Key Exchange
Internet Key Exchange establishes a premaster secret that is
used to generate symmetric keys for bulk data encryption and authentication.
Section F.1.1 of RFC 2246 defines TLS authentication and key exchange
methods. The two key exchange methods are:
- RSA—An RSA key exchange method uses an RSA SecurID
external authentication server. SecurID is an authentication method
that allows you to enter either static or dynamic passwords as your
credentials. A dynamic password is a combination of your PIN and a
randomly generated token that is valid for a short period of time,
approximately one minute. A static password is preset on the SecurID
server.
- Diffie-Hellman—A Diffie-Hellman (DH) key exchange
method allows the participants to produce a shared secret value. The
strength of the technique is that it allows the participants to create
the secret value over an unsecured medium without passing the secret
value through the wire.
Both RSA and Diffie-Hellman key exchange methods can use either
a fixed or a temporary server key. IDP can successfully retrieve the
premaster secret only if a fixed server key is used. JUNOS software
supports only the RSA key exchange method. For more information on
Internet Key Exchange, see Understanding Public Key Cryptography.
Note: Juniper IDP does not decrypt SSL sessions that use Diffie-Hellman
key exchange.
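The following Python model is added here as an illustration; it is not part of the Juniper documentation and not IDP code. It shows why the fixed-key requirement in the paragraph above and the Diffie-Hellman restriction in the note matter for passive decryption: an inspector holding the server's fixed RSA private key can decrypt the premaster secret from the captured client key exchange message; if the server instead uses a temporary RSA key for the session, decrypting with the fixed key yields an unrelated value; and with Diffie-Hellman each side computes the shared secret locally, so the inspector sees only the public values and has nothing to decrypt. The primes, the DH group, the SHA-256 stand-in for the TLS PRF and names such as rsa_inspect and dh_inspect are all constructed assumptions for the toy, not real TLS parameters.

```python
"""Toy model of passive SSL/TLS inspection with the two key-exchange methods
described above.  Every key and group here is a tiny constructed value for
illustration only; real TLS uses 1024-bit-plus RSA keys and large DH groups."""
import hashlib
import secrets

# Constructed toy RSA primes (the first primes above 10**6).
FIXED_SERVER_PRIMES = (1000003, 1000033)   # long-lived key the inspector holds
TEMP_SERVER_PRIMES = (1000037, 1000039)    # per-session key the inspector lacks
PUBLIC_EXPONENT = 65537

# Constructed toy Diffie-Hellman group (2**31 - 1 is prime).
DH_P = 2147483647
DH_G = 7


def rsa_keygen(primes):
    """Return (n, e, d) for the toy primes; d is the private exponent."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)       # modular inverse (Python 3.8+)
    return n, PUBLIC_EXPONENT, d


def derive_session_key(premaster):
    """Stand-in for the TLS PRF: hash the premaster secret into a session key."""
    return hashlib.sha256(str(premaster).encode()).hexdigest()


def rsa_key_exchange(server_n, server_e, premaster=None):
    """Client side of RSA key exchange: pick a fresh premaster secret and send
    it encrypted to the server's public key.  Returns
    (client_session_key, values_visible_on_the_wire)."""
    if premaster is None:
        premaster = 2 + secrets.randbelow(server_n - 3)
    ciphertext = pow(premaster, server_e, server_n)
    return derive_session_key(premaster), {"encrypted_premaster": ciphertext}


def rsa_inspect(wire, fixed_n, fixed_d):
    """Passive inspector holding the server's *fixed* private key: decrypt the
    captured premaster secret and derive the same session key the peers use.
    If the server actually used a temporary key, this yields an unrelated key."""
    premaster = pow(wire["encrypted_premaster"], fixed_d, fixed_n)
    return derive_session_key(premaster)


def dh_key_exchange():
    """Both sides of a Diffie-Hellman exchange.  Only g^a and g^b cross the
    wire; the private exponents a and b never leave their owners.  Returns
    (client_session_key, server_session_key, values_visible_on_the_wire)."""
    a = 2 + secrets.randbelow(DH_P - 3)     # client private exponent, never sent
    b = 2 + secrets.randbelow(DH_P - 3)     # server private exponent, never sent
    big_a, big_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    client_secret = pow(big_b, a, DH_P)     # computed locally from g^b and a
    server_secret = pow(big_a, b, DH_P)     # computed locally from g^a and b
    wire = {"p": DH_P, "g": DH_G, "A": big_a, "B": big_b}
    return derive_session_key(client_secret), derive_session_key(server_secret), wire


def dh_inspect(wire):
    """The same passive inspector sees only p, g, g^a and g^b.  The shared
    secret was never transmitted, so the server's RSA private key gives no
    way to decrypt it; None marks that no session key can be derived."""
    return None


def demo():
    """Run the three scenarios the text describes and report which one the
    inspector holding the fixed server key can actually decrypt."""
    n, e, d = rsa_keygen(FIXED_SERVER_PRIMES)
    temp_n, temp_e, _ = rsa_keygen(TEMP_SERVER_PRIMES)
    fixed_key, fixed_wire = rsa_key_exchange(n, e)
    temp_key, temp_wire = rsa_key_exchange(temp_n, temp_e)
    dh_client, dh_server, dh_wire = dh_key_exchange()
    return {
        "rsa_fixed_key_recovered": rsa_inspect(fixed_wire, n, d) == fixed_key,
        "rsa_temp_key_recovered": rsa_inspect(temp_wire, n, d) == temp_key,
        "dh_recovered": dh_inspect(dh_wire) is not None,
        "dh_peers_agree": dh_client == dh_server,
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Running the block prints True only for the fixed-key RSA scenario, which is exactly the combination the text says IDP can decrypt. The temporary-key case models the "temporary server key" in the paragraph above: the inspector has the long-lived key but the premaster secret was encrypted to a key that exists only for this session.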