How to learn dynamic token and key agreement techniques?

The technology that combines "dynamic token" and "key agreement" is virtual private network (VPN) technology. So what is a dynamic token? What is key agreement technology? The so-called dynamic token, the English token, can be understood as a "one-time password", expressed in English as "One Time Password", abbreviated as OTP. Because the number displayed on the token in real time changes every minute, it is dynamic, which is also the origin of the one-time password. First let's see what a dynamic token looks like:

These colorful tokens on the picture, although not only work in the same way, but the working principle is very similar. The principles are not expanded in the popular science article, and only how are they used to authenticate users?

User Identity / Server Identity

When users work remotely, they usually dial a VPN client.

Here comes the question, how do you make sure that the server your users access is a real server? The server has the same problem. How to ensure that the user who is using the VPN client (Wang Xiaoming) is the real Wang Xiaoming?

Assume that Wang Xiaoming now starts dialing and uses the control protocol IKE (Internet Key Exchange) to start negotiating with the server for authentication algorithms, control channel encryption algorithms, control channel verification algorithms, data traffic encryption algorithms, data traffic verification algorithms, and so on.

The two-way DH public key exchange has been completed, and the two parties have been able to derive the key of the control channel encryption algorithm. It is still not possible to verify the identity of the other party.

So the server began to say to Xiaoming on the encrypted control channel: Please show me your token number!

Xiaoming enters: "159759", the client uses "159759" + "Please show me your token number!" To do a secure Keyed hash operation to generate a random string "49efjoiweu9u2343jdwjd @ 94% s" and transmits it to the server.

The server backend also has exactly the same one-time password "159759" as Xiaoming, and performs a secure Keyed hash operation with "Please show me your token number!" To generate a random string "49efjoiweu9u2343jdwjd @ 94% s", exactly the same as Xiaoming , Xiaoming authentication is successful.

Xiaoming also needs to verify the identity of the server. The principle is similar to the above, so it will not be expanded.

When both parties authenticate each other's identities, they can then independently derive the encryption / decryption key for encrypting data traffic, the verification key for data traffic, and then assign private IP and other parameters to the client.

The VPN client can transmit all the traffic that accesses the company's internal network to the server through the VPN encrypted tunnel. The server completes decryption and verification, and then strips the outer tunnel header to reveal the user's private IP traffic and reach the real The server completes two-way communication.

How to ensure that the number (OTP) displayed by the token in the user's hand is the same as the OTP calculated by the server background? DH itself cannot defend against man-in-the-middle attacks. How does VPN technology effectively defend against man-in-the-middle attacks?

The above is the news sharing from the PASSHOT. I hope it can be inspired you. If you think today' s content is not too bad, you are welcome to share it with other friends. There are more latest Linux dumps, CCNA 200-301 dumps and CCNP Written dumps waiting for you.