VPN Technology question



In IKEv1 Phase1, since Diffie-Hellman is the actual algorithm that peers are using to securely negotiate the actuall encryption and decryption keys and as known in order for DH to work, there must be an agreed Shared key between peers so based on this agreed shared key, peers can negotiate and come up with the final secret key.

My question is: Is the DH agreed shared key used initally by peers is the same key as IKEv1 Phase1 Authentication PSK, since this is the only Shared key configured locally in both peers? And if it's not the PSK used for Authentication, how DH works to create a secure channel so encryption and decryption key can be negotiated?

I actually said that "it is known that in order for DH to work, there must be an agreed Shared key between peers" is based on what I understood from this figure that shows how DH key exchange is calculated.





  • Hi,


      I' m not sure what "agreed shared key" you speak about, as there are many of these, give mode details. To keep it simple, if you use PSK authentication, it is being used by both sides to derive the SKEYID using formula "SKEYID = prf(pre-shared-key, Ni_b | Nr_b)" , where Ni and Nr are the nonces exchanged in clear-text by the two peers and SKEYID is further used to derive the encryption/authentication keys.

     For the DH exchange, based on the negotiated DH group, both sides will end up using the same prime "p" and generator "g" numbers, which are per the RFC, no need to negotiate it; read section 6.1 in IKEv1 RFC for first 2 DH groups https://tools.ietf.org/html/rfc2409#page-37 and RFC3526 for the remaining DH groups https://www.ietf.org/rfc/rfc3526.txt.



Sign In or Register to comment.