Diffie-Hellman (DH) key exchange lets two parties that share no initial secret establish one securely over an untrusted channel. The following Modular Exponential (MODP) and Elliptic Curve (EC2N) Diffie-Hellman groups (also known as "Oakley" groups) are supported:

IKE can optionally provide Perfect Forward Secrecy (PFS). PFS is a property of key exchanges; for IKE it means that compromising the long-term phase 1 key does not by itself give access to all IPsec data protected by the SAs established through that phase 1, because additional keying material (a fresh DH exchange) is generated for each phase 2. Generating keying material is computationally expensive: for example, a modp8192 group exchange can take several seconds even on a very fast computer. Normally this cost is paid once per phase 1 exchange, which happens only once between a pair of hosts and is then kept for a long time. PFS adds the same expensive operation to every phase 2 exchange.

Warning: PSK authentication has long been known to be vulnerable to offline (dictionary or brute-force) attacks in "aggressive" mode, and more recent findings show that an offline attack is also possible with the "main" and "ike2" exchange modes. The general recommendation is to avoid the PSK authentication method.

This phase should match the following settings:

All SAs established by the IKE daemon have lifetime values, limiting either the time after which the SA becomes invalid, the amount of data that can be encrypted under the SA, or both.
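The PFS point above is easiest to see in code. The following is an added example, not code from the MikroTik documentation or from RouterOS: it models the IKEv1 quick-mode key derivation of RFC 2409 §5.5 (KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)) over the real Oakley group 2 (1024-bit MODP, RFC 2409 §6.2), then plays a passive attacker who recorded the traffic and later obtains the phase 1 secret SKEYID_d. The prf (HMAC-SHA256), the PSK stand-in and the shortened SKEYID_d derivation are assumptions made for the demonstration; phase 1 authentication is not modelled.

```python
"""Toy model of IKEv1 phase 2 keying with and without PFS (added example).

Assumptions: HMAC-SHA256 as prf, a placeholder PSK, and a shortened SKEYID_d
derivation. The DH group is real (Oakley group 2, RFC 2409 section 6.2).
"""
import hashlib
import hmac
import secrets

# Oakley group 2 prime (RFC 2409 section 6.2); generator 2.
MODP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
MODP2_G = 2
P_BYTES = (MODP2_P.bit_length() + 7) // 8


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used only to sanity-check the embedded group prime."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane():
    return is_probable_prime(MODP2_P) and 1 < MODP2_G < MODP2_P - 1


def dh_keypair():
    """Fresh ephemeral exponent x and public value g^x mod p."""
    x = secrets.randbelow(MODP2_P - 3) + 2
    return x, pow(MODP2_G, x, MODP2_P)


def dh_shared(x, peer_pub):
    """g^xy mod p as fixed-width bytes; degenerate peer values are rejected."""
    if not 1 < peer_pub < MODP2_P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, x, MODP2_P).to_bytes(P_BYTES, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_skeyid_d():
    """Phase 1 DH; returns the long-lived SKEYID_d both peers end up holding."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy = dh_shared(xi, gxr)
    assert gxy == dh_shared(xr, gxi)
    nonces = secrets.token_bytes(32)                 # constructed Ni_b | Nr_b
    skeyid = prf(b"toy-psk", nonces)                 # stand-in for prf(PSK, Ni_b|Nr_b)
    return prf(skeyid, gxy + b"\x00")                # shortened SKEYID_d derivation


def phase2(skeyid_d, pfs):
    """Quick mode. Returns (KEYMAT, transcript); the transcript is exactly what a
    passive observer sees on the wire (public DH values only when PFS is on)."""
    proto, spi = b"\x03", secrets.token_bytes(4)     # ESP, responder SPI (constructed)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = {"proto": proto, "spi": spi, "ni": ni, "nr": nr, "pfs": pfs}
    gqm_xy = b""
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        gqm_xy = dh_shared(xi, gxr)
        transcript.update(gxi=gxi, gxr=gxr)
    # RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    keymat = prf(skeyid_d, gqm_xy + proto + spi + ni + nr)
    return keymat, transcript


def attacker_keymat(skeyid_d, t):
    """Attacker who recorded the transcript and later obtained SKEYID_d. Without
    PFS every input is at hand; with PFS g(qm)^xy is missing, and recovering it
    from the public values gxi/gxr is the discrete-log problem."""
    if t["pfs"]:
        return None
    return prf(skeyid_d, t["proto"] + t["spi"] + t["ni"] + t["nr"])


def demo(pfs):
    """True when recorded phase 2 traffic becomes decryptable after SKEYID_d leaks."""
    skeyid_d = phase1_skeyid_d()
    keymat, transcript = phase2(skeyid_d, pfs)
    return attacker_keymat(skeyid_d, transcript) == keymat


if __name__ == "__main__":
    print("no PFS, SKEYID_d leaked -> phase 2 keys recovered:", demo(False))
    print("PFS,    SKEYID_d leaked -> phase 2 keys recovered:", demo(True))
```

Run it and the first line prints True, the second False: the only thing PFS changes is the extra g(qm)^xy term, and that term is what a later leak of the phase 1 secret cannot supply. The same extra modular exponentiation is also exactly the per-phase-2 cost the text warns about.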