
Re: Definition of PFS...



Would it make any sense to do a low-security DH in phase I, followed
by a higher-security DH in phase II, after the peer has been authenticated,
to provide protection against some DoS attacks while also giving good
long-term traffic protection?

Similarly, would it make sense to use elliptic curves in phase I,
followed by MODP in phase II?

Also, what's the point in doing the one-QM-per-one-IKE-SA thing
to provide identity PFS? Knowing the identity used for the current
IKE SA does not give you the identity used for setting up any previous
or next IKE SAs? Anybody actually expect this identity to change?

Ari

"Mason, David" wrote:
> 
> Are you saying that a 768-bit MODP DH would be useful (and make sense
> security wise cryptographically) in QM even though the IPsec cipher
> negotiated has a large key?  Would using a 1536-bit (or larger) DH generally
> be a waste of computational resources for the QM DH (in what cases
> would/would not a 768-bit DH suffice)?  The way IPsec keys are currently
> generated in IKE I would think that you would want to either always do a QM
> DH or never do a QM DH (periodically doing them only helps that specific
> exchange - should son-of-ike consider folding the QM g^xy back into SKEYID_d
> somehow so that periodic QM DH has value beyond the specific exchange -
> although simultaneous QMs would make this problematic?).
> 
> -dave
> 
> -----Original Message-----
> From: Hilarie Orman [mailto:HORMAN@novell.com]
> Sent: Friday, October 13, 2000 2:04 PM
> To: andrew.krywaniuk@alcatel.com; ipsec@lists.tislabs.com
> Subject: Re: Definition of PFS...
> 
> The point of ephemeral Diffie-Hellman in QM is to get independent keying
> material (PFS) without repetition of authentication.  The assumption is that
> this will be done periodically and should be as inexpensive as possible.
> 
> Hilarie

-- 
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
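
The point raised in the quoted message, that a periodic QM DH protects only the exchange that carries it, can be seen in the RFC 2409 KEYMAT derivation. The following is an added example, not code from the thread or from any IKE implementation. It assumes HMAC-SHA1 as the prf, a toy DH group, constructed nonces and SPIs, and an attacker who later learns SKEYID_d and can read the Quick Mode payloads.

```python
import hashlib
import hmac

P, G = 2**127 - 1, 3   # toy group constructed for this example; far too small for real use
ESP = 3                # IPsec DOI protocol ID for ESP

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the negotiated prf (assumption of this example)
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, spi, ni, nr, g_xy=b""):
    # RFC 2409 sec. 5.5: prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    return prf(skeyid_d, g_xy + bytes([ESP]) + spi + ni + nr)

def quick_mode(skeyid_d, n, use_dh):
    # Constructed, deterministic per-exchange values so the example is repeatable.
    spi = n.to_bytes(4, "big")
    ni, nr = bytes([n]) * 16, bytes([n + 100]) * 16
    wire = {"spi": spi, "ni": ni, "nr": nr}
    g_xy = b""
    if use_dh:
        x, y = 0x1234567 + n, 0x7654321 + n      # ephemeral exponents, never sent
        wire["gx"], wire["gy"] = pow(G, x, P), pow(G, y, P)
        g_xy = pow(wire["gy"], x, P).to_bytes(16, "big")
    return wire, keymat(skeyid_d, spi, ni, nr, g_xy)

def recoverable(skeyid_d, wire, real_keymat):
    # The attacker holds SKEYID_d and the QM payloads but not the exponents,
    # so the only KEYMAT they can compute is the form without g(qm)^xy.
    guess = keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])
    return hmac.compare_digest(guess, real_keymat)

def run_demo():
    skeyid_d = bytes(range(20))                   # constructed phase 1 secret
    plan = [False, True, False]                   # DH only in the second QM
    return [recoverable(skeyid_d, *quick_mode(skeyid_d, n, dh))
            for n, dh in enumerate(plan, start=1)]

if __name__ == "__main__":
    print(run_demo())
```

Because SKEYID_d itself never changes, the third exchange is exactly as exposed as the first; only the exchange that mixed in its own g(qm)^xy stays out of reach.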

