Fortinet 50A Key management, Manual Keys, AutoIKE with pre-shared keys, AutoIKE with certificates

Key management

There are three basic elements in any encryption system:

•an algorithm that changes information into code,

•a cryptographic key that serves as a secret starting point for the algorithm,

•a management system to control the key.

IPSec provides two ways to handle key exchange and management:

•Manual Keys

•Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

Manual Keys

When using manual keys, matching security settings must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

For using multiple tunnels, an automated system of key management is required.

IPSec supports the automated generation and negotiation of keys using the Internet

Key Exchange protocol. This method of key management is referred to as AutoIKE.

Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.

AutoIKE with pre-shared keys

If both peers in a session are configured with the same pre-shared key, they can use it to authenticate themselves to each other. The peers do not send the key to each other. Instead, as part of the security negotiation process, they use it in combination with a Diffie-Hellman group to create a session key. The session key is used for encryption and authentication and is automatically regenerated by IKE during the communication session.

Pre-shared keys are similar to manual keys in that they require the network administrator to distribute and manage matching information at the VPN peer sites. Whenever a pre-shared key changes, the administrator must update both sites.

AutoIKE with certificates

This method of key management involves a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys, known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. The peer then contacts the CA to retrieve their own certificates, plus that of the CA. After the certificates are uploaded to the FortiGate units and appropriate IPSec tunnels and policies are configured, the peers are ready to communicate. As they do, IKE manages the exchange of certificates, sending signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.

In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.