Which of the following actions take place in IKE Phase 2 with Perfect Forward Secrecy disabled?

A.
Peers authenticate using certificates or preshared secrets.

B.
The DH public keys are exchanged.

C.
Each Security Gateway generates a private Diffie-Hellman (DH) key from random pools.

D.
Symmetric IPsec keys are generated.



imran

Perfect Forward Secrecy
The keys created by peers during IKE phase II and used for IPSec are based on a sequence of random binary digits exchanged between peers, and on the DH key computed during IKE phase I.
The DH key is computed once, then used a number of times during IKE phase II. Since the keys used during IKE phase II are based on the DH key computed during IKE phase I, there exists a mathematical relationship between them. For this reason, the use of a single DH key may weaken the strength of subsequent keys. If one key is compromised, subsequent keys can be compromised with less effort.
In cryptography, Perfect Forward Secrecy (PFS) refers to the condition in which the compromise of a current session key or long-term private key does not cause the compromise of earlier or subsequent keys.
Security Gateways meet this requirement with a PFS mode. When PFS is enabled, a fresh DH key is generated during IKE phase II, and renewed for each key exchange.
However, because a new DH key is generated during each IKE phase I, no dependency exists between these keys and those produced in subsequent IKE Phase I negotiations. Enable PFS in IKE phase II only in situations where extreme security is required.
The DH group used during PFS mode is configurable between groups 1, 2, 5 and 14, with group 2 (1042 bits) being the default.
Note – PFS mode is supported only between gateways, not between Security Gateways and remote access clients.
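To make the dependency described above concrete, here is an added Python model (not Check Point's code or the commenter's) of IKEv1 quick-mode key derivation, following the RFC 2409 formulas: without PFS the IPsec keys are prf(SKEYID_d, protocol | SPI | Ni | Nr); with PFS a fresh DH secret g(qm)^xy is prepended. It assumes HMAC-SHA256 as the prf and stands in for the DH result with a random value; it shows that whoever holds the Phase 1 secret SKEYID_d and the public nonces can recompute every Phase 2 key only when PFS is disabled.

```python
import hashlib
import hmac
import os

PROTO_IPSEC_ESP = 3  # protocol id from RFC 2407


def prf(key, data):
    """HMAC-SHA256 assumed as the negotiated IKE pseudo-random function."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, pfs_secret=None):
    """Keying material for one IPsec SA from a Phase 2 (quick mode) exchange.
    pfs_secret is g(qm)^xy when PFS is enabled, None when it is disabled."""
    material = (pfs_secret or b"") + bytes([protocol]) + spi + ni + nr
    return prf(skeyid_d, material)


def simulate(pfs_enabled, n_exchanges=3):
    """Run several Phase 2 exchanges under one Phase 1 SA (constructed values).
    Returns (keys the peers derive, keys reconstructable from SKEYID_d plus the
    nonces and SPIs that are visible on the wire)."""
    skeyid_d = os.urandom(32)  # Phase 1 derived secret, reused for every Phase 2
    real, reconstructed = [], []
    for _ in range(n_exchanges):
        ni, nr, spi = os.urandom(16), os.urandom(16), os.urandom(4)
        # PFS mode: a fresh DH secret per exchange that never crosses the wire
        fresh_dh = os.urandom(32) if pfs_enabled else None
        real.append(phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr, fresh_dh))
        # Without the fresh DH secret, only the public inputs are available
        reconstructed.append(phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni, nr))
    return real, reconstructed


def keys_exposed(pfs_enabled, n_exchanges=3):
    """Count Phase 2 keys that a compromise of SKEYID_d alone reveals."""
    real, reconstructed = simulate(pfs_enabled, n_exchanges)
    return sum(r == a for r, a in zip(real, reconstructed))


if __name__ == "__main__":
    print("PFS disabled, keys exposed:", keys_exposed(False))  # 3 of 3
    print("PFS enabled, keys exposed:", keys_exposed(True))    # 0 of 3
```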