
Re: comments on Photuris
> From karn@unix.ka9q.ampr.org Tue Feb 21 02:09 PST 1995
> You said that you could sign the DH public key in your protocol with,
> say, PGP. But how does this really differ from Photuris, where I also
> sign a DH public part with RSA? The main difference is that I
> regularly generate new DH public/private pairs while you consider them
> to be fairly static. This may admittedly be a *practical* advantage in
> that your DH public keys can be signed offline in a presumably more
> secure fashion than my ephemeral DH keys, which have to be signed
> online because they change frequently. This may make the signature
> function somewhat more vulnerable to compromise.

Yes, I think the practical issues are substantial. The SKIP use
of long-term DH is significantly different from the signing of
ephemeral DH values. It is one single DH value you have to be sure
about. As such, its integrity check is a bootstrap issue. This
bootstrap operation can be augmented with whatever level of 
security one wishes to associate with bootstrapping in general.

For example, just like one publishes (and communicates) the
MD5 hash of one's long-term RSA key, one can publish and
communicate (out-of-band) the MD5 hash of one's long-term DH key. 
Also, just like one can have multiple signers of people's long-term
RSA keys (e.g. as in PGP's web-of-trust), one can have multiple
signers of people's long-term DH keys. It is significantly harder
to subvert all these mechanisms.

Naturally, one cannot do all of this for the sake of every
signed ephemeral DH key.

Furthermore, when used with a conventional CA hierarchy,
the CAs (who sign the DH values) can be offline. This is a 
significant level of protection for the private key of a CA, 
since it is never required to be in a machine that can be 
penetrated using network intrusion techniques. By contrast, the
signing of ephemeral DH values (as e.g. in Photuris) is
necessarily online and hence easier to subvert; especially
since the subversion does not have to happen in real time
and only needs to happen once to indefinitely spoof the
protocol.

I think the practicality of what an attacker has to do
in both cases is a very significant consideration, beyond just 
the seeming equivalence of some mathematical operations.

Regards,
Ashar.
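The bootstrap check Ashar describes above, as an added illustration that is not part of this mail and is not SKIP's or Photuris's own code: a relying party holds fingerprints of a peer's one long-term DH public value obtained out-of-band (the mail suggests an MD5 hash; SHA-256 is substituted here), checks the value it receives against every independently obtained fingerprint once, and thereafter derives pairwise keys with no signature and no online signing key. The group is the 1024-bit MODP group from RFC 2409; the function names, the "channels" and the threshold rule (all channels must agree) are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), generator 2.
# A modern deployment would pick a larger group; the bootstrap logic
# below does not depend on which group is used.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def fingerprint(pub):
    """Fingerprint of a long-term DH public value (SHA-256 substituted for
    the mail's MD5). This hex string is what travels out-of-band."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()


def keygen():
    """Generate a long-term DH pair (x, g^x mod p). Done rarely, offline."""
    priv = secrets.randbelow(P - 3) + 2          # 2 .. P-2
    return priv, pow(G, priv, P)


def verify_bootstrap(received_pub, published_fps):
    """The one-time check everything else rests on.

    received_pub came over the network (or from a directory); published_fps
    are fingerprints of the same key from one or more independent channels.
    Every channel must agree, so substituting a key means subverting all of
    them. Values outside the group are rejected as well (the trivial elements
    would force a predictable shared secret)."""
    if not published_fps:
        return False
    if not 1 < received_pub < P - 1:
        return False
    fp = fingerprint(received_pub)
    return all(hmac.compare_digest(fp, ch) for ch in published_fps)


def shared_key(my_priv, peer_pub, published_fps):
    """Pairwise key from two long-term DH keys (the static-key model).

    No signature is produced or checked here: trust in peer_pub was
    established once, offline, by verify_bootstrap."""
    if not verify_bootstrap(peer_pub, published_fps):
        raise ValueError("peer's long-term DH key does not match the out-of-band fingerprint(s)")
    z = pow(peer_pub, my_priv, P)
    return hashlib.sha256(b"static-dh-pairwise-key" + z.to_bytes(KEY_BYTES, "big")).digest()


def demo():
    """Honest exchange agrees; a substituted key is caught at bootstrap."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    # Constructed: two independent channels that both report the genuine fingerprint.
    a_channels = [fingerprint(a_pub), fingerprint(a_pub)]
    b_channels = [fingerprint(b_pub), fingerprint(b_pub)]

    k_ab = shared_key(a_priv, b_pub, b_channels)
    k_ba = shared_key(b_priv, a_pub, a_channels)

    # An interposer replaces B's public value on the wire with its own.
    _, mitm_pub = keygen()
    try:
        shared_key(a_priv, mitm_pub, b_channels)
        substitution_caught = False
    except ValueError:
        substitution_caught = True

    # Subverting only one of the two out-of-band channels is not enough either.
    half_subverted = [fingerprint(mitm_pub), fingerprint(b_pub)]
    return {
        "keys_agree": k_ab == k_ba,
        "substitution_caught": substitution_caught,
        "single_channel_subversion_caught": not verify_bootstrap(mitm_pub, half_subverted),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the ephemeral model is in what is absent: there is no signing key on the host that runs shared_key, so a network compromise of that host yields nothing that lets an intruder vouch for a different DH value later. In the ephemeral design every fresh g^x has to be signed at the moment it is made, which is exactly the key the mail argues is most exposed.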