
Perfect forward SECURITY (uni- vs bi-directional impersonation)



Ref:  Your note of Sat, 7 Jan 1995 16:28:42 -0800 (attached)


An important issue about requirements:

 >
 > I'll also observe that any scheme that uses long term keying material
 > to authenticate key exchanges (and all the proposals that are fully
 > spelled out and currently on the table fall in this category) would
 > have the same failure mode.
 >
 > Regards,
 > Ashar.

Ashar means that if we rely on the private key of a machine A to
authenticate A's key exchanges with B (for example A signs, using its
own private key, its value g^x in a DH exchange) then an adversary E
that learns A's private key will be able to impersonate A in the key
exchanges between A and B (and any other party).

RIGHT! BUT...

Is impersonation in the other direction possible? That is:
Will the adversary E be able to impersonate B when exchanging a key with A
(by just knowing A's private key but not B's private key)? Two answers:

1) In the case of DH authenticated with RSA (or any other digital) signature
the answer is: NO! (When B sends g^y he authenticates it with B's private
key).
2) In the case of DH authenticated with the SKIP master key a^ij the answer is:
YES!

No doubt that the first case has a (significant) advantage over the second.
For example, if A's private key was exposed it does not mean that I
want the adversary E to be able to impersonate myself to A. By doing that
E could have A giving her information that A is supposed to release ONLY
if I authenticated myself to A.
(Notice that the knowledge of A's private key does not mean necessarily
that the adversary has access to all information kept by A).

Whether this is just an advantage or a requirement can be discussed.
However, the cost of achieving this property is moderate enough to require
it anyway.

Indeed number (1) above achieves that.
Moreover, even using only SKIP keys there is a moderate-cost solution;
actually a very elegant one that Amir proposed a few notes ago.
It uses a variant on Diffie-Hellman that requires only SKIP-like keys
but ensures asymmetric authentication in the sense of the above requirement.
The price is only a semi-off-line exponentiation (comparable to the cost
of an RSA signature).

I'll let Amir further explain the technique.

Hugo

PS: there is another issue related to the damage of exposing a private key
related to "chaining techniques" for key exchange. This is also the matter
for a separate note.
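Added worked example (not part of Hugo's note, nor SKIP's or anyone's real implementation): a toy model of the two cases above. Under the SKIP-style scheme both parties derive the same master key a^ij from their long-term DH keys, so an adversary E who learns A's secret i computes (a^j)^i and can speak as B to A just as well as A to B. Under signature-authenticated DH, E holding A's signing key can still pose as A, but cannot sign a fresh g^y under B's key, so A rejects the impersonation of B. Everything here is assumed for illustration: the DH group (Mersenne prime 2^61-1, generator 3), the textbook RSA keys built from well-known small primes, and the simplification that SKIP authentication is modelled as an HMAC keyed from a^ij. None of these parameters are usable for real security.

```python
"""Toy model of one-sided vs two-sided impersonation after a long-term key leak.

SKIP-style:  long-term DH secrets i, j; master key a^ij keys every message.
Signed DH:   long-term RSA signing keys; fresh g^x, g^y signed per exchange.
All parameters are assumed and insecure; they only make the argument runnable.
"""
import hashlib
import hmac
import secrets

# Assumed toy DH group: Mersenne prime 2^61-1 and generator 3 (insecure size).
P = (1 << 61) - 1
G = 3


def dh_pub(priv):
    return pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def kdf(shared):
    # shared < 2^61, so it fits in 8 bytes
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


# --- SKIP-style: master key a^ij derived from long-term keys ----------------
def skip_master_key(my_long_term_priv, peer_long_term_pub):
    return kdf(dh_shared(my_long_term_priv, peer_long_term_pub))


def skip_mac(master_key, msg):
    # Simplified model: per-message authentication keyed from a^ij.
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def skip_impersonation(i, j):
    """E has learned A's long-term secret i (and sees public a^i, a^j).
    Returns whether A accepts a forged 'from B' message and whether
    B accepts a forged 'from A' message.  Both come out True: the
    master key is symmetric, so knowing i is as good as knowing j here."""
    pub_A, pub_B = dh_pub(i), dh_pub(j)
    k_A = skip_master_key(i, pub_B)      # what A holds
    k_B = skip_master_key(j, pub_A)      # what B holds
    k_E = skip_master_key(i, pub_B)      # E: leaked i combined with public a^j
    to_A, to_B = b"hello A, this is B", b"hello B, this is A"
    return {
        "E_as_B_to_A": hmac.compare_digest(skip_mac(k_A, to_A), skip_mac(k_E, to_A)),
        "E_as_A_to_B": hmac.compare_digest(skip_mac(k_B, to_B), skip_mac(k_E, to_B)),
    }


# --- Signed DH: long-term RSA signing keys, fresh DH values per exchange -----
def rsa_keygen(p, q, e=65537):
    """Textbook RSA from two (assumed prime) integers; returns (pub, priv)
    as ((n, e), (n, d)).  Padding is omitted on purpose: this is a toy."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _h(msg_int, n):
    return int.from_bytes(hashlib.sha256(str(msg_int).encode()).digest(), "big") % n


def rsa_sign(msg_int, priv):
    n, d = priv
    return pow(_h(msg_int, n), d, n)


def rsa_verify(msg_int, sig, pub):
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _h(msg_int, n)


def signed_dh_exchange(priv_A, pub_A, priv_B, pub_B):
    """Honest run: each side signs its own fresh DH value under its own
    long-term key and checks the peer's value under the peer's public key.
    Returns the two session keys, which must agree."""
    x, y = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    gx, gy = dh_pub(x), dh_pub(y)
    msg_A = (gx, rsa_sign(gx, priv_A))      # A -> B
    msg_B = (gy, rsa_sign(gy, priv_B))      # B -> A
    if not rsa_verify(*msg_A, pub_A) or not rsa_verify(*msg_B, pub_B):
        raise ValueError("signature check failed")
    return kdf(dh_shared(x, gy)), kdf(dh_shared(y, gx))


def signed_dh_impersonation(pub_A, priv_A_leaked, pub_B, y=None):
    """E holds A's long-term signing key.  To pose as A to B it signs a fresh
    g^y under that key and B accepts.  To pose as B to A it would have to
    sign under B's key, which it lacks; A checks under pub_B and rejects."""
    y = secrets.randbelow(P - 1) + 1 if y is None else y   # E's ephemeral exponent
    gy = dh_pub(y)
    forged = rsa_sign(gy, priv_A_leaked)    # the only signature E can produce
    return {
        "E_as_A_to_B": rsa_verify(gy, forged, pub_A),   # B verifies under A's key
        "E_as_B_to_A": rsa_verify(gy, forged, pub_B),   # A verifies under B's key
    }


if __name__ == "__main__":
    print("SKIP-style:", skip_impersonation(secrets.randbelow(P - 1) + 1,
                                            secrets.randbelow(P - 1) + 1))
    pub_A, priv_A = rsa_keygen(1000000007, 1000000009)     # assumed toy primes
    pub_B, priv_B = rsa_keygen(998244353, 2147483647)
    k_a, k_b = signed_dh_exchange(priv_A, pub_A, priv_B, pub_B)
    print("honest signed DH agrees:", k_a == k_b)
    print("signed DH :", signed_dh_impersonation(pub_A, priv_A, pub_B))
```

The point the two result dictionaries make is exactly Hugo's: the leak of A's long-term key yields two-way impersonation in the a^ij case and one-way impersonation in the signed case. The honest exchange is included so the signed variant is shown as a complete two-message protocol rather than only its failure mode.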