Security Incidents mailing list archives
Re: isakmp before smtp?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 12 Sep 2000 09:49:58 -0400
On Mon, 11 Sep 2000 18:04:29 CDT, Frank Knobbe <FKnobbe () KNOBBEITS COM> said:
> Uhm... this may be a stupid question, but how is this supposed to work? Don't you need to have keys exchanged or both systems configured with a shared secret? How can an IPSec session be set up to someone who is not somehow listed in the configuration of that mail server? Is there some kind of free-for-all IPSec?
The basic trick here is "Diffie-Hellman key exchange". Bruce Schneier's "Applied Cryptography" gives a good explanation of Diffie-Hellman and how it works.

Now, it turns out that Diffie-Hellman is very useful for setting up a "session key", so that any further exchanges (such as actual key exchange for authentication, or whatever) take place over a secured channel. If you're only worried about confidentiality (to prevent eavesdropping) you can use Diffie-Hellman to exchange a session key to use for encrypting the session. If you're worried about authentication too, you STILL want to use DH first, to set up a secure connection for key exchange, so that an eavesdropper can't even see the keys you exchange.

Basic summary: For confidentiality, *no* pre-arranged keying is needed. For authentication, you need either a public/private key pair or a shared secret.

See the following RFCs:

2025 The Simple Public-Key GSS-API Mechanism (SPKM). C. Adams. October 1996. (Format: TXT=101692 bytes) (Status: PROPOSED STANDARD)

2407 The Internet IP Security Domain of Interpretation for ISAKMP. D. Piper. November 1998. (Format: TXT=67878 bytes) (Status: PROPOSED STANDARD)

2408 Internet Security Association and Key Management Protocol (ISAKMP). D. Maughan, M. Schertler, M. Schneider, J. Turner. November 1998. (Format: TXT=209175 bytes) (Status: PROPOSED STANDARD)

2409 The Internet Key Exchange (IKE). D. Harkins, D. Carrel. November 1998. (Format: TXT=94949 bytes) (Status: PROPOSED STANDARD)

2412 The OAKLEY Key Determination Protocol. H. Orman. November 1998. (Format: TXT=118649 bytes) (Status: INFORMATIONAL)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
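
An added illustration of the summary in the message above (not part of the original post, and not IKE's actual payloads or hash computation): two hosts with no prior configuration agree on a session key with Diffie-Hellman over the Oakley Group 2 parameters from RFC 2409, while knowing who the peer is requires a pre-arranged secret. The function names, the SHA-256 key derivation, the HMAC tag over both public values and the sample secrets are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Oakley Group 2 (1024-bit MODP prime, generator 2) as listed in RFC 2409.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Fresh private exponent and the public value sent on the wire."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def session_key(private, peer_public):
    """Derive a key from the DH shared secret; reject degenerate values."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def auth_tag(psk, initiator_public, responder_public):
    """HMAC over both public values, keyed with the pre-arranged secret."""
    data = initiator_public.to_bytes(128, "big") + responder_public.to_bytes(128, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()

def exchange(client_psk, server_psk, substituted=False):
    """Return (session keys agree, server accepts the client's tag)."""
    a, A = keypair()
    b, B = keypair()
    _, M = keypair()  # stands in for a value altered in transit
    seen_by_client = M if substituted else B
    seen_by_server = M if substituted else A
    k_client = session_key(a, seen_by_client)
    k_server = session_key(b, seen_by_server)
    client_tag = auth_tag(client_psk, A, seen_by_client)
    expected = auth_tag(server_psk, seen_by_server, B)
    return k_client == k_server, hmac.compare_digest(client_tag, expected)

if __name__ == "__main__":
    # All secrets below are constructed sample values.
    print("strangers, no shared secret:", exchange(b"constructed-1", b"constructed-2"))
    print("shared secret configured:  ", exchange(b"constructed", b"constructed"))
    print("public values altered:     ", exchange(b"constructed", b"constructed", True))
```

The first case is the "free-for-all" one from the question: the keys agree, so the session can be encrypted, but the tag check fails because nothing was pre-arranged to prove identity.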