path: root/sbin/photurisd/README.howtouse
blob: a1045acf10d40848d87d8d5979ce258edb419653 (plain)

                       How to use Photuris with IPsec?

What is IPsec?

   IP Security is a framework providing authentication/integrity and
   privacy to network traffic. Authenticated data cannot be modified by
   third parties without detection, and encryption conceals the content
   of packets.

What has Photuris to do with IPsec?

   In order to transmit encrypted or authenticated data between two
   hosts, those two hosts have to agree on session keys which are used
   as input for the encryption and authentication functions.

   The Photuris protocol exchanges keys in such a way that no
   eavesdropper will have knowledge of the session keys. It also allows
   for frequent changes of the session keys, forward secrecy and party
   privacy protection.

How to get it working?

  Compiling the daemon

   Get the Photuris sources and also the following libraries:
   gmp-2.0.2 and libdes-4.01. Put those libraries in one directory and
   then, if you like, follow these steps:

1. tar -xvzf Photuris-src.tar.gz
2. tar -xvzf gmp-2.0.2.tar.gz; cd gmp-2.0.2; ./configure; make
3. mkdir des; cd des; tar -xvzf ../libdes-4.01.tar.gz; make
4. cd Photuris
5. make (edit the Makefile and remove -DDEBUG if you don't want to see what
   happens, or remove -DIPSEC if you don't want to actually set up encrypted
   and authenticated connections within the kernel)
6. start ./photurid on two hosts.
7. ./startkey dst=host1 (for example ./startkey dst=134.100.33.22)

   If you compiled the photuris daemon with -DDEBUG you should see an
   exchange of values now and finally the shared secret from which the
   session keys are derived.

   If you compiled the photuris daemon with -DIPSEC and also have a kernel
   with IPsec compiled into it, you could start for example

8. tcpdump proto 51 &
9. telnet host1

   and see the authenticated packets flowing between the two hosts. The
   output of

10. cat /kern/ipsec
11. netstat -rn

   will show you some further information.

  Enabling IPsec in the OpenBSD kernel

   Add the following two lines to your kernel config file:
config IPSEC
pseudo-device enc 1

  Possible configuration

   There are three files which can be configured locally.
     * photuris.conf - contains the moduli for the Diffie-Hellman
       key exchange, the offered schemes and various timeouts.
     * attributes.conf - the attributes which are offered to different
       parties
     * secrets.conf - the preconfigured symmetric secrets which should
       hopefully soon be replaced by public keys.

     _________________________________________________________________

   If you have any questions write mail to
   provos@physnet.uni-hamburg.de