[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DH vs. RSA use for symmetric key exchange

At 10:01 AM 12/4/00 , Khaja E. Ahmed wrote:
>Thanks again Sandy for the very useful pointers.
>I do wonder though...
>In a situation where one or both parties of a key exchange session has
>(have) an RSA public key certificate what is the advantage of using DH to
>exchange keys and then using RSA to authenticate the party?  Why not do what
>happens in SSL / TLS?  Use the RSA public key to exchange the symmetric key.
>Is one approach computationally more efficient than the other?  Clearly IKE
>does not support use of RSA to do key exchange today.  Is there a reason why
>this was not implemented / supported in IKE?
Well, one problem with using RSA to do key exchange is if the RSA private
key is compromised sometime in the future.  With that, the attacker can go
through his archives of recorded IKE/IPSec sessions, and decrypt all those
sessions that used that key to exchange the symmetric keys.  In other
words, a session is secure if the private key is not compromised *and* if
it will never be compromised in the future.  With DH, that attack is not
possible; the attacker can impersonate/do MITM attacks from that point on,
but he is no closer to decrypting archived messages.

>Is this a useful thing to explore?  Would there be any advantage to
>allowing / supporting both methods of exchanging keys?
You really want to make IKE *more* complex???