Re: [dtn-security] Key generation

"Ivancic, William D. (GRC-RHN0)" <> Wed, 15 July 2009 12:28 UTC

Received: from ( []) by (8.13.8/8.13.8) with ESMTP id n6FCSha8001160 for <>; Wed, 15 Jul 2009 05:28:43 -0700
Received: from ( []) by (Postfix) with ESMTP id D7F692D82F5; Wed, 15 Jul 2009 07:27:11 -0500 (CDT)
Received: from ( []) by (8.14.3/8.14.3) with ESMTP id n6FCRCp1024466; Wed, 15 Jul 2009 07:27:12 -0500
Received: from ([]) by ([]) with mapi; Wed, 15 Jul 2009 07:27:11 -0500
From: "Ivancic, William D. (GRC-RHN0)" <>
To: Sushil Chaudhari <>, "" <>
Date: Wed, 15 Jul 2009 07:27:08 -0500
Thread-Topic: [dtn-security] Key generation
Thread-Index: AcoExy3xLI6/+mVqQ6OPJsUGYqeR7AAfrgdg
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.7400:2.4.4, 1.2.40, 4.0.166 definitions=2009-07-15_04:2009-07-03, 2009-07-15, 2009-07-15 signatures=0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by id n6FCSha8001160
Subject: Re: [dtn-security] Key generation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DTN Security Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Jul 2009 12:28:44 -0000

SETKEY is for IPsec and comes from IPsec tools.  So, SETKEY is for IP not DTN. But the concepts apply.

Openssl is what you want.  Openssl can create all types of keys and certificates.

For a quick tutorial on setting up a test Certificate Authority and associated keys, I recommend the Strongswan configuration guide.  Someone put a lot of time and money into Strongswan as the documentation is very good - better than most commercial system IMHO.  I read this first then look at the appropriate Openssl man pages below, then run through the sample here.  After that, you should have a decent idea on what you may want to do with Openssl and certificates.

Use Openssl to create keys.  Having used Openssl, I found the books rather limiting.  You may want to  go online and use the manuals as there are lots of hyperlinks.


>-----Original Message-----
>From: [mailto:dtn-
>] On Behalf Of Sushil
>Sent: Tuesday, July 14, 2009 5:06 PM
>Subject: Re: [dtn-security] Key generation
>There’s setkey <host> <siphersuite> <key> command used to set the key
>for the specified host and ciphersuite.
>What utility is used to produce the key?
>If security policy is set to use “confidentiality block” and no external
>key is provided, how’s the key get generated by DTN2?
>dtn-security mailing list