From owner-freebsd-security Wed Jan 10 18:22:52 2001
Message-ID: <3A5D18CB.5DE21EDA@netvalue.com>
Date: Thu, 11 Jan 2001 10:22:03 +0800
From: Erwan Arzur
Organization: NetValue Ltd.
To: Roman Shterenzon
Cc: Keith Ray, freebsd-security@FreeBSD.ORG
Subject: Re: IPSec + Racoon: pre-shared key length

Roman Shterenzon wrote:
>
> Could you post to the list or on the web the complete procedure?
> Otherwise people will have to reinvent the wheel next time...
>
> On Fri, 22 Dec 2000, Keith Ray wrote:
>
> > I have finally been able to get Windows 2000 and FreeBSD to talk using IPSec +
> > ISAKMP.  However, I am not sure what the appropriate length of the pre-shared
> > key should be.  The best I could come up with is as follows:
> >
> > Use a password generator that creates passwords with upper/lower case letters
> > and numbers.  This gives me 62 possible combinations.  3DES uses 192-bit keys
> > for a keyspace of 2^192.  So the problem is 62^x = 2^192.  Take the log of both
> > sides and divide to get: 32.2.  Therefore, a 33 length password should provide a
> > slightly greater keyspace to search than the 3DES keyspace.
> >
> > Am I doing this correctly?  Also, if neither machine is compromised, is there
> > any reason to change keys periodically since I am using IKE?
> >

jot ?

$ jot -r -w %.2x -s "" 24
3d5e13031a1b3f3f05216158381e5b5e151f550f5637110c

--
Erwan Arzur
NetValue ltd.
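
Added example, not part of either post: the length calculation from the quoted question (62^x = 2^192) carried out in Python, together with a check of the keyspace that the jot command in the reply covers. It assumes jot -r draws each value from its default range of 1 to 100, which is consistent with the posted output, where no byte exceeds 0x64; all function names are hypothetical.

```python
import math
import secrets
import string

# 62-symbol alphabet from the quoted question: upper/lower case letters and digits.
ALPHANUMERIC = string.ascii_letters + string.digits

# Hex string posted in the reply (output of the jot command shown there).
POSTED_JOT_OUTPUT = "3d5e13031a1b3f3f05216158381e5b5e151f550f5637110c"


def min_length(alphabet_size: int, target_bits: int) -> int:
    """Smallest x such that alphabet_size**x >= 2**target_bits."""
    x = math.ceil(target_bits / math.log2(alphabet_size))
    # Confirm with exact integer arithmetic so float rounding cannot shift the result.
    while alphabet_size ** x < 2 ** target_bits:
        x += 1
    while x > 1 and alphabet_size ** (x - 1) >= 2 ** target_bits:
        x -= 1
    return x


def keyspace_bits(symbol_choices: int, length: int) -> float:
    """log2 of the number of distinct strings: length * log2(choices per symbol)."""
    return length * math.log2(symbol_choices)


def generate_psk(target_bits: int, alphabet: str = ALPHANUMERIC) -> str:
    """Random pre-shared key from the OS CSPRNG, long enough for target_bits."""
    length = min_length(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def byte_range(hex_string: str):
    """Lowest and highest byte value found in a hex string."""
    data = bytes.fromhex(hex_string)
    return min(data), max(data)


if __name__ == "__main__":
    print("alphanumeric length for 2^192:", min_length(62, 192))
    print("bytes seen in posted jot output:", byte_range(POSTED_JOT_OUTPUT))
    # Assumption: jot -r picks each value from 1..100, so 100 choices per byte.
    print("jot keyspace, 24 values: %.1f bits" % keyspace_bits(100, 24))
    print("hex length for 2^192:", min_length(16, 192))
    print("sample PSK:", generate_psk(192))
```

Under the stated assumption, the 24-value jot string spans about 159.5 bits rather than 192, while 24 bytes drawn uniformly from 0 to 255 cover the full 2^192.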