
Re: Small subgroups and ISAKMP/Oakley



A feature of isakmp/oakley's public key encryption mode,
which I do not think is enjoyed by any of the other mentioned standards,
is that even if an attacker derives g^xy (by means of preprocessing
against a "universal" prime p, or by degenerate choices of one of the
parties in the exchange) it still cannot decrypt the traffic since
the key also depends on an ephemeral key exchanged under RSA.
(That is, both the RSA AND DH exchanges need to be broken
simultaneously).

The current drawback of this mode in isakmp-oakley is that it
requires an additional exponentiation for protecting IDs.
Unfortunately, the simple correction of this problem will need
to wait until the next draft revision...

Hugo
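A toy model of the property described in this message, added here as an illustration; it is not code from the post, from the ISAKMP/Oakley drafts, or from any implementation. All parameters (the 23-element DH group, the textbook-RSA key pairs, the nonce range) are constructed and far too small for real use, and `derive_key` is a simplified stand-in for the draft's key derivation, chosen only so that the session key depends on both g^xy and the RSA-protected nonces. The `check_dh_public` routine is the defensive counterpart to the "degenerate choices" mentioned above: it rejects peer values such as 1 and p-1, and values outside the intended subgroup, before any key is derived.

```python
"""Toy DH + RSA-encrypted-nonce exchange (constructed illustration).

Parameters are tiny and the key derivation is simplified; this is not
ISAKMP/Oakley's actual SKEYID computation, only a model of the property
that the session key depends on BOTH g^xy and RSA-protected nonces.
"""
import hashlib
import hmac
import secrets

# Toy DH group: safe prime P = 2*Q + 1; G = 2 generates the order-Q subgroup.
P, Q, G = 23, 11, 2

# Toy textbook-RSA key pairs (constructed; real deployments use padded RSA
# with moduli of thousands of bits).
RSA_I = {"n": 3233, "e": 17, "d": 2753}  # initiator: p=61, q=53
RSA_R = {"n": 2773, "e": 17, "d": 157}   # responder: p=47, q=59
NONCE_MAX = 2000  # keep nonces below both moduli


def check_dh_public(y):
    """Defensive check on a peer's DH public value: reject 0, 1, P-1 and
    anything outside the order-Q subgroup, since those values force g^xy
    into a tiny set that a passive observer can enumerate."""
    if not 2 <= y <= P - 2:
        return False
    return pow(y, Q, P) == 1


def dh_keypair(x=None):
    """Return (x, g^x mod P); x may be forced to model a degenerate choice."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1  # honest exponent in [1, Q-1]
    return x, pow(G, x, P)


def rsa_encrypt(m, key):
    return pow(m, key["e"], key["n"])


def rsa_decrypt(c, key):
    return pow(c, key["d"], key["n"])


def derive_key(gxy, ni, nr):
    """Simplified derivation: HMAC keyed by H(Ni || Nr) over g^xy.
    Knowing g^xy alone, or the nonces alone, does not yield the key."""
    nonce_key = hashlib.sha256(ni.to_bytes(2, "big") + nr.to_bytes(2, "big")).digest()
    return hmac.new(nonce_key, gxy.to_bytes(4, "big"), hashlib.sha256).hexdigest()


def run_exchange(initiator_x=None, enforce_check=True):
    """Run the toy exchange and report what each side derived and what a
    passive eavesdropper can learn from the wire."""
    xi, gx = dh_keypair(initiator_x)
    xr, gy = dh_keypair()
    ni = secrets.randbelow(NONCE_MAX) + 2
    nr = secrets.randbelow(NONCE_MAX) + 2
    # Each nonce travels under the peer's RSA public key.
    wire = {"gx": gx, "gy": gy,
            "c_ni": rsa_encrypt(ni, RSA_R), "c_nr": rsa_encrypt(nr, RSA_I)}
    if enforce_check and not (check_dh_public(gx) and check_dh_public(gy)):
        return {"rejected": True, "wire": wire}
    # Responder: decrypt Ni with its own private key, combine with g^xy.
    key_r = derive_key(pow(gx, xr, P), rsa_decrypt(wire["c_ni"], RSA_R), nr)
    # Initiator: decrypt Nr with its own private key, combine with g^xy.
    key_i = derive_key(pow(gy, xi, P), ni, rsa_decrypt(wire["c_nr"], RSA_I))
    # A degenerate g^x = 1 makes g^xy = 1 obvious to anyone watching the wire.
    eavesdropper_gxy = 1 if gx == 1 else None
    return {"rejected": False, "wire": wire, "key_i": key_i, "key_r": key_r,
            "eavesdropper_gxy": eavesdropper_gxy, "ni": ni, "nr": nr}


if __name__ == "__main__":
    honest = run_exchange()
    print("honest run, keys match:", honest["key_i"] == honest["key_r"])
    weak = run_exchange(initiator_x=Q, enforce_check=False)  # forces g^x = 1
    print("degenerate g^x, g^xy known from the wire:", weak["eavesdropper_gxy"])
    print("key still requires the RSA-protected nonces:",
          weak["key_i"] == derive_key(weak["eavesdropper_gxy"], weak["ni"], weak["nr"]))
    print("with the check enabled the degenerate value is rejected:",
          run_exchange(initiator_x=Q)["rejected"])
```

The second run forces the initiator's exponent to Q so that g^x = 1 and g^xy = 1 for any responder exponent: the DH half is fully compromised, yet the key still depends on nonces that only the holders of the RSA private keys can recover, which is the "both RSA AND DH" property of the message. The third run shows that a subgroup check on the received public value stops the exchange before any key is derived at all.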