SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  HMAC

    Posted 04-26-2017 06:48

    During phase 2 HMAC is used as the authentication method, and HMAC appends a key to the data before hashing.

    How do the 2 peers agree on that key?



  • 2.  RE: HMAC

    Posted 04-26-2017 12:21

    Hi

     

    It comes from Diffie-Hellman exchange. DH allows two peers communicating over insecure medium to generate a secret key that only they know.

     

    However DH is vulnerable to man-in-the-middle attack, that's why either pre-shared key or certificates are needed to make sure you connect to the right peer...



  • 3.  RE: HMAC

    Posted 04-27-2017 09:17

    Any updates please?



  • 4.  RE: HMAC
    Best Answer

    Posted 04-27-2017 14:36

    That is correct. Not exactly the same key, but something that is calculated from it using some simple formula. If you take a look at RFC 2409 (IKEv1, https://tools.ietf.org/html/rfc2409) the original session key is called SKEYID and the derived keys are SKEYID_e (encryption), SKEYID_a (authentication = HMAC).
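    The derivation the reply points at, worked through as an added example (not code from the thread or from Juniper): RFC 2409 section 5 with pre-shared-key authentication, HMAC-SHA1 assumed as the negotiated prf, and constructed nonces, cookies and DH secret. It also applies the Appendix B expansion that stretches SKEYID_e when a cipher such as 3DES needs more key bits than the prf produces.

```python
import hmac
import hashlib

# IKEv1 phase 1 key derivation with pre-shared-key authentication (RFC 2409 sec. 5).
# prf is the negotiated keyed hash; HMAC-SHA1 is assumed here.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_phase1_keys(psk: bytes, ni: bytes, nr: bytes, g_xy: bytes,
                       cky_i: bytes, cky_r: bytes) -> dict:
    """Return SKEYID and the three keys derived from it.

    psk          pre-shared key; it authenticates the peers, DH alone cannot
    ni / nr      initiator and responder nonces (sent in the clear)
    g_xy         Diffie-Hellman shared secret (never on the wire)
    cky_i/cky_r  ISAKMP cookies from the header
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")   # phase 2 material
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # HMAC key
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # cipher key
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def expand_encryption_key(skeyid_e: bytes, key_len: int) -> bytes:
    """RFC 2409 Appendix B: K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), ...
    Needed when the cipher wants more bytes than the prf outputs,
    e.g. 3DES (24 bytes) with HMAC-SHA1 (20 bytes)."""
    if len(skeyid_e) >= key_len:
        return skeyid_e[:key_len]
    blocks = [prf(skeyid_e, b"\x00")]
    while sum(len(b) for b in blocks) < key_len:
        blocks.append(prf(skeyid_e, blocks[-1]))
    return b"".join(blocks)[:key_len]

# Constructed sample inputs (not real session values).
PSK = b"example-psk"
NI, NR = bytes(range(16)), bytes(range(16, 32))
G_XY = hashlib.sha256(b"constructed dh secret").digest()
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8

if __name__ == "__main__":
    keys = derive_phase1_keys(PSK, NI, NR, G_XY, CKY_I, CKY_R)
    for name, k in keys.items():
        print(f"{name:9} {k.hex()}")
    print("3DES key  " + expand_encryption_key(keys["SKEYID_e"], 24).hex())
```

    Both peers feed the same nonces, cookies, DH secret and PSK into the same formulas, so they end up with identical SKEYID_a and SKEYID_e without either key ever crossing the wire; a peer with the wrong PSK derives different keys and fails the phase 1 hash check.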



  • 5.  RE: HMAC

    Posted 04-27-2017 15:17

    Don't know how to thank you for the great explanation, I have understood what I was looking for.

    The article which you provided (https://tools.ietf.org/html/rfc2409) is very difficult to understand. I wish that one day I would find someone like you explaining phase 1 and phase 2 in detail.

     

    thx again for your help



  • 6.  RE: HMAC

    Posted 04-26-2017 15:01
    Thx for the reply.
    Please let me get this straight: so the session key created by the DH exchange is used as a key in the HMAC algorithm and as an encryption key in 3DES, for example?