
RE: Safety of pre-shared keys? (Re: Reliable delete notifies)




Each party still has to protect the secrecy and integrity of
its own secret key in the signature mode.

I fail to see any big difference in protecting the secret key
and the pre-shared key.

Pau-Chen

> From owner-ipsec@lists.tislabs.com Tue Oct 24 13:08:30 2000
> Message-Id: <1FD60AE4DB6CD2118C420008C74C27B854AB6D@hhdata3.cdsemea.baltimore.com>
> From: Chris Trobridge <CTrobridge@baltimore.com>
> To: ipsec <ipsec@lists.tislabs.com>
> Subject: RE: Safety of pre-shared keys? (Re: Reliable delete notifies)
> Date: Tue, 24 Oct 2000 17:33:18 +0100
> 
> Isn't the biggest difference that whilst you need to ensure that the peer
> receives the correct self-signed public key out-of-band (authenticity
> requirement), if a secret key is used then there is an additional
> confidentiality requirement?
> 
> A self-signed certificate also includes an implicit integrity check which is
> also important.
> 
> This all means that handling of self-signed certificates is much less
> onerous than pre-shared secret keys.
> 
> Chris
> 
> > Note that the vulnerabilities of pre-shared key that you refer to
> > only apply to the case of a WEAK KEY (such as a password-derived key).
> > It says nothing about the security of the pre-shared mode (main
> > or aggressive) when using a strong key.
> > In such a case there is no security problem!
> > (There is always a security problem if you do not choose your keys
> > correctly or you do not know how to manage them securely).
> > 
> > In any case preshared mode (main or aggressive) was NOT designed to be
> > used with passwords. A password-based protocol needs a specialized design
> > (either a new mode for IKE or the proposals of ipsra).
> > 
> > Hugo
>
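An added example, not part of the thread above, illustrating Hugo's distinction between a strong pre-shared key and a weak, password-derived one. In IKEv1 aggressive mode with pre-shared-key authentication (RFC 2409, sections 5 and 5.4), SKEYID = prf(pre-shared-key, Ni_b | Nr_b) and the responder's HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) is sent in the clear in the second message, so every input to it except the PSK is visible to a passive observer. The code below models that computation with HMAC-SHA1 as the prf, fabricates an exchange (constructed bytes, not a capture), and runs an offline dictionary attack against it: a key taken from a wordlist is recovered, a 32-byte random key is not. The SA and ID payload bodies and the wordlist are assumptions made up for the demo.

```python
"""Weak vs strong IKEv1 pre-shared keys under a passive observer.

Models the aggressive-mode authenticator as RFC 2409 defines it for
pre-shared-key authentication and runs an offline dictionary attack
against a constructed exchange. Exchange bytes are fabricated for the
demo (not a capture); the prf is HMAC-SHA1, one of the hashes IKEv1 allows.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC over the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveModeView:
    """What a passive observer sees in an aggressive-mode exchange
    authenticated with a pre-shared key: every input to HASH_R except
    the PSK itself travels in the clear."""
    ni_b: bytes      # initiator nonce payload body (message 1)
    nr_b: bytes      # responder nonce payload body (message 2)
    g_xi: bytes      # initiator DH public value (message 1)
    g_xr: bytes      # responder DH public value (message 2)
    cky_i: bytes     # initiator cookie (ISAKMP header)
    cky_r: bytes     # responder cookie (ISAKMP header)
    sai_b: bytes     # initiator SA payload body (message 1)
    idir_b: bytes    # responder ID payload body (message 2)
    hash_r: bytes    # HASH_R as sent, unencrypted, in message 2


def hash_r_for_psk(psk: bytes, v: AggressiveModeView) -> bytes:
    # RFC 2409, section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    skeyid = prf(psk, v.ni_b + v.nr_b)
    # RFC 2409, section 5:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, v.g_xr + v.g_xi + v.cky_r + v.cky_i + v.sai_b + v.idir_b)


def simulate_exchange(psk: bytes) -> AggressiveModeView:
    """Fabricate one exchange (constructed, not captured) authenticated with psk."""
    fields = dict(
        ni_b=os.urandom(20), nr_b=os.urandom(20),
        g_xi=os.urandom(128), g_xr=os.urandom(128),   # stand-ins for 1024-bit DH values
        cky_i=os.urandom(8), cky_r=os.urandom(8),
        sai_b=b"\x00\x00\x00\x01" + b"constructed-SA-payload-body",   # assumption
        idir_b=b"\x02\x00\x00\x00" + b"vpn-gw.example",               # assumption: FQDN ID
    )
    view = AggressiveModeView(hash_r=b"", **fields)
    return replace(view, hash_r=hash_r_for_psk(psk, view))


def dictionary_attack(v: AggressiveModeView,
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline test of each candidate against the observed HASH_R.

    Nothing is sent to the peer, so lockouts and rate limits never apply;
    the only cost is one prf pair per candidate."""
    for cand in candidates:
        if hmac.compare_digest(hash_r_for_psk(cand, v), v.hash_r):
            return cand
    return None


def fresh_psk() -> bytes:
    """A strong PSK: 256 random bits. There is no list to enumerate."""
    return os.urandom(32)


# Constructed wordlist for the demo (assumption).
WORDLIST = [b"letmein", b"password", b"Summer2000", b"password123", b"ipsec"]


def demo():
    """Returns (recovered weak key, result against a strong key)."""
    weak = simulate_exchange(b"password123")      # password-derived PSK
    strong = simulate_exchange(fresh_psk())       # strong random PSK
    return dictionary_attack(weak, WORDLIST), dictionary_attack(strong, WORDLIST)


if __name__ == "__main__":
    recovered, strong_result = demo()
    print("weak PSK recovered:", recovered)
    print("strong PSK recovered:", strong_result)
```

The point of the contrast is the one Hugo makes: the protocol leaks nothing that helps against a key with 256 bits of entropy, because the observer can only test guesses, and there is nothing to guess from. A PSK chosen by a human, or derived from a password, turns the same exchange into a checkable oracle. Main mode sends HASH_I and HASH_R under encryption, which changes what the observer sees but not the fact that the key must be strong.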