I build VPNs regularly, and one of the problems that comes up regularly is how to exchange PSKs. Some people are happy to exchange them over email, and others not (particularly because of ISO/IEC 27002). Some people like to use TXT messages - but this is horrible. I would say 90% of the PSKs that people try to TXT me get mangled. What ends up happening is you usually weaken the key a lot to get it through the TXT system - but the whole point of a PSK is to provide initial security, so this really feels wrong to me.

Other people try to actually recite them over the phone. More often than not you spend an hour trying to type in the key, trying the VPN, having it fail, and repeating until it works. Sometimes the key, once again, gets weakened so it can be read out over a phone.

What to do? Well, I pondered the issue for a while, and then wrote a tool to make the problem simpler. I admit, it's not perfect, but better than using a TXT message or trying to recite the key over the phone.

What is this tool? It is a piece of client-side JavaScript (so you can download the web page, unplug your computer from the network, and still use it) that generates long and strong PSKs that rotate every 24 hours at GMT 00:00. You can then make your output strong by typing in two extra source keys that you can agree on over the phone, or any other insecure method.
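One way a PSK that rotates at 00:00 GMT could be derived from two source keys, as an added example that is not the tool's own code. The scrypt plus HMAC-SHA256 construction, the salt label, the function names and the sample keys are all assumptions, and it targets Node.js rather than the browser.

```javascript
// Added example, not the tool's source. The KDF choice (scrypt + HMAC-SHA256),
// the salt label and all function names are assumptions made for illustration.
const { scryptSync, createHmac } = require('node:crypto');

// Fixed, public label used as the scrypt salt (constructed for this example).
const SALT = Buffer.from('daily-psk-example-v1');

// UTC calendar day (YYYY-MM-DD). Both peers must use UTC, not local time,
// or they will disagree for several hours around midnight.
function utcDay(date) {
  return date.toISOString().slice(0, 10); // throws RangeError on an invalid Date
}

// Length-prefix each source key so ("ab","c") and ("a","bc") stay distinct.
function encodeKeys(keyA, keyB) {
  const chunks = [];
  for (const key of [keyA, keyB]) {
    if (typeof key !== 'string' || key.length === 0) {
      throw new Error('both source keys must be non-empty strings');
    }
    const bytes = Buffer.from(key.normalize('NFKC'), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    chunks.push(len, bytes);
  }
  return Buffer.concat(chunks);
}

// Stretch the two source keys with scrypt, then bind the result to the UTC day
// with HMAC-SHA256. scrypt slows guessing of the source keys; it cannot add
// entropy they lack. Returns 64 hex characters (256 bits of output).
function dailyPsk(keyA, keyB, date = new Date()) {
  const master = scryptSync(encodeKeys(keyA, keyB), SALT, 32);
  return createHmac('sha256', master).update(utcDay(date)).digest('hex');
}

// Constructed sample: two peers in different time zones at the same instant.
function demo() {
  const a = dailyPsk('correct horse', 'battery staple',
    new Date('2024-03-01T09:30:00+13:00'));
  const b = dailyPsk('correct horse', 'battery staple',
    new Date('2024-02-29T20:30:00Z'));
  return { a, b, match: a === b };
}

console.log(demo());
```

Hex output avoids the character-set mangling described above, since every character is in `0-9a-f`.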