Re: Will the real PFS please stand up?
On a related note, the skip-pfs draft does PFS in a different way from
how it's done in the other protocols.
Now, I don't consider myself a cryptographer, but something in
skip-pfs struck me as somewhat unconventional...
This is not the first time that I've raised this issue, but I don't
think it's been resolved.
As I read the draft, skip-pfs does not provide PFS protection of the
identity certificates of the communicating parties.
The exchange is:
I->J: { g^x, g, p, [Cert_I]g^xj, EMKID_J_I}Kij
J->I: { g^y, g, p, [Cert_J]g^xj, EMKID_J_I, EMKID_I_J}Kij
(key: i,j: long term secrets of I and J
x,y: ephemeral secrets
[encryption]
{integrity protection})
The resulting traffic is protected using a key derived from g^xy,
which seems to be OK.
What concerns me is the use of g^xj to protect the ephemeral
certificates; it appears to me as if subsequent compromise of j will
allow an eavesdropper to decrypt previously recorded [Cert_I]g^xj,
revealing the identities of everyone who has corresponded with j
during the period of interest.
Now, if I and J are just host identities, this isn't interesting
(because the same information is found in their IP addresses) but if
SKIP gets extended to do per-user keying I think we have a potential
problem.
It would be fairly simple to fix this by adding another round trip,
but the resulting protocol would look a lot like OAKLEY or
Photuris.
- Bill
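The following is an added toy model of the two-message exchange quoted in the post, written to make the concern concrete; it is not code from the post, from the skip-pfs draft, or from any SKIP implementation. It assumes a small constructed Diffie-Hellman group, a SHA-256 based key derivation and an XOR keystream cipher standing in for the draft's real primitives, and it omits the Kij integrity protection and the EMKID fields. It models both the exchange as described (certificates under a key from g^xj) and the variant the post alludes to (certificates under a key from g^xy, which in a real protocol costs the extra round trip), so that the effect of a later compromise of J's long-term secret j can be compared: the recorded g^x raised to j yields g^xj and the certificate, while g^xy stays out of reach without x or y.

```python
import hashlib

# Constructed toy parameters, chosen for readability; not a real SKIP group.
P = 2**127 - 1
G = 3


def kdf(shared: int, label: bytes) -> bytes:
    """Derive a 32-byte key from a DH shared value (assumed KDF, not the draft's)."""
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.

    The same call encrypts and decrypts. Illustration only.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def run_exchange(i, j, x, y, cert_i, cert_j, certs_under_gxy=False):
    """Model the exchange from the post.

    i, j are the long-term secrets (public g^i, g^j assumed known beforehand);
    x, y are the ephemeral secrets. With certs_under_gxy=False the certificates
    are encrypted under a key from g^xj, as the post describes; with True they
    are encrypted under a key from g^xy, the fix the post alludes to.
    Returns what an eavesdropper can record plus the agreed traffic key.
    """
    g_j = pow(G, j, P)                        # J's long-term public value
    g_x, g_y = pow(G, x, P), pow(G, y, P)     # ephemeral values sent on the wire

    # I -> J: I knows x and J's public g^j, so it forms g^xj before hearing from J.
    gxj_at_i = pow(g_j, x, P)
    # J -> I: J knows j and has received g^x, so it forms the same g^xj.
    gxj_at_j = pow(g_x, j, P)
    assert gxj_at_i == gxj_at_j

    # Traffic key: both sides derive it from the purely ephemeral g^xy.
    gxy_at_i, gxy_at_j = pow(g_y, x, P), pow(g_x, y, P)
    assert gxy_at_i == gxy_at_j
    traffic_key = kdf(gxy_at_i, b"traffic")

    if certs_under_gxy:
        # Variant: certificate key depends only on the ephemeral secrets.
        cert_key = kdf(gxy_at_i, b"cert")
    else:
        # As in the post: certificate key depends on J's long-term j.
        cert_key = kdf(gxj_at_i, b"cert")

    return {
        "g_x": g_x,
        "g_y": g_y,
        "enc_cert_i": xor_stream(cert_key, cert_i),
        "enc_cert_j": xor_stream(cert_key, cert_j),
        "traffic_key": traffic_key,
    }


def decrypt_cert_with_compromised_j(recorded, j):
    """Eavesdropper who recorded g^x and later learns J's long-term secret j.

    (g^x)^j = g^xj, so the key that protected Cert_I in the exchange as
    described is recoverable from the recording alone; x and y are never
    needed. Against the g^xy variant the same computation yields a wrong key.
    """
    key = kdf(pow(recorded["g_x"], j, P), b"cert")
    return xor_stream(key, recorded["enc_cert_i"])


if __name__ == "__main__":
    # Constructed sample secrets and certificates.
    CERT_I, CERT_J = b"CN=I,O=constructed", b"CN=J,O=constructed"
    rec = run_exchange(11111, 22222, 33333, 44444, CERT_I, CERT_J)
    print("as described, after j leaks:", decrypt_cert_with_compromised_j(rec, 22222))
    fixed = run_exchange(11111, 22222, 33333, 44444, CERT_I, CERT_J, certs_under_gxy=True)
    print("certs under g^xy, after j leaks:", decrypt_cert_with_compromised_j(fixed, 22222))
```

The traffic key is identical in both runs, which matches the post's point that the g^xy-derived session key "seems to be OK"; only the certificate protection changes, and only in the variant does a leaked j reveal nothing about who corresponded with J.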