session_09_vpn__ipsec__and_tls_101908

Ephemeral diffie hellman the diffie hellman

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: nd hash functions supported. • Compression_methods: This is a list of the compression methods supported by the client, sorted by client preference. • Session_ID: This is the ID of the session the client wishes to use for this connection. This field should be empty if no session_ID is available or if the client wishes to generate new security parameters. 40 VPN, IPSec and TLS Phase 2 Handshake Protocol Web Server Server Authentication and Key Exchange Client 1. Server sends its authentication certificate, using a X.509.v3 certificate. 2. Information about the type of key exchange the server is proposing. — — — — RSA: The secret key is encrypted with the server’s private key. Fixed Diffie-Hellman: The server’s certificate has the Diffie-Hellman parameters, signed by a Certificate Authority (CA). Ephemeral Diffie-Hellman: The Diffie-Hellman parameters are signed using the server’s RSA or DSA. Anonymous Diffie-Hellman: The Diffie-Hellman parameters are not signed. Key Exchange Parameters for RSA or Diffie-Hellman — — RSA: The modulo of the server's temporary RSA key and the public exponent of the server's temporary RSA key. Diffie-Helman: – The prime modulus p used for the Diffie-Hellman operation. – The generator g used for the Diffie-Hellman operation. – The server's Diffie-Hellman public value y (y = gx mod p). 3. A message requesting a client certification (optional); 4. A message indicating that the handshake of phase 2 is complete. Key Exchange Parameters Signing = ESPriv[Hash(ClientHello.random ║ ServerHello.random ║ ServerParams)] VPN IPsec IKE v2 TLS M. Mogollon – 01/08 - 41 • In Phase 2, immediately following the hello messages, the server sends (1) Its authentication certificate, using an X.509.v3 certificate (or a modified X.509 certificate, in the case of Fortezza); (2) The server key exchange; (3) A message requesting a client certification (optional); and (4) A message indicating that the handshake of phase 2 is complete. The certificate type must be appropriate for the selected cipher suite's key exchange algorithm; it is generally an X.509.v3 certificate. •...
View Full Document

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.

Ask a homework question - tutors are online