Fortinet 400 Key management, Manual Keys, AutoIKE with pre-shared keys, AutoIKE with certificates

Key management

There are three basic elements in any encryption system:

•an algorithm which changes information into code,

•a cryptographic key which serves as a secret starting point for the algorithm,

•a management system to control the key.

IPSec provides two ways to handle key exchange and management: manual keying and IKE for automated key management.

•Manual Keys

•Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

Manual Keys

When manual keys are employed, matching security parameters must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

To facilitate deployment of multiple tunnels, an automated system of key management is required. IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is typically referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.

AutoIKE with pre-shared keys

When both peers in a session have been configured with the same pre-shared key, they can use it to authenticate themselves to each other. The peers do not actually send the key to each other. Instead, as part of the security negotiation process, they use it in combination with a Diffie-Hellman group to create a session key. The session key is used for encryption and authentication purposes, and is automatically regenerated during the communication session by IKE.

Pre-shared keys are similar to the manual keys in that they require the network administrator to distribute and manage matching information at the VPN peer sites. Whenever a pre-shared key changes, the administrator must update both sites.

AutoIKE with certificates

This method of key management involves the participation of a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys, known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. The peer then contacts the CA to retrieve their own certificates, plus that of the CA itself. Once the certificates have been uploaded to the FortiGate units and appropriate IPSec tunnels and policies have been configured, the peers are ready to start communicating. As they do, IKE manages the exchange of certificates, transmitting signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.

In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.