Jeremy,
As Dan already stated, the hashing algorithm is the same. The difference is
the hash value that has been calculated by each device. When they state
HASH_i and HASH_r below, it stands for initiator/responder. They are simplifying
it for you so you better understand it. So each uses its own hash in
protecting MSG5 and MSG6, MSG5 being sent by the initiator and MSG6 being
returned by the responder if he accepts MSG5 from the initiator.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
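
[Added example, not part of the original thread: the RFC 2409 Main Mode derivations for pre-shared-key authentication, showing that HASH_I and HASH_R come from the same negotiated prf (HMAC over the negotiated hash) keyed with SKEYID, and differ only in input order and ID payload. The function names and every sample byte value are constructed for illustration.]

```python
import hmac

def prf(key: bytes, data: bytes, hash_name: str) -> bytes:
    # RFC 2409 prf: HMAC built on the hash negotiated in MSG1/MSG2.
    return hmac.new(key, data, hash_name).digest()

def main_mode_psk(hash_name, psk, ni, nr, g_xi, g_xr, g_xy,
                  cky_i, cky_r, sa_i, id_i, id_r):
    """Derive the phase 1 keys and both authentication hashes (pre-shared key auth)."""
    skeyid = prf(psk, ni + nr, hash_name)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00", hash_name)
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01", hash_name)
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02", hash_name)
    return {
        "SKEYID_a": skeyid_a,
        "SKEYID_e": skeyid_e,
        # Same prf and same key; only the input order and the ID payload differ.
        "HASH_I": prf(skeyid, g_xi + g_xr + cky_i + cky_r + sa_i + id_i, hash_name),
        "HASH_R": prf(skeyid, g_xr + g_xi + cky_r + cky_i + sa_i + id_r, hash_name),
    }

def responder_accepts_msg5(received_hash_i: bytes, local: dict) -> bool:
    # The responder recomputes HASH_I from its own state and compares in constant time.
    return hmac.compare_digest(received_hash_i, local["HASH_I"])

# Constructed sample values (not from a real exchange); real g^x values are DH-group sized.
SAMPLE = dict(
    psk=b"constructed-psk", ni=b"\x11" * 16, nr=b"\x22" * 16,
    g_xi=b"\xa1" * 128, g_xr=b"\xb2" * 128, g_xy=b"\xc3" * 128,
    cky_i=b"\x01" * 8, cky_r=b"\x02" * 8,
    sa_i=b"constructed SA payload body",
    id_i=b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1]),  # ID_IPV4_ADDR body
    id_r=b"\x01\x00\x00\x00" + bytes([192, 0, 2, 2]),
)

if __name__ == "__main__":
    initiator = main_mode_psk("sha1", **SAMPLE)
    responder = main_mode_psk("sha1", **SAMPLE)
    print("HASH_I:", initiator["HASH_I"].hex())
    print("HASH_R:", initiator["HASH_R"].hex())
    print("responder accepts MSG5:",
          responder_accepts_msg5(initiator["HASH_I"], responder))
```
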
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
jeremy co
Sent: Sunday, March 14, 2010 11:33 PM
To: Dan Shechter
Cc: Cisco certification
Subject: Re: IKE phase 1 , Main Mode, how IKE use different hash and encrypt
algorithm in msg 5 and 6 ?
Thanks for your response,
My question stems from a different interpretation found in the "IPSec VPN
Design" book, CH2, section: Key Management and security Assessment
"The fifth and sixth messages are encrypted with SKEYIDe and authenticated
using the hashes derived, HASH_i and HASH_r, along with the different phase
1 encryption and hash algorithm that was negotiated as part of the first two
exchanges and use of SKEYIDe and SKEYIDa. The main part of the exchange is
the identification of the initiator and responder IDi and IDr."
Regards,
Jeremy
On Mon, Mar 15, 2010 at 2:24 PM, Dan Shechter <danshtr_at_gmail.com> wrote:
> Hi Jeremy,
>
> MSG5 and MSG6 are using the same algorithms. The purpose of MSG1 and MSG2
> is to choose a shared algorithm to be used in MSG5 and MSG6.
>
> Maybe you got a little confused by the fact that in MSG3 and MSG4 the
> parties (the routers) are choosing a shared hidden key using DH, which is
> later being used to protect MSG5, MSG6 and phase2.
>
> HTH,
> Dan #13685 (RS/Sec/SP)
> Troubleshooting blog: http://dans-net.com
>
>
>
> On Mon, Mar 15, 2010 at 5:05 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> Hi,
>>
>> As I was studying IKE phase 1 Main mode (6 msg exchange), I stumbled
>> across how IKE Main mode msgs work.
>>
>> I read that it uses different hash and encryption algorithms in MSG 5 & 6
>> than it negotiated in MSG 1 & 2. However, we only configure one set of
>> algorithms under "crypto isakmp policy". So how does the single config under
>> isakmp policy lead to 2 different algorithms in MSG 1 & 2 and MSG 5 & 6 of the
>> IKE phase 1 Main mode?
>>
>>
>>
>> Regards,
>>
>>
>> Jeremy
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Mar 15 2010 - 10:44:25 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:35 ART