A pre-shared secret, or pre-shared key (PSK), is a method of authentication. The secret, or key, is a character string agreed upon beforehand by both parties as the key for authenticating the session. It generates a hash such that each VPN endpoint can authenticate the other.
Note that the pre-shared secret, although an ordinary character string, is not a “password.” It actually generates a hashed key to form a fingerprint that proves the identity of each endpoint. This means that long, complex character strings are more secure than short strings. Choose complex pre-shared secrets and avoid short ones, which can be more easily compromised by an attack.
The pre-shared secret is not passed during IKE negotiation. It is configured on both sides, and must match on both sides.
A pre-shared secret is an example of symmetric cryptography: the key is the same on both sides. Symmetric encryption algorithms are less computationally intensive than asymmetric algorithms, and are, therefore, faster. However, in symmetric cryptography, the two communicating parties must exchange keys in advance. Doing this securely can be a problem.
A pre-shared secret and a digital signature are the most common methods of IKE authentication. A pre-shared secret is an easy and effective way to quickly set up authentication with little administrative overhead. However, it has several drawbacks.
- If a pre-shared key is captured and no one is aware of it, the attacker has access to your network as long as that key is in use.
- A pre-shared secret is manually configured, so it should be regularly changed. However, this task often falls off the list of busy network administrators. Using pre-shared key values with remote users is equivalent to giving them a password to your network.