
Re: Will the real PFS please stand up?



On a related note, the skip-pfs draft does PFS in a different way from
how it's done in the other protocols.

Now, I don't consider myself a cryptographer, but something in
skip-pfs struck me as somewhat unconventional...

This is not the first time that I've raised this issue, but I don't
think it's been resolved.

As I read the draft, skip-pfs does not provide PFS protection of the
identity certificates of the communicating parties.

The exchange is:

I->J: { g^x, g, p, [Cert_I]g^xj, EMKID_J_I}Kij
J->I: { g^y, g, p, [Cert_J]g^xj, EMKID_J_I, EMKID_I_J}Kij

	(key: i,j: long term secrets of I and J
	      x,y: ephemeral secrets
	      [encryption]
	      {integrity protection})

The resulting traffic is protected using a key derived from g^xy,
which seems to be OK.

What concerns me is the use of g^xj to protect the ephemeral
certificates; it appears to me as if subsequent compromise of j will
allow an eavesdropper to decrypt previously recorded [Cert_I]g^xj,
revealing the identities of everyone who has corresponded with j
during the period of interest.

Now, if I and J are just host identities, this isn't interesting
(because the same information is found in their IP addresses) but if
SKIP gets extended to do per-user keying I think we have a potential
problem.

It would be fairly simple to fix this by adding another round trip,
but the resulting protocol would look a lot like OAKLEY or
Photuris.

						- Bill
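As an added illustration, not part of the post above or of the skip-pfs draft: a toy Python model of the exchange as read above, with the identity certificates encrypted under g^xj and the traffic key derived from g^xy. The DH group, the XOR keystream cipher and the certificate strings are constructed stand-ins for the draft's real primitives. It then plays a passive recorder who later obtains j, and shows that the recorded [Cert_I]g^xj and [Cert_J]g^xj come back out while the g^xy traffic key stays out of reach.

```python
import hashlib
import secrets

# Toy DH parameters (constructed for illustration; not a recommended group).
P = 2**255 - 19
G = 2

CERT_I = b"CN=user-i@example.net"   # constructed stand-in for Cert_I
CERT_J = b"CN=user-j@example.net"   # constructed stand-in for Cert_J


def kdf(shared: int) -> bytes:
    """Derive a 32-byte key from a DH shared value."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the draft's [..] encryption: XOR with a SHA-256 keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def skip_pfs_exchange(j: int, x: int, y: int) -> dict:
    """Run the exchange; return what an eavesdropper records and the traffic key."""
    gx, gy, gj = pow(G, x, P), pow(G, y, P), pow(G, j, P)
    k_id = kdf(pow(gj, x, P))          # g^xj: I forms it from x and g^j, J from j and g^x
    transcript = {
        "gx": gx, "gy": gy,
        "enc_cert_I": xor_stream(k_id, CERT_I),   # [Cert_I]g^xj in I->J
        "enc_cert_J": xor_stream(k_id, CERT_J),   # [Cert_J]g^xj in J->I
    }
    traffic_key = kdf(pow(gy, x, P))   # g^xy as I computes it ...
    assert traffic_key == kdf(pow(gx, y, P))  # ... and as J computes it
    return {"transcript": transcript, "traffic_key": traffic_key}


def compromise_j(transcript: dict, j: int) -> dict:
    """Later compromise of j: replay the recording with (g^x)^j = g^xj."""
    k_id = kdf(pow(transcript["gx"], j, P))
    # Without x or y the attacker can only form g^xj and g^yj, never g^xy.
    reachable = {k_id, kdf(pow(transcript["gy"], j, P))}
    return {
        "cert_I": xor_stream(k_id, transcript["enc_cert_I"]),
        "cert_J": xor_stream(k_id, transcript["enc_cert_J"]),
        "reachable_keys": reachable,
    }


def demo() -> bool:
    """True when identities are exposed but the traffic key is not."""
    j, x, y = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    run = skip_pfs_exchange(j, x, y)
    got = compromise_j(run["transcript"], j)
    ids_exposed = got["cert_I"] == CERT_I and got["cert_J"] == CERT_J
    return ids_exposed and run["traffic_key"] not in got["reachable_keys"]
```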



