On Fri, Aug 01, 2003 at 11:08:29AM -0700, Jeremy Junginger wrote:
> In reading about Diffie Hellman Exchanges and Symmetric Encryption between
> Cisco Routers, and studying Cisco IOS architecture white papers, I noticed
> that the two large prime numbers used on Cisco Routers for the Diffie-Hellman
> Key Exchange(s) (which generates keying material for symmetric encryption
> algorithms such as DES and 3DES) are hard-coded on the devices. That got me
> a little excited. But I'm not sure if this is possible mathematically, as
> the modulus function truncates the original value prior to exchanging it over
> the wire.
>
> Could somebody clarify if these large prime values differ from router to
> router? Also, if it turns out that they are, in fact, hard-coded (and
> accessible) wouldn't that give you access to the same mechanism (DH) that
> generates the keying material for the encryption engine, and thereby decode
> transmissions between devices using your locally generated key? Does the
> modulus function eliminate this type of attack? And with SA lifetimes being
> 86,400 seconds, that gives you 24 hours to crack sessions. Maybe I'm
> thinking about this too much?

You don't seem to understand how Diffie-Hellman actually works. If we're
talking about IKE, the primes are known not only by Cisco routers, but by
every IKE-speaking device on the Internet. The values you see wouldn't happen
to be the same group generators specified in RFC2409? See Section 6.

Knowledge of these primes does not affect the security of the exchange. DH
is designed on the assumption that everyone, including potential attackers,
knows these values.

What Cisco white papers are you referring to, BTW?
-- 
Crist J. Clark                     | cjclarkat_private
                                   | cjclarkat_private
http://people.freebsd.org/~cjc/    | cjcat_private
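The point of the reply above can be checked directly. The following is an added example, not code from either poster or from Cisco: it runs a Diffie-Hellman exchange over the published 1024-bit MODP group from RFC 2409 Section 6.2 (the "group 2" prime with generator 2, which every IKE implementation carries verbatim), records exactly what crosses the wire, and then computes the values an observer could derive from that public data alone to show that none of them is the shared secret. The 256-bit private exponent size, the range check on the peer's public value, and the SHA-256 based key derivation are this example's own choices, not IKE's SKEYID derivation.

```python
"""Diffie-Hellman over the public RFC 2409 group 2 parameters (added example).

Shows that p and g are public for every IKE speaker, that only the public
values A and B cross the wire, and that an observer holding p, g, A and B still
lacks the shared secret because the private exponents never leave the endpoints.
"""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 Section 6.2 ("Second Oakley Group"),
# generator 2. It is printed in the RFC, so its presence in router firmware
# is expected and is not a secret.
RFC2409_GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
RFC2409_GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; enough to sanity-check a group modulus before use."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p=RFC2409_GROUP2_P, g=RFC2409_GROUP2_G, exponent_bits=256):
    """Private exponent x (never transmitted) and public value g^x mod p."""
    x = secrets.randbits(exponent_bits) | (1 << (exponent_bits - 1)) | 1
    return x, pow(g, x, p)


def validate_public_value(y, p):
    """Reject degenerate peer values (0, 1, p-1) that would collapse the secret."""
    if not 2 <= y <= p - 2:
        raise ValueError("peer public value out of range")
    return y


def dh_shared_secret(peer_public, own_private, p=RFC2409_GROUP2_P):
    """g^ab mod p, computed from the peer's public value and our private exponent."""
    return pow(validate_public_value(peer_public, p), own_private, p)


def derive_symmetric_key(shared, key_bytes=24):
    """Illustrative KDF only (hash of g^ab); IKE's SKEYID derivation differs."""
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()[:key_bytes]


def run_exchange(p=RFC2409_GROUP2_P, g=RFC2409_GROUP2_G):
    """Both sides of the exchange plus exactly what an observer sees on the wire."""
    a, A = dh_keypair(p, g)   # router 1: a stays local, A is sent
    b, B = dh_keypair(p, g)   # router 2: b stays local, B is sent
    on_the_wire = {"p": p, "g": g, "A": A, "B": B}
    k1 = dh_shared_secret(B, a, p)
    k2 = dh_shared_secret(A, b, p)
    return k1, k2, on_the_wire


def observer_candidates(wire):
    """Values computable from public data alone. None equals g^ab mod p: knowing
    p and g gives no shortcut without one of the private exponents."""
    p, g, A, B = wire["p"], wire["g"], wire["A"], wire["B"]
    return {
        "A*B mod p": (A * B) % p,          # equals g^(a+b), not g^(ab)
        "A^B mod p": pow(A, B, p),         # equals g^(a*B); B is not b
        "g^(A+B) mod p": pow(g, A + B, p),
    }


if __name__ == "__main__":
    assert is_probable_prime(RFC2409_GROUP2_P)
    k1, k2, wire = run_exchange()
    print("shared secret agrees on both routers:", k1 == k2)
    print("3DES-sized key (illustrative):", derive_symmetric_key(k1).hex())
    print("any observer-computable value equals the secret:",
          any(v == k1 for v in observer_candidates(wire).values()))
```

Run as a script it prints that both sides agree and that none of the observer's candidates matches. The range check in `validate_public_value` is the one defensive detail worth carrying into real implementations: the public modulus is harmless, but accepting a peer value of 0, 1 or p-1 lets a peer force a predictable shared secret.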
This archive was generated by hypermail 2b30 : Tue Aug 05 2003 - 09:39:49 PDT