Which purpose of configuring Perfect Forward Secrecy is true?

A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.


4 thoughts on “Which purpose of configuring Perfect Forward Secrecy is true?”

  1. Perfect Forward Secrecy (B is correct)

    Perfect Forward Secrecy (PFS) ensures that a given key of an IPSec security association (SA, phase 2) is not derived from any other secret, such as some other keys. In other words, if someone broke a key, PFS would ensure that the attacker would not be able to derive any other key. If PFS is not enabled, someone can hypothetically break the IKE SA secret key, copy all the IPSec-protected data, and use knowledge of the IKE SA (Phase 1) secret to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPSec. The attacker needs to break each IPSec SA individually.
    https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-1/security/configuration/guide/syssec_cg41crs_chapter3.html#con_1011576

  2. Correct Answer is B

    Instead of making use of the DH keys calculated during Phase 1, PFS forces a DH key calculation during Phase 2 setup as well as during each Phase 2 periodic rekey. PFS ensures that the same key will not be generated and used again.
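The point both comments make can be shown in code. The following is an added example, not code from the original page, from Cisco, or from either commenter: a toy Python model of IKEv1 keying in the style of RFC 2409 section 5.5, where phase-2 KEYMAT is a PRF over SKEYID_d (the phase-1 secret) plus the SPI and nonces, and PFS prepends a fresh DH shared secret. The DH group (p = 2^255 - 19, g = 2), the simplified SKEYID derivation and the single ESP SA are assumptions made for illustration; they are not real IKE parameters and are not secure. The model assumes a passive attacker who has already broken phase 1 (knows SKEYID_d) and has recorded the quick-mode exchange.

```python
"""Toy model of IKE phase-1 / phase-2 keying, with and without PFS.

Constructed example: a toy DH group and a simplified SKEYID derivation
(assumptions, not a real IKE group or the real RFC 2409 derivation).
It shows only the key-derivation structure: a compromised SKEYID_d lets
a passive attacker recompute every phase-2 key unless PFS injects a
fresh DH secret into each phase-2 negotiation and rekey.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Toy DH group, assumed for illustration only: p = 2^255 - 19 is prime, g = 2.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^xy mod p as 32 big-endian bytes."""
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def prf(key, data):
    """PRF used for all derivations (HMAC-SHA256 stands in for the negotiated PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class Phase2Transcript:
    """What a passive attacker records from one quick-mode (phase 2) exchange."""
    spi: bytes
    ni: bytes
    nr: bytes
    ke_i: Optional[int]  # initiator's fresh DH public value; None when PFS is off
    ke_r: Optional[int]  # responder's fresh DH public value; None when PFS is off


def phase1(ni, nr):
    """Phase 1: one DH exchange plus nonces yields SKEYID_d, the seed for all phase-2 keys."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    gxy = dh_shared(a, gb)
    assert gxy == dh_shared(b, ga)
    skeyid = prf(ni + nr, gxy)
    return prf(skeyid, gxy + b"\x00")  # simplified SKEYID_d (assumption)


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, fresh_dh_secret=None):
    """KEYMAT for one IPsec SA.

    Without PFS: prf(SKEYID_d, protocol | SPI | Ni | Nr).
    With PFS:    prf(SKEYID_d, g^xy | protocol | SPI | Ni | Nr), g^xy fresh per SA.
    """
    prefix = fresh_dh_secret if fresh_dh_secret is not None else b""
    return prf(skeyid_d, prefix + protocol + spi + ni + nr)


def negotiate_phase2(skeyid_d, use_pfs):
    """Both gateways run quick mode; returns (KEYMAT, what the wire shows)."""
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    protocol = b"\x03"  # ESP
    if not use_pfs:
        return phase2_keymat(skeyid_d, protocol, spi, ni, nr), Phase2Transcript(spi, ni, nr, None, None)
    x, gx = dh_keypair()  # PFS: a brand-new DH exchange for this SA only
    y, gy = dh_keypair()
    shared = dh_shared(x, gy)
    assert shared == dh_shared(y, gx)
    return phase2_keymat(skeyid_d, protocol, spi, ni, nr, shared), Phase2Transcript(spi, ni, nr, gx, gy)


def attacker_recovers_keymat(skeyid_d, t):
    """Attacker knows SKEYID_d (phase 1 broken) and the recorded phase-2 transcript.

    Returns the KEYMAT they can compute, or None when PFS leaves them only g^x and
    g^y, from which g^xy is not computable without solving the discrete log.
    """
    if t.ke_i is None:
        return phase2_keymat(skeyid_d, b"\x03", t.spi, t.ni, t.nr)
    return None


def attacker_wins(use_pfs):
    """True if breaking phase 1 alone hands the attacker the real phase-2 key."""
    skeyid_d = phase1(secrets.token_bytes(16), secrets.token_bytes(16))
    keymat, transcript = negotiate_phase2(skeyid_d, use_pfs)
    return attacker_recovers_keymat(skeyid_d, transcript) == keymat


if __name__ == "__main__":
    print("no PFS: attacker recovers phase-2 key ->", attacker_wins(False))
    print("PFS:    attacker recovers phase-2 key ->", attacker_wins(True))
```

Run it and the no-PFS case reports True and the PFS case False: with PFS the attacker has to break each phase-2 DH exchange separately, which is exactly the property the first comment describes. Each call to negotiate_phase2 also produces a different KEYMAT (new nonces, and with PFS a new DH secret), which is the "same key will not be used again" point from the second comment.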
