Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
410
Views
0
Helpful
2
Replies

vpn queries - cisco s2s vpn

secureIT
Level 4
Level 4

‎04-20-2013 11:22 PM

Read more websites, and confused more.... Can anyone give clear picture on the below..

what is a session key ?

what is a shared secret key ?

how preshared keys are detected and authenticated by its ipsec peer ?

what is hash ?

in phase 1 and phase 2, how encryption actually works ?

Labels:
0 Helpful
2 Replies 2

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎04-22-2013 12:21 AM

Session key in cryptography is meant to describe a key which actually used in protection of a given transaction/set of transcations.

Shared secret key, I guess you are referring to IKE's Pre-shared key (PSK), it's a key mutually agreed between two parties. In IKE it is used to authenticate given peer.

PSK or RSA-SIG or RSA-ENC as the authentication mechanism as long as mechanisms used to protect later parts of exchange is "negotiated" in MM1/MM2 or AM1 and AM2.

Hash - is one was crypto function - read more

http://en.wikipedia.org/wiki/Hash_function

Phase 1 (from MM5) and Phase 2 exchanges are protected by whatever will be negotiated in MM1/MM2. Phase 2 esteblishes how actual traffic will be encrypted.

If you want to read about the encapsulation mechanism and math behind it, RFC(s) are your freiends.

0 Helpful

secureIT
Level 4
Level 4
In response to Marcin Latosiewicz

‎04-22-2013 04:43 AM

Thanks Marcin,

Upon reading all Rfc, below are my understanding. plz correct if it is wrong.

session key = derived from DH using local pvt key & remote pub key. This session key used in phase 1 is to keep a secured isakmp channel for quick mode.

shared secret key = phase 1 preshared key, which again used as an input to hash algorightm and encrypted using des/3des and authenticates each peer using the hash value (which is never decrypted).

Encryption is available in phase1 and 2, but phase1 is used for negotiation and hash value exchanges..

phase 2 encryption used for actual encryption of the message.

Can you pls verify this...

0 Helpful
Customers Also Viewed These Support Documents