Please see my comments inline.
On 15 April 2012 07:34, Brian McGahan <bmcgahan_at_ine.com> wrote:
> IPsec uses symmetrical encryption. This means that the key used for
> encryption is the same one that's used for decryption. This is why the DH
> exchange is needed, to hide the negotiation of the encryption/decryption
> symmetrical key. If this key were to be compromised, someone could use it
> to decrypt packets or possibly encrypt packets to do an injection attack.
>
[Ajay] Understood, the Cisco implementation of IPsec uses a symmetric key for
encryption/decryption. Only in the case of PSK as the authentication method, the
symmetric key is derived from the PSK along with other inputs, as Petr also clarified...
>
> With Digital Signatures, or Public Key Infrastructure (PKI), there is a
> separate encryption vs. decryption key. The idea is that each party
> generates both a private key and a public key. Like the names imply the
> private key has to be kept secret, but the public key you can give to
> anyone. Something that is encrypted with my private key can only be
> decrypted with my public key. Likewise something encrypted with my public
> key can only be decrypted with my private key. The reason that it works
> both ways is because in certain cases you want to use PKI just to
> authenticate the other party, but in other cases you may want to encrypt
> data going to a specific party. The first case is what is done with
> Certificate Authority.
>
[Ajay] understood
>
> With CA based authentication, both you and I generate both public and
> private keys, and then we get the public key of the CA server. Next
> we both send our public keys to the CA server, who adds some authentication
> strings to them, and then encrypts them with the CA's private key. The
> result of this is our signed certificates. Remember that something
> encrypted with a private key can be decrypted with a public key. This
> means that if I give you my certificate (which was signed with the private
> key of the CA) you can decrypt it by using the CA's public key, and find
> the authentication strings that the CA added. You then decrypt your own
> certificate with the CA's public key, get the authentication strings, and
> compare it against mine. If these strings match it means that both our
> certificates were signed by the same CA, and the authentication is
> successful.
>
[Ajay] Understood
>
> The second case for PKI, which is outside of CA authentication, is if I
> want to encrypt something that only you can decrypt. In this case I
> encrypt the data using your public key, which means that it can only be
> decrypted with your private key. This is why PKI is considered
> asymmetrical because different keying material is used for the encryption
> vs. the decryption. This also means that something like the DH exchange
> isn't needed for PKI, because it doesn't matter who gets the public keys as
> long as the private keys stay secret.
>
[Ajay] Understood, in the Cisco IPsec implementation PKI is not used for
encryption/decryption, only for authentication, so DH is used even in PKI (for both
phase 1 and 2).
>
> Let me know if that answers your question.
>
>
Thank you very much ALL for taking time and helping me here.
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Ajay mehra
> Sent: Saturday, April 14, 2012 12:54 AM
> To: ccielab_at_groupstudy.com
> Subject: Ipsec encryption key when using digital certs
>
> Hi Guys,
>
> I understand that when using pre-shared keys, DH uses pre-shared keys to
> derive the shared secret key to encrypt/decrypt. Can I clarify how
> the secret key is derived using DH when using digital certs?
> In the case of digital certs, since we are generating a key pair locally, is
> the private key from this key pair used in the DH algo to generate a
> separate secret key? Of course the key pair is also meant to generate a
> digital cert request (authentication only).
>
>
> Regards,
> Ajay
>
>
> Blogs and organic groups at http://www.ccie.net
>
Received on Tue Apr 17 2012 - 12:13:20 ART
This archive was generated by hypermail 2.2.0 : Tue May 01 2012 - 08:20:45 ART
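The key derivation discussed in this thread, as an added example that is not part of the original messages: it follows the IKEv1 SKEYID formulas from RFC 2409 section 5 for pre-shared-key and signature authentication. The DH group here is a small constructed toy group, the prf is assumed to be HMAC-SHA256, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy DH group for illustration only (constructed; real IKE uses the
# standardized MODP/ECP groups).
P = 2**127 - 1
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC of the negotiated hash (SHA-256 assumed here)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2   # ephemeral private exponent
    return x, pow(G, x, P)

def skeyid(auth, ni, nr, g_xy, psk=None):
    """SKEYID per RFC 2409 section 5 for the two methods in the thread."""
    if auth == "psk":
        return prf(psk, ni + nr)       # PSK is the prf key; nonces are data
    if auth == "rsa-sig":
        return prf(ni + nr, g_xy)      # certificate key is not an input
    raise ValueError(auth)

def session_keys(auth, ni, nr, g_xy, cky_i, cky_r, psk=None):
    """Return (SKEYID_d, SKEYID_a, SKEYID_e); g^xy feeds all three."""
    root = skeyid(auth, ni, nr, g_xy, psk)
    tail = g_xy + cky_i + cky_r
    d = prf(root, tail + b"\x00")      # keying material for IPsec SAs
    a = prf(root, d + tail + b"\x01")  # authenticates ISAKMP messages
    e = prf(root, a + tail + b"\x02")  # encrypts ISAKMP messages
    return d, a, e

def demo(auth, psk=None):
    """Run one exchange with fresh values; return both peers' keys."""
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    init = session_keys(auth, ni, nr, to_bytes(pow(pub_r, xi, P)), cky_i, cky_r, psk)
    resp = session_keys(auth, ni, nr, to_bytes(pow(pub_i, xr, P)), cky_i, cky_r, psk)
    return init, resp
```

In both modes the DH shared secret g^xy enters SKEYID_d, SKEYID_a and SKEYID_e; with signature authentication the certificate's private key only signs the exchange hash and never appears in the derivation.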