Security Incidents mailing list archives

Re: isakmp before smtp?

From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 12 Sep 2000 09:49:58 -0400

On Mon, 11 Sep 2000 18:04:29 CDT, Frank Knobbe <FKnobbe () KNOBBEITS COM>  said:

Uhm... this maybe a stupid questions, but how is this supposed to
work? Don't you need to have keys exchanged or both systems
configured with a shared secret? How can an IPSec session be set up
to someone who is not somehow listed in the configuration of that
mail server? Is there some kind of free-for-all IPSec?


The basic trick here is "Diffie-Hellman key exchange".

Bruce Schneier's "Applied Cryptography" gives a good explanation of
Diffie-Hellman and how it works.  Now, it turns out that Diffie-Hellman is
very useful for setting up a "session key", so that any further exchanges
(such as actual key exchange for authentication, or whatever) take place
over a secured channel.  If you're only worried about confidentiality
(to prevent evesdropping) you can use Diffie-Hellman to exchange a session
key to use for encrypting the session.  If you're worried about authentication
too, you STILL want to use DH first, to set up a secure connection for
key exchange, so that a evesdropper can't even see the keys you exchange.

Basic summary:  For confidentiality, *no* pre-arranged keying is needed.
For authentication, you need either a public/private key pair or a shared
secret.

See the following RFCs:

2025 The Simple Public-Key GSS-API Mechanism (SPKM). C. Adams. October
     1996. (Format: TXT=101692 bytes) (Status: PROPOSED STANDARD)

2407 The Internet IP Security Domain of Interpretation for ISAKMP. D.
     Piper. November 1998. (Format: TXT=67878 bytes) (Status: PROPOSED
     STANDARD)

2408 Internet Security Association and Key Management Protocol
     (ISAKMP). D. Maughan, M. Schertler, M. Schneider, J. Turner. November
     1998. (Format: TXT=209175 bytes) (Status: PROPOSED STANDARD)

2409 The Internet Key Exchange (IKE). D. Harkins, D. Carrel. November
     1998. (Format: TXT=94949 bytes) (Status: PROPOSED STANDARD)

2412 The OAKLEY Key Determination Protocol. H. Orman. November 1998.
     (Format: TXT=118649 bytes) (Status: INFORMATIONAL)

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

Attachment: _bin
Description:

Current thread:

isakmp before smtp? Philipp Buehler (Sep 12)
- Re: isakmp before smtp? Mike Fratto (Sep 12)
- Message not available
  - Re: isakmp before smtp? Mike Fratto (Sep 12)
- <Possible follow-ups>
- Re: isakmp before smtp? Frank Knobbe (Sep 12)
  - Re: isakmp before smtp? Mike Fratto (Sep 12)
  - Re: isakmp before smtp? Valdis Kletnieks (Sep 12)
    - Re: isakmp before smtp? Steffen Dettmer (Sep 14)
    - Re: isakmp before smtp? Valdis Kletnieks (Sep 14)
    - Re: isakmp before smtp? Crist Clark (Sep 14)