On Thu, Dec 27, 2001 at 05:18:57PM -0700, Trevor Osatchuk wrote:

> I am a newbie and I have a Sonicwall-Pro. I have been doing a little
> research on Diffie-Hellman and I wanted to know what the shared secret used
> for vpn's in the Sonicwall does. Does it have anything to do with IKE? Is
> it a proprietary device?

I'm not intimately familiar with the Sonicwall, but IKE does have a shared secret mode.

Basically the IKE protocol to set up a security association (SA, read: an [authenticated] session encryption key) is done by agreeing on a common encryption key (with a DH exchange) and only after this by verifying the identity of the other party (to prevent an attacker from performing a man-in-the-middle attack). Proof of identity is done by proving possession of a shared secret, possession of the private key corresponding to the public key in the certificate, or one of the client authentication mechanisms.

The main disadvantage of shared secrets is that they need to be securely established between any two systems that want to communicate _prior_ to their communication. This quickly results in a large number of keys (for N systems to communicate with all other systems, N*(N-1) keys are needed that must be securely stored), key distribution problems (when adding a new system, all the old systems need to get another shared secret with this new system) and can cause revocation problems when a system is compromised (all the systems that had a shared secret with the compromised system must be informed of its rogue status). As a result, shared secrets are mostly used in centralized hub configurations where all systems communicate with one central point (this cuts down the number of keys to N-1 and all key management can be done at the center of the hub).

PKI-based authentication allows the communicating systems to wait with acquiring each other's credentials (certificates) until they actually need to set up the security association. This comes at the cost of setting up the appropriate infrastructure though (especially revocation can be troublesome).
With kind regards,
Wouter Slegers
Your Creative Solutions
"Security solutions you can trust and verify!"

_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
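The two-step order the reply describes, key agreement first and identity proof second, as an added model in Python (not code from the thread, the Sonicwall or any IKE implementation). The group parameters, the key derivation and the HMAC-based proof are constructed for the demo and assumed to stand in for the real IKE message formats; a mismatched pre-shared key still produces matching session keys, which is exactly why the authentication step is needed.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group for the demo only: a Mersenne prime
# modulus and generator 5 (assumption; real IKE uses the RFC-defined groups).
P = (1 << 127) - 1
G = 5


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_sa_key(shared, pub_i, pub_r):
    """Derive the SA session key from the DH result and both public values."""
    material = (shared.to_bytes(16, "big")
                + pub_i.to_bytes(16, "big")
                + pub_r.to_bytes(16, "big"))
    return hashlib.sha256(material).digest()


def auth_proof(psk, sa_key, identity):
    """Prove possession of the shared secret, bound to the freshly agreed key."""
    return hmac.new(psk, sa_key + identity, hashlib.sha256).digest()


def run_exchange(psk_initiator, psk_responder):
    """Model one SA setup: DH agreement first, shared-secret identity check second."""
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()
    # Step 1: both sides reach the same key without yet knowing who the peer is.
    key_i = derive_sa_key(pow(pub_r, priv_i, P), pub_i, pub_r)
    key_r = derive_sa_key(pow(pub_i, priv_r, P), pub_i, pub_r)
    # Step 2: each side proves it holds the pre-shared secret for this key.
    proof_i = auth_proof(psk_initiator, key_i, b"initiator")
    proof_r = auth_proof(psk_responder, key_r, b"responder")
    responder_accepts = hmac.compare_digest(
        proof_i, auth_proof(psk_responder, key_r, b"initiator"))
    initiator_accepts = hmac.compare_digest(
        proof_r, auth_proof(psk_initiator, key_i, b"responder"))
    return {"keys_match": key_i == key_r,
            "authenticated": responder_accepts and initiator_accepts}
```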
