
an imperfection in skip-pfs.



-----BEGIN PGP SIGNED MESSAGE-----


There is a small, but significant, difference between perfect forward
secrecy as implemented by Photuris and ISAKMP/OAKLEY, and how it is
proposed to be implemented for SKIP in draft-ietf-ipsec-skip-pfs-00.txt.

The basic exchange in that draft is:

	I->J: { g^x, g, p, [Cert_I]g^xj, EMKID_J_I}Kij
	J->I: { g^y, g, p, [Cert_J]g^xj, EMKID_J_I, EMKID_I_J}Kij

While I believe this provides perfect forward secrecy for subsequent
traffic keys derived from g^xy, this does not appear to provide
perfect forward privacy protection for the identities enclosed in the
ephemeral certificates Cert_I and Cert_J.

The problem is that the certificate is encrypted with a key g^xj which
has an ephemeral public component and a long-term private component.
If the long-term DH secret key `j' is later compromised, an attacker
can then decrypt both [Cert_I] and [Cert_J] and figure out who the
parties to the exchange really are.

Photuris does not have this problem, since the identity exchange is
encrypted in a completely ephemeral key (g^xy in the terminology used in
skip-pfs).  A quick scan of the OAKLEY draft seems to indicate to me that
OAKLEY is essentially identical to Photuris in this regard.

					- Bill




-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMS4gbFpj/0M1dMJ/AQGeKwP7B1KeQp8anXJAQIKYs7ILArs5wynU3pRH
ohzWL5037YF0GVcLjxYXmXgMaPKNJUiEIUvMk8oKBR/jftn3pLKGs28Y5t3ZFZKX
P9i0HCEznnmFsFzO6aXyqTRFGcpDv1lOTIDgRtm/NaQqjOkWcFVaCowAp1MmOgys
ZrUZNfmjhdM=
=Amsi
-----END PGP SIGNATURE-----
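The point of the message above, worked through in code. This is an added example, not part of the original post and not code from the SKIP, Photuris or OAKLEY drafts. It simulates one I->J message recorded by a passive eavesdropper, encrypts the initiator's identity once the skip-pfs way (under g^xj, where x is ephemeral and j is J's long-term SKIP secret) and once the Photuris/OAKLEY way (under the fully ephemeral g^xy), discards the ephemeral exponents, and then hands the attacker the recording plus both long-term secrets i and j. The group (a Mersenne prime modulus), the cipher (SHA-256 keystream with an HMAC tag) and the certificate string are all toy stand-ins chosen here so the example runs offline; they are not what any of the drafts specify.

```python
"""Why long-term-key compromise exposes identities in skip-pfs-00 but not
in Photuris/OAKLEY.  Added example; toy group and toy cipher, illustration only."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime as a toy modulus; NOT a standardised DH group
G = 3            # toy generator


def dh_keypair():
    """Return (secret exponent, public value g^secret mod p)."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)


def kdf(shared):
    """Derive a 32-byte key from a shared DH value (toy: plain SHA-256)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, length):
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key, plaintext):
    """Toy encrypt-then-MAC: keystream XOR, then an HMAC-SHA256 tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key, blob):
    """Verify the tag, then decrypt.  Returns None on a wrong key, so a
    failed guess is distinguishable from a successful decryption."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def run_exchange(cert_i=b"CN=initiator.example"):
    """One I->J message as seen by a passive eavesdropper.

    Returns the values that went over the wire plus the two long-term
    secrets (so a later 'compromise' can be simulated).  The ephemeral
    exponents x and y are deleted, as an implementation would do after
    the session ends.  cert_i is a constructed placeholder identity.
    """
    i, g_i = dh_keypair()   # I's long-term SKIP key (what Cert_I certifies)
    j, g_j = dh_keypair()   # J's long-term SKIP key
    x, g_x = dh_keypair()   # I's ephemeral exponent
    y, g_y = dh_keypair()   # J's ephemeral exponent
    # skip-pfs-00 style: identity encrypted under g^xj = (g^j)^x
    skip_blob = seal(kdf(pow(g_j, x, P)), cert_i)
    # Photuris/OAKLEY style: identity encrypted under g^xy = (g^y)^x
    photuris_blob = seal(kdf(pow(g_y, x, P)), cert_i)
    del x, y
    return {"g_x": g_x, "g_y": g_y, "g_i": g_i, "g_j": g_j,
            "skip_blob": skip_blob, "photuris_blob": photuris_blob,
            "long_term_i": i, "long_term_j": j}


def attacker_with_compromised_keys(tr):
    """Later compromise of BOTH long-term secrets i and j, plus the recording.

    Returns (identity recovered from the skip-pfs ciphertext,
             identity recovered from the Photuris ciphertext or None).
    """
    i, j = tr["long_term_i"], tr["long_term_j"]
    # g^xj = (g^x)^j is computable from the recorded g^x and the stolen j.
    skip_identity = open_(kdf(pow(tr["g_x"], j, P)), tr["skip_blob"])
    # Everything the attacker can form from the recording and the stolen
    # long-term keys.  None of it is g^xy: that needs x or y, which are gone.
    candidates = [pow(tr["g_x"], j, P), pow(tr["g_y"], j, P),
                  pow(tr["g_x"], i, P), pow(tr["g_y"], i, P),
                  pow(tr["g_i"], j, P)]
    photuris_identity = None
    for c in candidates:
        photuris_identity = open_(kdf(c), tr["photuris_blob"])
        if photuris_identity is not None:
            break
    return skip_identity, photuris_identity


if __name__ == "__main__":
    s, p = attacker_with_compromised_keys(run_exchange())
    print("skip-pfs identity after j compromised:", s)
    print("Photuris identity after i,j compromised:", p)
```

The attacker never needs i to break the skip-pfs case; only J's long-term secret j is required, exactly as the message states. The candidate list in the Photuris case makes the contrast explicit: with the ephemeral exponents deleted, no combination of the recorded public values and the stolen long-term keys yields g^xy, so the tag check fails for every guess.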