[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: DH vs. RSA use for symmetric key exchange
Khaja, you make some valid points below.
IKE could have accomodated a non-PFS (perfect forward secrecy) mode that
would dispense of the cost of a DH exchange. A suggestion like that
appeared once as an internet draft that is now expired. Such a mode would
be useful in some situations. Particularly those that do not require
confidentiality but just authentication. However, the current
high-priority goal is to streamline IKE such that implementation
complexity is lowered and inter-operability improved. In this
state of affairs adding new modes is not productive.
> Thanks again Sandy for the very useful pointers.
> I do wonder though...
> In a situation where one or both parties of a key exchange session has
> (have) an RSA public key certificate what is the advantage of using DH to
> exchange keys and then using RSA to authenticate the party? Why not do what
> happens in SSL / TLS? Use the RSA public key to exchange the symmetric key.
> Is one approach computationally more efficient than the other? Clearly IKE
> does not support use of RSA to do key exchange today. Is there a reason why
> this was not implemented / supported in IKE? Is this a useful thing to
> explore? Would there be any advantage to allowing / supporting both methods
> of exchanging keys?