
Re: Comment on the ISAKMP/Oakley resolution draft (pre-shared)



HUGO@watson.ibm.com wrote:
> Having the pre-shared key in SKEYID and the derived keys increases security.
> It was my recommendation to do so. As just one example consider two
> parties that use DH with a public prime p. If at some point enough
> cryptanalysis and pre-computation is done on p then every exchange using that
> prime may be compromised. This is a not-impossible scenario where you
> lose (in a hard way) all the advantages of perfect forward secrecy
> (your traffic of the last few years may be compromised!).
> If, however, you derived your key depending
> on both g^xy and your pre-shared key the attacker will need to find the
> value of that pre-shared key (which will probably not exist at that point
> of time) to find the actual keys used to protect the session traffic.

OK, but if that's the case, is there then a problem with the
derivation of SKEYID in the case where signatures are used for
authentication, where only the nonces (passed across the wire in
plaintext) and g^xy are used?

Regarding the other comments and suggestions that have been made,
I may have more to say in the next day or two - need to do some
more thinking on the subject...

-Shawn Mamros
E-mail to: smamros@newoak.com
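As an added illustration of the argument in Hugo's quoted message and the question raised above (this is not code from the thread, the draft, or any IKE implementation): a simplified stand-in for the two SKEYID derivations, with HMAC-SHA256 assumed as the prf and the argument order assumed rather than taken from the draft, run against the thread's adversary, who recorded the plaintext nonces and later recovered g^xy by cryptanalysis of the public prime but never held the pre-shared key.

```python
import hmac
import hashlib
import secrets
from typing import Tuple


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the draft's prf (assumption; the exact prf is not on this page).
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_signature_mode(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    # Signature authentication: SKEYID depends only on the two nonces
    # (sent in plaintext) and the Diffie-Hellman secret g^xy.
    return prf(ni + nr, gxy)


def skeyid_preshared_mode(psk: bytes, ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    # Pre-shared-key authentication: the pre-shared key is mixed in as well,
    # so g^xy plus the public nonces is not enough to reproduce SKEYID.
    return prf(prf(psk, ni + nr), gxy)


def recoverable_after_dh_break(mode: str, ni: bytes, nr: bytes, gxy: bytes,
                               real_skeyid: bytes) -> bool:
    """Adversary model from the thread: Ni and Nr were recorded off the wire
    and g^xy was later recovered by breaking the shared prime p. The adversary
    does not hold the pre-shared key, so in PSK mode it can only run the
    derivation with an empty key in its place."""
    if mode == "sig":
        guess = skeyid_signature_mode(ni, nr, gxy)
    else:
        guess = skeyid_preshared_mode(b"", ni, nr, gxy)
    return hmac.compare_digest(guess, real_skeyid)


def demo() -> Tuple[bool, bool]:
    # Constructed sample values; a real exchange would use a DH-derived g^xy.
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxy = secrets.token_bytes(128)
    psk = b"constructed-pre-shared-key"
    sig_key = skeyid_signature_mode(ni, nr, gxy)
    psk_key = skeyid_preshared_mode(psk, ni, nr, gxy)
    return (recoverable_after_dh_break("sig", ni, nr, gxy, sig_key),
            recoverable_after_dh_break("psk", ni, nr, gxy, psk_key))


if __name__ == "__main__":
    sig, psk = demo()
    print("signature mode: DH break alone reproduces SKEYID ->", sig)   # True
    print("pre-shared mode: DH break alone reproduces SKEYID ->", psk)  # False
```

The residual exposure in PSK mode is the pre-shared key itself: the protection holds only for as long as that key stays secret and is not guessable.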
