
Re: Human I&A, IPsec, and their non-relationship



>> The motivation for per-user keying based on chosen plaintext seems
>> unconvincing to me.  The amount of data sent per key can be controlled
>> by the OS, and adjusted to a conservative value based on the algorithm
>> in use.  Wouldn't it be cheaper and safer to rekey host-host
>> connections than to negotiate and rekey many user/host keys?

> Oh yes! Not only cheaper, but *simpler*! And I think, KISS ideology
> saved more than one life (:-).

Well, nothing says you have to do DH for each user. Inspired by Jeff
Schiller's comments about 802.10, in Photuris I will use DH to
establish some shared secret material between the hosts and then hash
that to generate distinct session keys for each SAID.

The session key will probably be generated along the lines of

key = MD5(DH shared secret, cookie1, cookie2, SAID)

where cookie1 and cookie2 are the Photuris cookies in sort order.

This clearly makes session key establishment cheap enough to permit
frequent session rekeying. E.g., each SAID could be given an
administrative lifetime in seconds and/or packets, after which a new
one is created with a new key, the old one is destroyed, and traffic
rerouted to use the new SAID.

The new SAID's key would use the current DH shared secret. This itself
may be periodically regenerated by placing a maximum lifetime on a
particular DH public/private part, or if perfect forward secrecy is
not desired it may be static.

Phil

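The per-SAID derivation sketched in the message above, as an added example (not Photuris code and not Phil Karn's): session keys are hashed from one DH shared secret, the two cookies in sort order and the SAID, so both ends compute the same key no matter which cookie they hold, and each SAID can be given a packet lifetime after which it is rolled over to a fresh SAID and key. The SAID encoding (32-bit big-endian), byte-wise cookie sorting and a lifetime counted in packets are assumptions of this example.

```python
import hashlib
import struct


def derive_session_key(dh_shared_secret: bytes, cookie_a: bytes, cookie_b: bytes, said: int) -> bytes:
    """key = MD5(DH shared secret, cookie1, cookie2, SAID), cookies in sort order."""
    # Sorting makes the input order-independent: initiator and responder
    # each pass their own cookie first and still hash identical bytes.
    cookie1, cookie2 = sorted((cookie_a, cookie_b))
    h = hashlib.md5()
    h.update(dh_shared_secret)
    h.update(cookie1)
    h.update(cookie2)
    h.update(struct.pack(">I", said))  # assumed SAID encoding: 32-bit big-endian
    return h.digest()


class RekeyingSA:
    """Tracks the active SAID and rolls to a new SAID/key once the old one is exhausted."""

    def __init__(self, dh_shared_secret: bytes, cookie_a: bytes, cookie_b: bytes,
                 first_said: int, packet_lifetime: int):
        self.dh_shared_secret = dh_shared_secret
        self.cookies = (cookie_a, cookie_b)
        self.packet_lifetime = packet_lifetime  # administrative lifetime, in packets
        self.said = first_said
        self.packets_sent = 0
        self.rekeys = 0
        self.key = derive_session_key(dh_shared_secret, cookie_a, cookie_b, self.said)

    def send(self) -> tuple:
        """Account one outgoing packet; returns the (SAID, key) it is sent under."""
        if self.packets_sent >= self.packet_lifetime:
            self._rekey()
        self.packets_sent += 1
        return self.said, self.key

    def _rekey(self) -> None:
        # The old SAID is destroyed; its key is simply dropped here. The new
        # key comes from the *current* DH secret, so no new DH exchange is needed.
        self.said += 1
        self.key = derive_session_key(self.dh_shared_secret, *self.cookies, self.said)
        self.packets_sent = 0
        self.rekeys += 1

    def refresh_dh(self, new_shared_secret: bytes) -> None:
        """After a fresh DH exchange every later SAID derives from the new secret."""
        self.dh_shared_secret = new_shared_secret
        self._rekey()


if __name__ == "__main__":
    # Constructed sample values, not real protocol data.
    secret = b"\x11" * 16
    cookie_i, cookie_r = b"\xaa" * 8, b"\x05" * 8
    sa = RekeyingSA(secret, cookie_i, cookie_r, first_said=256, packet_lifetime=3)
    for _ in range(7):
        said, key = sa.send()
        print(said, key.hex())
    sa.refresh_dh(b"\x33" * 16)
    print("after new DH:", sa.said, sa.key.hex())
```

The scheme's forward secrecy is bounded by the DH secret's lifetime, not the SAID's: every SAID created while one DH secret is live can be recovered from that secret, so the `refresh_dh` interval is the real security parameter. A present-day implementation would replace the plain MD5 concatenation with an HMAC-based KDF such as HKDF, but the per-SAID structure is unchanged.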

