Re: Please kill preshared key.

["david chen" <ietf_davidchen@hotmail.com>]

Sounds like a good haker taget,
can you share with everyone which is this entity? :-)
--- David

----- Original Message ----- 
From: "Marcus D. Leech" <mleech@nortelnetworks.com>
To: "Jan Vilhuber" <vilhuber@cisco.com>
Cc: "Bill Sommerfeld" <sommerfeld@east.sun.com>; <ipsec@lists.tislabs.com>
Sent: Friday, December 07, 2001 11:20 AM
Subject: Re: Please kill preshared key.


> The current PSK methods in IKEv1 lead to some horrible, insecure hacks
> in real
>   implementations/deployments.
> 
> I know of at least one VPN/Road-Warrior implementation where the server
> uses
>   PSK to authenticate itself to a client--but it uses the SAME PSK for
> every
>   member of a "group", where groups are very large.  This means that
> anyone in
>   the group can pretend to be a server to any other member of the group.
>   This wouldn't happen in a self-signed PK-style pre-share.  The
>   client adds the PK self-signed pre-share to their "trusted" list, and
>   only the real server (possessor of the private key) can convince a
> client
>   of its authenticity.
> 
> If symmetric PSKs are kept, it had better be possible to do it right,
> and
>   rather hard to do it wrong.
>

---

References:

• Re: Please kill preshared key.
• From: Jan Vilhuber <vilhuber@cisco.com>
• Re: Please kill preshared key.
• From: "Marcus D. Leech" <mleech@nortelnetworks.com>

---

• Prev by Date: RE: Please save the pre-shared key mode
• Next by Date: RE: Son-of-IKE Selection Criteria?
• Prev by thread: Re: Please kill preshared key.
• Next by thread: Re: Please kill preshared key.
• Index(es):
  • Main
  • Thread