How to use Photuris with IPSec ?

What is IPSec ?

IP Security is a framework providing authentication/integrity and privacy to network traffic. Authenticated data can not be modified by third parties and encryption conceals the content of packets.

What has Photuris to do with IPSec ?

In order to transmit encrypted or authenticated data between two hosts, those two hosts have to aggree on session keys which are used as input for the encryption and authenication functions.

The Photuris protocol exchanges keys in such a way that no eavesdropper will have knowledge of the session keys. It also allows for frequent changes of the session keys, forward secrecy and party privacy protection.

How to get it working ?

This information does not apply to OpenBSD Version 2.2 and later, since Photuris is being shipped with the operating system. You can use the following information as guideline for other systems though.

Compiling the daemon

Get the Photuris sources and also the following libraries: gmp-2.0.2 and libdes-4.01. Put those libraries in one dir and if you like you can do the following steps afterwards:

1. tar -xvzf Photuris-src.tar.gz
2. tar -xvzf gmp-2.0.2.tar.gz; cd gmp-2.0.2; ./configure; make
3. mkdir des; cd des; tar -xvzf ../libdes-4.01.tar.gz; make
4. cd Photuris

Edit the Makefile and remove -DDEBUG, if you dont want to see what happens. Remove -DIPSEC if you dont want to actually setup encrypted and authenticated connections within the kernel, the daemon will also bind to a non privileged port then.

5. make
6. start ./photurid on two hosts.
7. ./startkey host1 (for example ./startkey 134.100.33.22)

If you compiled the photuris daemon with -DDEBUG you should see an exchange of values now and finally the shared secret from which the session keys are derived.

If you compiled the photuris daemon with -IPSEC and also have a kernel with IPSEC compiled into it, you could start for example

8. tcpdump proto 51 &
9. telnet host1

and see the authenticated packets flowing between the two hosts. The output of

10. cat /kern/ipsec
11. netstat -rn

will show you some information also.

Enabling IPSEC in the OpenBSD kernel

Add the following two lines into your kernel config file:

config IPSEC
pseudo-device enc 1

Possible configuration

There are three files which can be configured locally.

photuris.conf - contains the moduli for the Diffie-Hellmann Keyexchange, the offered schemes and various timeouts.
attributes.conf - the attributes which are offered to different parties
secrets.conf - the preconfigured symmetric secrets which should hopefully soon be replaced by public keys.

You might also need an additional entry in /etc/services:

photuris        468/udp         # photuris keymangement daemon

If you have any questions write mail to provos@physnet.uni-hamburg.de