PrepAway - Latest Free Exam Questions & Answers


How is the Diffie Hellman key exchange referred to when it is used in IKE phase 2?


A. PFA

B. PFS

C. SCS

D. SFS

Explanation:
A Diffie-Hellman exchange allows the participants to produce a shared secret value. The strength of the technique is that it allows the participants to create the secret value over an unsecured medium without ever sending the secret value itself across the wire. There are five Diffie-Hellman (DH) groups (NetScreen supports groups 1, 2, and 5). The size of the prime modulus used in each group's calculation differs as follows:
DH Group 1: 768-bit modulus
DH Group 2: 1024-bit modulus
DH Group 5: 1536-bit modulus
The larger the modulus, the more secure the generated key is considered to be; however, the larger the modulus, the longer the key-generation process takes. Because the modulus for each DH group is a different size, the participants must agree to use the same group.
After the participants have established a secure and authenticated channel, they proceed through Phase 2, in which they negotiate the SAs to secure the data to be transmitted through the IPSec tunnel.
Like the process for Phase 1, the participants exchange proposals to determine which security parameters to employ in the SA. A Phase 2 proposal also includes a security protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH), and selected encryption and authentication algorithms. The proposal can also specify a Diffie-Hellman group, if Perfect Forward Secrecy (PFS) is desired.
Perfect Forward Secrecy (PFS) is a method for deriving Phase 2 keys independent from and unrelated to the preceding keys. Without PFS, the Phase 1 exchange creates the key (the SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party gains access to the SKEYID_d key, all your encryption keys are compromised. PFS addresses this security risk by forcing a new Diffie-Hellman key exchange to occur for each Phase 2 tunnel. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled.
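The following Python sketch is an added illustration, not part of the original explanation. It mirrors the IKEv1 Phase 2 key derivation (KEYMAT, RFC 2409 section 5.5) with and without PFS and shows the consequence the text describes: a party holding SKEYID_d and everything visible on the wire can recompute the non-PFS KEYMAT, but not the PFS KEYMAT, because that also depends on a fresh DH shared secret whose private exponents never leave the peers. The use of HMAC-SHA256 as the prf, the byte encodings, and the stand-in values for SKEYID_d, SPI and nonces are assumptions made for the example; the modulus is the 1024-bit MODP prime of DH group 2.

```python
"""Added example: IKEv1 Phase 2 KEYMAT with and without PFS (simplified)."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of DH group 2 (RFC 2409), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PROTO_ESP = b"\x03"  # PROTO_IPSEC_ESP identifier (RFC 2407); one-byte encoding assumed


def dh_keypair():
    """Fresh private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^xy mod p as a fixed-width (128-byte) string."""
    return pow(peer_pub, priv, P).to_bytes(128, "big")


def prf(key, data):
    # HMAC-SHA256 stands in for the negotiated prf (assumption for the demo).
    return hmac.new(key, data, hashlib.sha256).digest()


def keymat_no_pfs(skeyid_d, spi, ni, nr):
    """Without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, PROTO_ESP + spi + ni + nr)


def keymat_pfs(skeyid_d, qm_shared, spi, ni, nr):
    """With PFS: KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, qm_shared + PROTO_ESP + spi + ni + nr)


def simulate(pfs):
    """Run one Phase 2 negotiation; return (real KEYMAT, best guess of a SKEYID_d holder).

    The SKEYID_d holder is assumed to also see everything sent on the wire
    (SPI, nonces and, with PFS, both public DH values) but no private exponent.
    """
    skeyid_d = secrets.token_bytes(32)  # constructed stand-in for the Phase 1 result
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if not pfs:
        real = keymat_no_pfs(skeyid_d, spi, ni, nr)
        guess = keymat_no_pfs(skeyid_d, spi, ni, nr)  # same public inputs, same key
        return real, guess
    xi, pub_i = dh_keypair()  # initiator's fresh Quick Mode DH pair
    xr, pub_r = dh_keypair()  # responder's fresh Quick Mode DH pair
    shared = dh_shared(xi, pub_r)
    assert shared == dh_shared(xr, pub_i)  # both peers agree on g^xy
    real = keymat_pfs(skeyid_d, shared, spi, ni, nr)
    # Without either private exponent, the best available substitute for g^xy
    # is a public value; the derived key does not match.
    guess = keymat_pfs(skeyid_d, pub_i.to_bytes(128, "big"), spi, ni, nr)
    return real, guess


def skeyid_holder_recovers_keymat(pfs):
    """True if knowing SKEYID_d plus wire data is enough to reproduce KEYMAT."""
    real, guess = simulate(pfs)
    return hmac.compare_digest(real, guess)


if __name__ == "__main__":
    print("no PFS, SKEYID_d known -> KEYMAT reproduced:", skeyid_holder_recovers_keymat(False))
    print("PFS,    SKEYID_d known -> KEYMAT reproduced:", skeyid_holder_recovers_keymat(True))
```

The extra cost the text mentions is visible in `simulate(True)`: two modular exponentiations with a 1024-bit modulus per Phase 2 rekey, which is exactly the work PFS adds, and the reason larger DH groups make rekeying slower.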

