This paper describes key generating process of IKE, explains that this process may generates weak keys and this could reduce the security of the system. Related RFCs of IKE give no coincident conclusions on whether the weak keys in IKE deployment should be filtered, and no convincible arguments. In this context, this paper discusses the weak keys of ciphering algorithms labeled as MUST and some other ciphering algo-rithms labeled as SHOULD or MAY in related RFCS. Then the effect of weak keys based on practical use is analyzed,including life time of keys,message format of IKE/IPsec, etc. Finally,this paper explictly draws the conclusion that there is no need to filter weak keys of the currently-involved ciphering algorithms.%文中介绍了IKE中密钥的产生过程,明确该过程可能产生对系统安全不利的弱密钥。对于IKE部署中是否需要进行弱密钥过滤的问题, IKE相关的多个标准文档中并未给出一致的结论,亦未给出充分的依据。在此背景下,对IKE标准文档中要求必须使用的密码算法、部分建议使用的密码算法的弱密钥进行了研究。结合IKE的实际使用情况,包括密钥生存周期、IKE/IPsec报文格式等,分析了弱密钥对IKE系统的影响,明确给出了目前涉及的密码算法都不需要进行弱密钥过滤的结论。
展开▼
