[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DH vs. RSA use for symmetric key exchange

> I thought that using RSA to exchange keys would introduce a "simple" mode
> that would eliminate DH entirely.  Especially where an RSA key certificate
> is being used for authentication the initiator already has to implement path
> processing and other complex PKI logic.  In such a situation if we just drop
> DH and use RSA instead to exchange the keys _this_ _particular_ exchange
> becomes simpler.  

This is correct regarding the _particular_ exchange but not the general
complexity of the protocol (especially when there is so MUCH confusion around
about the cryptographic functionality and soundnes of these protocols).
I will not be surprised if one day in the future such a DH-less mode
be incorporated and used but now it is not the time.

> Also, I was under the impression that it would ensure PFS
> rather than detract from it.

It will completely destroy the PFS principle that states that 
"the exposure of long-term key material should not compromise
short-term keys". One thing to note, however, is that in the case of
IKE if you skip the DH exchange and derive keys from the
RSA encrypted key material then (contrary to what Sandy wrote)
an attacker that finds your RSA private key CANNOT read all your traffic.
It rather needs the private keys of BOTH sides to the exchange.
This is still not PFS but much better than the scenario described by

> I thought PFS has to do with not using material from (or related to) a
> previous key to generate each subsequent key.  Do we here use PFS to mean
> that the symmetric key should not only not be derived from a previous key
> but must not be encrypted with the same key as before?
> Is PFS intended to cover the risk associated with an RSA private key being
> compromised?  If so, I assume it would apply to DH keys as well if they get
> reused.  An optimization in IKE ( I think ) is the ability to reuse DH keys
> to establish multiple SAs and generate multiple keys.  Is there any
> recommendation on how many SAs can be generated or for how long a DH key can
> be used?

Reusing DH keys is not specified in IKE. But the ipsec-veterans may remember
that Photuris allowed for it. One interesting issue is that regardless
of the sepcification, an implementation can choose to do such re-use without
anything being discovered by the other party. IKE was designed to ensure
that even under such re-use the derived key material is different in each
session (as the derivation involves fresh per-session nonces).

You may find some further information and answers to some of your
questions in my SKEME paper (an on-line copy should still be available
from http://www.research.ibm.com/security/skeme.ps)


Follow-Ups: References: