From owner-freebsd-security Fri Dec 22 13:40:39 2000
From: Keith Ray
To: freebsd-security@freebsd.org
Subject: IPSec + Racoon: pre-shared key length
Message-ID: <977521215.3a43ca3fea068@nullify.org>
Date: Fri, 22 Dec 2000 15:40:15 -0600 (CST)

I have finally been able to get Windows 2000 and FreeBSD to talk using IPSec + ISAKMP. However, I am not sure what the appropriate length of the pre-shared key should be. The best I could come up with is as follows:

Use a password generator that creates passwords with upper/lower case letters and numbers. This gives me 62 possible combinations. 3DES uses 192-bit keys for a keyspace of 2^192. So the problem is 62^x = 2^192. Take the log of both sides and divide to get: 32.2. Therefore, a 33-character password should provide a slightly greater keyspace to search than the 3DES keyspace.

Am I doing this correctly? Also, if neither machine is compromised, is there any reason to change keys periodically since I am using IKE?
--------------------------------------------------------------------
Keith Ray aphex@nullify.org http://www.nullify.org
PGP - 0xAE1B3529 - 8227 60E5 BAA5 9461 CAB3 A6F2 4DFE F573 AE1B 3529
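The keyspace calculation from the post, generalized to any alphabet size and bit target and paired with a CSPRNG-based generator, as an added Python example that is not part of the original message. The names ALPHABET, required_length, key_bits and generate_psk are chosen here; the 62-symbol alphabet and the 192-bit 3DES target are the post's own figures.

```python
import math
import secrets
import string

# The alphabet described in the post: upper/lower case letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def required_length(target_bits: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length L such that alphabet_size ** L >= 2 ** target_bits.

    This is the post's 62^x = 2^192 solved for x: x = target_bits / log2(alphabet_size),
    rounded up because a key has a whole number of characters. For 62 symbols and
    192 bits the exact value is about 32.2, so the answer is 33.
    """
    if alphabet_size < 2 or target_bits <= 0:
        raise ValueError("need an alphabet of at least 2 symbols and a positive bit target")
    return math.ceil(target_bits / math.log2(alphabet_size))


def key_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a key of `length` characters drawn uniformly from the alphabet.

    Only valid when every character is chosen uniformly and independently; a key
    chosen by a human or a weak generator has less entropy than this reports.
    """
    return length * math.log2(alphabet_size)


def generate_psk(target_bits: int, alphabet: str = ALPHABET) -> str:
    """Generate a pre-shared key with at least `target_bits` of entropy.

    Uses the secrets module (OS CSPRNG) rather than random.choice, so the uniform
    per-character choice that key_bits() assumes actually holds.
    """
    length = required_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # 3DES's 192-bit key includes 24 parity bits, so 168 is the usable key length;
    # both targets are shown so the margin of the 33-character answer is visible.
    for bits in (192, 168):
        n = required_length(bits)
        print(f"{bits}-bit target: {n} chars from {len(ALPHABET)} symbols = {key_bits(n):.1f} bits")
    print("example PSK:", generate_psk(192))
```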