
Re: Proposal: Perfect forward SECURITY



From: " " <amir@watson.ibm.com>
> > However, if you would like to use the last round's key components
> > to authenticate the next round, I suggest a better way might be
> > to simply include the last round's ephemeral public DH values in the
> > authenticated/encrypted SKIP message that is used to communicate the
> > current round's ephemeral DH components. This serves to authenticate the
> > messages (and thereby the key), as opposed to simply authenticating the
> > key.
> 
> No, this is not as secure. I don't want to base the security on any long-lived
> secret key. Your proposal above requires that the SKIP keys would be secure
> `forever'. I'm saying, let's not make a distinction between ephemeral DH
> keys and long-lived, SKIPish DH keys. The DH keys we use may change
> periodically, period :-) Thereby, we achieve the stronger security property
> which I called above `perfect forward SECURITY'.

While I await clarification on Amir's suggestion, I think a clarification
on this response would probably be useful. While the security of the
scheme does indeed rest on the secrecy of the long-term DH secrets, in the
sense that authentication failure will result from compromise of these long-term
keys, perfect forward secrecy is achieved by the protocol I suggested.

That is, compromise of the long-term keys does not compromise past
session (or master) keys, because the long-term keys are only used
to authenticate the ephemeral key exchange. I don't think Amir implied
that perfect forward secrecy was not achieved, but I thought a
clarification of this point may be useful for those not following this
thread in great depth.

I'll also observe that any scheme that uses long-term keying material
to authenticate key exchanges (and all the proposals that are fully
spelled out and currently on the table fall in this category) would
have the same failure mode.

Regards,
Ashar.
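Ashar's point above, that the long-term DH secrets only authenticate the ephemeral exchange and so their later compromise lets an attacker pass authentication but does not reveal past session keys, as an added Python illustration. This is not code from the thread or from SKIP; the toy group, the MAC construction and the message layout are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only: 2**127 - 1 is prime, but this size and
# generator are constructed for the demo and are not the SKIP group parameters.
P = (1 << 127) - 1
G = 3

def keypair():
    """DH private exponent in [2, P-2] and its public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def mac_key(lt_secret, peer_lt_pub):
    """Long-term DH shared secret, hashed into an authentication key (SKIP style)."""
    shared = pow(peer_lt_pub, lt_secret, P)
    return hashlib.sha256(b"auth|" + shared.to_bytes(16, "big")).digest()

def authenticate(key, eph_pub):
    """MAC over the ephemeral public value, keyed by the long-term shared secret."""
    return hmac.new(key, eph_pub.to_bytes(16, "big"), "sha256").digest()

def verify(key, msg):
    eph_pub, tag = msg
    return hmac.compare_digest(tag, authenticate(key, eph_pub))

def session_key(eph_secret, peer_eph_pub):
    """Per-round key derived only from the ephemeral exchange."""
    shared = pow(peer_eph_pub, eph_secret, P)
    return hashlib.sha256(b"sess|" + shared.to_bytes(16, "big")).digest()

def run_round(a_lt, b_lt, a_eph, b_eph):
    """Each side sends its ephemeral public value MACed under the long-term key.
    Returns (A's session key, B's session key, the public transcript)."""
    a_key, b_key = mac_key(a_lt[0], b_lt[1]), mac_key(b_lt[0], a_lt[1])
    msg_a = (a_eph[1], authenticate(a_key, a_eph[1]))
    msg_b = (b_eph[1], authenticate(b_key, b_eph[1]))
    if not (verify(b_key, msg_a) and verify(a_key, msg_b)):
        raise ValueError("ephemeral value failed authentication")
    k_a = session_key(a_eph[0], msg_b[0])
    k_b = session_key(b_eph[0], msg_a[0])
    return k_a, k_b, (a_lt[1], b_lt[1], msg_a, msg_b)

def later_compromise(transcript, a_lt_secret):
    """What a recorded transcript yields once a long-term secret leaks: the MAC
    key, hence the ability to pass authentication in future rounds. The past
    session key stays out of reach, since it needs an ephemeral exponent that
    was never stored (g^a and g^b alone do not give g^ab)."""
    _, b_lt_pub, msg_a, _ = transcript
    leaked_key = mac_key(a_lt_secret, b_lt_pub)
    return verify(leaked_key, msg_a)
```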