
Re: forward secrecy



Ashar,

You make some good points, mainly (to rephrase) that a single really
good DH exchange is better than a bunch of bad DH exchanges. True, but
Photuris still gives you the option of 'turning a knob' to make the DH
exchanges as good (and as infrequent, if that's necessary) as you
like.

While you're probably right that the NSA performs mostly passive
vacuum-cleaner attacks, this doesn't apply in all cases. In
particular, the recent revelations about cracking Soviet WWII and Cold
War-era spy communications (see "Dark Sun" by Richard Rhodes) really
describe active attacks: during WWII the Finns discovered a Soviet
code book and sold it to the OSS, who copied it before returning it to
their nominal allies. This is a classic active attack, as were the
"black bag jobs" (covert break-ins) also performed by the US against
the Russians. Since the Russians were (and probably still are) very
fond of one-time pads, this sort of thing was pretty much required to
get any measure of success.

Clearly, ephemeral DH exchanges would thwart these attacks. My
philosophy: do DH with big enough exponents to thwart NSA for a very
long time, AND redo it often enough to limit your exposure. And if
that's too much of a CPU burden, either tune up your exponentiation
code or buy a bigger CPU.

Phil
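The two knobs Phil describes, exponent size and rekey interval, as an added Python example (not code from this list or from Photuris): each interval runs a fresh ephemeral exchange and then forgets its exponents, so a passive tap holding only the public values, or an intruder who later steals one interval's exponent, learns at most that interval's traffic. The group generator and the function names `make_group`, `ephemeral_exchange` and `session_keys` are choices made here, and the group sizes are toy sizes for a runnable demo.

```python
import hashlib
import secrets

def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (toy sizes)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int) -> tuple[int, int]:
    """Knob 1, group size: a random safe prime p = 2q+1 of `bits` bits and a
    generator of its order-q subgroup (toy sizes; real groups are >= 2048 bits)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, 4   # 4 is a square mod p, so it has order q

def ephemeral_exchange(p: int, g: int, exponent_bits: int) -> bytes:
    """One ephemeral DH exchange: fresh exponents, derive the key, forget them.
    exponent_bits (at most q's size) is the cost/strength knob Phil mentions."""
    a = secrets.randbits(exponent_bits) | (1 << (exponent_bits - 1))  # Alice
    b = secrets.randbits(exponent_bits) | (1 << (exponent_bits - 1))  # Bob
    A, B = pow(g, a, p), pow(g, b, p)       # all a passive vacuum-cleaner tap sees
    shared = pow(B, a, p)
    assert shared == pow(A, b, p)           # both sides agree; a and b now go away
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def session_keys(p: int, g: int, exponent_bits: int, rekey_every: int, n_messages: int) -> list[bytes]:
    """Knob 2, rekey interval: key protecting each message when a fresh exchange
    runs every rekey_every messages; one lost exponent exposes at most that many."""
    keys = []
    for i in range(n_messages):
        if i % rekey_every == 0:
            key = ephemeral_exchange(p, g, exponent_bits)
        keys.append(key)
    return keys
```

Raising `bits` and `exponent_bits` buys strength at the cost of exponentiation time; lowering `rekey_every` bounds how much traffic any one compromised exponent can expose.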

