calculation. Encryption requires that both parties hold a 
shared key. The merit of IKE is that it never transmits the shared key directly 
over the unsecured network, but calculates it by exchanging a series of data. 
Even if a third party (e.g. a hacker) captures all the data exchanged to 
calculate the shared key, they cannot work out the real shared key.
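The exchange described above, with both sides' messages, as an added example that is not taken from the manual or from the router's implementation. It assumes the 1024-bit MODP group of RFC 2409 (the manual names no group); the Peer class, run_exchange function and the SHA-256 step are hypothetical and are not IKE's own key derivation.

```python
import hashlib
import secrets

# Assumption: 1024-bit MODP prime of RFC 2409 "Second Oakley Group", generator 2.
# Legacy size, used here only to keep the illustration short.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


class Peer:
    """One side of the exchange; the private exponent never leaves the object."""

    def __init__(self):
        self._x = secrets.randbelow(P - 3) + 2   # private value, 2 <= x <= P-2
        self.public = pow(G, self._x, P)         # g^x mod p, sent on the wire

    def derive_key(self, peer_public):
        # Reject degenerate or out-of-range values (0, 1, P-1, >= P): they
        # would force a shared secret that anyone can predict.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._x, P)    # g^(xy) mod p, never sent
        # Illustrative hash step only; not IKE's actual key derivation.
        return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def run_exchange():
    """Run one exchange; return both derived keys and what crossed the wire."""
    a, b = Peer(), Peer()
    wire = {"p": P, "g": G, "A": a.public, "B": b.public}  # all an observer sees
    return a.derive_key(b.public), b.derive_key(a.public), wire


if __name__ == "__main__":
    key_a, key_b, wire = run_exchange()
    print("keys match:", key_a == key_b)
    print("values on the wire:", sorted(wire))
```

Only p, g and the two public values cross the network; each side combines the other's public value with its own private exponent, which is why capturing the whole exchange does not yield the key.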
Perfect Forward Secrecy (PFS)