4.1 Main Mode - No Extended Mode

The following figure details a main mode (MM) exchange without a Diffie-Hellman exchange, in which the GSS-API secret is used to generate the keying material.

Figure 31: Main mode - no extended mode exchange

Message #1: The initiator sends security association (SA) proposals (Kerberos or TLS), the MM crypto options, and a nonce. Diffie-Hellman is not required, and the initiator does not send a key exchange (KE) payload.

Message #2: The responder looks up the policy based on IP addresses only. It chooses an SA proposal, such as Kerberos with 3DES. The responder also sends its security principal name, the MM nonce, and the quick mode nonce.

Message #3: The initiator calls GSS-API to get a token for the peer security principal name. This token is sent unmodified.

Message #4: The responder calls GSS-API on the initiator token. This generates a new token, which the responder sends back. In this example, only one exchange is needed. The responder's GSS-API exchange is done, and a GSS-API cryptographic context is available.

Message #5: The initiator calls GSS-API on the responder token. This succeeds, and the initiator now has a cryptographic context. All the previous payloads are hashed and then signed with the key that is generated by the GSS-API exchange. This is the HAuth1 payload. The initiator includes the traffic selectors (IDi, IDr) for the traffic to be secured on the wire, proposals for encryption or integrity in the QM SA payload, and a nonce.

Message #6: The responder verifies HAuth1 and generates a similar HAuth2. The responder looks up its policy based on the traffic selectors. The responder sends back the traffic selectors and SA proposals that it has chosen. The responder then adds the QM SAs.

When the initiator receives the last packet, it validates HAuth2 and adds its QM SAs. If the last packet that is sent by the responder is lost, the initiator retransmits its last packet. Upon receiving it, the responder resends its last Authenticated Internet Protocol packet.
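
The HAuth1/HAuth2 checks and the retransmission rule described above, as an added sketch that is not part of the original specification text. Assumptions: HMAC-SHA256 stands in for the GSS-API signing operation, HAuth2 is taken to cover the earlier payloads plus message #6, and the key, payload strings, and the Responder class are constructed for illustration and are not the protocol's wire format.

```python
import hashlib
import hmac

# Constructed stand-ins: real payload encodings and the GSS-API context key differ.
GSS_KEY = b"constructed-gss-context-key"
M1 = b"SA=Kerberos,TLS;MM-crypto;nonce-i"                   # message #1
M2 = b"SA=Kerberos/3DES;SPN=responder;nonce-r;qm-nonce-r"   # message #2
M3 = b"gss-token-from-initiator"                            # message #3
M4 = b"gss-token-from-responder"                            # message #4
M5 = b"IDi,IDr;QM-SA=proposals;qm-nonce-i"                  # message #5 without HAuth1
M6 = b"IDi,IDr;QM-SA=chosen"                                # message #6 without HAuth2


def hauth(key, payloads):
    """Hash all previous payloads, then sign the digest (HMAC stands in for GSS-API)."""
    digest = hashlib.sha256()
    for p in payloads:
        digest.update(len(p).to_bytes(4, "big") + p)  # length prefix keeps boundaries
    return hmac.new(key, digest.digest(), hashlib.sha256).digest()


class Responder:
    def __init__(self, received):
        self.seen = list(received)  # messages #1-#4 as this side saw them
        self.cache = {}             # (message #5, HAuth1) -> message #6, for retransmits
        self.qm_sas_added = 0

    def on_message5(self, m5, hauth1):
        if (m5, hauth1) in self.cache:           # retransmitted #5: resend last packet
            return self.cache[(m5, hauth1)]
        if not hmac.compare_digest(hauth(GSS_KEY, self.seen + [m5]), hauth1):
            return None                          # HAuth1 fails: no reply, no QM SAs
        hauth2 = hauth(GSS_KEY, self.seen + [m5, M6])
        self.qm_sas_added += 1                   # QM SAs are added exactly once
        self.cache[(m5, hauth1)] = (M6, hauth2)
        return self.cache[(m5, hauth1)]


def run_exchange(m1_as_received=M1):
    """Initiator side of #5 and its retransmit; returns (first, second, SAs added)."""
    responder = Responder([m1_as_received, M2, M3, M4])
    hauth1 = hauth(GSS_KEY, [M1, M2, M3, M4, M5])   # initiator signs what it sent and saw
    first = responder.on_message5(M5, hauth1)
    second = responder.on_message5(M5, hauth1)      # as if message #6 had been lost
    return first, second, responder.qm_sas_added
```

Because messages #1 and #2 travel before any key exists, the transcript hash in HAuth1 is what lets the responder detect that the proposals it received differ from the ones the initiator sent.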