Re: Revised Pre-Shared and Public Key Sig modes??
>
>
> The Main Mode exchanges for Pre-Shared keys (HASH_x) or Public Key
> Signatures (SIG_x) are:
Matt,
IMHO:
I have not considered if the proposed xchg has any security holes.
But I think it has one drawback:
It breaks the ISAKMP framework by introducing yet another new
exchange type and saves only one msg.
I am not sure if it is worthwhile at this stage of standardization.
Pau-Chen
> Initiator                               Responder
>
> HDR, SA                        -->
>                                <--  HDR, SA
> HDR, KE, Ni                    -->
>                                <--  HDR, KE, Nr
> HDR*, IDii, [HASH_I | SIG_I]   -->
>                                <--  HDR*, IDir, [HASH_R | SIG_R]
>
> Is there any reason why 1/2 a round trip could not be eliminated by
> having Revised versions of these modes such that:
>
> HDR, SA                        -->
>                                <--  HDR, SA, KE, Nr
> HDR, KE, Ni                    -->
>                                <--  HDR*, IDir, [HASH_R | SIG_R]
> HDR*, IDii, [HASH_I | SIG_I]   -->
>
> Since the responder has selected a single proposal, he knows what
> Diffie-Hellman group is being used so he can generate the correct
> Diffie-Hellman payload and it does cut out 1/2 a round trip.
>
> I'll write up a draft adding these as new authentication methods
> unless someone convinces me this would be a bad idea.
> --
> Matt Thomas                     Internet:   matt@ljo.dec.com
> AltaVista Internet Software     WWW URL:    <coming eventually>
> Digital Equipment Corporation   Disclaimer: This message reflects my own
> Littleton, MA                               warped views, etc.
>
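The two message flows quoted above, as an added simulation that is not part of this thread or of any IKE implementation: it shows how, once the responder has selected a single proposal, the DH group is fixed and KE can ride on the SA reply, turning the six-message Main Mode into five messages (2.5 round trips). The DH groups are constructed toy values, and `hash_x` is a keyed-hash stand-in for HASH_I/HASH_R (no SKEYID derivation); both are assumptions, not the real ISAKMP/Oakley definitions.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman groups keyed by proposal number (small
# primes for readability; these are not the real Oakley groups).
GROUPS = {1: (0xFFFFFFFB, 5), 2: (0x7FFFFFFF, 7)}

def dh_keypair(group):
    p, g = GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def hash_x(shared, ni, nr, ident):
    # Stand-in for HASH_I / HASH_R: keyed by the DH secret over both nonces
    # and an identity, so it can only be formed once KE has been exchanged.
    key = shared.to_bytes(8, "big")
    return hmac.new(key, ni + nr + ident, hashlib.sha256).hexdigest()

def run_exchange(offers, pick, revised):
    """Simulate Main Mode (6 messages) or the proposed revised mode (5).
    Returns the message log and whether each side verified the peer's hash."""
    assert pick in offers, "responder must select one offered proposal"
    p = GROUPS[pick][0]
    ni, nr = secrets.token_bytes(8), secrets.token_bytes(8)
    log = [("I->R", "HDR, SA")]
    if revised:
        # The selected proposal fixes the DH group, so the responder can
        # generate its KE immediately and send it with the SA reply.
        r_priv, r_pub = dh_keypair(pick)
        log.append(("R->I", "HDR, SA, KE, Nr"))
        i_priv, i_pub = dh_keypair(pick)
        log.append(("I->R", "HDR, KE, Ni"))
    else:
        log.append(("R->I", "HDR, SA"))
        i_priv, i_pub = dh_keypair(pick)
        log.append(("I->R", "HDR, KE, Ni"))
        r_priv, r_pub = dh_keypair(pick)
        log.append(("R->I", "HDR, KE, Nr"))
    k_i, k_r = pow(r_pub, i_priv, p), pow(i_pub, r_priv, p)
    hash_i, hash_r = hash_x(k_i, ni, nr, b"IDii"), hash_x(k_r, ni, nr, b"IDir")
    auth = [("I->R", "HDR*, IDii, HASH_I"), ("R->I", "HDR*, IDir, HASH_R")]
    log.extend(reversed(auth) if revised else auth)
    # Each side recomputes the peer's hash under its own copy of the secret.
    ok = (hmac.compare_digest(hash_i, hash_x(k_r, ni, nr, b"IDii"))
          and hmac.compare_digest(hash_r, hash_x(k_i, ni, nr, b"IDir")))
    return log, ok

def round_trips(log):
    return len(log) / 2
```

The log also makes visible the cost Pau-Chen's reply weighs: the responder's DH exponentiation moves from message 4 to message 2, while only one message is saved.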