
Re: Key Management Query/Comments...



Joe:

>2.  SNMP might be useful for 'publishing' certificates in
>    conjunction with some kind of in-line key exchange, but this
>    gets kludgy for datagrams, where it seems better to negotiate
>    a 'session' key for the appropriate algorithm. Separating
>    key distribution from the actual protocol makes sense for
>    the reasons you outline (but is somewhat offensive to some
>    'layer independence' architecture purists I know).  But why
>    would you need to use SNMP if you could contact a key management
>    daemon who could just tell you its certificate?

By saying "this gets kludgy for datagrams" are you trying to say that the
exchange of Diffie-Hellman vectors might require more space than a single
datagram?  When certificate-based key management is used, the exchange can
certainly be larger than a single Ethernet frame.  There are also sequencing
concerns.

I think that establishment of a security association is accomplished through two
steps.  First, the keying material is generated.  This could be through the
exchange of certificates (perhaps ones that include Diffie-Hellman vectors) or
through interaction with a key distribution center (perhaps a Kerberos server)
or through manual distribution.  Second, the attributes for the security
association are negotiated.  This negotiation can be protected using the key
generated in the first step.  Also, by using the key to protect the
negotiation, keys generated using Diffie-Hellman can be tested to ensure that
both parties generated the same key.

Russ
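
The two steps described in the message above, as an added example that is not part of the original post: a Diffie-Hellman exchange produces the key, and the attribute negotiation is then MAC-protected with it, so a key mismatch shows up as a failed negotiation. The group parameters, the function names and the attribute string are assumptions made for illustration; the 127-bit prime is a toy size.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, illustration only): 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def dh_keypair():
    """Step 1a: pick a private exponent and compute the public Diffie-Hellman vector."""
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    """Step 1b: combine our private exponent with the peer's vector into a MAC key."""
    if not 1 < peer_pub < P - 1:                 # reject 0, 1 and P-1 (degenerate vectors)
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def protect(key, message):
    """Attach an HMAC-SHA256 tag computed with the step-1 key."""
    return message, hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, tag):
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def negotiate(initiator_key, responder_key, proposal):
    """Step 2: MAC-protected attribute negotiation.

    Returns the accepted attributes, or None when either side's tag fails,
    which is what happens if the two parties derived different keys.
    """
    msg, tag = protect(initiator_key, b"propose:" + proposal)
    if not verify(responder_key, msg, tag):
        return None                              # responder's key differs: no association
    reply, reply_tag = protect(responder_key, b"accept:" + proposal)
    if not verify(initiator_key, reply, reply_tag):
        return None                              # initiator cannot confirm responder's key
    return reply

if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    attrs = b"alg=des-cbc;lifetime=3600"         # constructed sample attributes
    print(negotiate(derive_key(a_priv, b_pub), derive_key(b_priv, a_pub), attrs))
```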

