From owner-freebsd-security Wed Jan 10 18:34: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 3CA6137B404 for ; Wed, 10 Jan 2001 18:33:47 -0800 (PST)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id LAA21709; Thu, 11 Jan 2001 11:32:03 +0900 (JST)
To: Erwan Arzur
Cc: Roman Shterenzon, Keith Ray, freebsd-security@FreeBSD.ORG
In-reply-to: erwan's message of Thu, 11 Jan 2001 10:22:03 +0800. <3A5D18CB.5DE21EDA@netvalue.com>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSec + Racoon: pre-shared key length
From: itojun@iijlab.net
Date: Thu, 11 Jan 2001 11:32:03 +0900
Message-ID: <21707.979180323@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> > Use a password generator that creates passwords with upper/lower case letters
>> > and numbers. This gives me 62 possible combinations. 3DES uses 192-bit keys
>> > for a keyspace of 2^192. So the problem is 62^x = 2^192. Take the log of both
>> > sides and divide to get: 32.2. Therefore, a 33 length password should provide a
>> > slightly greater keyspace to search than the 3DES keyspace.
>> >
>> > Am I doing this correctly? Also, if neither machine is compromised, is there
>> > any reason to change keys periodically since I am using IKE?

	preshared keys are not directly related to IPsec key length,
	preshared keys are just for authenticating IKE daemon at the other
	end. so key length argument (above) may not be 100% right...

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
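
The relationship described in the reply above, as an added example (not part of the original message and not racoon's code): under IKEv1 pre-shared-key authentication (RFC 2409), the ESP key is KEYMAT derived from SKEYID_d, which mixes the pre-shared key with fresh nonces and the Diffie-Hellman secret. Assumptions: HMAC-SHA1 as the negotiated prf, random bytes standing in for the DH result, nonces and cookies, and all function names.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC of the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    # RFC 2409 section 5, pre-shared key authentication:
    #   SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    #   SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")


def keymat(d, protocol, spi, ni2, nr2, length):
    # RFC 2409 section 5.5 (Quick Mode without PFS):
    #   K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    #   Kn = prf(SKEYID_d, K(n-1) | protocol | SPI | Ni_b | Nr_b)
    seed = bytes([protocol]) + spi + ni2 + nr2
    out, block = b"", b""
    while len(out) < length:
        block = prf(d, block + seed)
        out += block
    return out[:length]


def esp_3des_key(psk: bytes) -> bytes:
    """Run one constructed negotiation and return the 24-byte ESP 3DES key."""
    ni, nr = os.urandom(16), os.urandom(16)      # phase 1 nonces (constructed)
    g_xy = os.urandom(128)                       # stand-in for the DH shared secret
    cky_i, cky_r = os.urandom(8), os.urandom(8)  # ISAKMP cookies (constructed)
    d = skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r)
    # Protocol ID 3 is ESP in the IPsec DOI; SPI and phase 2 nonces are constructed.
    return keymat(d, 3, os.urandom(4), os.urandom(16), os.urandom(16), 24)


if __name__ == "__main__":
    for psk in (b"short", b"x" * 33):  # constructed sample pre-shared keys
        print(len(psk), esp_3des_key(psk).hex(), esp_3des_key(psk).hex())
```

The derived key is 24 bytes whatever the length of the pre-shared key, and two negotiations with the same pre-shared key yield different keys; the pre-shared key's strength still determines how well the peer is authenticated.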