SRX Services Gateway
Contributor
Posts: 133
Registered: ‎03-11-2017
0 Kudos

ipsec nonces

what are the uses of nonces and cookies in ipsec ?

Super Contributor
Posts: 88
Registered: ‎07-19-2016
0 Kudos

Re: ipsec nonces


Nonce: a randomly generated number that the initiator sends. This nonce is hashed along with the other items using the agreed key and is sent back. The initiator checks the cookie, including the nonce, and rejects any messages which do not have the right nonce. This helps prevent replay, since no third party can predict what the randomly generated nonce is going to be.

Cookie:

The two peers generate a pseudo-random number that is used for anticlogging purposes. These cookies are based on a unique identifier for each peer (src and destination IP addresses) and therefore protect against replay attacks. The ISAKMP RFC states that the method of creating the cookie is implementation-dependent but suggests performing a hash of the IP source and destination address, the UDP source and destination ports, a locally generated random value, time, and date. The cookie becomes a unique identifier for the rest of the messages that are exchanged in IKE negotiation.
The following list shows how each peer generates its cookie:
Generation of the initiator cookie—An 8-byte pseudo-random number used for anti-clogging
CKY-I = md5{(src_ip, dest_ip), random number, time, and date}
Generation of the responder cookie—An 8-byte pseudo-random number used for anti-clogging
CKY-R = md5{(src_ip, dest_ip), random number, time, and date}
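As an added worked example (not Junos code, not taken from the KB article, and not from any of the posts in this thread), the following Python models the responder side of a much reduced IKEv1 main mode exchange. The cookie is built the way the RFC suggestion quoted above describes (hash of addresses, ports, a local random value and the date/time, truncated to 8 bytes), a fresh nonce feeds the SKEYID derived from the pre-shared key (RFC 2409 section 5.4), and the authentication hash is a simplified stand-in for HASH_I that leaves out the Diffie-Hellman values and SA payload. It then shows what each piece rejects: a sniffed message replayed against the same exchange, the same values replayed into a new exchange (the responder's Nr is fresh), a peer that does not hold the PSK, and a message whose cookie pair the responder never issued. The class and function names, the addresses, the identity string and the PSK value are all constructed for this example.

```python
import hashlib
import hmac
import os
import struct
import time

def make_cookie(src_ip, dst_ip, src_port, dst_port, local_random, now):
    """8-byte anti-clogging cookie built the way RFC 2408 suggests: a hash over
    the IP addresses, UDP ports, a locally generated random value and the
    date/time, truncated to 8 bytes. MD5 only because the post quotes it; the
    cookie is an unpredictable identifier, not a strong hash."""
    material = b"|".join([src_ip.encode(), dst_ip.encode(),
                          struct.pack("!HH", src_port, dst_port),
                          local_random, struct.pack("!Q", int(now))])
    return hashlib.md5(material).digest()[:8]

def make_nonce(nbytes=32):
    """Fresh, unpredictable nonce (RFC 2409 allows 8 to 256 bytes)."""
    return os.urandom(nbytes)

def skeyid_psk(psk, ni, nr):
    """SKEYID for pre-shared-key authentication, prf(psk, Ni_b | Nr_b) per
    RFC 2409 section 5.4. HMAC-SHA256 stands in for the negotiated prf."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()

def auth_hash(skeyid, cky_i, cky_r, ni, nr, id_b):
    """Simplified stand-in for HASH_I (the real one also covers the DH public
    values and the SA payload): binds both cookies, both nonces and the ID
    under a key only a holder of the PSK can derive."""
    return hmac.new(skeyid, cky_i + cky_r + ni + nr + id_b, hashlib.sha256).digest()

class Responder:
    """Responder side of a much reduced IKEv1 main mode exchange (constructed)."""

    def __init__(self, psk, ip, port=500):
        self.psk, self.ip, self.port = psk, ip, port
        self.exchanges = {}   # (CKY-I, CKY-R) -> per-exchange state

    def message_1(self, peer_ip, peer_port, cky_i):
        """Message 1 arrived: pick CKY-R and remember the pair. No crypto yet."""
        cky_r = make_cookie(self.ip, peer_ip, self.port, peer_port, os.urandom(8), time.time())
        self.exchanges[(cky_i, cky_r)] = {"ni": None, "nr": make_nonce(), "done": False}
        return cky_r

    def message_3(self, cky_i, cky_r, ni):
        """Message 3 carried Ni; answer with our fresh Nr."""
        state = self.exchanges[(cky_i, cky_r)]
        state["ni"] = ni
        return state["nr"]

    def message_5(self, cky_i, cky_r, id_b, auth):
        """Message 5 carried the initiator's authentication hash."""
        state = self.exchanges.get((cky_i, cky_r))
        if state is None or state["ni"] is None:
            return False   # unknown cookie pair: dropped before any key derivation
        if state["done"]:
            return False   # this exchange already authenticated: duplicate or replay
        skeyid = skeyid_psk(self.psk, state["ni"], state["nr"])
        expected = auth_hash(skeyid, cky_i, cky_r, state["ni"], state["nr"], id_b)
        state["done"] = hmac.compare_digest(expected, auth)
        return state["done"]

def run_demo():
    """Which messages the responder accepts. All addresses and keys are constructed."""
    psk, ident = b"example-psk", b"initiator.example"
    resp = Responder(psk, "192.0.2.1")
    results = {}

    # Genuine exchange: initiator knows the PSK and uses fresh values.
    cky_i = make_cookie("192.0.2.2", resp.ip, 500, resp.port, os.urandom(8), time.time())
    cky_r = resp.message_1("192.0.2.2", 500, cky_i)
    ni = make_nonce()
    nr = resp.message_3(cky_i, cky_r, ni)
    auth = auth_hash(skeyid_psk(psk, ni, nr), cky_i, cky_r, ni, nr, ident)
    results["genuine"] = resp.message_5(cky_i, cky_r, ident, auth)

    # Sniffed message 5 replayed against the same exchange.
    results["replay_same_exchange"] = resp.message_5(cky_i, cky_r, ident, auth)

    # New exchange that replays CKY-I, Ni and the old hash: the responder's Nr is
    # fresh, so SKEYID and therefore the expected hash differ.
    cky_r2 = resp.message_1("192.0.2.2", 500, cky_i)
    resp.message_3(cky_i, cky_r2, ni)
    results["replay_new_exchange"] = resp.message_5(cky_i, cky_r2, ident, auth)

    # Man in the middle with fresh values but without the PSK.
    cky_i3 = make_cookie("198.51.100.9", resp.ip, 500, resp.port, os.urandom(8), time.time())
    cky_r3 = resp.message_1("198.51.100.9", 500, cky_i3)
    ni3 = make_nonce()
    nr3 = resp.message_3(cky_i3, cky_r3, ni3)
    forged = auth_hash(skeyid_psk(b"guessed-psk", ni3, nr3), cky_i3, cky_r3, ni3, nr3, ident)
    results["wrong_psk"] = resp.message_5(cky_i3, cky_r3, ident, forged)

    # Cookie pair the responder never issued: dropped without any key derivation.
    results["stray_cookie"] = resp.message_5(os.urandom(8), os.urandom(8), ident, auth)
    return results

if __name__ == "__main__":
    print(run_demo())
```

Running it prints a dict in which only "genuine" is True. The cookie pair is what lets the responder throw away stray or forged traffic before doing any key derivation (the anti-clogging role), the fresh Nr is what makes a recorded hash useless in any later exchange, and the PSK is what an on-path attacker lacks when it tries to produce its own hash.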

Super Contributor
Posts: 209
Registered: ‎07-18-2012
0 Kudos

Re: ipsec nonces

Hi Folks,

Some pointers on the same, relevant to the IKE Phase 1 messages sent.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB6393&actp=METADATA

-Python
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Contributor
Posts: 133
Registered: ‎03-11-2017
0 Kudos

Re: ipsec nonces

So let me get this straight.
What I understand is that a cookie is an 8-byte pseudo-random number that contains a hash (source/dest IP address, source/dest port, timestamp and nonce), and the nonce is a random number inserted inside the cookie???

* But how does this provide protection? A man in the middle can just take it and send it back???

Distinguished Expert
Posts: 1,116
Registered: ‎08-29-2013
0 Kudos

Re: ipsec nonces

I hope this article is a bit more simple and clear: https://en.m.wikipedia.org/wiki/Cryptographic_nonce
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Distinguished Expert
Posts: 5,118
Registered: ‎03-30-2009
0 Kudos

Re: ipsec nonces

The primary means to prevent the man in the middle for the IPsec VPN is the use of the pre-shared key. This is manually entered on both sides and never crosses the wire.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home