Re: Questions about PFS and ISAKMP SAs
Michael,
> Questions:
>
> 1. Is it reasonable to have multiple end points that need IPsec PFS
> using the same ISAKMP SA? Is PFS compatible in concept with
> sharing the ISAKMP SA?
>
> 2. Does PFS extend to the ISAKMP SA? If we should be throwing away
> the ISAKMP SA's keys, and doing new exponentiations (and new
> authentications, since we can't use old keys to derive new keys when
> we need PFS), then how often do we do this for the ISAKMP SA?
2 points:
First, I think this is a matter of trust in the systems that perform
the proxy exchange. Because they know the symmetric key material at
the end of a phase 2 exchange, a malicious system could store it
somewhere for "message recovery"... No PFS or something else would
help there.
Second: assuming trusted ISAKMP servers, use of DH exponents in
phase II could significantly improve security:
1. If a PASSIVE attacker has cracked the ISAKMP SA keys, he can't build
the key to be exchanged in phase 2 (if he hasn't broken the DH
algorithm) because he only sees g^x and g^y, but can't derive g^xy.
So for preventing passive attacks the lifetime of the ISAKMP SA isn't
very important. Different for the active attacker: under these
circumstances he can insert his own exponents, impersonate endpoints and,
of course, by inserting the (own) exponents he can derive the key
material.
The same applies one level above: the ISAKMP SA and the keys to authenticate the
DH exponents exchanged during ISAKMP SA setup.
> In the absence of PFS for IPsec, we would use up the entropy of the
> original ISAKMP SA's DH pair. Since we use a different DH pair for
> IPsec, the only limit to the ISAKMP SA that we can see is the byte
> lifetime of the encryption algorithm. More important is probably the
> lifetime in seconds for a cracking attempt on that size of
> key. (i.e. change the key once an hour for DES)
>
> #2 really asks the question: how do we do PFS for identities?
Because some of the messages in phase 2 are not random, it seems
possible to me to collect enough such messages to start attacks
against the ISAKMP SA. But how much an attacker needs we should ask the
cryptographers...
However, if the ISAKMP SA keys are cracked - see above.
Greetings
Kai
# Kai Martius #
# Dpt. of Medical CS and Biometrics / Dresden University of Technology #
# PGP Fingerprint: to be compared after downloading my key #
# available at http://www.imib.med.tu-dresden.de/imib/personal/kai.html #
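The three cases Kai describes (a passive attacker who holds the ISAKMP SA key, an active attacker who inserts his own exponents, and exponents authenticated under the ISAKMP SA key) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from any IKE implementation: the group parameters P and G are constructed toy values (a real deployment uses the MODP groups defined for IKE), the message layout is simplified, and `auth_tag`/`derive_key` are stand-ins for the real ISAKMP authentication and KEYMAT derivation.

```python
"""Toy model of a PFS phase 2 exchange (constructed example, not IKE wire format)."""
import hashlib
import hmac
import secrets

# Constructed toy group: NOT an IKE MODP group, only large enough to make the arithmetic honest.
P = 2**127 - 1
G = 7


def dh_keypair():
    """Fresh private exponent x and public value g^x mod p (a new pair per phase 2 = PFS)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def derive_key(shared):
    """KDF over the DH shared secret; stands in for the IKE KEYMAT derivation."""
    return hmac.new(b"phase2-pfs", shared.to_bytes(16, "big"), hashlib.sha256).digest()


def auth_tag(isakmp_key, pub):
    """MAC over an exponent under the ISAKMP SA key: phase 1 vouches for the phase 2 exponents."""
    return hmac.new(isakmp_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


class Attacker:
    def __init__(self, active=False, cracked_isakmp_key=None):
        self.active = active
        self.cracked_isakmp_key = cracked_isakmp_key  # set when the ISAKMP SA keys are "cracked"
        self.observed = []  # public values seen on the wire: all a passive attacker ever gets
        self.private = []   # exponents the attacker inserted (active case only)

    def relay(self, pub, tag):
        """Every exponent crosses the attacker; returns what the peer actually receives."""
        self.observed.append(pub)
        if not self.active:
            return pub, tag
        z, gz = dh_keypair()
        self.private.append(z)
        if tag is not None and self.cracked_isakmp_key is not None:
            tag = auth_tag(self.cracked_isakmp_key, gz)  # a forged tag needs the SA key
        return gz, tag

    def keys(self):
        """Keys the attacker can compute: requires a private exponent of his own per direction."""
        if len(self.private) != 2:
            return []  # passive: g^x and g^y alone do not give g^xy
        gx, gy = self.observed
        z1, z2 = self.private  # z1 replaced g^x toward the responder, z2 replaced g^y toward the initiator
        return [derive_key(pow(gy, z1, P)), derive_key(pow(gx, z2, P))]


def run_phase2(isakmp_key, authenticate, attacker):
    """Run one exchange; report whether it completed, whether peers agree, and what the attacker holds."""
    x, gx = dh_keypair()  # initiator
    y, gy = dh_keypair()  # responder
    gx_recv, tag_x = attacker.relay(gx, auth_tag(isakmp_key, gx) if authenticate else None)
    gy_recv, tag_y = attacker.relay(gy, auth_tag(isakmp_key, gy) if authenticate else None)
    if authenticate:
        ok = (hmac.compare_digest(tag_x, auth_tag(isakmp_key, gx_recv))
              and hmac.compare_digest(tag_y, auth_tag(isakmp_key, gy_recv)))
        if not ok:
            return {"established": False, "peers_agree": False, "attacker_can_read": False}
    k_init = derive_key(pow(gy_recv, x, P))
    k_resp = derive_key(pow(gx_recv, y, P))
    return {
        "established": True,
        "peers_agree": k_init == k_resp,
        "attacker_can_read": any(k in (k_init, k_resp) for k in attacker.keys()),
    }


def scenario(active, authenticate, sa_cracked):
    isakmp_key = secrets.token_bytes(16)
    attacker = Attacker(active=active, cracked_isakmp_key=isakmp_key if sa_cracked else None)
    return run_phase2(isakmp_key, authenticate, attacker)


if __name__ == "__main__":
    for name, args in [
        ("passive attacker, ISAKMP SA cracked", dict(active=False, authenticate=True, sa_cracked=True)),
        ("active attacker, exponents unauthenticated", dict(active=True, authenticate=False, sa_cracked=False)),
        ("active attacker, exponents authenticated, SA intact", dict(active=True, authenticate=True, sa_cracked=False)),
        ("active attacker, exponents authenticated, SA cracked", dict(active=True, authenticate=True, sa_cracked=True)),
    ]:
        print(f"{name}: {scenario(**args)}")
```

The four scenarios reproduce the argument: the passive attacker who already holds the ISAKMP SA key still cannot read phase 2 traffic, the active attacker wins only when he can make his substituted exponents pass authentication, and authentication under the ISAKMP SA key is exactly what an ISAKMP key compromise takes away. That is why the ISAKMP SA lifetime matters mainly against the active attacker.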