What makes this process secure?
When relaying a shared secret over the phone, copying a long complicated key is more prone to errors. This often results in security administrators compromising security for convenience, using a shorter and less secure shared secret that is less prone to errors in relaying.
The PSK Generator provides a method for both parties to compute a complex shared secret by relaying two passwords used in the calculation. The first password is a long complicated string sent by email, and the second password is shorter and relayed by phone. These two passwords are used by both parties to create the same pseudo-random shared secret using a high-quality algorithm. The resulting shared secret bears no resemblance to the original passwords.
What is the high-quality algorithm used?
The randomness comes from the use of a cryptographic hash function. Hash functions are normally used to verify message integrity by creating a fingerprint of the message. The hash function is a non-reversible form of encryption. You cannot calculate the original message from its hash. A key aspect of cryptographic hash functions is their collision resistance; nobody should be able to find two different input values that result in the same hash output. The hash function used in our process is the HMAC SHA-384 algorithm. HMAC is a keyed-hash algorithm that includes a secret key as part of the calculation to further reduce collisions.
The first password, the longer string shared by email, is the message that will be hashed by the PSK Generator. The second password, the shorter string shared by phone, will be used as the HMAC key.
It sounds like the hash would not be strictly alphanumeric. How is the hash turned into a shared secret?
The output of the our hash calculator is Base64 encoded. Base64 uses only the 62 alphanumeric characters (a-z, A-Z, 0-9) and two symbols (/ and +). Since Base64 uses a 6-bit grouping per byte, the 384-bit hash produces a 64-byte string. In our hash calculator, the two symbols are replaced with "a" and "z", respectively, to avoid potential compatibility issues with these symbols on some VPN devices.
What are best practices that should be followed when using the PSK Generator?