Hi Piotr,
Yousuf's book says "DH allows two end users that have no prior knowledge of
each other to establish a shared secret key over an insecure channel."
So I just want to confirm whether the DH process in any way uses a pre-shared
key?
And what keys are used for phase 2 encryption? Does phase 2 go for DH
again to derive the key for bulk traffic encryption, or are pre-shared keys used
for encrypting the new key?
Thanks
On Tue, Jun 8, 2010 at 7:45 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
> Hi,
>
> 1. PSK is for authentication. You need separate keys for the remaining
> phase I exchange (integrity + encryption) + to derive keys for IPSec.
> 2. Yes, partially.
> 3. Group 1 on IOS and group 2 on the ASA, I believe.
>
> Cheers,
> Piotr
>
>
> On Tue, Jun 8, 2010 at 3:25 PM, ehtesham ali <conect2ehtesham_at_gmail.com> wrote:
>
>> Hi experts,
>> I need to ask a few questions about the Diffie-Hellman process of deriving the
>> shared secret key.
>>
>> 1) R1---------------------R2 are trying to peer with each other using
>> IPsec; let's say both use cisco as a password (pre-shared key).
>> Since we already have a pre-shared key for encryption, why do I need the DH
>> process again to derive the SHARED SECRET KEY?
>>
>> 2) Is the SHARED SECRET key derived from the pre-shared key?
>>
>> 3) For a site-to-site and remote access tunnel, what is the default DH gr no.?
>>
>>
>> Thanks
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
Received on Tue Jun 08 2010 - 19:59:33 ART
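
Added example, not part of the original thread or of either poster's message: a Python sketch of the IKEv1 pre-shared-key derivation from RFC 2409, showing where the PSK and the DH shared secret each enter the phase 1 keys and how phase 2 keying material is taken from SKEYID_d. It assumes HMAC-SHA1 as the negotiated prf and DH group 2; "cisco" is the password from the question, and the nonces, cookies and SPI are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Oakley Group 2 (1024-bit MODP) prime from RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: the negotiated hash is SHA-1, so prf is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_keys(psk, g_xy, ni, nr, cky_i, cky_r):
    skeyid = prf(psk, ni + nr)             # the only place the PSK is used
    tail = g_xy + cky_i + cky_r            # the DH secret is mixed in here
    d = prf(skeyid, tail + b"\x00")        # SKEYID_d: seed for IPsec (phase 2) keys
    a = prf(skeyid, d + tail + b"\x01")    # SKEYID_a: phase 1 integrity
    e = prf(skeyid, a + tail + b"\x02")    # SKEYID_e: phase 1 encryption
    return {"SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, g_qm_xy=b""):
    # g_qm_xy is non-empty only when PFS runs a fresh DH exchange in quick mode.
    return prf(skeyid_d, g_qm_xy + bytes([protocol]) + spi + ni2 + nr2)

def dh_pair():
    x = secrets.randbelow(P - 3) + 2       # private exponent
    return x, pow(G, x, P)                 # (private, public)

def exchange(psk_r1: bytes, psk_r2: bytes):
    """Run one constructed phase 1 exchange; return (R1 keys, R2 keys)."""
    x, gx = dh_pair()
    y, gy = dh_pair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # cookies
    s1 = pow(gy, x, P).to_bytes(128, "big")  # g^xy as computed by R1
    s2 = pow(gx, y, P).to_bytes(128, "big")  # g^xy as computed by R2
    return (phase1_keys(psk_r1, s1, ni, nr, cky_i, cky_r),
            phase1_keys(psk_r2, s2, ni, nr, cky_i, cky_r))

if __name__ == "__main__":
    r1, r2 = exchange(b"cisco", b"cisco")
    print("phase 1 keys agree:", r1 == r2)
    spi = bytes.fromhex("11223344")          # constructed SPI, protocol 3 = ESP
    km = phase2_keymat(r1["SKEYID_d"], 3, spi, b"n" * 16, b"m" * 16)
    print("phase 2 KEYMAT:", km.hex())
```

RFC 2409 expands SKEYID_e and KEYMAT further when the negotiated cipher needs more key bytes than one prf output provides; that expansion step is left out here.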
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART