Understanding IDP Internet Key Exchange
Internet Key Exchange establishes a premaster secret that is used to generate symmetric keys for bulk data encryption and authentication. Section F.1.1 of RFC 2246 defines Transport Layer Security (TLS) authentication and key exchange methods. The two key exchange methods are:
- RSA—A key exchange algorithm that governs the way participants create symmetric keys or a secret that is used during an SSL session. The RSA key exchange algorithm is the most commonly used method.
- Diffie-Hellman—A Diffie-Hellman (DH) key exchange method allows the participants to produce a shared secret value. The strength of the technique is that it allows the participants to create the secret value over an unsecured medium without passing the secret value through the wire.
Both RSA and Diffie-Hellman key exchange methods can use either a fixed or a temporary server key. IDP can successfully retrieve the premaster secret only if a fixed server key is used. Junos OS supports only the RSA key exchange method. For more information on Internet Key Exchange, see Understanding Certificates.
Note: Juniper IDP does not decrypt SSL sessions that use Diffie-Hellman key exchange.
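The following added example (not Juniper's code, and not the IDP implementation) models why the distinction above matters to an inspector that holds the server's fixed private key. It simulates a TLS 1.2 handshake with each key exchange method, records only what a passive observer sees on the wire, and then lets an "inspector" function try to rebuild the master secret from that transcript plus the server's private key. The RSA key, the Diffie-Hellman group, the random values and the transcript format are all constructed for illustration (textbook RSA on Mersenne primes, a 127-bit DH prime, no padding); only the PRF follows RFC 5246 section 5.

```python
import hashlib
import hmac
import secrets

# Server's long-term RSA key. Constructed from Mersenne primes for a
# self-contained toy; this is not how real keys are generated.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # server private exponent (the "fixed server key")

# Toy Diffie-Hellman group for illustration only; real deployments use a
# standardized 2048-bit group such as those in RFC 7919.
DH_P = (1 << 127) - 1
DH_G = 3


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5) using P_SHA256."""
    out = b""
    a = label + seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def rsa_handshake(client_random: bytes, server_random: bytes):
    """RSA key exchange: the client picks the premaster and encrypts it to the
    server's public key. Returns (what the wire shows, the endpoints' master secret)."""
    premaster = b"\x03\x03" + secrets.token_bytes(46)  # version bytes + 46 random bytes
    encrypted = pow(int.from_bytes(premaster, "big"), E, N)  # toy: no PKCS#1 padding
    transcript = {
        "kx": "RSA",
        "client_random": client_random,
        "server_random": server_random,
        "encrypted_premaster": encrypted,
    }
    return transcript, master_secret(premaster, client_random, server_random)


def dh_handshake(client_random: bytes, server_random: bytes):
    """Diffie-Hellman key exchange: each side contributes an ephemeral exponent.
    The server's RSA key would only sign its DH value; it never encrypts the secret."""
    a = secrets.randbelow(DH_P - 3) + 2  # client ephemeral exponent
    b = secrets.randbelow(DH_P - 3) + 2  # server ephemeral exponent
    ya = pow(DH_G, a, DH_P)
    yb = pow(DH_G, b, DH_P)
    shared = pow(yb, a, DH_P)  # equals pow(ya, b, DH_P) on the server side
    premaster = shared.to_bytes(16, "big")
    transcript = {
        "kx": "DHE",
        "client_random": client_random,
        "server_random": server_random,
        "dh_public_client": ya,
        "dh_public_server": yb,
    }
    return transcript, master_secret(premaster, client_random, server_random)


def inspector_recover_master(transcript: dict, server_private_d: int):
    """What a passive inspector holding the server's fixed private key can do
    with the captured handshake. Returns the master secret, or None."""
    if transcript["kx"] == "RSA":
        m = pow(transcript["encrypted_premaster"], server_private_d, N)
        premaster = m.to_bytes(48, "big")
        return master_secret(premaster, transcript["client_random"], transcript["server_random"])
    # DHE: the wire carries only g^a and g^b mod p. Neither ephemeral exponent
    # was ever encrypted to the server's key, so the key does not help.
    return None


if __name__ == "__main__":
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    tr, ms = rsa_handshake(cr, sr)
    print("RSA: inspector recovered master secret:", inspector_recover_master(tr, D) == ms)
    tr, ms = dh_handshake(cr, sr)
    print("DHE: inspector recovered master secret:", inspector_recover_master(tr, D) is not None)
```

Running the block prints `True` for the RSA case and `False` for the DHE case, which is the behaviour the note describes: loading the server's key into IDP is sufficient for RSA sessions, and no amount of key material on the inspector changes the outcome for Diffie-Hellman sessions.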
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- IDP SSL Overview
- Supported IDP SSL Ciphers
- Understanding IDP SSL Server Key Management and Policy Configuration
- Configuring an IDP SSL Inspection (CLI Procedure)