
Use of signatures vs. encryption (to complement DH in Photuris)




Phil,

Hugo has proposed in many notes, some already from March, as well as in his
presentation in the last IETF, that there are advantages in changing the method
of authenticating the DH flows in Photuris. The most radical suggestion is
that instead of using a signed exchange _after_ the DH messages, Photuris
would distribute a key before the DH phase based on public key encryption,
and use this key to authenticate the DH messages. I feel that we didn't get
a proper response to this (and other) suggestions. While I realise that time
is precious and rare, I still expect you to reply to such important suggestions
in a timely and reasoned manner. Please do so.

As a short reminder, the main advantage of using an encrypted key-exchange
before the DH step, instead of authenticating the DH exchange after it's done
(using signed messages), is the ability to use the same protocol while
skipping the DH exchange, for much higher efficiency. This is esp. relevant to the
applications where the protocol is used mainly for authentication (not
encryption). Hugo provided a much more detailed discussion of advantages in
his notes (and presentation).

Please be responsive. We don't care so much for the outcome, as we care for
an open discussion and a clear resolution. We are moving rapidly on our
implementation, which we hope to ship very soon as a product compatible with
as much of the IPSEC standards as possible. While our plan is to later adjust
the product to the final standards, we do want to make it as close to the
standards as possible. We cannot do this if standards are developed in a closed
circle, without active discussion and responses.

Best, Amir Herzberg
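
A sketch of the idea summarised in the message above, added here as an illustration and not taken from Photuris, Hugo's notes or any implementation: both sides already hold a key K and use it to MAC the DH flows, or to derive a session key directly when the DH step is skipped. The delivery of K under the peer's public key is assumed to have happened and is not implemented; the message layout, function names, pre-exchanged nonces and the demo prime are all assumptions.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2  # demo prime only (assumption); not a vetted DH group

def mac(k, *parts):
    """HMAC-SHA256 over length-prefixed parts, keyed with the transported key K."""
    h = hmac.new(k, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def dh_message(k, role, n_i, n_r):
    """One DH flow: (role, public value, tag). The tag binds role and both nonces."""
    x = secrets.randbelow(P - 3) + 2
    pub = pow(G, x, P).to_bytes(32, "big")
    return x, (role, pub, mac(k, role, n_i, n_r, pub))

def accept(k, role, n_i, n_r, msg):
    """Check the tag before the public value is used; return it as int, or None."""
    got_role, pub, tag = msg
    ok = got_role == role and hmac.compare_digest(tag, mac(k, role, n_i, n_r, pub))
    y = int.from_bytes(pub, "big")
    return y if ok and 1 < y < P - 1 else None

def session_key(k, n_i, n_r, dh_secret=b""):
    """Derive the session key; dh_secret stays empty when the DH step is skipped."""
    return mac(k, b"session", n_i, n_r, dh_secret)

def run(k, use_dh=True, tamper=False):
    """Run both sides in one process; return (initiator key, responder key) or None."""
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)  # assumed pre-exchanged
    if not use_dh:  # authentication-oriented mode: no exponentiation at all
        return session_key(k, n_i, n_r), session_key(k, n_i, n_r)
    x, m_i = dh_message(k, b"I", n_i, n_r)
    y, m_r = dh_message(k, b"R", n_i, n_r)
    if tamper:  # constructed in-transit change to the initiator's public value
        m_i = (m_i[0], bytes([m_i[1][0] ^ 1]) + m_i[1][1:], m_i[2])
    pub_i, pub_r = accept(k, b"I", n_i, n_r, m_i), accept(k, b"R", n_i, n_r, m_r)
    if pub_i is None or pub_r is None:
        return None
    s_i = pow(pub_r, x, P).to_bytes(32, "big")  # initiator's view of g^xy
    s_r = pow(pub_i, y, P).to_bytes(32, "big")  # responder's view of g^xy
    return session_key(k, n_i, n_r, s_i), session_key(k, n_i, n_r, s_r)
```

In the skipped mode the session key depends only on K and the nonces, so it has no forward secrecy if K is later exposed.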