
Re: On shared keys



On Wed, 28 Nov 2001, Tylor Allison wrote:
 > On Tue, 27 Nov 2001, Ricky Charlet wrote:
 > > 	I think that we should do a PSK authentication method because it would
 > > be useful.
 > 
 > I agree with you Ricky ...  IMO, if we leave out PSK authentication from
 > SOI, then we are not addressing the needs of the marketplace.  First, as
 > others have pointed out, for site-to-site VPNs, PSK seems to be the
 > de facto standard.  Why?  Because they are simple to set up/manage and they
 > work (interoperable implementations).  Can the new SOI standard be used to
 >[...]

In an earlier mail I pointed out another alternative that
I think would work for site-to-site setups:  let the key
exchange protocol support only RSA, and generate RSA keypairs
deterministically from the pre-shared secret.

In essence, you take the pre-shared secret, create a PRNG out of
the secret using a hash function, and then use a deterministic
RSA keypair generator to create the keypair.  Both communicating
hosts use the same pre-shared secret, and thus end up with the
same RSA keypair.

Thus, no PSK support in the key exchange, but the same simple
administration.

-Sami
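
The scheme described in the message above, as an added example that is not part of the original post: a hash-based PRNG seeded by the pre-shared secret drives a deterministic RSA key generator, so two hosts configured with the same secret derive the same keypair. SHA-256 in counter mode, the Miller-Rabin prime search, the exponent 65537 and all names (`HashPRNG`, `derive_keypair`) are assumptions of this sketch.

```python
import hashlib

E = 65537  # public exponent (assumption; the post does not name one)

class HashPRNG:
    """Byte stream from SHA-256 in counter mode, seeded by the shared secret."""
    def __init__(self, secret: bytes):
        self.seed, self.ctr = hashlib.sha256(secret).digest(), 0
    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.seed + self.ctr.to_bytes(8, "big")).digest()
            self.ctr += 1
        return out[:n]

def is_probable_prime(n: int, prng: HashPRNG, rounds: int = 40) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        # Miller-Rabin witnesses also come from the PRNG, so both hosts agree.
        a = 2 + int.from_bytes(prng.read(n.bit_length() // 8 + 8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(prng: HashPRNG, bits: int) -> int:
    while True:
        c = int.from_bytes(prng.read(bits // 8), "big")
        c |= (0b11 << (bits - 2)) | 1      # force full length and oddness
        if c % E != 1 and is_probable_prime(c, prng):
            return c                       # c % E != 1 keeps E invertible

def derive_keypair(secret: bytes, bits: int = 2048):
    prng = HashPRNG(secret)
    p = q = next_prime(prng, bits // 2)
    while q == p:
        q = next_prime(prng, bits // 2)
    d = pow(E, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (p * q, E), d
```

Because the keypair is a pure function of the secret, its strength is bounded by the secret's entropy, and both hosts hold the same private key, so RSA here authenticates "a holder of the secret" exactly as a PSK would.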



