How “Encrypted and Authenticated” Payload is Constructed

In the past I had published a few blog posts regarding IKEv2, which can be found here, here and here.


A quick refresh of the IKEv2 establishment can be summarised in the following figure: 




For a brief explanation of the used notation, please check my previous blogpost.


Of a special interest for the IKEv2 Establishment is the Encrypted Payload (also known as Encrypted and Authenticated Payload). This payload looks like this when captured by Wireshark


So, in one of my previous blog posts I had a question how this payload is constructed. It is a very good one, because although explained in RFC 7296, it is not that easy to figure this out (I had also several thorough looks to understand it). So. here you go.


In a nutshell, the Encrypted payload is constructed as follows:

where SK header is the header of the Encrypted payload, IV is the Initialisation Vector, int. hash is the integrity hash. 


A snippet Python code would be as follows: 


def encrypt_plain_text(plain,block_size,sk_ei,iv,hash_size):

    padlen = block_size - (len(plain) % block_size) - 1

    plain += b'\x00' * padlen + bytes([padlen])

    ciphertext=crypto.encrypt(sk_ei, bytes(iv), plain)

    encrypted = iv + ciphertext

    encrypted = encrypted + b'\x00' *hash_size

    return encrypted


The key sk_ei is calculated as described here


I hope this clarifies a few things. 


I am planning to release a white paper on the IKEv2 attack surface soon, accompanied by the release of an open source tool to perform the described on the paper tests. 


So, stay tuned ;-) 

Write a comment

Comments: 0