
RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > >[SNIP]
> > > Let me ask you this: What is wrong with the requirement that 
> > > a phase 1 SA always exist?
> > >
> > For secrecy, if a machine is compromised and the phase 1 SA 
> > is there, all the traffic between phase 2 SAs created under 
> > the phase 1 SA prior to the compromise is vulnerable. If the 
> > phase 1 SA is not there, the earlier phase 2 SA's traffic is 
> > secure.
>
> Why is there a difference in what is compromised? Is it because 
> the phase 1 SA keys are still on the compromised machine?
>
Yes. Possible scenario: 

Eve records the traffic between Alice and Bob (the traffic is
protected by IPsec).

Eve, at some later time, compromises Alice's host and retrieves the
phase 1 SAs (includes key material and key derivation material).

Eve can recreate even old phase 2 SAs that used the phase 1 SA and,
thus, decrypt all the old traffic.

- -Michael Heyman

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1b23

iQA/AwUBN2pUV7XbkJfuXzRQEQI7MACg/hjijEXnsQNMmaREu8TCCvhA5wQAoMgE
aREG1Gav9WT+QXzpWyFk5oOw
=TaIF
-----END PGP SIGNATURE-----
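
The scenario in the message above, worked through with the IKEv1 Quick Mode key derivation from RFC 2409 section 5.5. This is an added example, not part of the original message. HMAC-SHA1 as the prf, the helper names and all sample values are assumptions constructed for illustration. It compares what stays derivable when the phase 1 SA is retained, retained with Quick Mode PFS, or deleted.

```python
import hashlib
import hmac

ESP = 3  # IPsec DOI protocol ID for ESP

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 standing in for the negotiated prf (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, protocol, spi, ni_b, nr_b, qm_dh_secret=b""):
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    qm_dh_secret is only present when Quick Mode used PFS (KE payloads)."""
    return prf(skeyid_d, qm_dh_secret + bytes([protocol]) + spi + ni_b + nr_b)

def recompute_later(phase1_state, recorded_qm):
    """Phase 2 key material derivable afterwards from the phase 1 state still
    on the host plus the SPI and nonces of an old Quick Mode exchange.
    (The nonces travel encrypted under SKEYID_e, also phase 1 state.)"""
    if phase1_state is None:  # phase 1 SA was deleted, SKEYID_d is gone
        return None
    return keymat(phase1_state["SKEYID_d"], ESP,
                  recorded_qm["spi"], recorded_qm["ni_b"], recorded_qm["nr_b"])

# Constructed sample values, not taken from any real exchange.
SKEYID_D = hashlib.sha1(b"constructed phase 1 secret").digest()
QM = {"spi": bytes.fromhex("1a2b3c4d"), "ni_b": b"\x11" * 16, "nr_b": b"\x22" * 16}
# Ephemeral Quick Mode DH secret; both peers discard it after the exchange.
EPHEMERAL_DH = hashlib.sha1(b"constructed g(qm)^xy").digest()

ORIGINAL_NO_PFS = keymat(SKEYID_D, ESP, QM["spi"], QM["ni_b"], QM["nr_b"])
ORIGINAL_PFS = keymat(SKEYID_D, ESP, QM["spi"], QM["ni_b"], QM["nr_b"], EPHEMERAL_DH)

def audit():
    """True means the old phase 2 key is still derivable in that configuration."""
    retained = {"SKEYID_d": SKEYID_D}
    return {
        "phase1_retained_no_pfs": recompute_later(retained, QM) == ORIGINAL_NO_PFS,
        "phase1_retained_with_pfs": recompute_later(retained, QM) == ORIGINAL_PFS,
        "phase1_deleted": recompute_later(None, QM) is not None,
    }

if __name__ == "__main__":
    for config, exposed in audit().items():
        print(f"{config}: old phase 2 key derivable = {exposed}")
```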