@Wall-ED wrote:
dear all
I was wondering after studying jncis-sec ipsec chapter,
1- what is the use of deffie helman if we have already have a PSK?
2- the deffie helman exchange is public, anyone can sniff the packet and claim to be the other party and continue the process?
3- if the psk is compromised, anyone can claim to be the other party and exchange ipsec phase 2 packets?
4- whats the point of using 2 tunnels? If the IKE Phase 1 tunnel is secure and encrypted, why not encrypt data through it?
I'm sorry if my questions are long but the most important part I dont get is the use of DH and PSK and which key of each is used to encrypt actual data
thanks a lot in advance
1- what is the use of deffie helman if we have already have a PSK?
They are used for different purposes. The PSK is used for authentication, while DH is used for exchanging keys.
The key to this conumdrum is to get a very clear and good understanding of ALL the concepts. First lets understand Diffie-hellman. DH is a key exchange algorithm. Supposed you and I wanted to exchange information and encrypt it. We are distance apart and must agree on the encryption key safely. Do you think it is possible for both of us to just know what the encryption key is without telling each other what it is? I mean read my mind and we are both accurate? Okay, DH is kind of like that. DH allows both party to send a random number Publicly for all to see, but cannot compute how that number was generated. So both parties send a random odd/prime number and they compute and derive the encryption key without exchanging said key.
In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used...
This is te crucial part. How do you send this key securely and guarantee that no body can see this key? Email? USB, hand deliver?... pre-shared keys are held by both parties to the communication, and so can be compromised at one end, without the knowledge of anyone at the other..
(http://en.wikipedia.org/wiki/Pre-shared_key) They are rarely changed and being manual are prone to config errors.
2- the deffie helman exchange is public, anyone can sniff the packet and claim to be the other party and continue the process?
This is a great explanation of DH:
https://www.khanacademy.org/computing/computer-science/cryptography/modern-crypt/v/diffie-hellman-key-exchange-part-2
3- if the psk is compromised, anyone can claim to be the other party and exchange ipsec phase 2 packets?
Which is why we use all kinds methods such as PFS to prevent this compromise. Anyone getting a hold the PSK can decrypt the data.
PFS is for added security:
http://www.perfectforwardsecrecy.com/
The concept of Perfect Forward Secrecy (PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future. Online systems such as IPSEC can negotiate new keys for every communication and if a key is compromised only the specific session it protected will be revealed.
This is a must read as it gives a very good explanation PFS:
http://www.computerworld.com/article/2473792/encryption/perfect-forward-secrecy-can-block-the-nsa-from-secure-web-pages--but-no-one-uses-it.html
4- whats the point of using 2 tunnels? If the IKE Phase 1 tunnel is secure and encrypted, why not encrypt data through it?
Not sure which two tunnels you are referring to. There are two IPsec modes- Transport and Tunnel depending on whether the tunel is established between two gateways or between host behind the gateway.
There are two steps in setting the tunnel. Phase 1- First step is to create an encrypted tunnel. That is the tunnel. Phase 2- Next step is to determine what we are going to use to encrypt and send data in the tunnel. The data can be sent into the tunnel without encryption, but for added security, the data is encrypted before being sent into the tunnel.