
Re: Status of IPSEC Key Management



Stuart Jacobs wrote:
> I also believe that the current mobile IP approaches, using a shared secret
> keyed MD5 authentication, just will not scale up to 1000s of mobile hosts
> and mobile routers.  I am looking into using an RSA digital signature
> approach for authentication with caching of public keys by HAs, FAs and MHs.
> I know that MD5 is much faster to compute and verify than RSA digital
> signatures but when you weigh the fewer network exchanges of fetching certs
> from CAs against the DH exchanges I think the time difference will diminish.
> I've yet to construct a simulation to verify this point.

Asymmetric authentication (for non-repudiation purposes etc.) really would
be a good thing to have. But doing RSA for each packet (or a small bunch of
packets) is IMHO too costly. I expect each RSA computation to take e.g. 1/10
of a second, and produce AH headers ~ 40-50 Bytes which is a bit on the
heavy side. Size is (as we have recently read :-) considered an issue in
certain instances, but the computation time is much too high.

The proceedings of Crypto'96 (Springer 1109) contain an article where
asymmetric signatures with a size in the order of 64 bits are done.
(pg. 45, Jacques Patarin, asymmetric cryptography using a hidden monomial).
If this scheme could be made efficient, it would be very interesting for
asymmetric signatures - I think.

I would like to raise a related issue. Current cryptographic mechanisms tend
to go towards perfection. This is very well for privacy, and authentication
of long lived storage, but do we really need a cryptographically strong 
hashing algorithm for TCP packets? Wouldn't it be sufficient to have a
keyed hashing algorithm which e.g. 'just' needs 100000 CPU years to be
reversed? Or even just a few hundred CPU years? The strength of the
algorithm should be appropriate to the lifetime of the data.
I really would not care for the authentication session key to be retrieved
by the NSA one week after the TCP connection has been closed. Or for
somebody to be able to forge packets under a certain key if I already have
changed to a new session key.

Perhaps finding a *fast* hashing algorithm with reasonable security would 
be a good first step to make authentication overhead attractive to people
too?

Comments on this issue would be greatly appreciated...

Germano

Germano Caronni
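As an added illustration (not code from this thread or from any IPSEC implementation) of the per-packet keyed-hash authentication the message argues for, the following Python sketch authenticates packets with a truncated HMAC-MD5 tag and checks them on the receiving side. It assumes HMAC (RFC 2104) as a stand-in for the "shared secret keyed MD5" of the quoted text, an AH-style 96-bit truncation of the tag, and a constructed 16-byte session key; it also shows the point about key lifetime: once the receiver has switched to a new session key, a tag computed under the old one is rejected, so a later recovery of that key does not let anyone forge packets into the current session. The timing helper gives a rough feel for how cheap a keyed hash is per packet compared with the 1/10 s per RSA operation estimated above.

```python
import hashlib
import hmac
import struct
import time

# Constructed example, not code from the list thread or from any IPSEC stack.
# Tag is the leading 96 bits of HMAC-MD5, mirroring AH-style truncation (assumption).
TAG_LEN = 12


def mac_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticate one packet: the tag covers a 32-bit sequence number and the payload."""
    msg = struct.pack("!I", seq) + payload
    return hmac.new(key, msg, hashlib.md5).digest()[:TAG_LEN]


class Receiver:
    """Verifies tags, rejects replays, and forgets a session key once it is rotated."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest_seq = -1  # highest sequence number accepted under the current key

    def rekey(self, new_key: bytes) -> None:
        """Switch to a fresh session key; the old key is dropped, not kept as a fallback."""
        self.key = new_key
        self.highest_seq = -1  # a new key starts a new sequence space

    def accept(self, seq: int, payload: bytes, tag: bytes) -> bool:
        """Return True only for a fresh packet whose tag verifies under the current key."""
        if seq <= self.highest_seq:
            return False  # replay or reordering behind the window
        expected = mac_packet(self.key, seq, payload)
        # Constant-time comparison so the verifier does not leak tag bytes via timing.
        if not hmac.compare_digest(expected, tag):
            return False
        self.highest_seq = seq
        return True


def microseconds_per_tag(n: int = 10000, payload_len: int = 512) -> float:
    """Rough per-packet cost of the keyed hash; returns microseconds per tag."""
    key = b"\x11" * 16  # constructed key
    payload = b"\x00" * payload_len
    start = time.perf_counter()
    for seq in range(n):
        mac_packet(key, seq, payload)
    return (time.perf_counter() - start) / n * 1e6


if __name__ == "__main__":
    key_a = b"A" * 16  # constructed session keys
    key_b = b"B" * 16
    rx = Receiver(key_a)
    tag = mac_packet(key_a, 1, b"GET / HTTP/1.0")
    print("valid packet accepted:", rx.accept(1, b"GET / HTTP/1.0", tag))
    print("replay rejected:", not rx.accept(1, b"GET / HTTP/1.0", tag))
    rx.rekey(key_b)
    old_key_tag = mac_packet(key_a, 2, b"data")
    print("old-key tag rejected after rekey:", not rx.accept(2, b"data", old_key_tag))
    print("tag size (bytes):", TAG_LEN)
    print("approx. cost per tag (us):", round(microseconds_per_tag(), 2))
```

The receiver keeps only the current key, so the authentication overhead an attacker would have to defeat is bounded by the key's lifetime rather than by the long-term strength of the hash, which is the trade the message proposes.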

