
RE: Please save the pre-shared key mode



On Fri, 7 Dec 2001, Alex Alten wrote:

> And "setup" better include:
> 1. Key generation
> 2. Key distribution (in a trustworthy manner)
> 3. Key performance during the initial authentication of the session.
> 
> Given these, PSK beats PK on #1 and #3 hands down.
> They are the same for #2.
> 
Re #1: Actually, you stand a better chance of having a device generate a
*good* RSA keypair, than coming up with a *good* pre-shared symmetric key by
yourself (most people don't like machine generated random pre-shared keys).
Most users pick dictionary words, so I'd say PK beats symmetric keys by a
long shot. It may TAKE longer (in terms of processing power), but you're
going to be more secure. But processing time doesn't mean a thing for key
generation as it's a one-time thing, and not per-connection-setup.

If #3 is a real concern, consider KINK...

jan


> - Alex
> 
> At 11:33 AM 12/7/2001 -0800, Michael Choung Shieh wrote:
> >
> >How about someone unwrap the myth.  I don't care if it's PK or PSK as long
> >as we can set it up as easy as setup PSK in IKE v1.
> >
> >Can someone show step-by-step procedure to set up PK?  In a typical
> >scenario, the HQ sys admin sets up vpn and sends config to his unknowledged
> >remote office peer to download to remote device.  How do we do it when using
> >PK without using PKI?
> >
> >Let's prove if it's as easy as setting up PSK.
> >
> >--------------------------------------------
> >Michael Shieh
> >NetScreen Technologies, Inc
> >350 Oakmead Parkway
> >Sunnyvale, CA 94085
> >TEL: (408)730-6060
> >FAX: (408)730-6050
> >Email:  mshieh@netscreen.com
> >--------------------------------------------
> >
> >-----Original Message-----
> >From: Henry Spencer [mailto:henry@spsystems.net]
> >Sent: Friday, December 07, 2001 10:34 AM
> >To: Wang, Cliff
> >Cc: ipsec@lists.tislabs.com
> >Subject: RE: Please save the pre-shared key mode
> >
> >
> >On Fri, 7 Dec 2001, Wang, Cliff wrote:
> >>>> other hand, PSK based IKE and PKI based IKE has been the main way people
> >>>> deploying VPN. Under that context, PSK is simpler to run than PKI.   
> >>> I think that's the myth Dan was talking about.
> >>
> >> From the operation point of view, PSK is quick and easy to set up service.
> >> It works and customers are happy. It is more real than a myth.
> >
> >The myth being referred to is the notion that PSK is somehow unique in
> >being quick and easy to set up, because public keys absolutely require
> >PKI.  That's wrong.  It is just as quick and easy to set up with preshared
> >*public* keys.  You don't need a PKI to use public keys. 
> >
> >                                                          Henry Spencer
> >                                                       henry@spsystems.net
> >
> >
> --
> 
> Alex Alten
> Alten@Home.Com
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
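
Added example, not part of the original message or thread: a sketch of the key-generation point under #1, comparing a machine-generated pre-shared key with a dictionary-derived one by estimated guessing entropy. The sample wordlist, the 100,000-word dictionary size, the 128-bit minimum and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed sample; a real audit would load a full dictionary file.
SAMPLE_WORDLIST = {"password", "secret", "dragon", "monkey", "letmein", "vpn"}
DECORATIONS = string.digits + string.punctuation   # 42 symbols
HEX = set("0123456789abcdef")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_psk(nbytes=32):
    """Machine-generated PSK: nbytes from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(nbytes)


def alphabet_size(psk):
    """Size of the smallest common alphabet that covers every character."""
    if set(psk) <= HEX:
        return 16
    size = sum(len(c) for c in CLASSES if set(psk) & set(c))
    # Characters outside the four ASCII classes are counted individually.
    return size + len(set(psk) - set("".join(CLASSES)))


def estimated_bits(psk, wordlist=SAMPLE_WORDLIST, dictionary_size=100_000):
    """Rough estimate of guessing entropy in bits (assumed attacker model)."""
    if not psk:
        return 0.0
    base = psk.lower().rstrip(DECORATIONS)
    if base in wordlist:
        # Dictionary word, two capitalisations, any digit/punctuation suffix.
        suffix_len = len(psk) - len(base)
        return math.log2(dictionary_size * 2 * len(DECORATIONS) ** suffix_len)
    # Otherwise assume every character was drawn uniformly at random.
    return len(psk) * math.log2(alphabet_size(psk))


def acceptable(psk, min_bits=128):
    """True if the key meets the (assumed) minimum strength policy."""
    return estimated_bits(psk) >= min_bits
```

Under these assumptions a key such as "Dragon2001" scores under 40 bits, while the 32-byte generated key scores 256.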


