Deffie Hellman key exchange question

23nick
Level 1

Hello,

I understand that DH is used to generate a symmetric key over an insecure channel; it is needed to send the algorithm over an insecure channel.

 

Below is my question:

R1------Internet------R2

 

For example, R1 & R2 negotiate on the pre-defined key 10.

Then R1 generates a random secret number, 5 (this will not be disclosed, and it is generated based on the group number, e.g. group 2, group 5).

Now the addition of the pre-defined key 10 and the random secret number 5 = 15 --> this key is shared with R2.

 

R2 does the same thing: addition of the pre-defined 10 and, here, random secret 15 = 25 --> shares with R1.

Now R1 will say: whatever number I have received from R2, I will add my secret number to that.

i.e. 25+5=30 --> from this number they generate the encryption & hashing algorithm.

 

R2 does the same process and gets the same number, i.e. 30.

 

The question here is: in my VPN configuration I haven't defined any pre-shared number. How do R1 & R2 negotiate on the number 10?

 

crypto isakmp policy 1
 authentication pre-share ----> only used for authentication
 hash md5
 encryption 3des
 group 2
crypto isakmp key cisco 123 address 192.1.23.3

Phase 2

crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET1
 match address 101

int e0/0
 crypto map CMAP

 

 

Thanks,

Nick


The way you described the calculation of Diffie-Hellman doesn't sound like how the calculation is made. The formula for calculating Diffie-Hellman is (where p = prime number (public), g = random number (public), and a = secret number (private)):

Site1: A = (g^a) mod p

Site2: B = (g^a) mod p

Then A and B are exchanged between the two sites, where the message is decrypted by inserting A and B respectively into the equation along with each side's own private number, and both sides will come to the same answer.

p and g are random positive numbers that are generated (I assume by the initiator, though of this I am not certain) and agreed upon by both sides.

For example:

p = 33
g = 14

Site 1:
a = 6
A = (14^6) mod 33 = 25
B = (5^6) mod 33 = 16

Site 2:
a = 3
B = (14^3) mod 33 = 5
A = (25^3) mod 33 = 16

Then once the calculations are completed, the number 16 can be used to secure the exchange of security associations which will be used to encrypt traffic.

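The exchange walked through in the reply above, as an added example that is not part of the thread or of Cisco IOS; it reuses the reply's values (p = 33, g = 14, a = 6, b = 3) and also shows why that modulus is only a hand-checking toy: 33 is not prime, and with numbers this small an observer who sees only p, g and a public value can recover the secret exponent by trying every candidate, which is exactly what the large primes of real IKE groups (group 2 is a 1024-bit MODP group) are there to prevent.

```python
from typing import Optional

# Added illustration of the Diffie-Hellman exchange described in the reply.
# Not code from the thread or from Cisco IOS; the numbers are the reply's own.


def dh_public(g: int, secret: int, p: int) -> int:
    """Public value that crosses the untrusted channel: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Shared secret: the peer's public value raised to our own secret, mod p."""
    return pow(peer_public, secret, p)


def dh_exchange(p: int, g: int, a: int, b: int) -> dict:
    """Run both sides and return every value; only p, g, A and B are ever sent."""
    A = dh_public(g, a, p)  # Site 1 -> Site 2
    B = dh_public(g, b, p)  # Site 2 -> Site 1
    return {
        "A": A,
        "B": B,
        "site1_secret": dh_shared(B, a, p),  # Site 1 uses its own a
        "site2_secret": dh_shared(A, b, p),  # Site 2 uses its own b
    }


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def observer_recovers_secret(p: int, g: int, public: int) -> Optional[int]:
    """With a tiny modulus, someone who only saw p, g and a public value can find
    the secret exponent by exhaustive search. Infeasible for 1024-bit primes."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    p, g, a, b = 33, 14, 6, 3  # the reply's worked numbers
    result = dh_exchange(p, g, a, b)
    print(result)  # both secrets are 16, matching the reply
    print("p is prime:", is_prime(p))  # False: 33 = 3 * 11, so only a toy
    print("secret exponent of Site 1 recovered from A:",
          observer_recovers_secret(p, g, result["A"]))
```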