
WG last call for IPv4 AH and ESP



Ref:  Your note of Wed, 22 Feb 1995 10:27:01 -0500 (attached)

Ran, please read this.

When you say that

 > Perfect forward secrecy can be achieved without having either
 > in-band key mgmt or structured SAIDs.

you mean achieving it via Diffie-Hellman. Agreed.

Also agreed by all (?) is that DH is not cheap.
For example, Photuris, which you claim has rough consensus,
chooses to have "shortcuts" (replayable signatures,
short exponents) only to alleviate that complexity.

The meaning of DH being expensive is that you will do key refreshments
less frequently. Let's say every 12 hours.
It means that stealing a key allows the adversary to decrypt 12 hours
of communication (just by eavesdropping, no need for active impersonation).
Wouldn't it be nice if you could somehow limit the damage to less time?
Well, yes, depends on the cost.

A very cheap way to achieve this is that every, say, 2 hours (or 5 minutes if you
want), both parties refresh their current key by applying to it a one-way
function (i.e., with negligible computational cost). This requires no
interaction. Now let's say that the adversary breaks in at 6:30 PM and the
last DH was at 12 noon. The adversary will be able to decrypt information
exchanged from 6pm to midnight, but not from before 6pm.

Moreover, for algorithms that are weak or not well-proven to be secure
(very efficient algorithms may be such) a frequent key exchange is a
great idea.

Now, if I change my key non-interactively from time to time I want a means to
tell that to the other party to guarantee synchronization; a minimally
structured SAID will do.

Truth is that I prefer even these frequent changes to be done interactively,
since these interactions can be very efficient (see MKMP). In that
case no need for structured SAIDs, and security is even better
(the above eavesdropper will learn only information from 6 to 8, and will have
to mount an active attack if he wants to learn information transmitted from
8 to 12).

But if some people will want to do the non-interactive refreshment, then why
prevent them from doing that?
On a more general note, if one can add significant flexibility by "paying"
with only 1 bit of SAID, why not provide that?

Do you see any "hidden cost" in requiring unstructured SAID to have one
fixed bit?

Hugo
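As an added illustration of the scheme described in the note above (the non-interactive one-way key refresh and the single SAID bit used to keep both ends in step); this is example code written for this archive page, not code from Hugo, from the IPsec drafts, or from any Photuris/MKMP implementation. The hash used as the one-way function, the choice of the low-order SAID bit, the HMAC keystream standing in for the ESP transform, and the Sender/Receiver names are all assumptions of the example. It walks through the note's own timeline: DH at 12 noon, refresh every 2 hours, break-in at 6:30 PM.

```python
import hashlib
import hmac

INTERVAL_HOURS = 2    # non-interactive refresh period ("say 2 hours" in the note)
DH_PERIOD_HOURS = 12  # full DH exchange every 12 hours, also from the note
INTERVALS = DH_PERIOD_HOURS // INTERVAL_HOURS  # 6 refresh intervals per DH period
SAID_GEN_BIT = 0x1    # assumed: low-order SAID bit carries key-generation parity
SAID_MASK = 0xFFFFFFFE


def ratchet(key: bytes) -> bytes:
    """One-way refresh: k_{i+1} = H("refresh" || k_i). Cheap and non-interactive;
    given only k_{i+1}, recovering k_i would need a SHA-256 preimage."""
    return hashlib.sha256(b"refresh" + key).digest()


def key_chain(dh_key: bytes, intervals: int = INTERVALS) -> list:
    """All interval keys of one DH period: k_0 is the DH output, k_i = ratchet(k_{i-1})."""
    keys = [dh_key]
    for _ in range(intervals - 1):
        keys.append(ratchet(keys[-1]))
    return keys


def interval_of(hour: float, dh_hour: float = 12.0) -> int:
    """0-based refresh interval containing wall-clock `hour` (12 noon -> interval 0)."""
    return int((hour - dh_hour) // INTERVAL_HOURS)


def keys_derivable_from(stolen_key: bytes, stolen_index: int) -> dict:
    """What an eavesdropper who steals the current key during interval
    `stolen_index` can compute: that key and, by ratcheting forward, every later
    key up to the next DH. Nothing before `stolen_index`, because H is one-way."""
    out = {stolen_index: stolen_key}
    k = stolen_key
    for i in range(stolen_index + 1, INTERVALS):
        k = ratchet(k)
        out[i] = k
    return out


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy transform (HMAC-SHA256 keystream, keyed per sequence number) standing in
    for the ESP cipher; a key mismatch shows up as garbage plaintext."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Sender:
    def __init__(self, said: int, dh_key: bytes):
        self.said_base, self.key, self.gen, self.seq = said & SAID_MASK, dh_key, 0, 0

    def refresh(self) -> None:
        self.key, self.gen = ratchet(self.key), self.gen + 1

    def send(self, plaintext: bytes):
        self.seq += 1
        said = self.said_base | (self.gen & SAID_GEN_BIT)   # announce key-generation parity
        return said, self.seq, keystream_xor(self.key, self.seq, plaintext)


class Receiver:
    def __init__(self, said: int, dh_key: bytes):
        self.said_base, self.key, self.gen = said & SAID_MASK, dh_key, 0

    def receive(self, said: int, seq: int, ciphertext: bytes) -> bytes:
        if said & SAID_MASK != self.said_base:
            raise ValueError("unknown SA")
        if (said & SAID_GEN_BIT) != (self.gen & SAID_GEN_BIT):
            # peer refreshed once since our last packet: catch up with no exchange
            self.key, self.gen = ratchet(self.key), self.gen + 1
        return keystream_xor(self.key, seq, ciphertext)


if __name__ == "__main__":
    chain = key_chain(b"\x11" * 32)          # constructed stand-in for the noon DH output
    stolen = interval_of(18.5)               # break-in at 6:30 PM -> interval 3 (6-8 PM)
    exposed = keys_derivable_from(chain[stolen], stolen)
    print("intervals readable by the eavesdropper:", sorted(exposed))   # [3, 4, 5]
    s, r = Sender(0x1234, chain[0]), Receiver(0x1234, chain[0])
    s.refresh()
    print(r.receive(*s.send(b"after one refresh")))                     # b'after one refresh'
```

Two things the run makes visible. First, `keys_derivable_from` gives exactly the note's damage window: intervals 3, 4 and 5 (6 PM to midnight) and nothing earlier, since going backwards means inverting the hash. Second, the one SAID bit is enough only when the receiver sees at least one packet per refresh period: if it misses two refreshes in a row the parity matches again and it silently decrypts with a stale key, which is the kind of "hidden cost" a real design would bound with a time limit or a wider generation counter.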