From owner-freebsd-security Wed Jul 25 03:00:18 2001
Message-ID: <20010725100013.15001.qmail@web13308.mail.yahoo.com>
Date: Wed, 25 Jul 2001 11:00:13 +0100 (BST)
From: Ewan Carr <ewancarr@yahoo.com>
Subject: IKE/Racoon
To: FreeBSD-Security@FreeBSD.ORG

Can anyone clear up an ambiguity (in my mind anyway) in RFC 2409 (IKE)?

Say you are using a pre-shared key for authentication in Phase 1
negotiations. RFC 2409 says that the SKEYID value for authentication is
calculated thus:

    For signatures:  SKEYID = prf(Ni_b | Nr_b, g^xy)
    .....
    For pre-shared:  SKEYID = prf(pre-shared, Ni_b | Nr_b)

where g^xy is the DH-generated shared key, and N* are the nonce values.

The value SKEYID_a is then calculated from

    prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)

(SKEYID_d is just another value generated from SKEYID, the cookies and the
Diffie-Hellman shared secret.)

What I don't understand is why, for the pre-shared key method of
authentication, you need to generate this additional Diffie-Hellman shared
key. Does this actually happen, or is the 'formula' above just confusing?

Ta,

Ewan
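The derivation the post quotes, as an added worked example that is not part of the mailing-list message or of racoon's code. RFC 2409 Phase 1 performs a Diffie-Hellman exchange under every authentication method; the pre-shared key only seeds SKEYID, while the DH secret g^xy is mixed into SKEYID_d, SKEYID_a and SKEYID_e so that the session keys carry fresh secret material rather than depending on the long-term key alone. HMAC-SHA1 stands in for the negotiated prf, and every input (PSK, nonces, cookies, g^xy) is a constructed sample value, not a captured one.

```python
import hmac
import hashlib

# Added example (not from the mailing-list post or from racoon): the
# Phase 1 keying-material derivation of RFC 2409 section 5, with HMAC-SHA1
# standing in for the negotiated prf.  All sample inputs are constructed.

HASH = hashlib.sha1


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: keyed HMAC over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, HASH).digest()


def skeyid_signature(ni_b: bytes, nr_b: bytes, gxy: bytes) -> bytes:
    """Signature authentication: SKEYID = prf(Ni_b | Nr_b, g^xy)."""
    return prf(ni_b + nr_b, gxy)


def skeyid_preshared(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """Pre-shared key authentication: SKEYID = prf(pre-shared, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_phase1_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID_d / SKEYID_a / SKEYID_e as in RFC 2409 section 5.

    The trailing single byte is the literal 0, 1 or 2 from the RFC.  Note that
    g^xy appears in every one of these, regardless of how SKEYID itself was
    authenticated.
    """
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


# Constructed sample values; a real exchange would use random nonces and
# cookies and a DH shared secret of the negotiated group size.
PSK = b"constructed-pre-shared-key"
NI_B = bytes(range(16))
NR_B = bytes(range(16, 32))
CKY_I = b"\x11" * 8
CKY_R = b"\x22" * 8
GXY_1 = b"\xaa" * 128
GXY_2 = b"\xbb" * 128


def dh_contribution_in_psk_mode() -> tuple:
    """Answer the post's question experimentally.

    Returns (skeyid_same, skeyid_a_same) when only g^xy changes between two
    runs in pre-shared key mode: SKEYID is unaffected because the PSK
    formula never sees g^xy, but SKEYID_a differs because the DH secret is
    mixed in one step later.
    """
    skeyid = skeyid_preshared(PSK, NI_B, NR_B)
    keys_1 = derive_phase1_keys(skeyid, GXY_1, CKY_I, CKY_R)
    keys_2 = derive_phase1_keys(skeyid, GXY_2, CKY_I, CKY_R)
    skeyid_same = skeyid_preshared(PSK, NI_B, NR_B) == skeyid
    skeyid_a_same = keys_1["SKEYID_a"] == keys_2["SKEYID_a"]
    return (skeyid_same, skeyid_a_same)


if __name__ == "__main__":
    sk = skeyid_preshared(PSK, NI_B, NR_B)
    print("SKEYID (psk):", sk.hex())
    for name, value in derive_phase1_keys(sk, GXY_1, CKY_I, CKY_R).items():
        print(f"{name}: {value.hex()}")
    print("g^xy changes SKEYID / SKEYID_a:", dh_contribution_in_psk_mode())
```

Running the script prints the derived values and `(True, False)`: swapping the DH secret leaves the pre-shared SKEYID untouched but changes SKEYID_a, which is exactly why the DH exchange is still performed in pre-shared key mode.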