
Re: Perfect forward SECURITY (uni- vs bi-directional impersonation)




> From amir@watson.ibm.com Wed Jan 11 07:38 PST 1995
> > I disagree. In virtually any circumstance that IPSP is likely to be
> > used in, E having A's long term authentication key will mean that
> > to the network E *is* A, and therefore E can access any information
> > that A can access.
> 
> But E cannot impersonate B!! For example, if A is a file server, E cannot
> continue reading/modifying B's files!!

But... B's files are on A. And it is A's keys that have been compromised.

In my view, if the file-server's (A's) keys have been compromised then the
security of any data on that file server is pretty suspect.

Two example scenarios. 

One, connect to A as A, and then since B's files are on A, and 
presumably A can do anything with them (since they reside on A), B's 
files still get compromised.

Second. Assume A performs periodic archival backups to another online
server (say C). That is, all of A's data is also on C. (Not an
uncommon mode of operation). Obviously, since it is A's data
(which also contains B's files), then A can access that data on
C. Therefore B's files still get compromised by compromise
of A's signature keys.

The point I am making is that there are so many failure scenarios
that can occur in case of compromise of a principal's authentication
key, especially to data that *belongs* to that principal, that the
distinction between uni- and bi-directional authentication doesn't
seem worthwhile.

> Of course, the fact that neither my fix nor the signatures as Hugo explained
> apply to non-interactive SKIP is not terrible. But, when this feature is easy
> to obtain, why not.

I don't think this is terrible either. However, I don't consider adding two
real-time signatures to the protocol as a small additional overhead.

This adds potentially on the order of minutes to the key setup times 
on underpowered platforms, particularly if we use secure (1024-bit) RSA
keys. And the gain in security is marginal, at best.

Regards,
Ashar.