D-Link DFL-1600 User Manual page 240

Network security firewall
220
Hashing for Integrity
To ensure message integrity during the IKE negotiation, D-Link firewalls use hash
functions to produce message digests for the different authentication
methods. The hashing mechanism ensures that messages arrive unchanged at
the other end after transmission.
D-Link firewalls feature the following two hash functions:
SHA-1 – 160-bit message digest.
MD5 – 128-bit message digest, faster than SHA-1 but less secure.
Pre-Shared Key (PSK)
Pre-shared keys are one of the two primary authentication methods
supported by D-Link VPNs. With pre-shared key authentication, an
identical symmetric key must be manually configured on both systems. The
shared key is a secret passphrase, normally a string of ASCII characters or
a set of random hexadecimal numbers. In D-Link VPNs, the user can either
enter an ASCII password or use automatic random key generation.
Both endpoints need to have the same key defined, and the key must be
kept secret.
The pre-shared key is used only for the primary authentication; the two
negotiating entities then generate dynamic shared session keys for the IKE
SAs and IPsec SAs.
The advantages of using PSK are: first, pre-shared keys do not require a
central Certificate Authority (CA) or CAs for authentication tasks; second,
they provide a means of primary endpoint authentication, on which the
further IKE negotiation of dynamic session keys can be built. The
session keys are used for a limited period of time, after which a new set
of session keys is used.
However, one thing that has to be considered when using PSK is the key
distribution. How are the pre-shared keys distributed to remote VPN
clients and gateways? This is a major issue, since the security of a PSK
system is based on the PSKs being secret. Should one PSK be compromised
in some way, the configuration will need to be changed to use a new PSK.
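The two points above, that the negotiated hash (SHA-1 or MD5) provides keyed message integrity and that the PSK is used only for the primary authentication before fresh session keys are derived, can be illustrated with the IKEv1 key derivation from RFC 2409. The following Python is an added example written for this page; it is not D-Link code and does not reproduce the firewall's implementation. The Diffie-Hellman values, cookies, nonces and identity payload are constructed stand-ins, and `run_negotiation` is a hypothetical helper that stands in for the real exchange.

```python
import hmac
import hashlib
import os

# Hash functions the manual lists for IKE: SHA-1 (160-bit digest) and
# MD5 (128-bit digest). IKEv1 uses them as keyed PRFs (HMAC), so the
# integrity of each message rests on a key only the two peers share.
PRF_ALGS = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def prf(alg, key, data):
    """Keyed pseudo-random function: HMAC over the negotiated hash."""
    return hmac.new(key, data, PRF_ALGS[alg]).digest()


def skeyid_from_psk(alg, psk, ni, nr):
    """RFC 2409 pre-shared key mode: SKEYID = prf(PSK, Ni_b | Nr_b).
    This is the only step in which the PSK itself is used."""
    return prf(alg, psk, ni + nr)


def derive_session_keys(alg, skeyid, g_xy, cky_i, cky_r):
    """RFC 2409 section 5: the dynamic IKE SA keys are derived from SKEYID,
    the Diffie-Hellman secret g^xy and both cookies; the PSK is not an
    input. Fresh nonces and DH values give fresh keys on every negotiation."""
    skeyid_d = prf(alg, skeyid, g_xy + cky_i + cky_r + b"\x00")             # seeds IPsec SA keys
    skeyid_a = prf(alg, skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # IKE integrity key
    skeyid_e = prf(alg, skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # IKE encryption key
    return skeyid_d, skeyid_a, skeyid_e


def auth_hash(alg, skeyid, g_xi, g_xr, cky_i, cky_r, sa_body, id_body):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b).
    Only a peer holding the same PSK can compute a matching value."""
    return prf(alg, skeyid, g_xi + g_xr + cky_i + cky_r + sa_body + id_body)


def run_negotiation(alg, psk_initiator, psk_responder, ni, nr):
    """Hypothetical simulation of the authentication step between an
    initiator and a responder that each hold their own copy of the PSK.
    Returns (authenticated, keys): keys are the responder's derived
    (SKEYID_d, SKEYID_a, SKEYID_e), or None if HASH_I did not verify.
    DH values, cookies and payload bodies are constructed stand-ins."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    g_xi, g_xr, g_xy = b"\x33" * 32, b"\x44" * 32, b"\x55" * 32
    sa_body, id_body = b"constructed-sa-proposal", b"initiator@example.invalid"

    skeyid_i = skeyid_from_psk(alg, psk_initiator, ni, nr)
    skeyid_r = skeyid_from_psk(alg, psk_responder, ni, nr)
    hash_i_sent = auth_hash(alg, skeyid_i, g_xi, g_xr, cky_i, cky_r, sa_body, id_body)
    hash_i_expected = auth_hash(alg, skeyid_r, g_xi, g_xr, cky_i, cky_r, sa_body, id_body)

    # Constant-time comparison, as any MAC check should use.
    if not hmac.compare_digest(hash_i_sent, hash_i_expected):
        return False, None
    return True, derive_session_keys(alg, skeyid_r, g_xy, cky_i, cky_r)


if __name__ == "__main__":
    psk = b"example-psk-change-me"  # constructed sample value
    ni, nr = os.urandom(16), os.urandom(16)
    ok, keys = run_negotiation("sha1", psk, psk, ni, nr)
    print("matching PSK authenticated:", ok)
    ok2, _ = run_negotiation("sha1", psk, b"wrong-psk", ni, nr)
    print("mismatched PSK authenticated:", ok2)
    _, keys_again = run_negotiation("sha1", psk, psk, os.urandom(16), os.urandom(16))
    print("session keys differ across negotiations:", keys != keys_again)
    print("SHA-1 digest bytes:", len(prf("sha1", psk, b"")),
          "MD5 digest bytes:", len(prf("md5", psk, b"")))
```

Running the script shows the property the manual relies on: a peer with the wrong PSK never gets past HASH_I, while two runs with the same PSK but fresh nonces yield different SKEYID_d/_a/_e, so compromise of one set of session keys does not hand over the others. It also makes the digest lengths concrete (20 bytes for SHA-1, 16 for MD5), which is why the manual rates MD5 as the faster but weaker choice.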
D-Link Firewalls User's Guide
Chapter 22. VPN Protocols & Tunnels
