Ughh.. Question about key generation methods
14 years 8 months ago #33989
by FlipRich
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
Ughh.. Question about key generation methods was created by FlipRich
Consider this ISAKMP policy:
Global IKE policy
Protection suite of priority 10
    encryption algorithm:   Three key triple DES
    hash algorithm:         Secure Hash Standard
    authentication method:  Pre-Shared Key
    Diffie-Hellman group:   #2 (1024 bit)
    lifetime:               86400 seconds, no volume limit
Default protection suite
    encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
    hash algorithm:         Secure Hash Standard
    authentication method:  Rivest-Shamir-Adleman Signature
    Diffie-Hellman group:   #1 (768 bit)
    lifetime:               86400 seconds, no volume limit
Well, just the default suite.. The authentication method is RSA so that is what's used to create the keys for encryption, right?
If RSA is being used, does the Diffie-Hellman option not matter? RSA has its own algorithm to calculate an encryption key so Diffie-Hellman isn't needed, right?
Or am I completely confused on this??????
14 years 8 months ago #33993
by Perlhack
Replied by Perlhack on topic Re: Ughh.. Question about key generation methods
ISAKMP is used to authenticate the remote peers and Diffie-Hellman provides the framework to have a shared secret flow across a public medium. This is part of the IPSEC-phase I and no data plane encryption takes place in this phase. IPSEC Phase II is when encryption takes place.
Diffie-Hellman would matter with RSA-signatures or any other Phase I authentication method. It provides the framework for the symmetric IPSEC keys to be shared.
14 years 8 months ago #33995
by FlipRich
I thought it was the hash method, SHA, that is used to authenticate peers at Phase 1.
I understand that no encryption is going on at phase 1 but the credentials for phase 2 are being exchanged, aren't they? That's why an encryption method is specified in the policy. I think?
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
14 years 8 months ago #33999
by Perlhack
Replied by Perlhack on topic Re: Ughh.. Question about key generation methods
There are three options to authenticate peers in Phase I:
1811(config-isakmp)#authentication ?
    pre-share   Pre-Shared Key
    rsa-encr    Rivest-Shamir-Adleman Encryption
    rsa-sig     Rivest-Shamir-Adleman Signature
The SHA hash is to authenticate the packet.
Public Key cryptography takes place in phase I, very different than the symmetric key encryption provided by IPSEC. Example using peers Bob and Alice:
1. Mod is prime = 199. g = 43 is a primitive root mod 199.
2. Primitive root means that if g is a primitive root (mod n); (g ** powerof) % mod = 1.
Public values are mod=199 and g=43
Alice's Secret: 588 | Bob's Secret: 298
Alice sends Bob: 106 = 43 ** 588 % 199 | Bob sends Alice: 43 = 43 ** 298 % 199
Alice computes: 106 = 43 ** 588 % 199 | Bob computes: 106 = 106 ** 298 % 199
Alice computes 106 | Bob computes 106
The credentials are being exchanged in phase I. The crypto isakmp policy has to have matching encry and hash functions for phase I to complete but has nothing to do with data plane encryption. IPSEC phase II data plane encryption is provisioned on the transform-set line in IOS.
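Added example, not part of Perlhack's post: the toy exchange above reproduced in Python with the posted values, plus a check of the multiplicative order of g, which bounds how many distinct shared secrets the two peers can ever arrive at. The function names are hypothetical, and g = 3 is a comparison value that does not appear in the thread.

```python
# Added example: toy Diffie-Hellman with the numbers from the post (p=199, g=43).
# Function names are hypothetical; real IKE groups use 768-bit and larger primes.

def multiplicative_order(g: int, p: int) -> int:
    """Smallest k >= 1 with g**k % p == 1, for prime p and g not divisible by p."""
    if g % p == 0:
        raise ValueError("g must not be a multiple of p")
    k, acc = 1, g % p
    while acc != 1:
        acc = (acc * g) % p
        k += 1
    return k


def is_primitive_root(g: int, p: int) -> bool:
    """g is a primitive root mod prime p when its order is the full p - 1."""
    return multiplicative_order(g, p) == p - 1


def dh_exchange(p: int, g: int, a_secret: int, b_secret: int):
    """Return (Alice's public value, Bob's public value, shared secret)."""
    a_pub = pow(g, a_secret, p)          # Alice -> Bob, sent in the clear
    b_pub = pow(g, b_secret, p)          # Bob -> Alice, sent in the clear
    a_shared = pow(b_pub, a_secret, p)   # Alice computes (g^b)^a mod p
    b_shared = pow(a_pub, b_secret, p)   # Bob computes   (g^a)^b mod p
    if a_shared != b_shared:
        raise ValueError("peers derived different secrets")
    return a_pub, b_pub, a_shared


def reachable_secrets(p: int, g: int) -> set:
    """Every value g**k % p can take; the shared secret is always one of these."""
    return {pow(g, k, p) for k in range(multiplicative_order(g, p))}


if __name__ == "__main__":
    p, g = 199, 43
    print("exchange:", dh_exchange(p, g, 588, 298))        # (106, 43, 106)
    print("order of g:", multiplicative_order(g, p))       # 9
    print("reachable secrets:", len(reachable_secrets(p, g)))
    for cand in (43, 3):                                   # 3 is an added comparison value
        print(cand, "primitive root mod 199:", is_primitive_root(cand, p))
```

With these values the order of g = 43 is 9, so the shared secret is one of only 9 numbers whatever secrets the peers pick, while g = 3 has the full order 198. Checking the generator's order is the kind of parameter validation that the fixed, vetted Diffie-Hellman groups in the ISAKMP policy make unnecessary.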
14 years 8 months ago #34001
by FlipRich
Oh OK, so RSA would only be used for peer authentication. OK, I'm straight on that. However, that brings me back to my original question.
What is Diffie-Hellman used for? I know what it is and how the algorithm calculates keys, but I don't know what its purpose in Phase 1 is..
Is this authentication for just phase one traffic or both?
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
14 years 8 months ago #34013
by Perlhack
Replied by Perlhack on topic Re: Ughh.. Question about key generation methods
DH is used so the IPSEC symmetric keys can be exchanged between the peers.
Packet authentication for phase I is in the crypto isakmp policy, phase II is defined in the transform-set