
a comment/question on perfect forward secrecy



Hi:

I have been following ipsec for some time, and now that perfect forward
secrecy has become a topic of conversation, I'd like to make some comments
that express some concerns about it that I've had for a while.

The goal of perfect forward secrecy, as I see it, is to ensure that
there is no single secret whose compromise would compromise the secrecy
of past message traffic.  Perfect forward secrecy does this by ensuring
that compromise of a master key does not compromise secrecy of old
session keys.  Authenticated Diffie-Hellman guarantees perfect
forward secrecy because master keys are used only to provide authentication,
not secrecy.

However, master keys may not be the only secrets whose compromise
can compromise old message traffic. Suppose that a pseudo-random
number generator is used to generate the key agreement keys.
Such pseudo-random number generators produce a sequence R1, R2, .....
where Rn is produced by running the algorithm on a secret seed and Rn-1.
Thus, if the seed and one old key were compromised, all keys generated after
that would be compromised.
In many cases, it is also possible to run the algorithm in reverse,
that is, produce Rn-1 from Rn and the secret seed.  In that case, if the
seed and one key were compromised, then all previous keys would be
compromised, thus apparently wiping out many of
the advantages of perfect forward secrecy.

One possible way of solving this problem would be to use a genuine
random source instead of a pseudo-random number generator.  If that's
not practical, then you could eliminate some of the problem by using
a pseudo-random number generator that's irreversible.  One such is
Blum, Blum, and Shub, which is also based on exponentiation,
and would thus add to the cost of the protocol, although this could
be mitigated by having keys generated ahead of time.

Does anyone know if this problem has been considered at all when looking
at perfect forward secrecy? 


Cathy Meadows
Center for High Assurance Computer Systems
Naval Research Laboratory  
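The reversibility concern raised above, as an added Python illustration that is not part of the message: a toy 32-bit affine generator (constructed constants) whose step can be inverted by anyone holding the seed, beside a hash-chained one-way step where seed plus one output still reveals every later output but offers no inverse step. All names, constants and sample values are assumptions made for the illustration.

```python
import hashlib

MOD = 2**32               # toy 32-bit state; real generators are far wider
MULT = 1664525            # odd multiplier (constructed toy constant), hence invertible mod 2^32
MULT_INV = pow(MULT, -1, MOD)


def affine_next(seed, prev):
    """Reversible step: R_n = (MULT * R_{n-1} + seed) mod 2^32."""
    return (MULT * prev + seed) % MOD


def affine_prev(seed, cur):
    """Inverse step: seed plus R_n gives R_{n-1}, so old keys are exposed."""
    return ((cur - seed) * MULT_INV) % MOD


def oneway_next(seed, prev):
    """One-way step: R_n = SHA-256(seed || R_{n-1}) truncated to 32 bits.
    Going backwards would require inverting the hash, so there is no affine_prev analogue."""
    data = seed.to_bytes(4, "big") + prev.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def generate(step, seed, r0, count):
    """Produce R_1 .. R_count from the secret seed and initial state R_0."""
    out, r = [], r0
    for _ in range(count):
        r = step(seed, r)
        out.append(r)
    return out


def future_keys_from_compromise(step, seed, r_k, count):
    """Either generator: seed + one old output R_k yields R_{k+1} .. R_{k+count}."""
    return generate(step, seed, r_k, count)


def past_keys_from_compromise(seed, r_k, count):
    """Reversible generator only: seed + R_k yields R_{k-1} .. R_{k-count}."""
    out, r = [], r_k
    for _ in range(count):
        r = affine_prev(seed, r)
        out.append(r)
    return out


if __name__ == "__main__":
    seed, r0 = 0x2545F491, 12345  # constructed sample values
    keys = generate(affine_next, seed, r0, 10)
    # compromise of seed + R_10 exposes every earlier key agreement key
    print(past_keys_from_compromise(seed, keys[-1], 9) == keys[-2::-1])
```

Swapping the affine step for the hash step leaves forward compromise intact but removes the backward walk, which is the property the post asks for from an irreversible generator.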

