
Re: an imperfection in skip-pfs



> From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
> While I believe this provides perfect forward secrecy for subsequent
> traffic keys derived from g^xy, this does not appear to provide
> perfect forward privacy protection for the identities enclosed in the
> ephemeral certificates Cert_I and Cert_J.

Bill,

You are correct that the SKIP PFS draft does not provide
equal protection for identity information as it does
for traffic.

However, the same is true of OAKLEY (and I believe Photuris,
though I don't have a draft at hand to check), albeit in a 
different manner.

With, e.g., OAKLEY, the identity information is revealed
in the unauthenticated phase, meaning that identity information
would be disclosed under an active (intruder-in-the-middle) 
attack. Of course, traffic is secure against active forms of 
attack, since it is transmitted in the authenticated phase.

An intruder-in-the-middle attack on SKIP PFS does not 
disclose identity information. 

There are some additional points to consider. The most common
usage of the anonymity feature is likely to be for mobile users,
making secured access to corporate information across the
Internet. In this scenario, J is an organizational 
firewall, and I is the mobile user. Compromise of the 
mobile user's long-term keys does not disclose identity 
information. Only compromise of the firewall's long term
keys discloses identity information. 

From a practical point of view, a mobile user's long-term 
keys are more likely to be compromised than the long-term 
keys of a physically protected organizational firewall. 

Therefore, considering only identity protection, one has to 
ask oneself what is a greater threat: a) The possibility of 
a compromise of a firewall's long-term keys or b) the possibility
of an intruder-in-the-middle attack on the key exchange.

If a) is a greater threat then the identity protection provided by
Photuris/Oakley is better. If b) is a greater threat then
the identity protection provided by SKIP PFS is better.

In favor of the identity protection provided by Photuris/Oakley,
it is worth noting that identity disclosure requires an attack
on each key exchange, whereas with SKIP PFS compromise of a 
firewall's long-term keys discloses identity information for a 
large number of exchanges. However, in principle if one can
perform an active attack on one key exchange, one could perform
active attacks on many key exchanges.

Given these different tradeoffs, my own view is that the
anonymity protection of SKIP PFS is adequate, however I
am open to modifying this if the WG believes a) to be 
a greater threat than b). (It is possible for the anonymity
protection for SKIP PFS to be more like Oakley/Photuris, at 
the cost of some additional complexity.)

Regards,
Ashar.







-------------- Enclosure number 1 ----------------
>From ashar  Sat, 24 Feb 1996 12:12:54 PST +0500  remote from sunpak
Received: from ashar@sunpak by sunpak.sdnpk.undp.org
          (PMail+UDG PegWaf v0.26 93.04.04) id 3761 for ipsec@ans.net;
          Sat, 24 Feb 1996 12:12:54 PST +0500
From:          ashar@sunpak.sdnpk.undp.org (Ashar Aziz)
To:            ipsec@ans.net
Date:          Sat, 24 Feb 1996 12:12:53 +0000
Subject:       Re: an imperfection in skip-pfs. (fwd)
Priority: normal
X-mailer: Pegasus Mail for Windows (v2.01)

> From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
> While I believe this provides perfect forward secrecy for subsequent
> traffic keys derived from g^xy, this does not appear to provide
> perfect forward privacy protection for the identities enclosed in the
> ephemeral certificates Cert_I and Cert_J.

Bill,

You are correct that the SKIP PFS draft does not provide
equal protection to identity information as it does
to traffic.

However, the same is true of OAKLEY (and I believe Photuris,
though I don't have a draft at hand to check), albeit in a 
different manner.

With, e.g., OAKLEY, the identity information is revealed
in the unauthenticated phase, meaning that identity information
would be disclosed under an active (intruder-in-the-middle) 
attack. Of course, traffic is secure against active forms of 
attack, since it is transmitted in the authenticated phase.

An intruder-in-the-middle attack on SKIP PFS does not 
disclose identity information. 

There are some additional points to consider. The most common
usage of the anonymity feature is likely to be for mobile users,
making secured access to corporate information across the
Internet. In this scenario, J is an organizational 
firewall, and I is the mobile user. Compromise of the 
mobile user's long-term keys does not disclose identity 
information. Only compromise of the firewall's long term
keys discloses identity information. 

From a practical point of view, a mobile user's long-term 
keys are more likely to be compromised than the long-term 
keys of a physically protected organizational firewall. 
This is why the identities are protected with g^xj and 
not g^ij.

Therefore, considering only identity protection, one has to 
ask oneself what is a greater threat: a) The possibility of 
a compromise of a firewall's long-term keys or b) the possibility
of an intruder-in-the-middle attack on the key exchange.

If a) is a greater threat then the identity protection provided by
Photuris/Oakley is better. If b) is a greater threat then
the identity protection provided by SKIP PFS is better.

In favor of the identity protection provided by Photuris/Oakley,
it is worth noting that identity disclosure requires an attack
on each key exchange, whereas with SKIP PFS compromise of a 
firewall's long-term keys discloses identity information for a 
large number of exchanges. However, in principle if one can
perform an active attack on one key exchange, one could perform
active attacks on many key exchanges.

Given these different tradeoffs, my own view is that the
anonymity protection of SKIP PFS is adequate, however I
am open to modifying this if the WG believes a) to be 
a greater threat than b). (It is possible for the anonymity
protection for SKIP PFS to be more like Oakley/Photuris, at 
the cost of some additional complexity.)

Regards,
Ashar.
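
The tradeoff between threats a) and b) in the message above, worked through as an added example that is not part of the original message or of either draft. It is a simplified model, not the drafts' message formats: the toy group, the stand-in cipher, the sample identity and the names skip_style and unauth_style are all assumptions.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3            # toy group (assumption): far too small for real use
IDENT = b"mobile-user-I"        # constructed sample identity

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def seal(key, ident):
    # Stand-in cipher (assumption): XOR keystream plus HMAC tag, identity <= 32 bytes.
    stream = hashlib.sha256(key + b"enc").digest()
    ct = bytes(a ^ b for a, b in zip(ident, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, ct, tag):
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None             # wrong key: the identity stays hidden
    stream = hashlib.sha256(key + b"enc").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def skip_style(attacker):
    """Identity sealed under g^xj; I holds J's certified g^j before the exchange."""
    i, _ = keygen()             # I's long-term key
    j, gj = keygen()            # J's (firewall's) long-term key
    x, gx = keygen()            # I's ephemeral key
    ct, tag = seal(kdf(pow(gj, x, P)), IDENT)
    # Exponent the attacker can apply to the observed g^x:
    # has_j = threat a), has_i = mobile user's key lost, in_middle = threat b).
    exp = {"has_j": j, "has_i": i, "in_middle": keygen()[0]}[attacker]
    return unseal(kdf(pow(gx, exp, P)), ct, tag)

def unauth_style(attacker):
    """Identity sealed under g^xy while the peer's g^y is still unauthenticated."""
    j, _ = keygen()             # J's long-term key, not used for the identity key
    x, gx = keygen()            # I's ephemeral key
    _, gy = keygen()            # J's ephemeral public value
    m, gm = keygen()            # intruder's own exponent
    peer = gm if attacker == "in_middle" else gy   # intruder substitutes g^m for g^y
    ct, tag = seal(kdf(pow(peer, x, P)), IDENT)
    exp = m if attacker == "in_middle" else j      # has_j: long-term key only
    return unseal(kdf(pow(gx, exp, P)), ct, tag)

if __name__ == "__main__":
    for who in ("has_j", "in_middle"):
        print(who, skip_style(who), unauth_style(who))
```

Each function returns the recovered identity, or None when the attacker's key does not open the sealed identity.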