
Comments from Paul Van Oorschot



I got this in email. I'm forwarding it to the list as it seems much
more relevant than so much of the discussion here recently. I'll follow up
with some responses. Phil

Date:  Thu, 9 Mar 1995 16:00:00 -0500 
Content-Identifier:  re:My photuri... 
From: "paul (p.c.) van oorschot" <paulv@bnr.ca>
Sender: "paul (p.c.) van oorschot" <paulv@bnr.ca>
To: karn
Cc: "marcus (m.d.) leech" <mleech@bnr.ca>, ashar@osmosys.incog.com,
        whitfield.diffie@eng.sun.com
Subject:  re:My photuris protocol 

>Hi. Marcus Leech tells me you're interested in reviewing my photuris key
>exchange protocol. It's out as an Internet draft in the usual places,
>e.g.,
>
>ftp://ds.internic.net/internet-drafts/draft-karn-photuris-00.txt.
>
>I'd like to hear your comments, especially on the advisability of signing
>just the DH public component so it can be done in advance to save delay.
>This is a hot topic of discussion on the ipsec mailing list.
>
>Phil

Phil,

I have looked over your Photuris I-D of December 1994, and offer
the following comments.  As I don't participate in the mailing list
regularly, it would seem inappropriate for me to post to the list and
not be available for responses, so I respond to you directly.  
Please feel free to forward/discuss in the list if you think appropriate.

1. (section 1) The first discussion of "perfect forward secrecy" I 
   am aware of is by Gunther in his Eurocrypt'89 paper, 
   "An identity-based key exchange protocol", pp.29-37,
   though it is possible this term was defined earlier.
   BTW, this paper is quite relevant background reading. 

2. (section 3.3, Cookie Generation) If I understand correctly, it appears
   the cookie party A creates to use with party B is time-invariant.
   Does this imply that if B is a malicious party, then any party A which
   ever gives to B a cookie is subject to a flooding attack by B?
   If so, it would seem prudent to recommend cookies be time-variant.

3. (section 4.5, Moduli) It is only fair to list disadvantages
   as well as advantages, of a fixed prime, including:
   1) a fixed prime is a much more rewarding cryptanalytic target
   2) the security of the whole system rests on this prime being good
   3) changing this prime may lead to difficulties
   
4. (section 5.1, Signature Transmission) The authenticated key exchange 
   protocol seems very similar to the Station-to-Station (STS) 
   protocol described by Diffie, van Oorschot and Wiener
   ("Authentication and authenticated key exchanges",
   Designs, Codes and Cryptography vol.2 pp.107-125 (1992)),
   including allowing identities to remain hidden from eavesdroppers, and 
   encrypting a subset of the protocol data messages exchanged themselves.

   I have sent a hard copy of this paper to you by post today,
   presuming you do not have access to it.

5. I strongly recommend against signing only a single exponential. 
   Attacks are known against similar protocols which do so, and there
   are general concerns (e.g. see pp.116-117 of STS paper). Signing both
   exponentials provides entity authentication guarantees, which prevent 
   one class of replay attacks; signing only one does not, and in general 
   is vulnerable to a wide array of possible "interleaving" attacks.

6. Due to the incredibly embarrassing track record of newly proposed
   authentication and authenticated key exchange proposals, I hesitate
   to support any brand new protocol, and recommend the group consider 
   choosing one (from the literature or elsewhere) which has already 
   been well-studied by a large number of experts, or which can be 
   proven to be cryptographically equivalent to such a protocol.

Kindest regards,
Paul.

P.S. I have also recently looked at Perry Metzger's "Troublemakers DRAFT"
     draft-metzger-ah-md5-01.txt.  Am I correct in concluding it is 
     indeed a joke? As has been discussed in the literature,
     the secret-prefix method proposed therein is insecure. 

------------------------------------------------------------------------------
Paul Van Oorschot           Bell-Northern Research     | EMAIL: paulv@bnr.ca |
MAIL TO:                    SHIP TO:                   | VOICE: 613-763-4199 | 
BNR, Box 3511, Station C,   BNR, 2 Constellation Cr.   | FAX:   613-765-3520 |
Ottawa, Canada K1Y 4H7      Nepean, ON, Canada K2G 5J9 |                     |
------------------------------------------------------------------------------
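Point 2 above concerns cookies that never change for a given peer. The following is an added illustration (not code from the letter, the Photuris draft, or any implementation) of the difference between a time-invariant cookie and one bound to a coarse time counter, both computed statelessly as a MAC under a responder-held secret. The cookie layout, the 60-second epoch and the one-epoch grace window are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for this illustration; the cookie format is not the draft's.
COOKIE_EPOCH_SECONDS = 60   # assumed rotation period
COOKIE_LEN = 16


def current_epoch(now=None):
    """Coarse time counter the cookie is bound to; advances every COOKIE_EPOCH_SECONDS."""
    now = time.time() if now is None else now
    return int(now // COOKIE_EPOCH_SECONDS)


def make_static_cookie(secret, peer_addr, peer_port):
    """Time-invariant cookie: depends only on the responder secret and the peer's address/port,
    so a value handed out once stays valid for as long as the secret does."""
    msg = f"{peer_addr}|{peer_port}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def make_cookie(secret, peer_addr, peer_port, epoch):
    """Time-variant cookie: the epoch is mixed into the MAC, so the value changes as time passes."""
    msg = f"{peer_addr}|{peer_port}|{epoch}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def verify_cookie(secret, cookie, peer_addr, peer_port, epoch, grace=1):
    """Stateless check: recompute for the given epoch and up to `grace` earlier epochs.

    No per-peer state is kept, so the responder commits nothing until a valid cookie returns,
    and a cookie older than the grace window is simply rejected.
    """
    for e in range(epoch, epoch - grace - 1, -1):
        expected = make_cookie(secret, peer_addr, peer_port, e)
        if hmac.compare_digest(cookie, expected):
            return True
    return False


def rotate_secret():
    """Fresh responder secret; re-keying also invalidates every outstanding cookie."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    secret = rotate_secret()
    now = current_epoch()
    c = make_cookie(secret, "192.0.2.1", 500, now)   # constructed peer address/port
    print("valid now:      ", verify_cookie(secret, c, "192.0.2.1", 500, now))
    print("valid next epoch", verify_cookie(secret, c, "192.0.2.1", 500, now + 1))
    print("valid two later ", verify_cookie(secret, c, "192.0.2.1", 500, now + 2))
```

The static variant is exactly the property the letter questions: once a peer holds such a cookie it can reuse it indefinitely. Binding the epoch into the MAC bounds that window to `grace + 1` epochs, and rotating the secret closes it entirely, all without the responder storing anything per peer.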



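Points 4 and 5 above contrast signing both exponentials (as in STS) with pre-signing only one's own. The following added example (not code from the letter, the STS paper or the Photuris draft) makes the difference concrete: a verifier in the STS style checks a signature over both the peer's exponential and the one it sent itself in this run, so a signature produced in another run does not pass. Schnorr signatures in a toy group with p = 1019, q = 509, g = 4 stand in for whatever signature scheme a real protocol would use; the group, the function names and the fixed exponents used below are assumptions for illustration only.

```python
import hashlib
import secrets

# Toy group (assumed, far too small for real use): safe prime p = 2q + 1 with q = 509,
# and g = 4 generating the order-q subgroup.
P = 1019
Q = 509
G = 4


def hash_to_int(*parts):
    """SHA-256 over the decimal encodings of the given integers, read as one big integer."""
    data = b"|".join(str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    """Long-term Schnorr signing key pair (priv, pub = g^priv)."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def schnorr_sign(priv, *message):
    """Schnorr signature: r = g^k, e = H(r, message), s = k - priv*e mod q."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = hash_to_int(r, *message)
    s = (k - priv * e) % Q
    return e, s


def schnorr_verify(pub, sig, *message):
    """Recompute r = g^s * pub^e (which equals g^k) and check the challenge matches."""
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P
    return hash_to_int(r, *message) == e


def dh_share(secret_exp=None):
    """Ephemeral DH pair (x, g^x); a fixed exponent may be supplied for deterministic runs."""
    x = secrets.randbelow(Q - 1) + 1 if secret_exp is None else secret_exp
    return x, pow(G, x, P)


def sign_both_exponentials(signing_priv, own_exp, peer_exp):
    """STS style: the signature covers both exponentials of this run."""
    return schnorr_sign(signing_priv, own_exp, peer_exp)


def sign_own_exponential_only(signing_priv, own_exp):
    """Single-exponential variant (can be computed in advance, as the letter notes is the aim)."""
    return schnorr_sign(signing_priv, own_exp)


def accept_both(peer_signing_pub, peer_exp, own_exp_sent, sig):
    """STS verifier: the check includes the exponential this party actually sent in this run."""
    return schnorr_verify(peer_signing_pub, sig, peer_exp, own_exp_sent)


def accept_one(peer_signing_pub, peer_exp, sig):
    """Single-exponential verifier: the party's own contribution is not part of the check."""
    return schnorr_verify(peer_signing_pub, sig, peer_exp)


def run_exchange(x_exp, y_exp, responder_priv):
    """One full run: exchange g^x, g^y; responder signs both; initiator verifies; both derive K.

    Returns the shared key g^(xy), or None if verification fails or the two sides disagree.
    """
    x, gx = dh_share(x_exp)
    y, gy = dh_share(y_exp)
    responder_pub = pow(G, responder_priv, P)
    sig = sign_both_exponentials(responder_priv, gy, gx)
    if not accept_both(responder_pub, gy, gx, sig):
        return None
    k_initiator = pow(gy, x, P)
    k_responder = pow(gx, y, P)
    return k_initiator if k_initiator == k_responder else None


if __name__ == "__main__":
    priv, pub = keygen()
    _, gx_run1 = dh_share(5)
    _, gx_run2 = dh_share(6)
    _, gy = dh_share(7)
    sig = sign_both_exponentials(priv, gy, gx_run1)
    print("STS signature accepted in its own run:", accept_both(pub, gy, gx_run1, sig))
    print("same signature accepted in another run:", accept_both(pub, gy, gx_run2, sig))
    print("shared key from a full run:", run_exchange(5, 7, priv))
```

The decisive line is the verifier's: `accept_both` folds in `own_exp_sent`, so the responder's signature is evidence that it saw this run's g^x, which is what the letter means by entity authentication. `accept_one` has nothing of the initiator's in it, so the same pre-computed signature is equally acceptable whatever the initiator contributed, and the verifier learns nothing about whether the signer is present in this run.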
