Re: IKE/Racoon

From: Shoichi Sakane (sakane@kame.net)
Date: 07/25/01


To: ewancarr@yahoo.com
Date: Wed, 25 Jul 2001 20:11:05 +0900
From: Shoichi Sakane <sakane@kame.net>

ipsec wg's mailing list is suitable for asking this question.

> What I dont understand is why for the pre-shared
> key method of authentication you need to generate
> this additional diffe hellman shared key. Does this
> actually happen or is the 'formula' above just
> confusing..

pre-shared key is just the one of material for authentication.
IKE daemon mixes it with the shared secret of DH. the shared secret
of DH is generated in each phase 1 exchange. so the mixing of them
makes the decipherment attack difficult.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message