
SKIP insecure



> Date: 14 Nov 95 11:22:25 -0800
> From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>
> Subject: WG Last Call for SKIP I-D
>
SKIP exhibits several serious insecurities.

The SKIP master keys are extremely long term.  No matter how many
"reasonable safeguards", long term storage of keys carries a significant
security risk.  This problem has long been recognized for KDCs.

The SKIP master keys are maintained on multiple systems.  Although this
may be appealing for rapid "fail-over and load-balancing", and
"intermediate authentication", there is no IP Security requirement for
these features.  Every node that has the duplicate master keys is
another potential security risk.  This makes the security risk even
worse than KDCs.

The SKIP public-values are signed, but the generated session-keys are
not signed.  Current literature suggests that _both_ the public values
and resulting session-keys be signed to prevent attacks.  The signature
operation is not known to be associative or commutative.

These SKIP risks and vulnerabilities are unacceptable.

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2