
Definition of PFS...



I recently decided to do some research on something that has bugged me for
quite a while now: What is the point of doing PFS in phase 2?

The reason I wonder about this is that presumably you will use the same
group in phase 2 that you used in phase 1, so if an adversary can crack your
phase 1 DH then he can presumably expend the 1 bit of additional effort
required to crack the phase 2 DH. It seems like you would be better off
using a larger modulus for the initial DH rather than wasting your CPU
resources on subsequent DH's with small moduli.

In reading the archives, it appears that the meaning of PFS has changed over
the years. Originally, PFS referred to any mode of operation in which the
session key could not be derived directly from the long term credentials.
PGP, for example, was criticized for not having a PFS mode. The addition of
a single DH exchange to the KMP (SKIP/Photuris) was all that was necessary
for PFS.

So at what point did it become necessary to do a second DH exchange in order
to accomplish PFS? Is SKEYID_D now considered to be a "long term
credential?"

Using the original definition, why can't PFS be accomplished simply by
occasional phase 1 rekeying?

Could someone who has been following this WG since the time of SKIP please
explain how and why the meaning has changed?

(To avoid confusion, I'm going to refer to the mode of PFS used in IKE as QM
PFS.)

IKE w/ QM PFS appears to offer one advantage over IKE w/o QM PFS, which is
the consequence of SKEYID compromise. Without QM PFS, cracking SKEYID will
reveal all past and future traffic. With QM PFS, cracking SKEYID will only
allow the adversary to intercept future traffic (and impersonate both
parties).

But isn't this splitting hairs? Both of those situations are very serious
security breaches. In terms of the volume of data that is compromised, it
seems reasonable to believe that QM PFS will, on average, cut the
consequences of compromise in half. Since when is 1 bit significant?

I suppose it is possible that an implementation might think it is capable of
detecting a security breach in real time. If that is the case, a host would
be able to detect the attack and immediately tear down the phase 1 SA, thus
limiting the damage to a single IPsec session key.

Is that the scenario that QM PFS is meant to guard against? Somehow I doubt
it.

Andrew
--------------------------------------
Beauty without truth is insubstantial.
Truth without beauty is unbearable.


