
Re: A Photuris variant



>This is an important issue. Whatever is your public-key based way
>of sharing keys, a secure and efficient (MD5-like complexity) mechanism
>for re-keying is required. There are several ways to do it.
>I'd like to hear exact details on how you propose to do it.
>In the meantime, my preferred method is the one we propose in our
>MKMP draft.

I propose that the session key be derived from the following:

MD5 { local cookie, remote cookie, shared DH secret, SAID }

Use as many bits as you need from the front of the hash result. E.g.,
for single-key DES, take the first 64 bits and overwrite every 8th bit
to have the proper parity. For IDEA, just use the entire MD5 result
as-is.

The cookies are included mainly so that different keys are generated
for each direction of transmission. They're handy enough.

Including the SAID in the hash is how I generate distinct keys for
each new SAID between a given host pair without requiring a new DH
exchange each time. This does imply a new SAID every time you rekey,
which I consider reasonable given the size of the field. It also keeps
the protocol simple.

Creating a new SAID without a new DH computation doesn't necessarily
require adding new message types, although it could be done that way.
It could simply follow the same Photuris exchange, possibly with a new
set of cookies if they are time-varying. In the DH step, though, the
previous public values would be exchanged. The DH module in the
implementation could compare the new values to the ones previously
received.  If they're the same, and if we haven't generated a new
public value on our end, we'd simply bypass the DH exponentiation
and keep the old shared secret.

And since all of these Photuris messages could be easily sent
encrypted in an existing SAID, you'd gain an extra measure against
passive eavesdropping. An eavesdropper wouldn't even know that a new
SAID had been created until he saw IPSP packets using it. Even
then he wouldn't know its parameters (encryption algorithm, etc).

Phil
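The derivation Phil sketches above, worked through as an added example (this is not code from the message or from any Photuris implementation). It assumes the four fields are simply concatenated in the order listed and that the SAID is encoded as a 32-bit big-endian integer; the cookie and DH-secret values are constructed sample bytes, not captured traffic. It also encodes the rekey rule from the message: skip the DH exponentiation only when the peer's public value is unchanged and we have not generated a new one ourselves.

```python
"""
Session-key derivation as described in the message:
    MD5 { local cookie, remote cookie, shared DH secret, SAID }
truncated to the cipher's key size, with DES parity bits fixed up.
Field encodings below are assumptions, labelled as such.
"""
import hashlib
import struct
from typing import Optional


def derive_key_material(local_cookie: bytes, remote_cookie: bytes,
                        dh_secret: bytes, said: int, n_bytes: int) -> bytes:
    # Assumption: fields are concatenated in the order the message lists
    # them, and the SAID is encoded as a 32-bit big-endian integer.
    if not 0 <= said <= 0xFFFFFFFF:
        raise ValueError("SAID must fit in 32 bits")
    if not 1 <= n_bytes <= 16:
        raise ValueError("MD5 yields at most 16 bytes of key material")
    data = local_cookie + remote_cookie + dh_secret + struct.pack(">I", said)
    # "Use as many bits as you need from the front of the hash result."
    return hashlib.md5(data).digest()[:n_bytes]


def fix_des_parity(key: bytes) -> bytes:
    # DES (FIPS 46) convention: the least significant bit of each key byte
    # is a parity bit, set so that every byte has an odd number of 1 bits.
    # This is the "overwrite every 8th bit" step from the message.
    out = bytearray()
    for b in key:
        seven = b & 0xFE                     # the 7 real key bits
        ones = bin(seven).count("1")
        out.append(seven | (0 if ones & 1 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") & 1 for b in key)


def des_session_key(local_cookie: bytes, remote_cookie: bytes,
                    dh_secret: bytes, said: int) -> bytes:
    # Single-key DES: first 64 bits, parity bits overwritten.
    material = derive_key_material(local_cookie, remote_cookie, dh_secret, said, 8)
    return fix_des_parity(material)


def idea_session_key(local_cookie: bytes, remote_cookie: bytes,
                     dh_secret: bytes, said: int) -> bytes:
    # IDEA takes a 128-bit key: "just use the entire MD5 result as-is".
    return derive_key_material(local_cookie, remote_cookie, dh_secret, said, 16)


def need_new_dh(prev_remote_public: Optional[bytes], new_remote_public: bytes,
                local_regenerated: bool) -> bool:
    # Rekey-without-DH rule from the message: bypass the exponentiation and
    # keep the old shared secret only if the peer's public value matches the
    # one previously received AND we have not generated a new one ourselves.
    if prev_remote_public is None:
        return True
    return new_remote_public != prev_remote_public or local_regenerated


# Constructed sample values (not real traffic); cookie length is arbitrary here.
A_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
B_COOKIE = bytes.fromhex("ffeeddccbbaa99887766554433221100")
DH_SECRET = bytes(range(1, 33))   # stands in for a shared DH secret

if __name__ == "__main__":
    # Each direction hashes the cookies in its own (local, remote) order,
    # so A's sending key differs from B's sending key for the same SAID.
    k_ab = des_session_key(A_COOKIE, B_COOKIE, DH_SECRET, 0x1234)
    k_ba = des_session_key(B_COOKIE, A_COOKIE, DH_SECRET, 0x1234)
    print("A->B DES key:", k_ab.hex(), "odd parity:", has_odd_parity(k_ab))
    print("B->A DES key:", k_ba.hex(), "odd parity:", has_odd_parity(k_ba))
    # A fresh SAID yields a fresh key with no new DH exchange.
    print("new SAID key:", des_session_key(A_COOKIE, B_COOKIE, DH_SECRET, 0x1235).hex())
```

The two properties worth checking on the output are that the DES key passes the parity check and that swapping the cookie order or changing the SAID changes the key while the DH secret stays fixed. MD5 is used here only to follow the message; a current design would put the same inputs through a purpose-built KDF.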