The DH generates a shared secret which is used to generate the SKEYIDs.

Based on my understanding, somewhere here the PSK is included either during
shared secret or SKEYID generation.

With regards
Kings

On Wed, Mar 14, 2012 at 6:07 PM, Piotr Matusiak <[email protected]> wrote:

> Perhaps this is a matter of terminology but for me DH shared secret is
> calculated on Initiator as (Xb)^a mod p. The PSK is used to calculate SKEYID
> which has nothing to do with the DH shared secret in case of PSK authentication.
>
> Regards,
> Piotr
>
>
>
> 2012/3/14 Kingsley Charles <[email protected]>
>
>> Piotr
>>
>> Do you mean that psk is not used as an ingredient for generating the
>> shared secret?
>>
>> With regards
>> Kings
>>
>>
>> On Wed, Mar 14, 2012 at 4:14 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Hi Joe,
>>>
>>>
>>> PSK is not used by DH but it is required to be known after DH exchange
>>> and before sending MM5. This is a real disadvantage (and security risk)
>>> when you're using MM with PSK.
>>> You're right saying that PSK in EasyVPN must be known earlier as all
>>> information (including ID Payload) is sent using AM Msg#1. This is only
>>> used with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN this
>>> is done with MM.
>>>
>>> Using AM with RSA-sig is also possible but not recommended.
>>>
>>> Regards,
>>> Piotr
>>>
>>>
>>> 2012/3/14 Joe Astorino <[email protected]>
>>>
>>>> Oh. I think it is because the PSK is used as part of the DH key
>>>> exchange in MM4. If the server does not have the group ID at that
>>>> point (because it is not communicated to the server until MM5) it
>>>> would be unable to deduce what PSK to use for DH key exchange. Is that
>>>> right?
>>>>
>>>> Conversely with rsa-sig obviously the PSK is not used in the DH key
>>>> exchange so we can proceed with MM.
>>>>
>>>> Sorry it seems I have been answering my own questions after pondering
>>>> them a bit. Also, when learning fresh things I always need lots of
>>>> reassurance I got it right : )
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 3/14/12, Joe Astorino <[email protected]> wrote:
>>>> > Can anybody help me understand why EZVPN with PSK auth uses IKE MM but
>>>> > with rsa-sig uses IKE AM?
>>>> >
>>>> > I get that in aggressive mode we pass the IKE ID in clear text and that
>>>> > the ID we pass identifies the group name and thus allows the server to
>>>> > find the PSK configured for the group.
>>>> >
>>>> > I am just fuzzy on why that can't still happen with IKE MM encrypted
>>>> > in MM5. Thanks!
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Sent from my mobile device
>>>> >
>>>> > Regards,
>>>> >
>>>> > Joe Astorino
>>>> > CCIE #24347
>>>> > http://astorinonetworks.com
>>>> >
>>>> > "He not busy being born is busy dying" - Dylan
>>>> >
>>>>
>>>> --
>>>> Sent from my mobile device
>>>>
>>>> Regards,
>>>>
>>>> Joe Astorino
>>>> CCIE #24347
>>>> http://astorinonetworks.com
>>>>
>>>> "He not busy being born is busy dying" - Dylan
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>
>>
>

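An added example, not from this thread or from any vendor's IKE implementation, that walks through the RFC 2409 Phase 1 key schedule the thread is arguing about. It assumes a constructed toy Diffie-Hellman group (a Mersenne prime with generator 3, standing in for a real MODP group), HMAC-SHA1 as the negotiated prf, and constructed private exponents, nonces and cookies so the run is deterministic. It shows that the DH shared secret g^xy is computed without the PSK, that the PSK enters only at SKEYID (and only for PSK authentication), and that a main mode responder therefore has to commit to a PSK before MM5, which is where the initiator's ID payload first appears under SKEYID_e encryption:

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed toy Diffie-Hellman group, chosen only so the exponentiations run instantly.
# Real IKE uses the MODP groups from RFC 2409 / RFC 3526; nothing in the key schedule
# below depends on which group is used.
TOY_P = (1 << 127) - 1
TOY_G = 3

# Constructed exchange inputs (private exponents, nonces, cookies) for a deterministic run.
XI, XR = 0x1234567890ABCDEF, 0xFEDCBA0987654321
NI, NR = b"\x11" * 16, b"\x22" * 16
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key`, using the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    """Big-endian encoding of a DH value, as it is carried in the KE payload."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def dh_public(x: int) -> int:
    return pow(TOY_G, x, TOY_P)


def dh_shared(peer_public: int, x: int) -> int:
    return pow(peer_public, x, TOY_P)


def skeyid(auth: str, psk: Optional[bytes], ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """SKEYID per RFC 2409 section 5: the PSK enters here, and only for PSK authentication."""
    if auth == "psk":
        if psk is None:
            raise ValueError("PSK authentication needs a pre-shared key")
        return prf(psk, ni + nr)  # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    if auth == "sig":
        return prf(ni + nr, gxy)  # SKEYID = prf(Ni_b | Nr_b, g^xy)
    raise ValueError(f"unsupported authentication method: {auth}")


def derive_keys(sk: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> Tuple[bytes, bytes, bytes]:
    """SKEYID_d, SKEYID_a and SKEYID_e per RFC 2409 section 5."""
    d = prf(sk, gxy + cky_i + cky_r + b"\x00")
    a = prf(sk, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(sk, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def phase1_keys(auth: str, psk: Optional[bytes]) -> Dict[str, bytes]:
    """Run the Phase 1 key schedule from both sides' point of view and return the key material."""
    gxi, gxr = dh_public(XI), dh_public(XR)
    gxy_initiator = to_bytes(dh_shared(gxr, XI))  # initiator computes (g^xr)^xi
    gxy_responder = to_bytes(dh_shared(gxi, XR))  # responder computes (g^xi)^xr
    assert gxy_initiator == gxy_responder          # DH agreement; the PSK plays no part
    sk = skeyid(auth, psk, NI, NR, gxy_initiator)
    d, a, e = derive_keys(sk, gxy_initiator, CKY_I, CKY_R)
    return {"gxy": gxy_initiator, "skeyid": sk, "skeyid_d": d, "skeyid_a": a, "skeyid_e": e}


def responder_can_decrypt_mm5(initiator_psk: bytes, responder_choice: bytes) -> bool:
    """Main mode with PSK: after MM4 the responder must already hold SKEYID_e to decrypt
    MM5, where the initiator's ID payload first appears, so it has to choose a PSK before
    it can see that ID. The choice only works if it matches the initiator's PSK."""
    initiator = phase1_keys("psk", initiator_psk)
    responder = phase1_keys("psk", responder_choice)
    return hmac.compare_digest(initiator["skeyid_e"], responder["skeyid_e"])


if __name__ == "__main__":
    a, b = phase1_keys("psk", b"group-psk"), phase1_keys("psk", b"other-psk")
    print("g^xy identical under different PSKs:", a["gxy"] == b["gxy"])
    print("SKEYID identical under different PSKs:", a["skeyid"] == b["skeyid"])
    print("responder picked the right PSK:", responder_can_decrypt_mm5(b"group-psk", b"group-psk"))
    print("responder picked a wrong PSK:", responder_can_decrypt_mm5(b"group-psk", b"other-psk"))
```

With signature authentication, `phase1_keys("sig", None)` produces SKEYID from the nonces and g^xy alone, so the responder can finish MM4, decrypt MM5 and only then look at the ID, which is why rsa-sig has no need for the ID to travel in the clear the way aggressive mode sends it.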