TOPIC: Ughh.. Question about key generation methods

Ughh.. Question about key generation methods 6 years 8 months ago #33989

FlipRich, Distinguished Member, Posts: 80, Karma: 0
Consider this ISAKMP policy:

Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

Well, just the default suite. The authentication method is RSA, so that is what's used to create the keys for encryption, right?

If RSA is being used, does the Diffie-Hellman option not matter? RSA has its own algorithm to calculate an encryption key, so Diffie-Hellman isn't needed, right?

Or am I completely confused on this?
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL

Re: Ughh.. Question about key generation methods 6 years 8 months ago #33993

Perlhack, Frequent Member, Posts: 49, Karma: 0
ISAKMP is used to authenticate the remote peers, and Diffie-Hellman provides the framework to have a shared secret flow across a public medium. This is part of IPsec Phase I, and no data plane encryption takes place in this phase. IPsec Phase II is when encryption takes place.

Diffie-Hellman would matter with RSA signatures or any other Phase I authentication method. It provides the framework for the symmetric IPsec keys to be shared.

Re: Ughh.. Question about key generation methods 6 years 8 months ago #33995

FlipRich, Distinguished Member, Posts: 80, Karma: 0
> ISAKMP is used to authenticate the remote peers and diffie hellman provides the framework to have a shared secret flow across a public medium.

I thought it was the hash method, SHA, that is used to authenticate peers at Phase 1.

> This is part of the IPSEC-phase I and no data plane encryption takes place in this phase. IPSEC Phase II is when encryption takes place.

I understand that no encryption is going on at Phase 1, but the credentials for Phase 2 are being exchanged, aren't they? That's why an encryption method is specified in the policy. I think?
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL

Re: Ughh.. Question about key generation methods 6 years 8 months ago #33999

Perlhack, Frequent Member, Posts: 49, Karma: 0
There are three options to authenticate peers in Phase I:
1811(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature

The SHA hash is to authenticate the packet.

Public key cryptography takes place in Phase I, very different from the symmetric key encryption provided by IPsec. Example using peers Bob and Alice.

1. Mod is prime = 199. g = 43 is a primitive root mod 199.
2. Primitive root means that if g is a primitive root (mod n), then (g ** powerof) % mod = 1.

Public values are mod = 199 and g = 43
Alice's secret: 588 | Bob's secret: 298
Alice sends Bob: 106 = 43 ** 588 % 199 | Bob sends Alice: 43 = 43 ** 298 % 199
Alice computes: 106 = 43 ** 588 % 199 | Bob computes: 106 = 106 ** 298 % 199
Alice computes 106 | Bob computes 106

The credentials are being exchanged in Phase I. The crypto isakmp policy has to have matching encryption and hash functions for Phase I to complete, but it has nothing to do with data plane encryption. IPsec Phase II data plane encryption is provisioned on the transform-set line in IOS.
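A runnable version of the toy exchange above, added here as an example and not part of the thread: it uses the post's public values p = 199, g = 43 and the two secrets 588 and 298, confirms both sides derive the same value, and also computes the multiplicative order of g, which is what step 2 is getting at (a primitive root must have order exactly p - 1, so every element of the group is reachable).

```python
# Added example: textbook Diffie-Hellman with the post's toy parameters (p = 199, g = 43).
# Real IKE uses 1024-bit+ moduli; these tiny numbers are only for following the arithmetic.

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def multiplicative_order(g, p):
    """Smallest k >= 1 with g**k % p == 1 (p prime, 1 <= g < p)."""
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k

def is_primitive_root(g, p):
    """g generates all of Z_p^* iff g**((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def dh_exchange(p, g, a, b):
    """Return (A, B, secret_alice, secret_bob) for private exponents a (Alice) and b (Bob)."""
    A = pow(g, a, p)   # Alice -> Bob, over the public medium
    B = pow(g, b, p)   # Bob -> Alice, over the public medium
    return A, B, pow(B, a, p), pow(A, b, p)   # each side raises the other's value to its own secret

P, G = 199, 43                   # public values from the post
A_SECRET, B_SECRET = 588, 298    # the post's toy private values

if __name__ == "__main__":
    A, B, ka, kb = dh_exchange(P, G, A_SECRET, B_SECRET)
    print(f"Alice sends {A}, Bob sends {B}; shared secret {ka} == {kb}: {ka == kb}")
    print(f"order of g = {multiplicative_order(G, P)} (p-1 = {P - 1}); "
          f"primitive root: {is_primitive_root(G, P)}")
```

Only the public values A and B cross the wire; the private exponents never do, which is why this is what lets the peers agree on symmetric key material without ever sending it.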

Re: Ughh.. Question about key generation methods 6 years 8 months ago #34001

FlipRich, Distinguished Member, Posts: 80, Karma: 0
> There are three options to authenticate peers in Phase I:
> 1811(config-isakmp)#authentication ?
> pre-share Pre-Shared Key
> rsa-encr Rivest-Shamir-Adleman Encryption
> rsa-sig Rivest-Shamir-Adleman Signature

Oh OK, so RSA would only be used for peer authentication. OK, I'm straight on that. However, that brings me back to my original question.

What is Diffie-Hellman used for? I know what it is and how the algorithm calculates keys, but I don't know what its purpose in Phase 1 is.

> The SHA hash is to authenticate the packet.

Is this authentication for just Phase 1 traffic or both?
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL

Re: Ughh.. Question about key generation methods 6 years 8 months ago #34013

Perlhack, Frequent Member, Posts: 49, Karma: 0
DH is used so the IPsec symmetric keys can be exchanged between the peers.

Packet authentication for Phase I is in the crypto isakmp policy; Phase II is defined in the transform-set.