User Guide

92 Chapter 4. Configuring Special Features
Diffie-Hellman Encryption
With Diffie-Hellman encryption, each router has an encryption file that is associated with a public key providing
768-bit security. The predefined keys can be replaced by the user. The key files have a suffix of “num” by
convention (e.g., dh96.num).
Configuration Notes
Simply add the encryption command to your standard configuration. For Diffie-Hellman, the encryption
command is:
remote setEncryption DESE_1_KEY|DESE_2_KEY [<fileName>] <remoteName>
Observe the following guidelines:
DESE_1_KEY specifies that the same key is used in both directions, whereas DESE_2_KEY specifies that the keys are different. Having the same keys in both directions can significantly reduce the time needed to compute the DES keys from the Diffie-Hellman exchange.
routers’ receive key and sender Tx key don't match.
Different keys and key files may be used with different remote destinations.
For maximum security, as shown in these examples, Telnet and SNMP access should be disabled, and
PPP CHAP should be used. Use the console port to view error messages and progress.
Sample Configuration
The sample configuration is the same as the one provided in the preceding PPP DES encryption example, but
the Diffie-Hellman encryption command is used instead of the PPP DES encryption commands.
Sample:
login admin
remote setEncryption DESE_1_KEY dh96.num SOHO
save
reboot
File Format for the Diffie-Hellman Number File
The file consists of 192 bytes, in binary format. There are two 96-byte numbers stored, with the most
significant byte in the first position. For example, the number 0x12345678 would appear as
000000...0012345678.
The first 96 bytes form the modulus. In the equation x' = g^x mod n, n is the modulus. According to Diffie and Hellman, the modulus should be prime, and (n-1)/2 should also be prime.
The second 96 bytes form the generator, or g in the above equation. The generator should be a primitive root mod n.
The remaining pieces of the encryption key (x and y) are randomly generated at connection time and will
change every time the device connects.
Contact an encryption expert to obtain cryptographically sound generator and modulus pairs if you wish to
change the default values.
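The following Python script is an added example, not part of the user guide or the router firmware. It parses a number file in the 192-byte layout described above (two 96-byte big-endian fields, modulus first, generator second), checks the properties the text asks for (n prime, (n-1)/2 prime, g a primitive root mod n) and then runs one Diffie-Hellman exchange with the parsed parameters. The function names, the Miller-Rabin primality test and the small sample values (a toy 5-bit safe prime in place of the 768-bit numbers a real dh96.num file holds) are all constructed for the example.

```python
"""Parse and sanity-check a Diffie-Hellman number file, then run one exchange.

Added example, not vendor code. A real file carries two 96-byte (768-bit)
numbers; the sample values below are tiny, constructed ones so that the
checks are easy to follow by hand.
"""
import secrets

NUM_FILE_LEN = 192   # total file length in bytes, as the user guide states
FIELD_LEN = 96       # each of the two numbers is stored in 96 bytes


def build_num_file(n: int, g: int) -> bytes:
    """Encode (modulus, generator) as two 96-byte big-endian, zero-padded fields."""
    return n.to_bytes(FIELD_LEN, "big") + g.to_bytes(FIELD_LEN, "big")


def parse_num_file(data: bytes) -> tuple:
    """Return (n, g) from a 192-byte number file; most significant byte first."""
    if len(data) != NUM_FILE_LEN:
        raise ValueError(f"expected {NUM_FILE_LEN} bytes, got {len(data)}")
    n = int.from_bytes(data[:FIELD_LEN], "big")
    g = int.from_bytes(data[FIELD_LEN:], "big")
    return n, g


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases.

    Never rejects a prime; a composite slips through with probability at most
    4**-rounds, which is adequate for checking a parameter file.
    """
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in 2..n-2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n composite
    return True


def check_parameters(n: int, g: int) -> list:
    """Return the problems found; an empty list means the pair passes.

    Checks exactly what the guide asks for: n prime, (n-1)/2 prime, and g a
    primitive root mod n. For a safe prime n = 2q+1 the group order is 2q, so
    g is a primitive root precisely when g^2 != 1 and g^q != 1 (mod n).
    """
    if not is_probable_prime(n):
        return ["modulus n is not prime"]
    q = (n - 1) // 2
    if not is_probable_prime(q):
        return ["(n-1)/2 is not prime, so n is not a safe prime"]
    if not 2 <= g <= n - 2:
        return ["generator g is outside the range 2..n-2"]
    if pow(g, 2, n) == 1 or pow(g, q, n) == 1:
        return ["generator g is not a primitive root mod n"]
    return []


def dh_exchange(n: int, g: int) -> tuple:
    """One exchange: each side draws a fresh private exponent (the x and y the
    guide says are regenerated per connection) and returns both shared secrets,
    which must agree."""
    x = secrets.randbelow(n - 2) + 1              # side A private exponent
    y = secrets.randbelow(n - 2) + 1              # side B private exponent
    x_pub = pow(g, x, n)                          # x' = g^x mod n, sent to B
    y_pub = pow(g, y, n)                          # y' = g^y mod n, sent to A
    return pow(y_pub, x, n), pow(x_pub, y, n)


if __name__ == "__main__":
    # Constructed toy parameters: 23 is a safe prime ((23-1)/2 = 11) and 5 is
    # a primitive root mod 23; 2 is not (2^11 = 1 mod 23).
    good = build_num_file(23, 5)
    n, g = parse_num_file(good)
    print("parsed n =", n, "g =", g, "problems:", check_parameters(n, g))
    print("bad generator:", check_parameters(*parse_num_file(build_num_file(23, 2))))
    print("composite modulus:", check_parameters(25, 2))
    a_secret, b_secret = dh_exchange(n, g)
    print("shared secrets agree:", a_secret == b_secret)
```

Run it to see the checks reject a composite modulus or a non-primitive generator, and to confirm that the exchange built from a file that passes yields the same secret on both sides. To inspect a real dh96.num file, read its 192 bytes and pass them to parse_num_file; the checks take noticeably longer on 768-bit numbers but are otherwise the same.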