Why are certificates preferred over pre-shared keys in an IPsec VPN?
A.
Weak scalability: PSKs need to be set on each and every Gateway
B.
Weak performance: PSK takes more time to encrypt than Drffie-Hellman
C.
Weak security: PSKs can only have 112 bit length.
D.
Weak Security. PSK are static and can be brute-forced
Right answer is A.(Scalability)
Explanation from http://technet.microsoft.com/en-us/library/cc512617.aspx
•
Preshared keys. Included only for RFC conformance, it’s a good idea to use preshared keys only when testing your IPsec policies. Every peer that participates in the same security policy will need the same preshared key. Shared secrets don’t remain secret for very long! Furthermore, they’re stored in the registry and clearly visible to anyone with administrative privileges on the computer.
•
Digital certificates. As long as each peer possesses an IPsec or computer certificate signed by an authority the other peer trusts, the peers will authenticate to each other. Note where the trust lies: in the signer of the certificate. The actual name on the certificate is unimportant in this case. Digital certificates are much preferred over preshared keys because each peer can have its own certificate, and a multilevel certificate hierarchy can help create more granular IPsec policies. For example, super-secure Machine A might accept only certificates signed by high-value Authority X, while sort-of-secure Machine B might accept certificates signed either by high-value Authority X or medium-value Authority Y.
0
0
I choose D
0
0