Re: [IPsec] Fw: Preshared key authentication in IKEv2
"Valery Smyslov" <svanru@gmail.com> Mon, 02 November 2009 14:40 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 5C0413A6885 for <ipsec@core3.amsl.com>;
Mon, 2 Nov 2009 06:40:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.627
X-Spam-Level:
X-Spam-Status: No, score=-0.627 tagged_above=-999 required=5 tests=[AWL=-1.000,
BAYES_20=-0.74, J_CHICKENPOX_36=0.6, XMAILER_MIMEOLE_OL_7533E=0.513]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ots8bUW9SrGD for
<ipsec@core3.amsl.com>; Mon, 2 Nov 2009 06:40:32 -0800 (PST)
Received: from mail-ew0-f218.google.com (mail-ew0-f218.google.com
[209.85.219.218]) by core3.amsl.com (Postfix) with ESMTP id D1E2F3A6817 for
<ipsec@ietf.org>; Mon, 2 Nov 2009 06:40:31 -0800 (PST)
Received: by ewy18 with SMTP id 18so4451792ewy.43 for <ipsec@ietf.org>;
Mon, 02 Nov 2009 06:40:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=domainkey-signature:received:received:message-id:from:to:cc
:references:subject:date:mime-version:content-type
:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer :x-mimeole;
bh=tP48V8DYFx+4tWHYDeeq01mIRHx6ga4rvuy+q0Ep9xg=;
b=Y99/dg1FMwAm1dzBxUOidtGrT4S366DFxSsZyCa4eqBaoVP6+vmp5Rjdi9cNIBSB60
da+rjxqaMfc26J4csLpe/SlDjvSVTIDBL3jSSLWKmG4NKvb07vcKvmyQW6vTmDrTnFy2
6B2w9NNHb+gx/OW8Cgrj9VDOCWyquraEztD/o=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
h=message-id:from:to:cc:references:subject:date:mime-version
:content-type:content-transfer-encoding:x-priority:x-msmail-priority
:x-mailer:x-mimeole;
b=MUixWhA8y31JRivBw7+/LJHKSwD8F2grd2WcMrUzNe8nCSDk3KW4gUchQJUCP2ewNr
NsIPf/wFqVAjU5Uf49gSwiUp1u4BSaPbrAiVX+T77++LcqGT5ZfBKzQJK24XyvPiFgLS
shwBG1GGU/GDz9EGYBSL0Gea2L7WxjDHqE0ws=
Received: by 10.216.93.6 with SMTP id k6mr4731834wef.89.1257172846980;
Mon, 02 Nov 2009 06:40:46 -0800 (PST)
Received: from svanpc ([82.138.51.4]) by mx.google.com with ESMTPS id
10sm15368657eyz.43.2009.11.02.06.40.44 (version=SSLv3 cipher=RC4-MD5);
Mon, 02 Nov 2009 06:40:45 -0800 (PST)
Message-ID: <1A567F18E9E144989D2F06830DB24CC6@trustworks.com>
From: "Valery Smyslov" <svanru@gmail.com>
To: "Tero Kivinen" <kivinen@iki.fi>, "Paul Hoffman" <paul.hoffman@vpnc.org>
References: <82DFB96E88E54DE98E9B6B5F766C3EB8@trustworks.com><p06240896c710cc6eae34@[10.20.30.158]>
<19182.59664.628328.76563@fireball.kivinen.iki.fi>
Date: Mon, 2 Nov 2009 17:40:57 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4963.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Fw: Preshared key authentication in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>,
<mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>,
<mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2009 14:40:33 -0000
Hi Paul and Tero, thank you for your answers. > > The PRF (or set of PRFs) is known by the receiving party. If the two > > parties always only use one PRF, it is known. The padding is not a > > universal solution for the reasons you give, but it works in the > > common case of peers who know each other's crypto choices. > > As Paul said recipient knows which algorithms it support, and it can Sometimes it doesn't. I refer to implementations with pluggable crypto, when crypto providers are separated from IKE implementation and can be added/removed later. > store the pre-shared key using all of those algoritms to its database. > I.e. if it supports PRF_HMAC_SHA1, and PRF_AES128_XCBC then it needs > to calculate the PRF(Shared Secret, "Key Pad for IKEv2") using those > two PRFs and store both of the results to its authentication database. With this approach in case of pluggable crypto user must re-enter shared secret after any change in crypto configuration. It's not a big deal, just a bit inconvinient... Regards, Smyslov Valery.
- [IPsec] Fw: Preshared key authentication in IKEv2 Valery Smyslov
- Re: [IPsec] Fw: Preshared key authentication in... Paul Hoffman
- Re: [IPsec] Fw: Preshared key authentication in... Tero Kivinen
- Re: [IPsec] Fw: Preshared key authentication in... Valery Smyslov
- Re: [IPsec] Fw: Preshared key authentication in... Tero Kivinen