Technical Blog Post
Abstract
This technote describes the relative benefits of pre-shared keys versus certificates when used with IPsec on AIX.
Body
IPsec has two ways of authenticating a peer--via a pre-shared key or a certificate. While pre-shared keys are easier to work with, they are generally considered less secure than a certificate.
Pre-shared keys
Pros:
- Convenience--no need to go through the complicated process of obtaining a certificate
Cons:
- If a key is compromised, unauthorized access to the network may be obtained
- There are more opportunities to obtain the key because it is stored on all the IPsec peer systems
- There is no way to automatically notify the IPsec peers that the pre-shared key has been compromised
- Replacing the pre-shared key requires updating it on all systems, which can be tedious
- Pre-shared keys are limited to a maximum size of 64 bytes (512 bits)
Certificates
Pros:
- The key used to generate certificates is stored in a single location, separate from the systems using the certificates
- All systems may be notified of a certificate's compromise via a certificate revocation list (CRL)
- A compromised certificate only needs to be replaced on the system to which the certificate belongs
- The public key embedded in a certificate may be larger than a pre-shared key (1024, 2048, 4096 bits, or more)
Cons:
- Creating/obtaining a certificate is more complicated, more time-consuming, and potentially more expensive than using a pre-shared key
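The revocation property listed under the certificate pros above, shown end to end as an added example (not part of this technote and not AIX IPsec configuration): a throwaway CA issues a hypothetical peer certificate, revokes it, publishes a CRL, and a verifier that consults the CRL rejects the peer while one that does not still accepts it. It assumes only the openssl command-line tool; all names and files are constructed for the demo.

```shell
# Added example (not from the IBM technote): CA issues a peer cert, revokes it,
# publishes a CRL, and a CRL-aware verifier rejects the peer. Hypothetical names.
set -eu
crl_demo() {
  d=$(mktemp -d); cd "$d"
  # Minimal config for openssl req / openssl ca (constructed for this demo).
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any_policy
x509_extensions = peer_ext
[ any_policy ]
commonName = supplied
[ peer_ext ]
basicConstraints = CA:FALSE
EOF
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  # Hypothetical CA and one IPsec peer certificate issued by it.
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj "/CN=Demo IPsec CA" -days 30 >/dev/null 2>&1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout peer.key \
    -out peer.csr -subj "/CN=peer1.example" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in peer.csr -out peer.pem >/dev/null 2>&1
  # Before revocation the peer certificate chains to the CA and is accepted.
  openssl verify -CAfile ca.pem peer.pem >/dev/null 2>&1 && before=accepted || before=rejected
  # Compromise detected: revoke and publish a CRL; other peers' certs are unchanged.
  openssl ca -config ca.cnf -revoke peer.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  # A verifier that consults the CRL now rejects the revoked peer.
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem peer.pem \
    >/dev/null 2>&1 && after=accepted || after=rejected
  cd / && rm -rf "$d"
  echo "$before $after"   # prints: accepted rejected
}
```

Note that a verifier without -crl_check still accepts the revoked certificate, which is why the CRL must actually be distributed to, and checked by, every peer.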
UID
ibm10872928