"Dalin S. Owen" wrote:
 
> I have IPsec running between two FreeBSD machines (over an 802.11b link),
> they are manually keyed (not using an IKE daemon). First question, is it
> more secure to use an IKE? I mean, doesn't it rotate keys, instead of just
> using static ones?

        The vulnerability of any key is growing for every second the key is
used and for every byte passed throught the key. Also note, the
compromising of a key mean all data encrypted by the key during recent
transmissions should be counted compromised.

        So, from paranoid point of view - yes, it is more secure to use IKE and
rotate the keys.

> And if I use an IKE, can those generated keys be sniffed, or
> are they encrypted with the last key?

        The IKE's session is covered by (one-time) cipher-key established
during Diffie-Hellman handshake and authenticated (for example) by
preshared-key or X509 key/certificate. Preshared key nor X509 private
key are never send over channel in clear nor encrypted form. It doesn't
mean you should think the pre-shared key nor private key is secure
forever (another word of paranoia) ...

                                                Dan

-- 
Dan Lukes      tel: +420 2 21914205, fax: +420 2 21914206
root  of FIONet,  KolejNET,  webmaster  of www.freebsd.cz
AKA: danobluda.cz, danfreebsd.cz, dankolej.mff.cuni.cz
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]