[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DH vs. RSA use for symmetric key exchange

To: ipsec list <ipsec@lists.tislabs.com>
Subject: Re: DH vs. RSA use for symmetric key exchange
From: Patrick Lotti <Patrick.Lotti@gmx.net>
Date: Fri, 08 Dec 2000 17:24:45 +0100
References: <200012071909.eB7J9na115218@thunk.east.sun.com> <022c01c060ae$0e21b540$e4570f18@plstn1.sfba.home.com>
Reply-To: Patrick.Lotti@computer.org
Sender: owner-ipsec@lists.tislabs.com





"Khaja E. Ahmed" wrote:

> In reading the first half of para 3 on page 6 of RFC.2409 I arrived at the
> understanding that the ratio need _not_ be 1:1:1.
>
> The para is below:
>
>   "  With the use of ISAKMP phases, an implementation can accomplish very
>    fast keying when necessary.  A single phase 1 negotiation may be used
>
>    for more than one phase 2 negotiation.  Additionally a single phase 2
>
>    negotiation can request multiple Security Associations.  With these
>
>    optimizations, an implementation can see less than one round trip per
>
>    SA as well as less than one DH exponentiation per SA. "
>
> Did I misunderstand it?

You're right with: One DH can be used to establish multiple SAs.
But: The DH (ISAKMP SA) is valid for 8hours only, by default. Then
IKE will change the DH automatically for you, minimizing security risks.
As there's NO proof of DH/RSA to be un-breakable, i.e. 100%
safe, it is adviceable to change the used keys after a certain amout
of time (or data encrypted with).
For "hard" PFS, a new DH is used for each SA. But this is not really
practical as is it hardly improves your security (in many cases). Just
follow Andrew for the latest PFS definition:
---cut here---
As I pointed out in a thread a few months ago (see
http://www.vpnc.org/ietf-ipsec/mail-archive/msg01761.html), the meaning of
PFS has changed over the years.
---cut here

Patrick


>
>
> Khaja
>
> ----- Original Message -----
> From: "Bill Sommerfeld" <sommerfeld@East.Sun.COM>
> To: "Khaja E. Ahmed" <khaja.ahmed@home.com>
> Cc: "Hugo Krawczyk" <hugo@ee.technion.ac.il>; "ipsec list"
> <ipsec@lists.tislabs.com>
> Sent: Thursday, December 07, 2000 11:09 AM
> Subject: Re: DH vs. RSA use for symmetric key exchange
>
> > > Is PFS intended to cover the risk associated with an RSA private key
> being
> > > compromised?  If so, I assume it would apply to DH keys as well if they
> get
> > > reused.  An optimization in IKE ( I think ) is the ability to reuse DH
> keys
> > > to establish multiple SAs and generate multiple keys.  Is there any
> > > recommendation on how many SAs can be generated or for how long a DH key
> can
> > > be used?
> >
> > I've never previously seen a suggestion that IKE should use
> > non-ephemeral DH keys, so it's fair to say, "one DH key, one (phase 1)
> > SA" and "one DH key, one (phase 2 with pfs) SA".
> >
> > - Bill
> >

References:

Re: DH vs. RSA use for symmetric key exchange

From: Bill Sommerfeld <sommerfeld@East.Sun.COM>

Re: DH vs. RSA use for symmetric key exchange

From: "Khaja E. Ahmed" <khaja.ahmed@home.com>

Prev by Date: Re: IPv6 Neighbour Solicitation messages and IPsec
Next by Date: Re: DH vs. RSA use for symmetric key exchange
Prev by thread: Re: DH vs. RSA use for symmetric key exchange
Next by thread: RE: DH vs. RSA use for symmetric key exchange
Index(es):
- Main
- Thread