Specifications

OmniAccess Reference: AOS-W System Reference
114 Part 031652-00 May 2005
Encryption
Encrypting the transmitted data is only one part of the security process.
Although this affords some security, all the common data encryption schemes
such as WEP (Wired Equivalent Privacy) have been broken and anyone with the
software can read your data in plain text.
IKE (Internet Key Exchange) Encryption
IKE encryption is based on establishing a contract between the two computers
(or servers) that are exchanging data. This security method is accomplished in
two phases: the first establishes the identity of the computers and
authenticates the security contract between them; the second establishes the
encryption of the payload data. The negotiations during phase II are protected
by the methods established in phase I.
Phase I Negotiations
The negotiation of a contract initially involves three basic steps:
• Policy negotiation
• DH public value exchange
• Authentication
Policy negotiation consists of four mandatory parameters: encryption
algorithm (DES, 3DES), hash algorithm, authentication method, and
Diffie-Hellman (DH) group.
During the DH exchange only the base information required to generate the
actual keys is exchanged.
Authentication of the DH key exchange is done to ensure that the keys were
correctly generated and passed.
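The three Phase I steps above, modelled as an added example (not code from the AOS-W reference): the initiator offers (encryption, hash, authentication method, DH group) proposals, the responder selects one, and both peers derive the same secret from exchanged public values alone. The DH group, pre-shared key and the simplified SKEYID derivation are constructed toy values, not the IKE standard groups or the exact IKEv1 PRF chain.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group: p = 2**127 - 1 (a prime), g = 5. Real IKE peers
# use the MODP groups from RFC 2409 / RFC 3526 (768-bit modulus and larger).
TOY_P = 2**127 - 1
TOY_G = 5


def negotiate_policy(initiator_proposals, responder_accepts):
    """Phase I policy negotiation: proposals are (encryption, hash,
    authentication method, DH group) tuples in the initiator's preference
    order; the responder takes the first one it is also willing to use."""
    for proposal in initiator_proposals:
        if proposal in responder_accepts:
            return proposal
    raise ValueError("no acceptable Phase I proposal")


class Peer:
    """One IKE peer: a private DH value that never leaves the host and the
    public value g^x mod p that is sent to the other side."""

    def __init__(self, p=TOY_P, g=TOY_G):
        self.p, self.g = p, g
        self._x = secrets.randbelow(p - 2) + 1   # private exponent, never sent
        self.public = pow(g, self._x, p)         # the only DH data on the wire
        self.nonce = secrets.token_bytes(16)     # Ni or Nr

    def shared_secret(self, peer_public):
        """Compute g^xy from the peer's public value; g^xy is never sent."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid DH public value")  # rejects 0, 1, p-1
        return pow(peer_public, self._x, self.p)


def derive_skeyid(psk, ni, nr):
    """Simplified stand-in for IKEv1's pre-shared-key SKEYID = prf(psk, Ni|Nr)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def run_phase1(proposals, accepts, psk=b"constructed-psk"):
    """Run the three steps; returns (chosen policy, secrets agree?, SKEYID)."""
    policy = negotiate_policy(proposals, accepts)
    init, resp = Peer(), Peer()
    k_i = init.shared_secret(resp.public)    # initiator computes (g^y)^x
    k_r = resp.shared_secret(init.public)    # responder computes (g^x)^y
    return policy, k_i == k_r, derive_skeyid(psk, init.nonce, resp.nonce)
```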
Phase II Negotiations
Phase II is the negotiation of the algorithms used to encrypt the payload data.
This consists of three steps:
• Policy negotiation
• Session key materials are exchanged or renewed
• SAs (Security Associations), keys, and SPI (Security Parameters Index)
values are passed to the IPSec driver.