How to use Photuris with IPSec ?
What is IPSec ?
IP Security
is a framework providing authentication/integrity
and privacy to network traffic. Authenticated data can not be modified by
third parties and encryption conceals the content of packets.
What has Photuris to do with IPSec ?
In order to transmit encrypted or authenticated data between two hosts,
those two hosts have to aggree on session keys which are used as input
for the encryption and authenication functions.
The Photuris protocol
exchanges keys in such a way that no eavesdropper
will have knowledge of the session keys. It also allows for frequent
changes of the session keys, forward secrecy and party privacy protection.
How to get it working ?
This information does not apply to OpenBSD Version 2.2 and later, since
Photuris is being shipped with the operating system. You can use the
following information as guideline for other systems though.
Compiling the daemon
Get the Photuris sources and also the following
libraries: gmp-2.0.2 and libdes-4.01. Put those libraries in one dir and if you like you can
do the following steps afterwards:
1. tar -xvzf Photuris-src.tar.gz
2. tar -xvzf gmp-2.0.2.tar.gz; cd gmp-2.0.2; ./configure; make
3. mkdir des; cd des; tar -xvzf ../libdes-4.01.tar.gz; make
4. cd Photuris
Edit the Makefile and remove -DDEBUG, if you dont want to see what happens.
Remove -DIPSEC if you dont want to actually setup encrypted
and authenticated connections within the kernel, the daemon will also
bind to a non privileged port then.
5. make
6. start ./photurid on two hosts.
7. ./startkey host1 (for example ./startkey 134.100.33.22)
If you compiled the photuris daemon with -DDEBUG you should see an exchange
of values now and finally the shared secret from which the session keys
are derived.
If you compiled the photuris daemon with -IPSEC and also have a kernel
with IPSEC compiled into it, you could start for example
8. tcpdump proto 51 &
9. telnet host1
and see the authenticated packets flowing between the two hosts.
The output of
10. cat /kern/ipsec
11. netstat -rn
will show you some information also.
Enabling IPSEC in the OpenBSD kernel
Add the following two lines into your kernel config file:
config IPSEC
pseudo-device enc 1
Possible configuration
There are three files which can be configured locally.
- photuris.conf - contains the moduli for the Diffie-Hellmann Keyexchange,
the offered schemes and various timeouts.
- attributes.conf - the attributes which are offered to different parties
- secrets.conf - the preconfigured symmetric secrets which should hopefully
soon be replaced by public keys.
You might also need an additional entry in /etc/services:
photuris 468/udp # photuris keymangement daemon
If you have any questions write mail to provos@physnet.uni-hamburg.de