Re: DH vs. RSA use for symmetric key exchange

[Hugo Krawczyk <hugo@ee.technion.ac.il>]

Khaja, you make some valid points below.
IKE could have accomodated a non-PFS (perfect forward secrecy) mode that
would dispense of the cost of a DH exchange. A suggestion like that
appeared once as an internet draft that is now expired. Such a mode would
be useful in some situations. Particularly those that do not require
confidentiality but just authentication. However, the current
high-priority goal is to streamline IKE such that implementation
complexity is lowered and inter-operability improved. In this
state of affairs adding new modes is not productive.

Hugo

 

> Thanks again Sandy for the very useful pointers.
> 
> I do wonder though...
> 
> In a situation where one or both parties of a key exchange session has
> (have) an RSA public key certificate what is the advantage of using DH to
> exchange keys and then using RSA to authenticate the party?  Why not do what
> happens in SSL / TLS?  Use the RSA public key to exchange the symmetric key.
> Is one approach computationally more efficient than the other?  Clearly IKE
> does not support use of RSA to do key exchange today.  Is there a reason why
> this was not implemented / supported in IKE?   Is this a useful thing to
> explore?  Would there be any advantage to allowing / supporting both methods
> of exchanging keys?
> 
> Khaja
> 
>

---

Follow-Ups:

• Re: DH vs. RSA use for symmetric key exchange
• From: "Khaja E. Ahmed" <khaja.ahmed@home.com>

References:

• Re: DH vs. RSA use for symmetric key exchange
• From: "Khaja E. Ahmed" <khaja.ahmed@home.com>

---

• Prev by Date: RE: On transport-level policy enforcement (was Re: RFC 2401...)
• Next by Date: Re: DH vs. RSA use for symmetric key exchange
• Prev by thread: Re: DH vs. RSA use for symmetric key exchange
• Next by thread: Re: DH vs. RSA use for symmetric key exchange
• Index(es):
  • Main
  • Thread