Diffie-Hellman



Ref:  Your note of 9 Dec 94 14:14:00 -0600 (attached)

Paul Lambert says:

>> Hugo,
>>
>> The requirement for "perfect forward secrecy" was discussed as one of many
>> criteria for IKMP.  There was no agreement on the new criteria identified at
>> the meeting.  Please do not push so hard on just one aspect of the overall
>> design before we prioritize the criteria.  Most of the proposals at this week's

I am not pushing but just trying to make progress in the evaluation of these
criteria. The particular criterion of perfect forward secrecy is a fundamental
one since, in my opinion, it has the practical consequence of requiring
Diffie-Hellman (see below). I see the performance issue as the only possible
obstacle to use of DH. Therefore, in order to (eventually, and the sooner
the better) decide on exact requirements and evaluation criteria the exact
cost of DH needs to be well understood. That was the motivation of my note.
I would like you, as the chair of this group, to explicitly support
the request for data as I did in my note. It will not push anybody, but
help us make progress.

>> meeting claimed support for perfect forward secrecy so this is not a
>> discriminating criterion.  By the way, what did the "G" for good mean in our
>> comparison matrix for your MKMP proposal?

If the criterion is "forward secrecy" then you can achieve it with different
levels. "Perfect" means that even the exposure of the private keys of
BOTH parties will NOT reveal the exchanged keys. "Good" means that the
exposure of ONLY ONE party's private key will NOT reveal the exchanged key
but the exposure of both private keys will reveal it.
NO forward secrecy at all means that with one party's private key exposed
then all the keys exchanged with that party are revealed.
The proposals based on DH have PERFECT fwd secrecy, MKMP has GOOD fwd
secrecy (here is where the 'G' comes from), and the original SKIP (w/o
DH exchange enhancements) has NO fwd secrecy.

BTW, as one of the authors of MKMP, the only reason we proposed good and not
perfect fwd secrecy was the feeling that authenticated DH can be too expensive
computationally as the universal algorithm for the Internet, but if people
believe it is affordable (without introducing dangerous shortcuts)
we are fervent supporters of it.
Whether it is affordable or not was the question that motivated my note.
>>
>>
>> I also do not agree with your conclusion that perfect forward secrecy implies a
>> requirement for Diffie-Hellman.  Not being a cryptographer by trade it would be
>> useful if someone would provide a better description of this requirement and
>> its implications.

The concept of perfect forward secrecy was introduced in a paper by
Diffie, Van Oorschot and Wiener:
    W. Diffie, M. Wiener, P. Oorschot, "Authentication and Authenticated
    Key Exchanges.", in Designs Codes and Cryptography, Vol 2, 107-125
    (1992) (Kluwer Academic Publishers)

In principle it can be more general than my above "definition" but I believe
that in our context this is what we mean (i.e. exposure of private keys does
not imply exposure of exchanged keys - except for active attacks after the
exposure). I do not know of any practical, well established technique to do
this except for DH (and its variants, e.g. over elliptic curves).
There can be, in principle, more efficient algorithms to achieve
perfect fwd secrecy but to the best of my knowledge there are no such today.
(BTW, interested readers can check Shamir's 3-pass protocol in Schneier
pg 376 or in Simmons pg. 33).

(Ashar, maybe you can check with Diffie on this.)

>>
>> A Diffie-Hellman (D-H) key exchange is a leading contender for use as a
>> baseline algorithm within IKMP given the number of proposals that contained
>> D-H.  Performance of D-H and any other proposed key exchange needs to be
>> examined as part of our group's evaluation of techniques.

Absolutely agreed!

>>
>> Paul
>>
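
Added example (not part of the original message, and not code from MKMP, SKIP or any other proposal): a toy model of the three forward-secrecy levels defined in the reply above, showing what someone who recorded an exchange can compute once long-term private keys leak. Assumptions: the 127-bit prime is for illustration only, all function names are hypothetical, the "good" case is a generic two-halves construction rather than MKMP itself, and authentication of the DH exchange is omitted.

```python
import hashlib, secrets

# Toy group, illustration only: P = 2**127 - 1 is prime but far too small for real use.
P, G = 2**127 - 1, 3

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)                     # (private, public)

def kdf(*vals):
    return hashlib.sha256(b"|".join(str(v).encode() for v in vals)).hexdigest()

def wrap(pub, secret):
    """ElGamal-style encryption of `secret` under a long-term public key."""
    r, R = keygen()
    return R, secret ^ int(kdf(pow(pub, r, P)), 16)

def unwrap(priv, ct):
    R, c = ct
    return c ^ int(kdf(pow(R, priv, P)), 16)

def run(level, A, B):
    """One exchange between A and B, each a long-term (private, public) pair.
    Returns (session_key, transcript as seen on the wire)."""
    if level == "none":      # key transported under B's long-term key only
        k = secrets.randbits(128)
        return kdf(k), {"to_B": wrap(B[1], k)}
    if level == "good":      # each side sends a half under the peer's long-term key
        ka, kb = secrets.randbits(128), secrets.randbits(128)
        return kdf(ka, kb), {"to_B": wrap(B[1], ka), "to_A": wrap(A[1], kb)}
    # "perfect": ephemeral DH; x and y are discarded after use, and long-term
    # keys would only sign X and Y (signatures omitted in this sketch).
    x, X = keygen()
    y, Y = keygen()
    return kdf(pow(Y, x, P)), {"X": X, "Y": Y}

def recover(transcript, leaked):
    """Session key computable from a recorded transcript plus leaked long-term
    private keys (`leaked` maps "A"/"B" to a private key), or None."""
    halves = []
    for party in ("B", "A"):
        ct = transcript.get("to_" + party)
        if ct is not None:
            if party not in leaked:
                return None                    # one half stays protected
            halves.append(unwrap(leaked[party], ct))
    # A DH transcript carries nothing encrypted under a long-term key.
    return kdf(*halves) if halves else None
```
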
