From: bscott_at_ntisys.com
Date: Tue Oct 01 2002 - 14:56:23 CEST
On Mon, 30 Sep 2002, at 2:02pm, cmiddour_at_amplifynet.com wrote:
> When generating keys from FreeSwan using "ipsec rsasigkey ...." I noticed
> that the generated output includes this comment: "for signatures only,
> UNSAFE FOR ENCRYPTION."
My understanding of this is as follows:
Keys are used for two purposes in FreeS/WAN: Authentication and privacy.
The authentication aspect uses digital signatures to allow each IPsec node
to authenticate its peer. The privacy aspect uses encryption to guard
against snooping. That message is a warning that the key output by that
command should be used only for authentication, not encryption. Which is
just fine; "rsasigkey" is, as the name implies, a signature key. FreeS/WAN
generates the encryption keys dynamically for each IPsec session (or, more
accurately, for each SA (Security Association)).
--
Ben Scott <bscott_at_ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Oct 02 2002 - 05:20:21 CEST
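
Added example (not part of the original message and not FreeS/WAN code): a simplified Python sketch of the split described in the reply, where a long-term RSA key only signs a key exchange while the encryption key for each SA is derived from fresh Diffie-Hellman values. The toy primes, the unpadded textbook RSA, and all function names are assumptions made for illustration; this is not the IKE wire protocol.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions): far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1          # two Mersenne primes -> toy RSA modulus
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # long-term private signing exponent
DH_P, DH_G = 2**521 - 1, 3             # toy Diffie-Hellman modulus and base
DH_LEN = 66                            # bytes needed for a 521-bit value


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """Textbook RSA signature (no padding): authentication only."""
    return pow(_digest(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(msg)


def negotiate_sa() -> tuple[bytes, bytes]:
    """Run one simplified exchange; return the key each end derives."""
    a = secrets.randbelow(DH_P - 3) + 2    # initiator's ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2    # responder's ephemeral secret
    pub_a, pub_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)

    # The long-term RSA key signs the exchanged values to prove identity.
    transcript = pub_a.to_bytes(DH_LEN, "big") + pub_b.to_bytes(DH_LEN, "big")
    if not verify(transcript, sign(transcript)):
        raise ValueError("peer authentication failed")

    # The encryption key comes from the ephemeral secret, not the RSA key.
    k_init = hashlib.sha256(pow(pub_b, a, DH_P).to_bytes(DH_LEN, "big")).digest()
    k_resp = hashlib.sha256(pow(pub_a, b, DH_P).to_bytes(DH_LEN, "big")).digest()
    return k_init, k_resp


if __name__ == "__main__":
    for n in (1, 2):
        k_init, k_resp = negotiate_sa()
        print(f"SA {n}: keys match={k_init == k_resp} key={k_init.hex()[:16]}...")
```

Running it negotiates two SAs with the same RSA key and shows that each one ends up with a different encryption key.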