[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Diffie-Hellman (note by Hugo)

To: Hilarie Orman <ho@cs.arizona.edu>
Subject: Re: Diffie-Hellman (note by Hugo)
From: "Perry E. Metzger" <perry@imsi.com>
Date: Wed, 14 Dec 1994 09:16:49 -0500
Cc: karn@qualcomm.com, ipsec@ans.net
In-Reply-To: Your message of "Tue, 13 Dec 1994 18:25:31 MST." <199412140125.SAA03833@umbra.CS.Arizona.EDU>
Reply-To: perry@imsi.com


Hilarie Orman says:
> >  I don't really think the cost of Diffie-Hellman is all that
> >  intolerable.  I used it all last week on my not-blazingly-fast laptop.
> >  It took a few seconds each time, not so long to tempt me to bypass it.
> 
> I'm concerned that this might cease to be true for hosts running applications
> that require connections to lots of different hosts.  Distributed system
> maintenance actions, for example.

The question is not so much the number of connections you have as how
often you get a connection, since that is when SAIDs are
negotiated. Given Phil's methods, most of the calculation can be done
in background and only two exponentiations need be done in "real
time". Even fairly loaded mail servers that I have run have received
connections on a fairly evenly distributed basis, so this does not
seem overly onerous even on today's hardware.

What I am more concerned about is that we are tying our negotiations
to a particular algorithm rather than a particular protocol. If next
week Diffie Hellman were somehow broken (and remember that no complete
proof of the equivalence of D-H and the discrete log problem has ever
been produced, although proofs with "holes" have been achieved), we
would all be up the creek -- ditto for all our other algorithms. More
realistically, there are likely to be better algorithms developed
someday.

I'd prefer if we had a format that contained "Hi there; I'm a key
negotiation packet. I'd like to use D-H to negotiate with you (and to
speed things up if you accept I've got a D-H component embedded so
that if you accept I don't have to send it in another packet) but if
you don't want to use D-H I also deal with Kerberos and Foobar-97."

In other words, I'd like to have a baseline requirement that you use
D-H, and the ability to optimise whatever we use so that we don't send
a dozen packets, but it would be very nice if we could build our
protocol such that we are not out of luck should we find in five years
that fast gazorknoplant key negotiation (developed the previous month)
is far better than D-H.

Perry

Follow-Ups:

Re: Diffie-Hellman (note by Hugo) GOOD PROPOSAL

From: efb@suned1.Nswses.Navy.Mil (Everett F Batey)

References:

Re: Diffie-Hellman (note by Hugo)

From: Hilarie Orman <ho@cs.arizona.edu>

Prev by Date: Re: Clogging attacks on SKIP: can we assume Kij is precomputed
Next by Date: Re: key management
Prev by thread: Re: Diffie-Hellman (note by Hugo)
Next by thread: Re: Diffie-Hellman (note by Hugo) GOOD PROPOSAL
Index(es):
- Main
- Thread