Skip to main content

Ughh.. Question about key generation methods

More
14 years 9 months ago #33989 by FlipRich
Consider this ISAKMP policy:

Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit




Well, just the default suite.. The authentication method is RSA so that is what's used to create the keys for encryption, right?

If RSA is being used, does the Diffie-Hellman option not matter? RSA has its own algorithm to calculate an encryption key so Diffie-Hellman isnt needed, right?

Or am I completely confused on this??????

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
More
14 years 9 months ago #33993 by Perlhack
ISAKMP is used to authenticate the remote peers and diffie hellman provides the framework to have a shared secret flow across a public medium. This is part of the IPSEC-phase I and no data plane encryption takes place in this phase. IPSEC Phase II is when encryption takes place.

Diffie hellman would matter with RSA-signatures or any other Phase I authentication method. It provides the framework for the symetric IPSEC keys to be shared.
More
14 years 9 months ago #33995 by FlipRich

ISAKMP is used to authenticate the remote peers and diffie hellman provides the framework to have a shared secret flow across a public medium.


I thought it was the hash method, SHA, that is used to authenticate peers at Phase 1.

This is part of the IPSEC-phase I and no data plane encryption takes place in this phase. IPSEC Phase II is when encryption takes place.


I understand that no encryption is going on at phase 1 but the credentials for phase 2 is being exchanged, isnt it? Thats why an encryption method is specified in the policy. I think?

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
More
14 years 9 months ago #33999 by Perlhack
There are three options to authenticate peers in Phase I:
1811(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature

The SHA hash is to authenticate the packet.

Public Key cryptography takes place in phase I, very different than the symmetric key encryption provided by IPSEC. Ex using peers Bob and Alice.

1. Mod is prime = 199. g 43 is primitive root to mod 199.
2. Primitive root means that if g is a primitive root (mod n); (g ** powerof) % mod = 1.

Public vaues are mod=199 and g=43
Alices Secret 588 | Bobs Secret:298
Alice sends Bob: 106 = 43 ** 588 % 199 | Bob sends Alice: 43 = 43 ** 298 % 199
Alice computes: 106 = 43 ** 588 % 199 | Bob computes: 106 = 106 ** 298 % 199
Alice computes 106 | Bob computes 106


The credentials are being exchanged in phase I. The crypto isakmp policy has to have matching encry and hash functions for phase I to complete but has nothing to do with data plane encryption. IPSEC phase II data plane encryption is provisioned on the transform-set line in IOS.



More
14 years 9 months ago #34001 by FlipRich

There are three options to authenticate peers in Phase I:
1811(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature


Oh OK, so RSA would only be used for peer authentication. OK, I'm straight on that. However, that brings me back to my original question.

What is Diffie-Hellman used for? I know what it is and how the algorithm calculates keys, but I dont what it's purpose in Phase 1 is..

The SHA hash is to authenticate the packet.


Is this authentication for just phase one traffic or both?





[/quote]

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
More
14 years 9 months ago #34013 by Perlhack
DH is used so the IPSEC symmetric keys can be exchanged between the peers.

Packet authentication for phase I is in the crypto isakmp policy, phase II is defined in the transform-set
Time to create page: 0.136 seconds