[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Decrypting ID payload in Main Mode w/shared secrets
Yet another thought. How about an exchange ala New Group Mode that is
New ID_KEY_ID mode? Upon successful authentication using an identity of
ID_KEY_ID this can be used to associate a new ID_KEY_ID with an existing
pre-shared key. That way you don't use the same ID_KEY_ID every time and
whatever sort of identity traffic analysis you were imagining would be
impossible.
Yet another thought. After someone authenticates with an identity that's
an ID_KEY_ID have each side recompute a new ID_KEY_ID based upon the old
one: new-key-id = prf(SKEYID_d, old-key-id). This behavior could (should)
be protected by a vendor ID payload.
Dan.
On Tue, 27 Apr 1999 17:11:35 PDT you wrote
> RE: pre-shared key
>
> Another thought...
>
> How about we have the road-warrior send an ID_KEY_ID payload in the first Mai
>n
> Mode exchange containing a hash of the road-warrior's pre-shared key identity
>?
> That way, the gateway could determine which identity the road-warrior ought t
>o
> be using while preserving identity protection for the actual ID payloads...
>
> Derrell
>
>
References: