
Re: Questions about PFS and ISAKMP SAs



Michael,

> Questions:
> 
> 1. Is it reasonable to have multiple end points that need IPsec PFS
> using the same ISAKMP SA? Is PFS compatible in concept with
> sharing the ISAKMP SA?
>
> 2. Does PFS extend to the ISAKMP SA? If we should be throwing away
> the ISAKMP SA's keys, and doing new exponentiations (and new
> authentications, since we can't use old keys to derive new keys when
> we need PFS), then how often do we do this for the ISAKMP SA?

2 points:

First, I think this is a matter of trust in the systems that perform
the proxy exchange. Because they know the symmetric key material at
the end of a phase 2 exchange, a malicious system could store it
somewhere for "message recovery"... Neither PFS nor anything else would
help there.

Second: assuming trusted ISAKMP servers, the use of DH exponents in
phase II could significantly improve security:
1. If a PASSIVE attacker has cracked the ISAKMP SA keys, he can't build
the key to be exchanged in phase 2 (if he hasn't broken the DH
algorithm) because he only sees g^x and g^y, but can't derive g^xy.
So for preventing passive attacks the lifetime of the ISAKMP SA isn't
very important. It is different for the active attacker: under these
circumstances he can insert his own exponents, impersonate endpoints and,
of course, by inserting his (own) exponents he can derive the key
material.

The same applies one level above: the ISAKMP SA and the keys used to
authenticate the DH exponents exchanged during ISAKMP SA setup.

>   In the absence of PFS for IPsec, we would use up the entropy of the
> original ISAKMP SA's DH pair. Since we use a different DH pair for
> IPsec, the only limit to the ISAKMP SA that we can see is the byte
> lifetime of the encryption algorithm. More important is probably the
> lifetime in seconds for a cracking attempt on that size of
> key. (i.e. change the key once an hour for DES)
> 
>   #2 really asks the question: how do we do PFS for identities?

Because some of the messages in phase 2 are not random, it seems
possible to me to collect enough such messages to start attacks
against the ISAKMP SA. But how many an attacker needs, we should ask the
cryptographers...
However, if the ISAKMP SA keys are cracked - see above.

Greetings
Kai 
# Kai Martius                                                           #
# Dpt. of Medical CS and Biometrics / Dresden University of Technology  #
# PGP Fingerprint:  to be compared after downloading my key             #
# available at http://www.imib.med.tu-dresden.de/imib/personal/kai.html #
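As an added illustration, not taken from Kai's message or from any IKE implementation, here is a toy phase 2 exchange with PFS in the shape RFC 2409 gives it: each KE payload is authenticated with the ISAKMP SA's SKEYID_a, and KEYMAT is derived from the fresh g^xy together with SKEYID_d, so a passive holder of the ISAKMP SA keys reads g^x and g^y off the wire but still lacks x or y, while a substituted exponent fails the check unless the attacker also holds SKEYID_a. Assumptions: a constructed toy DH group (not an IKE MODP group), HMAC-SHA256 as the prf, and a simplified KEYMAT input (no protocol/SPI fields).

```python
import hashlib
import hmac
import secrets

# Toy safe-prime group constructed for illustration only (p = 2*1019 + 1, g = 4
# generates the order-1019 subgroup); NOT an IKE MODP group. Swap in an RFC 3526
# group for anything real.
P, G, Q = 2039, 4, 1019
LEN = (P.bit_length() + 7) // 8  # byte length of a group element on the wire

def prf(key: bytes, data: bytes) -> bytes:
    # prf assumed to be HMAC-SHA256 here; RFC 2409 negotiates it per SA
    return hmac.new(key, data, hashlib.sha256).digest()

def ke_payload(pub: int, nonce: bytes, skeyid_a: bytes) -> dict:
    """Phase 2 KE + nonce payload, authenticated by a HASH keyed with the
    ISAKMP SA's SKEYID_a (the 'one level above' keys in the message)."""
    body = pub.to_bytes(LEN, "big") + nonce
    return {"pub": pub, "nonce": nonce, "hash": prf(skeyid_a, body)}

def verify_ke(payload: dict, skeyid_a: bytes) -> bool:
    """Reject any KE payload whose HASH was not produced under SKEYID_a."""
    body = payload["pub"].to_bytes(LEN, "big") + payload["nonce"]
    return hmac.compare_digest(prf(skeyid_a, body), payload["hash"])

def keymat(skeyid_d: bytes, shared: int, ni: bytes, nr: bytes) -> bytes:
    """KEYMAT = prf(SKEYID_d, g^xy | Ni | Nr): the fresh g^xy is exactly what an
    observer holding only the ISAKMP SA keys cannot compute from g^x and g^y."""
    return prf(skeyid_d, shared.to_bytes(LEN, "big") + ni + nr)

def quick_mode_pfs(skeyid_a: bytes, skeyid_d: bytes):
    """One phase 2 exchange with PFS. Returns the on-the-wire payloads (readable
    by a passive attacker who has the ISAKMP SA keys) and each side's KEYMAT."""
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    i_msg = ke_payload(pow(G, x, P), ni, skeyid_a)  # initiator sends g^x, Ni
    r_msg = ke_payload(pow(G, y, P), nr, skeyid_a)  # responder sends g^y, Nr
    # each side authenticates the peer's exponent under the ISAKMP SA before use
    if not (verify_ke(r_msg, skeyid_a) and verify_ke(i_msg, skeyid_a)):
        raise ValueError("KE payload failed ISAKMP SA authentication")
    km_i = keymat(skeyid_d, pow(r_msg["pub"], x, P), ni, nr)
    km_r = keymat(skeyid_d, pow(i_msg["pub"], y, P), ni, nr)
    return {"i": i_msg, "r": r_msg}, km_i, km_r
```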

