DH Shared Secret is used in SKEYIDs computation.
2011/6/15 waleed ' <[email protected]>
> are all SKEYID's generated from DH ?
> ------------------------------
> Date: Mon, 13 Jun 2011 12:57:22 +0200
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Encryption after authentication and
> Authentication after Encryption
>
> There are separate keys used for DATA protection which are derived from
> SKEYID_d.
>
> Regards,
> Piotr
>
> 2011/6/13 Kingsley Charles <[email protected]>
>
> Hi Piotr
>
> I agree that there are three keys being generated. SKEYID_a and SKEYID_e are used
> for encryption and authentication of IKE Phase 1 messages. SKEYID_d is the
> keying material used for IPSec.
>
> So, is SKEYID_d used for encryption and authentication of IPSec messages, or
> are separate keys derived using SKEYID_d for encryption and authentication?
>
> With regards
> Kings
>
> On Mon, Jun 13, 2011 at 1:45 PM, Piotr Matusiak <[email protected]> wrote:
>
> Hi Kings,
>
> There are 3 keys being generated: SKEYID_d, SKEYID_a and SKEYID_e. _a is
> used for authentication, _e is used for encryption. Both are derived from
> _d.
>
> Regards,
> Piotr
>
> 2011/6/13 Kingsley Charles <[email protected]>
>
> When we use an IPSec transform that does ESP encryption and authentication,
> like ESP-3DES + ESP-SHA, it seems the same key is used for both encryption
> and authentication.
>
> My understanding was that SKEYID_d generated from IKE Phase 1 is used to
> generate separate keys for ESP encryption, ESP authentication and AH
> authentication.
>
> Or is SKEYID_d directly used for encryption and authentication?
>
> ESP-3DES + ESP-SHA + AH-SHA uses two SPIs, one for ESP and the other for AH. In
> that case, it seems two keys are being used. This confirms that SKEYID_d
> is not used for encryption or authentication; rather it is used as keying
> material to generate keys for encryption and authentication.
>
> Any thoughts?
>
> With regards
> Kings
>
> On Sun, Jun 12, 2011 at 9:34 AM, Kingsley Charles <[email protected]> wrote:
>
> Exactly Piotr, that's what I even observed with a wireshark capture. The ESP
> packet is being authenticated by AH. The AH header has a next header value of
> ESP.
>
> With regards
> Kings
>
> On Sat, Jun 11, 2011 at 10:27 PM, Piotr Matusiak <[email protected]> wrote:
>
> Hi Kings,
>
> According to my limited knowledge, if both AH and ESP are configured in the
> IPSec transform set, the resulting IPSec packet will be IP protocol 51 as the
> AH will encapsulate ESP. You do not need to configure ESP in the ACL in this
> case.
> In addition to that, both protocols use separate SPI numbers, so there are
> two Inbound SAs and two Outbound SAs created (although there is one packet on
> the wire).
>
> Regards,
> Piotr
>
> 2011/6/11 Kingsley Charles <[email protected]>
>
> I think the following is the order for this combination:
>
> ESP Encryption + ESP Authentication ----> ESP authenticates ESP
> encrypted data
>
> With regards
> Kings
>
> On Sat, Jun 11, 2011 at 7:15 PM, Vybhav Ramachandran <[email protected]> wrote:
>
> Thanks a lot for all the information Kingsley! :)
>
> Cheers,
> TacACK
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
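The derivation chain the thread walks through (DH shared secret into SKEYID, SKEYID into SKEYID_d/_a/_e, then per-SPI KEYMAT for ESP and AH out of SKEYID_d) as an added Python example following RFC 2409; it is not code from the list or from any vendor. It assumes HMAC-SHA1 as the negotiated prf, pre-shared-key authentication for Phase 1, and constructed sample values for nonces, cookies and the DH secret; the cipher-key-first split of KEYMAT follows common implementation practice.

```python
import hmac
import hashlib

# IPsec DOI protocol identifiers (RFC 2407); each SA also carries its own SPI.
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_skeyids(psk, ni, nr, gxy, cky_i, cky_r):
    """Pre-shared-key variant of RFC 2409 section 5.

    gxy is the Phase 1 Diffie-Hellman shared secret: it feeds SKEYID_d,
    and through it SKEYID_a and SKEYID_e. The trailing 0/1/2 are single octets.
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def keymat(skeyid_d, protocol, spi, ni_qm, nr_qm, needed, gqm_xy=b""):
    """RFC 2409 section 5.5 KEYMAT for one SA, identified by protocol + SPI.

    ni_qm/nr_qm are the Quick Mode nonces; gqm_xy is the optional PFS secret.
    K1 = prf(SKEYID_d, seed), Kn = prf(SKEYID_d, Kn-1 | seed), concatenated
    until `needed` bytes exist. SKEYID_d itself never becomes a traffic key.
    """
    seed = gqm_xy + bytes([protocol]) + spi + ni_qm + nr_qm
    block = prf(skeyid_d, seed)
    out = block
    while len(out) < needed:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:needed]


def esp_3des_sha1_keys(skeyid_d, spi, ni_qm, nr_qm):
    """ESP-3DES + ESP-SHA: one KEYMAT for the ESP SPI, split into the 24-byte
    3DES key followed by the 20-byte HMAC-SHA1 key (separate keys, one SA)."""
    km = keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_qm, nr_qm, 24 + 20)
    return km[:24], km[24:]


def ah_sha1_key(skeyid_d, spi, ni_qm, nr_qm):
    """AH-SHA has its own SPI, so it gets its own KEYMAT and its own 20-byte key."""
    return keymat(skeyid_d, PROTO_IPSEC_AH, spi, ni_qm, nr_qm, 20)
```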
