
Comment on the ISAKMP/Oakley resolution draft (pre-shared)



See response below.

 > HUGO@watson.ibm.com wrote:
 > > Having the pre-shared key in SKEYID and the derived keys increases security.
 > > It was my recommendation to do so. As just one example consider two
 > > parties that use DH with a public prime p. If at some point enough
 > > cryptanalysis and pre-computation is done on p then every exchange using that
 > > prime may be compromised. This is a not-impossible scenario where you
 > > lose (in a hard way) all the advantages of perfect forward secrecy
 > > (your traffic of the last few years may be compromised!).
 > > If, however, you derived your key depending
 > > on both g^xy and your pre-shared key the attacker will need to find the
 > > value of that pre-shared key (which will probably not exist at that point
 > > of time) to find the actual keys used to protect the session traffic.
 >
 > OK, but if that's the case, is there then a problem with the
 > derivation of SKEYID in the case where signatures are used for
 > authentication, where only the nonces (passed across the wire in
 > plaintext) and g^xy are used?

You are right.
In this sense the signature mode is the weakest of all three modes.
In particular, in the case of the public key encryption mode of authentication
the attacker needs to break the TWO private keys of the parties AND
the DH prime to find the keys (i.e. you get the MAXIMAL security of both
DH and RSA).  This is one of the important reasons why I have been
"promoting" this mode for a long time.

BTW, this not only protects against a broken DH, but also against
a partner to the communication that implements the DH exchange poorly,
e.g. by choosing short exponents or by not destroying the exponents
immediately after use.

In addition, the signature mode has several privacy weaknesses: it
provides proofs of communication between the communicating parties,
does not protect identities against an active attacker (on the other
hand it protects identities with PFS), and does not provide identity protection
at all in aggressive mode.

 >
 > Regarding the other comments and suggestions that have been made,
 > I may have more to say in the next day or two - need to do some
 > more thinking on the subject...

Hope it will be ok with you and others. Using pre-shared key in this way
(with a key identifier) seems to be the best solution in many cases,
e.g. for mobile users and dynamic IP addresses.

Hugo

 >
 > -Shawn Mamros
 > E-mail to: smamros@newoak.com
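As an added illustration of the point argued in this thread (not code from the draft or from either correspondent), the following Python models what a passive observer who later recovers g^xy, the "broken prime" scenario above, can reconstruct in each authentication mode. The SKEYID and SKEYID_d formulas are those of RFC 2409, the published successor of the draft under discussion; the prf and hash choice (HMAC-SHA256 / SHA-256), the sample values and the helper names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed session values; real nonces, cookies and g^xy are fresh per exchange.
SESSION = {
    "Ni": b"nonce-initiator", "Nr": b"nonce-responder",
    "CKY-I": bytes(8), "CKY-R": bytes(range(8)),
    "gxy": b"dh-shared-secret", "psk": b"pre-shared-key",
}

def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 leaves the prf to negotiation; HMAC-SHA256 is assumed here.
    return hmac.new(key, data, hashlib.sha256).digest()

def skeyid(mode: str, v: dict) -> bytes:
    """SKEYID per RFC 2409 section 5 for the three authentication modes."""
    if mode == "signature":      # prf(Ni|Nr, g^xy): nonces travel in the clear
        return prf(v["Ni"] + v["Nr"], v["gxy"])
    if mode == "pke":            # prf(hash(Ni|Nr), CKY-I|CKY-R): nonces encrypted to the peer
        return prf(hashlib.sha256(v["Ni"] + v["Nr"]).digest(), v["CKY-I"] + v["CKY-R"])
    if mode == "pre-shared":     # prf(psk, Ni|Nr): needs the pre-shared key
        return prf(v["psk"], v["Ni"] + v["Nr"])
    raise ValueError(mode)

def skeyid_d(mode: str, v: dict) -> bytes:
    """Keying material for the IPsec SAs: prf(SKEYID, g^xy|CKY-I|CKY-R|0)."""
    return prf(skeyid(mode, v), v["gxy"] + v["CKY-I"] + v["CKY-R"] + b"\x00")

def wire_visible(mode: str) -> set:
    """Names a passive observer reads directly off the Phase 1 exchange."""
    seen = {"CKY-I", "CKY-R"}
    if mode != "pke":            # PKE mode carries Ni/Nr encrypted under public keys
        seen |= {"Ni", "Nr"}
    return seen

def attacker_skeyid_d(mode: str, known: set):
    """Reproduce SKEYID_d from only the values in `known`; None if one is missing."""
    try:
        return skeyid_d(mode, {k: SESSION[k] for k in known})
    except KeyError:
        return None

def dh_compromise_exposes(mode: str, private_keys_broken: bool = False) -> bool:
    """Scenario from the thread: g^xy recovered by cryptanalysis of the prime p."""
    known = wire_visible(mode) | {"gxy"}
    if private_keys_broken:      # decrypting the nonce payloads reveals Ni and Nr
        known |= {"Ni", "Nr"}
    return attacker_skeyid_d(mode, known) == skeyid_d(mode, SESSION)
```

Run across the three modes, only the signature mode yields the session keying material from a broken DH alone; pre-shared mode still needs the key never sent on the wire, and PKE mode additionally needs both parties' private keys.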