Date: Sat, 09 Mar 2002 00:15:07 +0100 From: Dan Lukes <dan@obluda.cz> To: freebsd-security@freebsd.org Subject: Re: ESP + IPFW Message-ID: <3C8945FB.CD9CFC7D@obluda.cz> References: <20020305021845.510AE37B41C@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
"Dalin S. Owen" wrote: > I have IPsec running between two FreeBSD machines (over an 802.11b link), > they are manually keyed (not using an IKE daemon). First question, is it > more secure to use an IKE? I mean, doesn't it rotate keys, instead of just > using static ones? The vulnerability of any key is growing for every second the key is used and for every byte passed throught the key. Also note, the compromising of a key mean all data encrypted by the key during recent transmissions should be counted compromised. So, from paranoid point of view - yes, it is more secure to use IKE and rotate the keys. > And if I use an IKE, can those generated keys be sniffed, or > are they encrypted with the last key? The IKE's session is covered by (one-time) cipher-key established during Diffie-Hellman handshake and authenticated (for example) by preshared-key or X509 key/certificate. Preshared key nor X509 private key are never send over channel in clear nor encrypted form. It doesn't mean you should think the pre-shared key nor private key is secure forever (another word of paranoia) ... Dan -- Dan Lukes tel: +420 2 21914205, fax: +420 2 21914206 root of FIONet, KolejNET, webmaster of www.freebsd.cz AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C8945FB.CD9CFC7D>