[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Diffie-Hellman
Dear IPSEC-ers, (see questions at the bottom)
It seems that if there was something agreed about key management in
this IETF is that we require perfect forward secrecy (in particular,
the exposure of two parties private keys should not expose past or future
traffic between these two parties to passive attacks).
The practical significance of this decision is that we are going to build
the key exchange mechanism based on Diffie-Hellman. Since I believe that
nobody wants to leave this key exchange vulnerable to active
(man-in-the-middle) attacks it actually means that we are going to implement
authenticated DH exchange.
This is a crucial decision of this group. It means that we want to provide
very high security (which is great considering that key management is the
foundation of any security mechanism) and we are willing to pay
the computational price. The later involves six long exponentiations, at least
for parties that exchange their first key.
Some careful optimizations are possible (e.g., some of the exponentiations
performed off-line) but the overall computation cost is not negligible.
It would be nice to close this issue over this list such that we can say
that this is the IPSEC group DECISION and not just the opinion of several
IETF attendees.
The questions are:
1) is there any opposition to this agreement? For example, well-identified
scenarios where this is infeasible?
2) if you have experimental data on the performance of DH exponentiation
please share it with the group. It may help tune the protocol decisions.
PLEASE SPECIFY: h/w and s/w platform, length of modulus (and length of
exponent if different than modulus size) and, if possible, the
software implementation used (RSAREF, PGP, etc.).
Please give numbers for a SINGLE exponentiation (or otherwise specify
what are the numbers for)
(I heard, from people in the IETF, performance numbers that on similar
platforms varied up to 10 times!)
Thanks, Hugo