There are two kinds of keys, DEKs (data encryption keys - used for encrypting traffic on the VPN) and KEKs (key encryption keys - used for securing IKE phase 2).

Have a look at the RFC for IKEv2; it is explained in detail there and does a better job of it than I can :-)

The certificates and PSKs are used for securing authentication, not traffic privacy.

"Diffie–Hellman establishes a shared secret that can be used for secret communications by exchanging data over a public network."

yah well I know in a broader sense how it all works.

like it says 'establishes a shared secret' we mean session key right? orrrr the pre-shared key? orrr the pre-shared key encrypted with a symmetric algorithm?

well.... thank you

Internetwork Expert - The Industry Leader in CCIE Preparation

The shared secret is generated in MM3 and MM4. The following is the mathematical algorithm that DH uses to calculate the DH shared secret key.

The DH algorithm relies on the following property:

There exists a DH public value = X_{a}

such that

X_{a} = g^{a} mod p

where

g is the generator

p is a large prime number

a is a private secret known only to the initiator

And there exists another DH public value = X_{b}

such that

X_{b} = g^{b} mod p

where

g is the generator

p is a large prime number

b is a private secret known only to the responder

Then the initiator and the responder can generate a shared secret known only to the two of them by simply exchanging the values X_{a} and X_{b} with each other. This is true because initiator secret = (X_{b})^{a} mod p = (X_{a})^{b} mod p = responder secret

This value is the shared secret between the two parties and is also equal to g^{ab}.

Using the above shared secret, the following three keys are generated. These three keys are used for IPsec encryption, IKE message integrity/authentication (i.e., hashing) and IKE message encryption:

SKEYID_d - This key is used to calculate subsequent IPsec keying material.

SKEYID_a - This key is used to provide data integrity and authentication to subsequent IKE messages.

SKEYID_e - This key is used to encrypt subsequent IKE messages.
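As an added worked example (not from the original post or from Internetwork Expert), the exchange above carried through in Python: each side publishes g^a mod p or g^b mod p, both arrive at g^ab mod p, and that value feeds the RFC 2409 pre-shared-key derivation of SKEYID, SKEYID_d, SKEYID_a and SKEYID_e. The group (p = 2^127 - 1, g = 3), the PSK, nonces and cookies are constructed demo values; the prf is assumed to be HMAC-SHA1.

```python
import hashlib
import hmac
import secrets

# Demo-only DH group: p = 2^127 - 1 (a Mersenne prime) with g = 3.
# Real IKE negotiates a MODP group from RFC 2409 / RFC 3526 instead;
# the small group here only keeps the numbers readable.
P = (1 << 127) - 1
G = 3
GROUP_LEN = (P.bit_length() + 7) // 8  # byte length used to encode g^xy

def dh_public(private: int) -> int:
    """X = g^private mod p, the value each side sends in MM3/MM4."""
    return pow(G, private, P)

def dh_shared(private: int, peer_public: int) -> int:
    """(peer's X)^private mod p, which equals g^ab mod p on both sides."""
    return pow(peer_public, private, P)

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1's prf is an HMAC keyed with the negotiated hash; SHA-1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def ikev1_skeyid_psk(psk: bytes, ni: bytes, nr: bytes, gxy: int,
                     cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and its three derived keys for PSK authentication (RFC 2409 section 5).
    Ni/Nr are the nonces and CKY-I/CKY-R the ISAKMP cookies from MM1-MM4."""
    gxy_b = gxy.to_bytes(GROUP_LEN, "big")
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")             # IPsec keying material
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # IKE integrity/auth
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # IKE encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def handshake(psk: bytes = b"constructed-demo-psk") -> dict:
    """Run both sides; return the initiator's keys plus whether the responder agrees."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # constructed nonces
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    xa, xb = dh_public(a), dh_public(b)  # only these two values cross the network
    keys_i = ikev1_skeyid_psk(psk, ni, nr, dh_shared(a, xb), cky_i, cky_r)
    keys_r = ikev1_skeyid_psk(psk, ni, nr, dh_shared(b, xa), cky_i, cky_r)
    keys_i["match"] = keys_i == keys_r   # a and b never left their owners
    return keys_i

if __name__ == "__main__":
    for name, val in handshake().items():
        print(name, val.hex() if isinstance(val, bytes) else val)
```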

## Comments


On 12 Sep 2010, at 08:52, ashtrayba <[email protected]> wrote:


Given below is a nice link:

http://book.soundonair.ru/cisco/ch13lev1sec4.html

With regards

Kings


Hi Kingsley,

Unable to access that link anymore. Any other way to access that information?

Unable to find it anywhere online.

Regards,

Geet