Except this line from me "Do you mean that psk is not used as an ingredient for generating the shared secret?", did I tell anywhere the DH is using PSK to generate the shared secret?
In that line, I was referring shared secret to SKEID, may be that confused everyone. >From the beginning, I was trying to tell that the PSK is used along with shared secret to generate the SKEIDs :-) DH is an algorithm that is just used in IKE. PSK doesn't come into picture with DH.... With regards Kings On Thu, Mar 15, 2012 at 6:09 PM, Joe Astorino <[email protected]>wrote: > Kings, > > The shared secret derived from DH key exchange in MM3/MM4 does not > involve the PSK. If it did, the DH key exchange would have to define > some variable for that, and it doesn't. DH key exchange is strictly a > function of the variables defined (I believe the values are g, a or b, > and p and none of those represents the PSK) > > After the shared secret is derived from DH exchange, THEN that shared > secret is used in conjunction with the PSK to generate session keys > (SKEY). This happens just before MM5. > > > > On 3/15/12, Kingsley Charles <[email protected]> wrote: > > I still believe PSK is also used for generating the keys. > > > > There is no way we can check the internal working. But to prove that psk > is > > used, IPSec VPN with psk requires the crypto isakmp key to be configured > > with address not hostname. Hostnames can be used with Aggressive mode > only > > with psk as authentication method. > > > > With regards > > Kings > > > > On Thu, Mar 15, 2012 at 12:37 PM, Piotr Matusiak <[email protected]> wrote: > > > >> Yes. > >> > >> > >> 2012/3/15 Kingsley Charles <[email protected]> > >> > >>> So you agree with me that the SKEY has PSK as an ingredient.... > >>> > >>> With regards > >>> Kings > >>> > >>> > >>> On Wed, Mar 14, 2012 at 7:55 PM, Joe Astorino > >>> <[email protected]>wrote: > >>> > >>>> Piotr, > >>>> > >>>> Perfect explanation, thank you! I didn't have the DH in front of me > >>>> late last night (early this morning hehe) but now it is plain to > >>>> see... Kings, if you take a look at the DH exchange you will see Piotr > >>>> is spot on. MM3 and MM4 are only exchanges of DH public values and > >>>> noonces. It is after MM4 but before MM5 that the shared secret > >>>> derived from DH is actually calculated, and also during this time SKEY > >>>> is generated, which is partly based on the PSK. > >>>> > >>>> It makes sense now...I was on the right track, but missing some of the > >>>> small details (and you all know how much I love the details!) > >>>> > >>>> On Wed, Mar 14, 2012 at 6:44 AM, Piotr Matusiak <[email protected]> > wrote: > >>>> > Hi Joe, > >>>> > > >>>> > > >>>> > PSK is not used by DH but it is required to be known after DH > exchange > >>>> and > >>>> > before sending MM5. This is a real disadvantage (and security risk) > >>>> when > >>>> > you're using MM with PSK. > >>>> > You're right saying that PSK in EasyVPN must be known earlier as all > >>>> > information (including ID Payload) is sent using AM Msg#1. This is > >>>> only used > >>>> > with EasyVPN (I mean AM is used). When using RSA-sig with EasyVPN > this > >>>> is > >>>> > done with MM. > >>>> > > >>>> > Using AM with RSA-sig is also possible but not recommended. > >>>> > > >>>> > Regards, > >>>> > Piotr > >>>> > > >>>> > 2012/3/14 Joe Astorino <[email protected]> > >>>> >> > >>>> >> Oh. I think it is because the PSK is used as part of the DH key > >>>> >> exchange in MM4. If the server does not have the group ID at that > >>>> >> point (because it is not communicated to the server until MM5) it > >>>> >> would be unable to deduce what PSK to use for DH key exchange. Is > >>>> >> that > >>>> >> right? > >>>> >> > >>>> >> Conversely with rsa-sig obviously the PSK is not used in the DH key > >>>> >> exchange so we can proceed with MM > >>>> >> > >>>> >> Sorry it seems I have been answering my own questions after > pondering > >>>> >> them a bit. Also, when learning fresh things I always need lots of > >>>> >> reassurance I got it right : ) > >>>> >> > >>>> >> > >>>> >> > >>>> >> > >>>> >> > >>>> >> On 3/14/12, Joe Astorino <[email protected]> wrote: > >>>> >> > Can anybody help me understand why EZVPN with PSK auth uses IKE > MM > >>>> but > >>>> >> > with rsa-sig uses IKE AM? > >>>> >> > > >>>> >> > I get that in aggrssive mode we pass the IKE ID in clear text and > >>>> that > >>>> >> > the ID we pass identifies the group name and thus allows the > server > >>>> to > >>>> >> > find the PSK configured for the group. > >>>> >> > > >>>> >> > I am just fuzzy on why that can't still happen with IKE MM > >>>> >> > encrypted > >>>> >> > in MM5. Thanks! > >>>> >> > > >>>> >> > > >>>> >> > > >>>> >> > -- > >>>> >> > Sent from my mobile device > >>>> >> > > >>>> >> > Regards, > >>>> >> > > >>>> >> > Joe Astorino > >>>> >> > CCIE #24347 > >>>> >> > http://astorinonetworks.com > >>>> >> > > >>>> >> > "He not busy being born is busy dying" - Dylan > >>>> >> > > >>>> >> > >>>> >> -- > >>>> >> Sent from my mobile device > >>>> >> > >>>> >> Regards, > >>>> >> > >>>> >> Joe Astorino > >>>> >> CCIE #24347 > >>>> >> http://astorinonetworks.com > >>>> >> > >>>> >> "He not busy being born is busy dying" - Dylan > >>>> >> _______________________________________________ > >>>> >> For more information regarding industry leading CCIE Lab training, > >>>> please > >>>> >> visit www.ipexpert.com > >>>> >> > >>>> >> Are you a CCNP or CCIE and looking for a job? Check out > >>>> >> www.PlatinumPlacement.com > >>>> > > >>>> > > >>>> > >>>> > >>>> > >>>> -- > >>>> Regards, > >>>> > >>>> Joe Astorino > >>>> CCIE #24347 > >>>> http://astorinonetworks.com > >>>> > >>>> "He not busy being born is busy dying" - Dylan > >>>> _______________________________________________ > >>>> For more information regarding industry leading CCIE Lab training, > >>>> please visit www.ipexpert.com > >>>> > >>>> Are you a CCNP or CCIE and looking for a job? Check out > >>>> www.PlatinumPlacement.com > >>>> > >>> > >>> > >> > > > > -- > Sent from my mobile device > > Regards, > > Joe Astorino > CCIE #24347 > http://astorinonetworks.com > > "He not busy being born is busy dying" - Dylan >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
