Re: On shared keys
On Wed, 28 Nov 2001, Tylor Allison wrote:
> On Tue, 27 Nov 2001, Ricky Charlet wrote:
> > I think that we should do a PSK authentication method because it would
> > be useful.
>
> I agree with you Ricky ... IMO, if we leave out PSK authentication from
> SOI, then we are not addressing the needs of the marketplace. First, as
> others have pointed out, for site-to-site VPNs, PSK seems to be the
> de-facto standard. Why? Because they are simple to set up/manage and they
> work (interoperable implementations). Can the new SOI standard be used to
>[...]
In an earlier mail I pointed out another alternative that
I think would work for site-to-site setups: let the key
exchange protocol support only RSA, and generate RSA keypairs
deterministically from the pre-shared secret.
In essence, you take the pre-shared secret, create a PRNG out of
the secret using a hash function, and then use a deterministic
RSA keypair generator to create the keypair. Both communicating
hosts use the same pre-shared secret, and thus end up with the
same RSA keypair.
Thus, no PSK support in the key exchange, but the same simple
administration.
-Sami
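The construction described in this mail, written out as an added example for this page (it is not code from the list discussion or from any SOI/IKE implementation). It assumes one concrete shape for the pieces the mail leaves open: the "PRNG built from the secret with a hash function" is HMAC-SHA256 in counter mode, the deterministic keypair generator draws every random value (prime candidates and Miller-Rabin witnesses) from that stream, the public exponent is fixed at 65537, and the modulus is 512 bits so the example runs quickly.

```python
import hashlib
import hmac
import math

# Fixed public exponent so both hosts agree on it without negotiation (assumption).
PUBLIC_EXPONENT = 65537

# Small primes for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97]


class HashDRBG:
    """Deterministic byte stream seeded from the pre-shared secret.

    Built here as HMAC-SHA256 in counter mode (an assumption of this example):
    the same secret and label always produce the same stream.
    """

    def __init__(self, secret: bytes, label: bytes = b"psk-derived-rsa"):
        # Domain-separate the seed so the same PSK used elsewhere gives a different stream.
        self.key = hashlib.sha256(label + b"\x00" + secret).digest()
        self.counter = 0

    def get_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        return out[:n]

    def get_int(self, bits: int) -> int:
        raw = int.from_bytes(self.get_bytes((bits + 7) // 8), "big")
        return raw & ((1 << bits) - 1)


def is_probable_prime(n: int, drbg: HashDRBG, rounds: int = 32) -> bool:
    """Miller-Rabin; witnesses come from the DRBG so both hosts run the identical test."""
    if n < 2:
        return False
    for p in [2] + SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + drbg.get_int(n.bit_length()) % (n - 3)  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, drbg: HashDRBG) -> int:
    """Draw odd candidates of exactly `bits` bits from the stream until one is prime."""
    while True:
        cand = drbg.get_int(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, drbg):
            return cand


def derive_rsa_keypair(psk: bytes, modulus_bits: int = 512) -> dict:
    """Both ends call this with the same PSK and obtain the same (n, e, d).

    512 bits is a demonstration size chosen so the example runs in well under a
    second; a deployment would use a current size (2048 bits or more).
    """
    drbg = HashDRBG(psk)
    half = modulus_bits // 2
    while True:
        p = gen_prime(half, drbg)
        q = gen_prime(half, drbg)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(PUBLIC_EXPONENT, phi) == 1:
            break
    return {"n": p * q, "e": PUBLIC_EXPONENT, "d": pow(PUBLIC_EXPONENT, -1, phi)}


def sign(key: dict, message: bytes) -> int:
    """Textbook RSA over SHA-256, only to show the derived key is usable;
    a protocol would apply a proper signature padding scheme."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, key["d"], key["n"])


def verify(key: dict, message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, key["e"], key["n"]) == h


if __name__ == "__main__":
    # Constructed sample secret: two "hosts" each derive from the same PSK.
    psk = b"example-site-to-site-secret"
    host_a = derive_rsa_keypair(psk)
    host_b = derive_rsa_keypair(psk)
    print("same keypair on both hosts:", host_a == host_b)
    sig = sign(host_a, b"payload")
    print("A's signature verifies with B's copy:", verify(host_b, b"payload", sig))
```

Two practical points follow from the construction. First, interoperability rests on every step being bit-identical on both hosts: the DRBG, the candidate selection, the primality test and the rejection rules all have to match, or the two ends silently derive different keys; that is a tighter specification burden than a PSK field in the exchange. Second, the derived private key carries no more entropy than the pre-shared secret it came from, and since both hosts hold the same private key it functions as a shared secret rather than as a per-host identity.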