expiration, generation, management of pre-shared keys

Christopher Gripp cgripp at AXCELERANT.COM
Mon Apr 30 13:13:20 EDT 2001



I would expire the preshared keys every 30 days.  Make sure you use a
good bit length, something more than the standard 8 character
password.  As for number of sites, assuming it is a fully meshed VPN
and that most techies don't like keeping an Excel spreadsheet full of
their security information, I would say 10.  Each key should be
different for each site's SA.
 
My question is why not use digital certs?!?
 
Christopher S. Gripp
Systems Engineer
Axcelerant
Connecting Everyone In Your Business World
Visit us @ http://www.axcelerant.com

-----Original Message-----
From: Slaby, James [mailto:JSlaby at GIGAWEB.COM]
Sent: Sunday, April 29, 2001 1:02 PM
To: VPN at SECURITYFOCUS.COM
Subject: expiration, generation, management of pre-shared keys



I'm considering using pre-shared keys (instead of digital certificates) to
authenticate remote site gateways in my site-to-site Internet VPN. Is there
a best practice for how often such pre-shared keys should be expired?

Assuming I have distributed my original pre-shared keys securely (e.g., on
CD-ROM via bonded courier), can I generate new keys from expired ones? What
methods are commonly used to do so?

At what number of remote sites does the management of pre-shared keys become
such a burden that digital certificates become preferable?

Thanks, 
Jim Slaby 
Senior Industry Analyst 
Giga Information Group 
+1 617 577 4767 
jslaby at gigaweb.com 

VPN is sponsored by SecurityFocus.COM 



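As an added illustration of the reply's advice (this is not code from the list or from either poster), the following Python sketch issues an independent random key per site SA, compares its entropy with an 8-character password, and flags keys for replacement after 30 days; the site names and dates are constructed, and rotated keys are fresh random values rather than anything derived from the expired key.

```python
import math
import secrets
import string
from datetime import date, timedelta

# Constructed demonstration: one independent random key per site SA, a key
# length well beyond an 8-character password, and a 30-day expiry as the
# reply suggests. New keys are never derived from expired ones.
PSK_BYTES = 32              # 256 bits of entropy per key
ROTATION_DAYS = 30
PASSWORD_ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def entropy_bits(num_symbols: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols."""
    return length * math.log2(num_symbols)

def generate_psk(num_bytes: int = PSK_BYTES) -> str:
    """Fresh cryptographically random PSK, hex-encoded (num_bytes * 8 bits)."""
    return secrets.token_hex(num_bytes)

def _expiry(issued: str) -> str:
    """Expiry date (ISO string) ROTATION_DAYS after the ISO date `issued`."""
    return (date.fromisoformat(issued) + timedelta(days=ROTATION_DAYS)).isoformat()

def issue_keys(sites, issued_on: str) -> dict:
    """Issue a distinct key for every site SA: {site: {"psk": ..., "expires": ...}}."""
    return {s: {"psk": generate_psk(), "expires": _expiry(issued_on)} for s in sites}

def keys_due(registry: dict, today: str) -> list:
    """Sites whose key has reached its expiry date and must be rotated."""
    # ISO dates compare correctly as strings
    return sorted(s for s, rec in registry.items() if today >= rec["expires"])

def rotate_due(registry: dict, today: str) -> dict:
    """Replace each expired key with a new random one; other sites keep theirs."""
    updated = dict(registry)
    for s in keys_due(registry, today):
        updated[s] = {"psk": generate_psk(), "expires": _expiry(today)}
    return updated

def all_unique(registry: dict) -> bool:
    """True when no two sites share a key (one key per site SA)."""
    keys = [rec["psk"] for rec in registry.values()]
    return len(set(keys)) == len(keys)
```

An 8-character alphanumeric password carries under 48 bits of entropy, whereas each key here carries 256; the registry itself still needs to be stored somewhere better than a spreadsheet.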



