[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DH vs. RSA use for symmetric key exchange

Khaja, you make some valid points below.
IKE could have accomodated a non-PFS (perfect forward secrecy) mode that
would dispense of the cost of a DH exchange. A suggestion like that
appeared once as an internet draft that is now expired. Such a mode would
be useful in some situations. Particularly those that do not require
confidentiality but just authentication. However, the current
high-priority goal is to streamline IKE such that implementation
complexity is lowered and inter-operability improved. In this
state of affairs adding new modes is not productive.



> Thanks again Sandy for the very useful pointers.
> I do wonder though...
> In a situation where one or both parties of a key exchange session has
> (have) an RSA public key certificate what is the advantage of using DH to
> exchange keys and then using RSA to authenticate the party?  Why not do what
> happens in SSL / TLS?  Use the RSA public key to exchange the symmetric key.
> Is one approach computationally more efficient than the other?  Clearly IKE
> does not support use of RSA to do key exchange today.  Is there a reason why
> this was not implemented / supported in IKE?   Is this a useful thing to
> explore?  Would there be any advantage to allowing / supporting both methods
> of exchanging keys?
> Khaja

Follow-Ups: References: