topic Deffie Hellman key exchange question in Network Security https://community.cisco.com/t5/network-security/deffie-hellman-key-exchange-question/m-p/4124888#M1072277 <P>Hello,</P><P>I understand that DH is used to generate a symmetric key over a unsecure channel, it is needed to send algorithm over a unsecure channel.</P><P>&nbsp;</P><P>Below is my question:</P><P>R1------Internet------R2</P><P>&nbsp;</P><P>For eg R1 &amp; R2 negotiate on pre-defined key <STRONG>10.</STRONG></P><P>Then <STRONG>R1</STRONG> generate random <STRONG>secret number 5</STRONG>(this will not be disclosed and it generated based on group number for eg group2, group5)</P><P>Now <STRONG>addition of pre-define key</STRONG> <STRONG>10</STRONG> <STRONG>and random secret no</STRONG> <STRONG>5</STRONG> =<STRONG>&nbsp;15</STRONG>--&gt;this key is shared to R2</P><P>&nbsp;</P><P>R2 does same thing, <STRONG>addition of pre-define 10 and here random secret 15=25</STRONG>--&gt;shares with R1.</P><P>Now when R1 will say whetever no i have received from R2, i will add my secret number to that.</P><P>i.e <STRONG>25+5=30--&gt;</STRONG>From this number they generate encryption &amp; hashing algorithm</P><P>&nbsp;</P><P>R2 does same process and gets same number i.e 30.</P><P>&nbsp;</P><P><STRONG>Question here is in my vpn configuration i haven't defined any pre-share no. How does R1 &amp; R2 negotites on number 10 ?</STRONG></P><P>&nbsp;</P><P>crypto isakmp policy 1</P><P>authentication pre-share----&gt;only used for authentication</P><P>hash md5</P><P>encryption 3des</P><P>group 2</P><P>crypto isakmp key cisco 123 address 192.1.23.3</P><P>&nbsp;</P><P>Phase 2</P><P>crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac</P><P>&nbsp;</P><P>access-list 101 permit ip 10.1.1.0&nbsp; 0.0.0.255 10.3.3.0&nbsp; 0.0.0.255</P><P>&nbsp;</P><P>Crypto map CMAP 10 ipsec-isakmp</P><P>set peer 192.1.23.3</P><P>set transform-set TSET1</P><P>match address 101</P><P>&nbsp;</P><P>int e0/0</P><P>crypto map CMAP</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Nick</P> Fri, 24 Jul 2020 10:18:04 GMT 23nick 2020-07-24T10:18:04Z Deffie Hellman key exchange question https://community.cisco.com/t5/network-security/deffie-hellman-key-exchange-question/m-p/4124888#M1072277 <P>Hello,</P><P>I understand that DH is used to generate a symmetric key over a unsecure channel, it is needed to send algorithm over a unsecure channel.</P><P>&nbsp;</P><P>Below is my question:</P><P>R1------Internet------R2</P><P>&nbsp;</P><P>For eg R1 &amp; R2 negotiate on pre-defined key <STRONG>10.</STRONG></P><P>Then <STRONG>R1</STRONG> generate random <STRONG>secret number 5</STRONG>(this will not be disclosed and it generated based on group number for eg group2, group5)</P><P>Now <STRONG>addition of pre-define key</STRONG> <STRONG>10</STRONG> <STRONG>and random secret no</STRONG> <STRONG>5</STRONG> =<STRONG>&nbsp;15</STRONG>--&gt;this key is shared to R2</P><P>&nbsp;</P><P>R2 does same thing, <STRONG>addition of pre-define 10 and here random secret 15=25</STRONG>--&gt;shares with R1.</P><P>Now when R1 will say whetever no i have received from R2, i will add my secret number to that.</P><P>i.e <STRONG>25+5=30--&gt;</STRONG>From this number they generate encryption &amp; hashing algorithm</P><P>&nbsp;</P><P>R2 does same process and gets same number i.e 30.</P><P>&nbsp;</P><P><STRONG>Question here is in my vpn configuration i haven't defined any pre-share no. How does R1 &amp; R2 negotites on number 10 ?</STRONG></P><P>&nbsp;</P><P>crypto isakmp policy 1</P><P>authentication pre-share----&gt;only used for authentication</P><P>hash md5</P><P>encryption 3des</P><P>group 2</P><P>crypto isakmp key cisco 123 address 192.1.23.3</P><P>&nbsp;</P><P>Phase 2</P><P>crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac</P><P>&nbsp;</P><P>access-list 101 permit ip 10.1.1.0&nbsp; 0.0.0.255 10.3.3.0&nbsp; 0.0.0.255</P><P>&nbsp;</P><P>Crypto map CMAP 10 ipsec-isakmp</P><P>set peer 192.1.23.3</P><P>set transform-set TSET1</P><P>match address 101</P><P>&nbsp;</P><P>int e0/0</P><P>crypto map CMAP</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Nick</P> Fri, 24 Jul 2020 10:18:04 GMT https://community.cisco.com/t5/network-security/deffie-hellman-key-exchange-question/m-p/4124888#M1072277 23nick 2020-07-24T10:18:04Z Re: Deffie Hellman key exchange question https://community.cisco.com/t5/network-security/deffie-hellman-key-exchange-question/m-p/4125209#M1072282 <P>The way you described the calculation of diffie hellman doesn't sound like how the calculation is made.&nbsp; The formula for calculating Diffie-Hellman is: (where p = prime number (public), g = random number (public), and a = secret number (private))</P> <P>Site1: A = (g^a) mod p</P> <P>Site2: B = (g^a) mod p</P> <P>Then A and B are exchanged between the two sites where the message is decrypted by inserting A and B respectively into the equation along with using their own private number and both sides will come to the same answer.</P> <P>p and g are random positive numbers that are generated (I assume by the initiator...though this I am not certain of) and agreed upon by both sides.</P> <P>for example:</P> <P>p = 33<BR />g = 14</P> <P>Site 1:<BR />a = 6<BR />A = (14^6) mod 33 = 25<BR />B = (5^6) mod 33 = 16</P> <P>Site 2:<BR />a = 3<BR />B = (14^3) mod 33 = 5<BR />A = (25^3) mod 33 = 16</P> <P>Then once the calculations are completed, the number 16 can be used to secure the exchange of security associations which will be used to encrypt traffic.</P> Fri, 24 Jul 2020 21:00:58 GMT https://community.cisco.com/t5/network-security/deffie-hellman-key-exchange-question/m-p/4125209#M1072282 Marius Gunnerud 2020-07-24T21:00:58Z