[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A fix for main mode with preshared keys

To: francisco_corella@hp.com
Subject: Re: A fix for main mode with preshared keys
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Sun, 12 Dec 1999 18:33:09 +0200 (IST)
cc: ipsec@lists.tislabs.com
In-Reply-To: <H00013960da093bc@MHS>
Reply-To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Sender: owner-ipsec@lists.tislabs.com

On Tue, 7 Dec 1999 francisco_corella@hp.com wrote:

[........]

> But there is no reason why the keying material should be derived from 
> these two sources.  In other protocols that use ephemeral 
> Diffie-Hellman, the keying material is derived only from the 
> Diffie-Hellman secret.

Mixing both g^xy and the pre-shared key provides additional strength
to the protocol: even if the DH group is eventually cryptanalyzed
you still need to know what the pre-shared key was in order to 
find the keys that protect(ed) the ipsec traffic (this may seem as
a surrealistic improvement for whoever believes that no DH group
in use today will ever be cryptanalyzed -- but I prefer to be in the 
safe side when the improvement costs nothing).

For the problem at hand, I prefer the solution (as described by Dan
Harkins) via ID_KEY_ID. 

If for whatever reasons (e.g., to avoid tracing attacks via repeated
ID_KEY_ID values, though Dan's solution refers to that too)
one still wants a solution of the type outlined by Francisco in the next
paragraph:

> 
> So I'd like to propose that we derive the keying material exclusively 
> from the Diffie-Hellman secret.  One way of doing this with minimal 
> change to the existing protocol is simply to change
> 
>       SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
>       SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
>       SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
> 
> to
> 
>       SKEYID_d = hash(g^xy | CKY-I | CKY-R | 0)
>       SKEYID_a = hash(SKEYID_d | g^xy | CKY-I | CKY-R | 1)
>       SKEYID_e = hash(SKEYID_a | g^xy | CKY-I | CKY-R | 2)
> 
> I believe this solves the problem.
>   

then I suggest a different change:

leave the definition of SKEYID_d and SKEYID_a unchanged (why weaken
unnecessarily the really important keys?), and change SKEYID_e to:

   SKEYID_e = prf(hash(Ni_b | Nr_b), g^xy | CKY-I | CKY-R | 2)

this preserves the general design in IKE by which the prf "hashes" the
value g^xy in order to extract the "computational entropy" from the DH
key.
It weakens a bit SKEYID_e but this only impacts the security of 
identity protection. It leaves SKEYID_d and SKEYID_a (and thus
the main security of IKE) unchanged.

Hugo

Follow-Ups:

Re: A fix for main mode with preshared keys

From: francisco_corella@hp.com

References:

A fix for main mode with preshared keys

From: francisco_corella@hp.com

Prev by Date: RE: IKE and tunneling
Next by Date: Re: IKE and tunneling
Prev by thread: Re: A fix for main mode with preshared keys
Next by thread: Re: A fix for main mode with preshared keys
Index(es):
- Main
- Thread