Re: IPSEC Security Gateways & NAT
Derek, I have not seen Radia's paper so I can't comment on it.
However, what you say here:
> Think about the process this way:
>
> 1) Compute a key agreement using DH
> 2) Encrypt the identities in the agreed-upon key
> 3) Authenticate step 1 (and 2) using the shared secret with the
> peer (now that you know the identity).
is indeed a good explanation of the rationale for the change to pre-shared
mode I suggested in a previous message.
This is why I changed SKEYID_e to depend on g^xy only but left the
HASH_I/R computations to depend on the preshared key (SKEYID).
Hugo
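
The three steps quoted above, as an added sketch that is not part of the original message: the responder decrypts the identity with a key derived from g^xy alone, then uses that identity to select the pre-shared key and verify HASH_I. The exact formulas of the proposal are not given in this message, so the derivations, the toy prime, the HMAC-SHA256 prf, the XOR keystream standing in for the negotiated cipher, and all function names are assumptions.

```python
import hashlib, hmac, secrets

P = 2**127 - 1  # toy prime, assumption for illustration; not a real IKE group
G = 3

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in for the negotiated cipher (assumption): prf-derived keystream.
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def initiator_msg(identity, psk, x, gy, nonces, exchange):
    gxy = to_bytes(pow(gy, x, P))               # step 1: DH key agreement
    skeyid_e = prf(nonces, gxy)                 # step 2: key from g^xy only (assumed form)
    skeyid = prf(psk, nonces)                   # SKEYID still bound to the pre-shared key
    hash_i = prf(skeyid, exchange + identity)   # step 3: authenticates steps 1 and 2
    return xor_stream(skeyid_e, identity + hash_i)

def responder_check(ciphertext, psk_table, y, gx, nonces, exchange):
    gxy = to_bytes(pow(gx, y, P))
    plain = xor_stream(prf(nonces, gxy), ciphertext)  # no pre-shared key needed yet
    identity, hash_i = plain[:-32], plain[-32:]
    psk = psk_table.get(identity)               # key chosen by identity, not source IP
    if psk is None:
        return None
    expected = prf(prf(psk, nonces), exchange + identity)
    return identity if hmac.compare_digest(hash_i, expected) else None

def demo(claimed_psk=b"correct horse"):
    psk_table = {b"alice@example.org": b"correct horse"}  # constructed sample data
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    nonces = secrets.token_bytes(32)
    exchange = to_bytes(gx) + to_bytes(gy)
    msg = initiator_msg(b"alice@example.org", claimed_psk, x, gy, nonces, exchange)
    return responder_check(msg, psk_table, y, gx, nonces, exchange)

if __name__ == "__main__":
    print(demo(), demo(b"wrong key"))
```

Until HASH_I verifies, the Diffie-Hellman exchange is unauthenticated, so in this ordering the identity is hidden from passive eavesdroppers only.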