IPsec Pre-Shared Key Generator
How It Works
What makes this process secure?
When relaying a shared secret over the phone, copying a long complicated key is more prone to errors. This often results in security administrators compromising security for convenience, using a shorter and less secure shared secret that is less prone to errors in relaying.
The PSK Generator provides a method for both parties to compute a complex shared secret by relaying two passwords used in the calculation. The first password is a long complicated string sent by email, and the second password is shorter and relayed by phone. These two passwords are used by both parties to create the same pseudo-random shared secret using a high-quality algorithm. The resulting shared secret bears no resemblance to the original passwords.
What is the high-quality algorithm used?
The randomness comes from the use of a cryptographic hash function. Hash functions are normally used to verify message integrity by creating a fingerprint of the message. The hash function is a non-reversible form of encryption. You cannot calculate the original message from its hash. A key aspect of cryptographic hash functions is their collision resistance; nobody should be able to find two different input values that result in the same hash output. The hash function used in our process is the HMAC SHA-384 algorithm. HMAC is a keyed-hash algorithm that includes a secret key as part of the calculation to further reduce collisions.
The first password is the message that will be hashed by the PSK Generator and the second password will be used as the HMAC key.
It sounds like the hash would not be strictly alphanumeric. How is the hash turned into a shared secret?
The output of the our hash calculator is Base64 encoded. Base64 uses only the 62 alphanumeric characters (a-z, A-Z, 0-9) and two symbols (/ and +). Since Base64 uses a 6-bit grouping per byte, the 384-bit hash produces a 64-byte string. In our hash calculator, the two symbols are replaced with "a" and "z", respectively, to avoid potential compatibility issues with these symbols on some VPN devices.
What are best practices that should be followed when using the PSK Generator?
- Use a good password generator to create a password of at least 64-bytes and consisting of a good random mix of upper and lower characters, digits, and special characters.
- When emailing the long password, if possible use a secure messaging delivery system. If this is not available, then make sure that you DO NOT include anything in the subject or body of the message to indicate the purpose of the password.
- For the short password shared over the phone, a 16-byte password using mostly numbers and a few lowercase letters is sufficient. This is the hash key and it is not necessary to make a long complicated key for a secure outcome. Remember: the purpose of the PSK Generator is to avoid relaying long complicated strings over the phone.
- Always make sure to verify by phone the first and last 2 or 3 bytes of the generated shared secret to ensure they are the same.
- Alternate method: Each party use a random password generator to create a list of 10 or more long passwords and email them to each other. On the phone, decide which password from one of the lists to use as Password 1 and which password from the other list for Password 2.