Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
29492
Views
1
Helpful
2
Replies

How to generate secure pre-shared keys (PSK) for an IPSec VPN

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-01-2016 03:39 PM - edited ‎02-21-2020 08:50 PM

I build VPNs regularly, and one of the problems that comes up regularly is how to exchange PSK's.  Some people are happy to exchange them over email, and others not (particularly because of ISO/IEC 27002).

Some people like to use TXT messages - but this is horrible.  I would say 90% of the PSK's that people try to TXT me get mangled.  What ends up happening is you usually weaken the key a lot to get it through the TXT system - but the whole point of a PSK is to provide initial security, so this really feels wrong to me.

Other people try to actually recite them over the phone.  This is also horrible.  More often than not you spend an hour trying to type in the key, trying the VPN, have it fail, and repeat until it works.  Sometimes the key, once again, gets weakened so it can be read out over a phone.

What to do?  Well, I pondered the issue for a while, and then wrote a tool to make the problem simpler.

https://www.ifm.net.nz/cookbooks/IPSec-Pre-shared-Key-PSK-Generator.html

I admit, its' not perfect, but better than using a TXT message or trying to recite the key over the phone.

What is this tool?  It is a piece of client side javascript (so you can download the web page, unplug your computer from the network, and still use it), that generates long and strong PSK's that rotate every 24 hours at GMT 00:00.  You can then make your output strong by typing in two extra source keys that you can agree over on the phone, or any other insecure method.

So I can call you, and tell you to pick a colour, put it into "Key 1", and tell me what it is.  I enter the same key into "Key 1".  I then pick a colour and put it into "key 2", tell you, and you also enter it into "key 2".  You now click the "Generate" button, and both your machine and mine will calculate (the same) 24 character PSK.  You can then copy and paste this into your config.

If you wait 24 hours and repeat you will get a different PSK.

So you now have an easy way to generate a long and strong PSK that is never transmitted - ever.

Labels:
2 Replies 2

4phta3v929xx8
Level 1
Level 1

‎05-04-2017 02:32 PM

Any key you generate by this method will only be as strong as the source keys, so this is just a complicated way to weaken the PSK.

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to 4phta3v929xx8

‎05-04-2017 03:51 PM

I don't agree.  You start with no PSK - so for a start anything beyond that will be stronger - not weaker.

However, I do invite you to produce something better that also solves the problem of creating a PSK without exchanging any keys in the clear text.

0 Helpful
Customers Also Viewed These Support Documents