blob: a1045acf10d40848d87d8d5979ce258edb419653 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
How to use Photuris with IPsec ?
What is IPsec ?
IP Security is a framework providing authentication/integrity and
privacy to network traffic. Authenticated data can not be modified by
third parties and encryption conceals the content of packets.
What has Photuris to do with IPsec ?
In order to transmit encrypted or authenticated data between two
hosts, those two hosts have to agree on session keys which are used
as input for the encryption and authentication functions.
The Photuris protocol exchanges keys in such a way that no
eavesdropper will have knowledge of the session keys. It also allows
for frequent changes of the session keys, forward secrecy and party
privacy protection.
How to get it working ?
Compiling the daemon
Get the Photuris sources and also the following libraries:
gmp-2.0.2 and libdes-4.01. Put those libraries in one dir and if
you like you can do the following steps afterwards:
1. tar -xvzf Photuris-src.tar.gz
2. tar -xvzf gmp-2.0.2.tar.gz; cd gmp-2.0.2; ./configure; make
3. mkdir des; cd des; tar -xvzf ../libdes-4.01.tar.gz; make
4. cd Photuris
5. make (edit the Makefile and remove -DDEBUG, if you dont want to see what
happens, or remove -DIPSEC if you dont want to actually setup encrypted
and authenticated connections within the kernel)
6. start ./photurid on two hosts.
7. ./startkey dst=host1 (for example ./startkey dst=134.100.33.22)
If you compiled the photuris daemon with -DDEBUG you should see an
exchange of values now and finally the shared secret from which the
session keys are derived.
If you compiled the photuris daemon with -DIPSEC and also have a kernel
with IPsec compiled into it, you could start for example
8. tcpdump proto 51 &
9. telnet host1
and see the authenticated packets flowing between the two hosts. Look
at the output of
10. cat /kern/ipsec
11. netstat -rn
will show you some information also.
Enabling IPsec in the OpenBSD kernel
Add the following two lines into your kernel config file:
config IPSEC
pseudo-device enc 1
Possible configuration
There are three files which can be configured locally.
* photuris.conf - contains the moduli for the Diffie-Hellmann
Keyexchange, the offered schemes and various timeouts.
* attributes.conf - the attributes which are offered to different
parties
* secrets.conf - the preconfigured symmetric secrets which should
hopefully soon be replaced by public keys.
_________________________________________________________________
If you have any questions write mail to
provos@physnet.uni-hamburg.de
|