I use CheckPoint's Firewall-1 (FW1) product, v.4.0 SP4 on NT 4.0 SP4.  For
remote dial-in we equip our users with CheckPoint's 'SecuRemote' (SR) client
software, which can do both encryption and encapsulation.  The thing works.
My question to this list is along the lines of "what can I reasonably expect
CheckPoint to tell me about _how_ their solution works?"

In particular, I want to understand _conceptually_ how the FW1 server and SR
client agree on a shared session key.  CheckPoint's documentation claims
that the server and client use the Diffie-Hellman scheme, but I don't see
how that can be.  There is no Certificate Authority to validate to the FW1
server that the DH public key from my SR client is authentic.  So I don't
see how the server can generate a session key. (There _is_ a CA for the
server's DH key, and I understand how my client uses the CA to get the
server's DH public key).

CheckPoint's documentation also says that the SR client "exchanges a session
key with the SecuRemote server and loads it into the SecuRemote server"
(VPN-1 manual, p. 104).  Perhaps I have misunderstood something, but isn't
it the point of the whole DH scheme to avoid exchanging keys?  Each end of
the connection, using its own private key and the public key of its
correspondent, can generate the session key on its own.  If that's right,
then why would the server and client 'exchange' the key?

Well, CheckPoint won't tell me, claiming proprietary this and that.

It doesn't seem like this should be proprietary info at all.  Rather, it
seems that they claim something (DH key usage for encryption) for their
product that isn't true, and aren't willing to admit it.  How could it be
'proprietary' information that explains (conceptually) how their solution
works?  Am I asking for too much?

Steve Adams
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
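The conceptual point raised in the post, that with Diffie-Hellman each side computes the session key locally from its own private value and the peer's public value, so the key itself never crosses the wire, is easy to make concrete. The following is an added example written by the editor of this page; it is not CheckPoint's code and says nothing about how FW-1 or SecuRemote actually implement their handshake. It uses the 1024-bit MODP "group 2" parameters published in RFC 2409 (transcribed here; verify against the RFC before relying on them), the standard library only, and a constructed transcript in place of any real protocol framing.

```python
import hashlib
import secrets

# RFC 2409 "group 2" (1024-bit MODP) prime and generator. Transcribed by the
# editor; check against the RFC text before using it for anything real.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2          # P is a safe prime, so G generates a subgroup of order Q
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Return (private, public): a random exponent and g^x mod p."""
    priv = secrets.randbelow(Q - 1) + 1      # 1 <= x <= Q-1
    return priv, pow(G, priv, P)


def check_peer_public(pub):
    """Reject degenerate public values before using them.

    A value outside [2, p-2] or outside the order-Q subgroup would let the
    peer force the shared secret into a tiny set, so a careful
    implementation refuses it up front.
    """
    if not 2 <= pub <= P - 2:
        raise ValueError("public value out of range")
    if pow(pub, Q, P) != 1:
        raise ValueError("public value not in the prime-order subgroup")
    return pub


def dh_shared_secret(own_priv, peer_pub):
    """g^(xy) mod p, computed from one's own private value and the peer's public value."""
    return pow(check_peer_public(peer_pub), own_priv, P)


def derive_session_key(shared, transcript):
    """Hash the raw DH result together with everything both sides sent.

    Binding the key to the transcript means the two sides only agree if they
    saw the same public values; it does not, by itself, prove who sent them.
    """
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big") + transcript).digest()


def run_handshake():
    """Simulate both ends of an unauthenticated DH exchange.

    Returns what each side derived plus the only two numbers that were sent,
    so a caller can confirm the session key itself was never transmitted.
    """
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()

    # Constructed wire format: just the two public values, big-endian.
    wire = client_pub.to_bytes(P_BYTES, "big") + server_pub.to_bytes(P_BYTES, "big")

    client_key = derive_session_key(dh_shared_secret(client_priv, server_pub), wire)
    server_key = derive_session_key(dh_shared_secret(server_priv, client_pub), wire)

    return {
        "client_key": client_key,
        "server_key": server_key,
        "wire": wire,
        # The raw shared secret, kept only so the caller can check it is absent from the wire.
        "shared": dh_shared_secret(client_priv, server_pub).to_bytes(P_BYTES, "big"),
    }


if __name__ == "__main__":
    result = run_handshake()
    print("keys match:", result["client_key"] == result["server_key"])
    print("shared secret on the wire:", result["shared"] in result["wire"])
```

What this shows is exactly the post's reading of DH: the wire carries two public values and nothing else, and each end derives the same key independently. What it does not show, and what DH alone cannot supply, is assurance about who sent those public values; that comes from a separate authentication step (a certificate on the server's value, as the post describes for the FW-1 side, or some other pre-established credential for the client), and a product's documentation ought to say which one it uses.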
