
Re: IPsec manual keying
On Wed, 17 Jan 2001, J. Davis wrote:

> 
> Ok, I was assuming that the auth algorithm you planned to use dictated
> what you used to make this fingerprint. e.g. in the following example if
> you used "-enc blf", the value for "-key ENC_KEY" had to be generated
> with blf.

No. This is not so. You can use any key with any encryption algo.

> What you're saying is that I can use any alg for "-enc" but the value of
> "ENC_KEY" and "AUTH_KEY" will always be generated with sha1? (because
> the value of "-auth" is sha1?)

Yes, you can always make your keys with the sha1 fingerprint (as described
in the last mail). This still has nothing to do with "the value of "-auth"
is sha1". It simply only gives you random ascii characters. Nothing more.

> 
> According to the faq to use "-enc des3" the fingerprint I generate must
> be 168 bit, correct? How do I get 168 bits when "dd if=/dev/urandom
> bs=1024 count=1 | sha1" will only give me 160?

With 3DES you want a 168bit **key**. So simply add some (2 is OK :)
characters of your choice to the 40-byte sha1 output and you are done.

Please refer to:
http://www.openbsd.org/faq/faq13.html


--Armin
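The length arithmetic in this thread (a sha1 fingerprint is 40 hex characters = 160 bits, a 3DES key as described needs 168 bits = 42 hex characters), as an added example that is not part of the mail or of the OpenBSD FAQ. It reads exactly the bytes it needs from /dev/urandom instead of hashing and padding, so the whole key is random, and it includes a check you can run on a key string before handing it to ipsecadm. It assumes a POSIX sh with dd, od and tr, and does not call ipsecadm itself.

```shell
# Added example (not from the thread): build a hex key of exactly
# BITS bits from /dev/urandom, and check an existing key string.
# Assumes POSIX sh with dd, od and tr; ipsecadm is not invoked.

# gen_hex_key BITS -> prints BITS/4 lowercase hex characters
gen_hex_key() {
    bits=$1
    [ $((bits % 8)) -eq 0 ] || { echo "bits must be a multiple of 8" >&2; return 1; }
    bytes=$((bits / 8))
    # od prints each byte as 2 hex digits; tr strips od's spacing and newlines
    dd if=/dev/urandom bs=1 count="$bytes" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
    echo
}

# key_bits HEXSTRING -> prints the key length in bits, or fails if the
# string is empty or contains a non-hex character
key_bits() {
    key=$1
    case $key in
        ""|*[!0-9a-fA-F]*) echo "not a hex string: '$key'" >&2; return 1 ;;
    esac
    echo $(( ${#key} * 4 ))
}

# Usage: the thread's 3DES case needs 168 bits (42 hex characters),
# while a bare sha1 fingerprint is only 160 bits (40 characters).
if [ "${1:-}" = "demo" ]; then
    k=$(gen_hex_key 168)
    echo "3DES key: $k ($(key_bits "$k") bits)"
    key_bits "$(printf '%040d' 0)"   # a 40-character sha1-sized value: 160
fi
```

Run it as `sh keygen.sh demo` to see both lengths; the key_bits check is what catches a pasted sha1 value that is two characters short.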