Re: question on ipsec DH

From: Piotr Kaluzny <piotrk_at_ipexpert.com>
Date: Tue, 8 Jun 2010 16:57:37 +0200

Yusuf's book is correct. It is the actual PSK-based IPSec implementation of
DH that uses the PSK as part of the process. This is to reduce the potential
impact of a DoS when the attackers have "guessed" the IKE policy. This way they
are prevented from hitting the authentication phase or even finishing the DH
exchange (CPU, etc.).

DH is performed again in Phase II only if PFS has been configured. Otherwise
the previously derived Phase I key (the one for the IPSec phase) will be used
alone to calculate the encryption & integrity keys for data (per SA).

Cheers,
Piotr

On Tue, Jun 8, 2010 at 4:29 PM, ehtesham ali <conect2ehtesham_at_gmail.com>wrote:

> Hi Piotr,
>
> Yousuf's book says: "DH allows two end users that have no prior knowledge
> of each other to establish a shared secret key over an insecure channel."
>
> So I just want to confirm whether the DH process in any way uses the
> pre-shared key?
>
> And what keys are used for phase 2 encryption? Does phase 2 go for DH
> again to derive the key for bulk traffic encryption, or is the pre-shared key
> used for encrypting the new key?
>
> thanks
>
>
>
> On Tue, Jun 8, 2010 at 7:45 PM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
>
>> Hi,
>>
>> 1. PSK is for authentication. You need separate keys for the remaining
>> phase I exchange (integrity + encryption) + to derive keys for IPSec.
>> 2. Yes, partially.
>> 3. Group 1 on IOS and group 2 on the ASA, I believe.
>>
>> Cheers,
>> Piotr
>>
>>
>> On Tue, Jun 8, 2010 at 3:25 PM, ehtesham ali <conect2ehtesham_at_gmail.com>wrote:
>>
>>> Hi experts,
>>> I need to ask a few questions about the Diffie-Hellman process of deriving a
>>> shared secret key.
>>>
>>> 1) R1---------------------R2 are trying to peer with each other using
>>> IPsec; let's say both use cisco as the password (pre-shared key).
>>> Since we already have a pre-shared key for encryption, why do I need the DH
>>> process again to derive a SHARED SECRET KEY?
>>>
>>> 2) Is the SHARED SECRET key derived from the pre-shared key?
>>>
>>> 3) For a site-to-site and a remote access tunnel, what is the default DH
>>> group number?
>>>
>>>
>>> Thanks
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>
>

-- 
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
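Editor's added example, not code from the thread or from any Cisco implementation: the RFC 2409 (IKEv1) key schedule that the answers above describe, written out in Python so the two questions can be checked directly. With pre-shared-key authentication, SKEYID = prf(PSK, Ni | Nr), and the DH secret g^xy is mixed into every key derived from it, so a peer with the wrong PSK still completes the DH math but ends up with different SKEYID_e and cannot get through the encrypted identity/authentication messages. In Quick Mode, KEYMAT is derived from SKEYID_d plus fresh nonces, and a new DH secret g(qm)^xy is included only when PFS is on. The toy 127-bit DH group, HMAC-SHA1 as the prf, and all nonces, cookies and SPIs are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: p = 2^127 - 1 (a prime), g = 2.
# Real IKE group 1 / group 2 are 768-bit / 1024-bit MODP groups; this group is far
# too small to be secure and is used only so the example runs instantly.
TOY_P = (1 << 127) - 1
TOY_G = 2
TOY_LEN = (TOY_P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC over the negotiated hash algorithm (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(p: int = TOY_P, g: int = TOY_G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(peer_public: int, x: int, p: int = TOY_P) -> bytes:
    """g^xy mod p as a fixed-width big-endian byte string."""
    return pow(peer_public, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def phase1_keys_psk(psk, ni, nr, g_xy, cky_i, cky_r) -> dict:
    """RFC 2409 section 5 derivation for pre-shared-key authentication.
    The PSK enters only as the key of the first prf; the DH secret g^xy enters
    every derived key, so neither the PSK nor g^xy alone yields SKEYID_d/_a/_e."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")              # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")   # IKE SA integrity
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")   # IKE SA encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def quick_mode_keymat(skeyid_d, protocol, spi, ni2, nr2, needed_len, g_qm_xy=None) -> bytes:
    """RFC 2409 section 5.5 KEYMAT for one IPsec SA (per protocol and SPI).
    Without PFS only SKEYID_d and the fresh Quick Mode nonces feed the keys; with
    PFS the new Quick Mode DH secret g(qm)^xy is prepended. Output is expanded as
    K1 | K2 | ... with K_n = prf(SKEYID_d, K_{n-1} | body) until long enough."""
    body = (g_qm_xy or b"") + bytes([protocol]) + spi + ni2 + nr2
    block = prf(skeyid_d, body)
    keymat = block
    while len(keymat) < needed_len:
        block = prf(skeyid_d, block + body)
        keymat += block
    return keymat[:needed_len]


def run_exchange(psk_initiator: bytes, psk_responder: bytes, pfs: bool) -> dict:
    """Simulate both peers through Phase 1 and one Quick Mode (constructed data)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    # Both sides obtain the same g^xy regardless of PSK; the PSK only changes
    # what SKEYID (and hence every key derived from it) becomes.
    keys_i = phase1_keys_psk(psk_initiator, ni, nr, dh_shared(pub_r, xi), cky_i, cky_r)
    keys_r = phase1_keys_psk(psk_responder, ni, nr, dh_shared(pub_i, xr), cky_i, cky_r)

    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    g_qm = None
    if pfs:  # PFS: a second DH exchange inside Quick Mode
        qi, qpub_i = dh_keypair()
        qr, qpub_r = dh_keypair()
        g_qm = dh_shared(qpub_r, qi)
    # ESP (protocol 3) with AES-128 + HMAC-SHA1 needs 16 + 20 = 36 bytes of KEYMAT
    km_i = quick_mode_keymat(keys_i["SKEYID_d"], 3, spi, ni2, nr2, 36, g_qm)
    km_r = quick_mode_keymat(keys_r["SKEYID_d"], 3, spi, ni2, nr2, 36, g_qm)
    return {
        "phase1_match": keys_i["SKEYID_e"] == keys_r["SKEYID_e"],
        "keymat_match": km_i == km_r,
        "esp_enc_key": km_i[:16],
        "esp_auth_key": km_i[16:],
    }


if __name__ == "__main__":
    for psk_r, pfs in ((b"cisco", False), (b"cisco", True), (b"c1sco", False)):
        r = run_exchange(b"cisco", psk_r, pfs)
        print(f"responder PSK={psk_r!r} PFS={pfs}: phase1 keys match={r['phase1_match']}, "
              f"ESP keys match={r['keymat_match']}")
```

Running it shows the three cases from the thread: with matching PSKs both peers derive identical SKEYID_e and ESP keys whether or not PFS is used; with mismatched PSKs the DH exchange still completes but no derived key agrees, which is why a bad PSK surfaces as a Phase 1 failure rather than a decryption error on traffic. The PFS branch is the only place a second DH computation happens.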
Blogs and organic groups at http://www.ccie.net
Received on Tue Jun 08 2010 - 16:57:37 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART