
Perfect fwd secrecy and authentication



Ashar and others,

In several mails from Ashar, and supported by other people,
it is observed that perfect fwd secrecy (PFS) is irrelevant to
(packet) authentication.
In the strict academic sense of PFS this is true.
But in the more specific (and less academically precise)
setting in which we discuss these issues (we are essentially concerned
with what does an adversary gain by finding one party's private key)
the performance of an authenticated key exchange as Diffie-Hellman
IS relevant ALSO to the issue of packet authentication (and
not only secrecy).

SKIP is a good illustration of that.
If you do "plain" SKIP (as appears in Ashar's draft)
then by knowing the private key of one party, say A, you can send authenticated
packets from this party to anybody you choose. (In the case of SKIP you
also can send authenticated packets to A from anybody else).

However, if you do perform an authenticated DH for key exchange,
then the way to use the knowledge of A's private key is to
actively impersonate A in the key exchange protocol with, say, B.
Once an adversary does that it can start injecting authenticated packets
from A to B.

There are several important differences between the latter and the plain SKIP case:

*It is generally easier to inject packets in a "one-way" form than
actively imposing an interaction (in the latter the adversary has
to solve the problem of routing the DH response to itself instead of to the
legal IP target).

*It is easier to detect an adversary that exchanges DH keys with you
(especially when the real party A tries also to exchange a key with you
after a while) than one that just injects traffic (especially if the legal
party A is currently inactive or you may maintain more than one session
with A).
One can even enhance the DH exchange to improve detection (e.g.
using some form of chaining between consecutive exchanges)
and even build special system control mechanisms to deal with this detection
(of course the latter should NOT be part of standard IKMP!)

*The adversary needs to run a DH exchange with EACH party with which it
wants to impersonate A (in SKIP once he knows A's key he can do it with
everyone)

*The adversary cannot impersonate B to A by knowing A's key only (while
in SKIP it could).

Hugo
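
The comparison in the message above can be modelled to see what a compromised long-term key of A exposes under each design. This is an added example, not part of the original mail and not SKIP's or any IKMP draft's code: the toy group, the Schnorr-style signature, the one-sided signed offer and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy group (assumption); far too small for real use

def h(*parts):
    return hashlib.sha256(repr(parts).encode()).digest()

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def tag(key, packet):  # per-packet authenticator
    return hmac.new(key, packet, hashlib.sha256).digest()

def skip_key(my_priv, peer_pub):
    # Plain SKIP model: pairwise key depends on the two long-term keys only.
    return h("skip", pow(peer_pub, my_priv, P))

def sign(priv, msg):   # Schnorr-style signature with the long-term key
    k, r = keygen()
    e = int.from_bytes(h(r, msg), "big")
    return r, (k + e * priv) % (P - 1)

def verify(pub, msg, sig):
    r, s = sig
    e = int.from_bytes(h(r, msg), "big")
    return pow(G, s, P) == r * pow(pub, e, P) % P

def offer(long_priv, peer):
    # Authenticated DH model: sign a fresh exponential, bound to the peer's name.
    x, gx = keygen()
    return x, gx, sign(long_priv, (gx, peer))

def accept(claimed_pub, me, gx, sig, y):
    return h("dh", pow(gx, y, P)) if verify(claimed_pub, (gx, me), sig) else None

def compromise_of_A():
    (a, A), (b, B), (c, C) = keygen(), keygen(), keygen()  # constructed identities
    pkt = b"constructed packet"
    # SKIP: with a and the public directory, keys for every peer, both directions.
    skip_a_to_b = tag(skip_key(a, B), pkt) == tag(skip_key(b, A), pkt)
    skip_c_to_a = tag(skip_key(a, C), pkt) == tag(skip_key(c, A), pkt)
    # Authenticated DH: a yields a key with B only by running an exchange with B.
    x, gx, sig = offer(a, "B")
    y, gy = keygen()                                        # B's fresh exponent
    dh_with_b = accept(A, "B", gx, sig, y) == h("dh", pow(gy, x, P))
    dh_reuse_at_c = accept(A, "C", gx, sig, y) is not None  # offer bound to B
    dh_b_to_a = accept(B, "A", *offer(a, "A")[1:], y) is not None  # needs B's key
    return skip_a_to_b, skip_c_to_a, dh_with_b, dh_reuse_at_c, dh_b_to_a
```

The result is `(True, True, True, False, False)`: in the SKIP model A's key alone authenticates packets to any peer and in either direction, while in the signed exchange it is accepted only by the peer the exchange was run with and never stands in for B.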