
Re: Decrypting ID payload in Main Mode w/shared secrets



  Yet another thought. How about an exchange à la New Group Mode that is
New ID_KEY_ID mode? Upon successful authentication using an identity of 
ID_KEY_ID this can be used to associate a new ID_KEY_ID with an existing 
pre-shared key. That way you don't use the same ID_KEY_ID every time and 
whatever sort of identity traffic analysis you were imagining would be 
impossible. 

  Yet another thought. After someone authenticates with an identity that's
an ID_KEY_ID have each side recompute a new ID_KEY_ID based upon the old
one: new-key-id = prf(SKEYID_d, old-key-id). This behavior could (should)
be protected by a vendor ID payload. 

  Dan.

On Tue, 27 Apr 1999 17:11:35 PDT you wrote
> RE: pre-shared key
> 
> Another thought...
> 
> How about we have the road-warrior send an ID_KEY_ID payload in the first Main
> Mode exchange containing a hash of the road-warrior's pre-shared key identity?
> That way, the gateway could determine which identity the road-warrior ought to
> be using while preserving identity protection for the actual ID payloads...
> 
> Derrell
> 
> 
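
An added sketch, not part of the original messages or of any IKE implementation, of the two ideas in this thread: the first ID_KEY_ID is a hash of the pre-shared key identity, and after each successful authentication both sides replace it with prf(SKEYID_d, old-key-id). Assumptions: the prf is HMAC-SHA1, the hash is SHA-1, the `Gateway` class and `simulate` function are hypothetical, and SKEYID_d is a constructed stand-in for the value each negotiation would derive.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """Assumption: the negotiated IKE prf is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def initial_key_id(identity: bytes) -> bytes:
    """First ID_KEY_ID: a hash of the pre-shared key identity (SHA-1 assumed)."""
    return hashlib.sha1(identity).digest()

def roll_key_id(skeyid_d: bytes, old_key_id: bytes) -> bytes:
    """new-key-id = prf(SKEYID_d, old-key-id)"""
    return prf(skeyid_d, old_key_id)

class Gateway:
    """Hypothetical gateway table: current ID_KEY_ID -> (identity, pre-shared key)."""
    def __init__(self):
        self.by_key_id = {}

    def enroll(self, identity: bytes, psk: bytes) -> None:
        self.by_key_id[initial_key_id(identity)] = (identity, psk)

    def lookup(self, key_id: bytes):
        # Selects the pre-shared key before the real ID payload can be decrypted.
        return self.by_key_id.get(key_id)

    def roll(self, old_key_id: bytes, skeyid_d: bytes) -> None:
        # Called only after the peer has authenticated under old_key_id.
        entry = self.by_key_id.pop(old_key_id)
        self.by_key_id[roll_key_id(skeyid_d, old_key_id)] = entry

def simulate(sessions: int = 3):
    """Run several negotiations; return the ID_KEY_IDs an observer would see."""
    identity, psk = b"roadwarrior@example.com", b"constructed-psk"  # constructed
    gw = Gateway()
    gw.enroll(identity, psk)
    client_key_id = initial_key_id(identity)
    on_wire = []
    for n in range(sessions):
        on_wire.append(client_key_id)
        assert gw.lookup(client_key_id) == (identity, psk)
        # Constructed stand-in for this negotiation's SKEYID_d (known to both sides).
        skeyid_d = hashlib.sha1(b"constructed SKEYID_d %d" % n).digest()
        gw.roll(client_key_id, skeyid_d)
        client_key_id = roll_key_id(skeyid_d, client_key_id)
    return on_wire, gw, client_key_id
```

The sketch keeps only one current key-id per peer, so if one side rolls and the other does not (for example, the final message is lost), the next lookup fails.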

