
Re: Problem+fix in Zero Message Master Key update




> From amir@watson.ibm.com Tue Jan  3 13:47 PST 1995
> A problem with this is that Kijn may sometimes be deduced from Kijl, where
> l<n, e.g. Kij2=(kij1)^2.

Actually, knowledge of g^ij reveals knowledge of all Kijn as follows:

Kijn is derivable from g^ij^n.

The intent of this proposal was to prevent playback of traffic
keys (Kp), under the assumption that traffic keys could be broken
but not master keys. (Observing that if master keys were broken,
then even the master key update protocols like the one in your MKMP
protocol could also suffer authentication failure.) Solving
forward secrecy issues was not a goal of this proposal.

> It is simple to solve this (also more efficiently) by
> 
> Kijn=h(g^ij,n)

I don't have any serious objections to using a one-way hash function
like MD5 as specified above. However, the same thing applies. Knowledge
of g^ij reveals all Kijn. Its principal advantage is that this is
more efficient.

Ashar.
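
The two derivations discussed in this thread, as an added Python example that is not part of the original message or of the proposal itself. It uses a constructed toy group and constructed secrets, SHA-256 in place of MD5, and an assumed byte encoding for (g^ij, n), and it extends the quoted Kij2=(Kij1)^2 case to any l that divides n.

```python
import hashlib

# Constructed toy parameters (assumptions; far too small for real use).
P = 2**127 - 1                 # Mersenne prime used as the modulus
G = 3                          # base
I_SECRET = 0x1234567890ABCDEF  # constructed long-term secret of i
J_SECRET = 0x0FEDCBA987654321  # constructed long-term secret of j

def shared_secret(own_secret, peer_secret):
    """g^ij mod p, formed by raising the peer's public value to own_secret."""
    return pow(pow(G, peer_secret, P), own_secret, P)

def kijn_exp(gij, n):
    """Level-n master key as a power of the shared secret: (g^ij)^n mod p."""
    return pow(gij, n, P)

def kijn_hash(gij, n):
    """Level-n master key as h(g^ij, n); SHA-256 and the encoding are assumptions."""
    data = gij.to_bytes(16, "big") + n.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def from_lower_level(k_l, l, n):
    """Try to obtain Kijn from Kijl alone (l < n, l divides n) by exponentiation."""
    if l >= n or n % l:
        raise ValueError("need l < n and l dividing n")
    return pow(k_l, n // l, P)

def compare(levels=((1, 2), (2, 6), (3, 6))):
    """For each (l, n), report whether Kijl alone yields Kijn under each scheme."""
    gij = shared_secret(I_SECRET, J_SECRET)
    rows = []
    for l, n in levels:
        exp_hit = from_lower_level(kijn_exp(gij, l), l, n) == kijn_exp(gij, n)
        hash_hit = from_lower_level(kijn_hash(gij, l), l, n) == kijn_hash(gij, n)
        rows.append((l, n, exp_hit, hash_hit))
    return rows

if __name__ == "__main__":
    for l, n, exp_hit, hash_hit in compare():
        print(f"Kij{n} from Kij{l}: exponent scheme={exp_hit}, hash scheme={hash_hit}")
```

In both schemes a holder of g^ij can call the derivation for every n, which is the point made in the reply above; the hash only removes the algebraic link between levels.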

