[dtn-security] Re(2): Key generation

Peter Lovell <plovell@mac.com> Wed, 15 July 2009 15:43 UTC

From: Peter Lovell <plovell@mac.com>
To: "Ivancic, William D. (GRC-RHN0)" <william.d.ivancic@nasa.gov>, Sushil Chaudhari <schaudhari@mzeal.com>, dtn-security@maillists.intel-research.net
Date: Wed, 15 Jul 2009 11:41:25 -0400

Hi Will,

in this case, "setkey" is part of a small command set that's included in

It doesn't support ciphersuites other than BA1 though.

Your suggestion to use openssl for key creation is good -- I recommend it too.


On Wed, Jul 15, 2009, Ivancic, William D. (GRC-RHN0)
<william.d.ivancic@nasa.gov> wrote:

>SETKEY is for IPsec and comes from IPsec tools.  So, SETKEY is for IP
>not DTN. But the concepts apply.
>Openssl is what you want.  Openssl can create all types of keys and
>For a quick tutorial on setting up a test Certificate Authority and
>associated keys, I recommend the Strongswan configuration guide. 
>Someone put a lot of time and money into Strongswan as the documentation
>is very good - better than most commercial systems IMHO.  I read this
>first then look at the appropriate Openssl man pages below, then run
>through the sample here.  After that, you should have a decent idea on
>what you may want to do with Openssl and certificates.
>Use Openssl to create keys.  Having used Openssl, I found the books
>rather limiting.  You may want to go online and use the manuals as
>there are lots of hyperlinks.
>>-----Original Message-----
>>From: dtn-security-bounces@maillists.intel-research.net [mailto:dtn-
>>security-bounces@maillists.intel-research.net] On Behalf Of Sushil
>>Sent: Tuesday, July 14, 2009 5:06 PM
>>To: dtn-security@maillists.intel-research.net
>>Subject: Re: [dtn-security] Key generation
>>There's setkey <host> <ciphersuite> <key> command used to set the key
>>for the specified host and ciphersuite.
>>What utility is used to produce the key?
>>If security policy is set to use "confidentiality block" and no external
>>key is provided, how does the key get generated by DTN2?