Comprar ou Renovar
Comprar ou Renovar
cancelar
Activar sugestões
A sugestão automática ajuda-o a especificar os resultados de pesquisa sugerindo-lhe correspondências enquanto escreve.
Mostrar resultados para 
Pesquisar em vez de 
Queria dizer: 
cancel
Iniciar uma conversa
29645
Apresentações
15
Útil
9
Respostas

what is PFS?

Ir para a Solução
ribin.jones
Level 1
Level 1

em ‎11-17-2009 05:14 AM

Could some one explain me the basic concept of PFS (Perfect Forward Secrecy)?

I do have some VPN's configured in my router with no PFS. What is the extra security feature that PFS provide?

Thanks in advance,

Ribin

Rótulos:
  • VPN
0 Útil
1 Soluções Aceita

Soluções aceites

Ir para a Solução
Patrick0711
Level 3
Level 3

em ‎11-19-2009 06:54 PM

During the initial IKE Phase 1 negotiation, public DH key values are exchanged to derive the shared secret DH value.  These public and private DH values are used to generate the session key used to encrypt the 5th and 6th main mode exchanges.  If you do not specify PFS, the same public and private DH values dervied in Phase 1 are used to generate the subsequent keying material that protects IPSEC traffic.

When PFS is used, there is an additional DH key exchanged performed in IKE Phase 2.  These new public/private DH values are then used to generate the keying material for the encrypted IPSEC traffic.

Ver solução na publicação original

9 RESPOSTAS 9

Ir para a Solução
andrew.prince
Level 10
Level 10

em ‎11-17-2009 05:17 AM

Read the below link:-

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

HTH>

0 Útil

Ir para a Solução
ribin.jones
Level 1
Level 1
Em resposta a andrew.prince

em ‎11-17-2009 05:20 AM

I did read that link. Any simple/easily understanding explanation is appreciated.

Regards,

Ribin

0 Útil

Ir para a Solução
andrew.prince
Level 10
Level 10
Em resposta a ribin.jones

em ‎11-17-2009 05:26 AM

Do you know what the Diffie-Hellman key exchange is?

0 Útil

Ir para a Solução
ribin.jones
Level 1
Level 1
Em resposta a andrew.prince

em ‎11-17-2009 05:35 AM

Yea, I got some basic idea from http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange.

- Ribin

0 Útil

Ir para a Solução
andrew.prince
Level 10
Level 10
Em resposta a ribin.jones

em ‎11-17-2009 05:38 AM

OK - so PFS does NOT use any of the information from the previously negotiated key.

They negotiate and generate a completly new key for the session when the previous key expires.

0 Útil

Ir para a Solução
ribin.jones
Level 1
Level 1
Em resposta a andrew.prince

em ‎11-17-2009 05:45 AM

OK. So, during the configuration, we need to specify a key once (which will be used for the first negotiation only) and thereafter both the peers will use another key generated using Diffie-Helman?

0 Útil

Ir para a Solução
andrew.prince
Level 10
Level 10
Em resposta a ribin.jones

em ‎11-17-2009 05:55 AM

No - You need to read the wikipedia on Diffie-Hellman again.

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

Once you understand that - you will understand PFS.

0 Útil

Ir para a Solução
Patrick0711
Level 3
Level 3

em ‎11-19-2009 06:54 PM

During the initial IKE Phase 1 negotiation, public DH key values are exchanged to derive the shared secret DH value.  These public and private DH values are used to generate the session key used to encrypt the 5th and 6th main mode exchanges.  If you do not specify PFS, the same public and private DH values dervied in Phase 1 are used to generate the subsequent keying material that protects IPSEC traffic.

When PFS is used, there is an additional DH key exchanged performed in IKE Phase 2.  These new public/private DH values are then used to generate the keying material for the encrypted IPSEC traffic.

Ir para a Solução
ribin.jones
Level 1
Level 1

em ‎11-19-2009 07:02 PM

Thanks Patrick for being more specific on the explanation.

- Ribin

0 Útil
Customers Also Viewed These Support Documents