New Member

Diffie-Hellman shared secret key - ISAKMP

I have been working through the process of Diffie-Hellman key creation on Cisco routers and am confused on where some of the integers for the initial "public key" come from: Xa=g^a modulo p, where Xa is the public key generated, g is the generator, a is a private key/number(?) and p is a large prime number. The confusion comes in this form:

some texts say that g & p are exchanged between the routers prior to creating public key, others say they are well known numbers. Looking at the packet exchange of IKE messages from Saadat Malik's book shows there is no part of any packet that contains these values at all. Thus my confusion.

My only inroad into this question has been looking at the Oakley RFC 2412, where it stipulates that for Group 1 (768 bits) or 2 (1024 bits) the values "g" & "p" are specifically specified. So, where in fact does the router get these integers from? Are they exchanged in IKE setup (if so, at what point) or are they the integers specified in the Oakley RFC? Or if none of these, where/what/how/why? To add more to this fire, is "a" just randomly created? If not, where does it come from?

Thanks for any help.

4 REPLIES
Silver

Re: Diffie-Hellman shared secret key - ISAKMP

As far as my knowledge goes, they are exchanged. I mean g & p are exchanged between the two peers taking part in DH exchange.

New Member

Re: Diffie-Hellman shared secret key - ISAKMP

So, if that is the case they must be sent in the first two IKE packets??? If so, I can't find any reference to where these numbers are located within these packet structures at all, any ideas?

New Member

Re: Diffie-Hellman shared secret key - ISAKMP

Because g and p are not exchanged as numbers. Your first assumption was right. Look into RFC 2409, page 21. There is some confusion about this, because there is an indirect negotiation of g and p. This is the "group" number, sometimes called Oakley or Diffie-Hellman group that is negotiated between both parties. In fact only the groups 1, 2, and 5 use the Diffie-Hellman algorithm and the values for g and p for each group are defined in the RFC.

The other question about the value "a": a is a private key/number which is randomly generated on each party.
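To make the answer above concrete, here is an added worked example (not part of the original thread, and not Cisco's code) of what each router does with the negotiated group number: resolve it to g and p from its local Oakley group table, pick a random private exponent, exchange only the public values, and check the peer's value before computing the shared secret. The function names are assumed for illustration; the Group 2 parameters are the 1024-bit MODP prime and generator 2 from RFC 2409 section 6.2.

```python
import secrets

# Oakley group table: Group Description attribute value -> (generator g, prime p).
# Nothing here travels on the wire; only the group NUMBER is negotiated.
# Group 2 is the 1024-bit MODP group of RFC 2409 section 6.2 with g = 2.
# Groups 1 and 5 are resolved the same way (their primes are omitted here).
OAKLEY_GROUPS = {
    2: (2, int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)),
}

def group_params(group_no):
    """The only 'exchange' of g and p: look the negotiated group number up locally."""
    return OAKLEY_GROUPS[group_no]

def private_exponent(p):
    """The secret 'a': a fresh random number in [2, p-2], never sent to the peer."""
    return 2 + secrets.randbelow(p - 3)

def public_value(g, a, p):
    """What the KE payload carries: Xa = g^a mod p."""
    return pow(g, a, p)

def valid_public_value(y, p):
    """Reject 0, 1, p-1 and any value outside the order-q subgroup, q = (p-1)/2.
    For these safe-prime groups a peer value failing y^q = 1 (mod p) is malformed
    or chosen to force the shared secret into a tiny, guessable set."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1

def shared_secret(peer_public, a, p):
    """g^(ab) mod p, identical on both peers; IKE derives SKEYID_d and the rest
    of its keying material from this value."""
    return pow(peer_public, a, p)

def ike_phase1_dh(group_no=2):
    """Both sides of the exchange; returns (initiator secret, responder secret)."""
    g, p = group_params(group_no)
    a, b = private_exponent(p), private_exponent(p)
    xa, xb = public_value(g, a, p), public_value(g, b, p)  # the two KE payloads
    if not (valid_public_value(xa, p) and valid_public_value(xb, p)):
        raise ValueError("peer sent an invalid KE value")
    return shared_secret(xb, a, p), shared_secret(xa, b, p)
```

A packet capture of the Phase 1 exchange therefore shows only the group number in the SA payload and the two KE values, which is exactly why g and p cannot be found in the packet structures.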

New Member

Re: Diffie-Hellman shared secret key - ISAKMP

Thank you so very much. I really appreciate the reply. What you say above confirms my understanding of how it all works. The sad thing is this simple little process is so misrepresented in many books and indeed even on some Cisco courses on the subject that it leaves people with a misguided and incorrect understanding of the process.

Thanks again.
