[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DH vs. RSA use for symmetric key exchange

"Khaja E. Ahmed" wrote:

> In reading the first half of para 3 on page 6 of RFC.2409 I arrived at the
> understanding that the ratio need _not_ be 1:1:1.
> The para is below:
>   "  With the use of ISAKMP phases, an implementation can accomplish very
>    fast keying when necessary.  A single phase 1 negotiation may be used
>    for more than one phase 2 negotiation.  Additionally a single phase 2
>    negotiation can request multiple Security Associations.  With these
>    optimizations, an implementation can see less than one round trip per
>    SA as well as less than one DH exponentiation per SA. "
> Did I misunderstand it?

You're right with: One DH can be used to establish multiple SAs.
But: The DH (ISAKMP SA) is valid for 8hours only, by default. Then
IKE will change the DH automatically for you, minimizing security risks.
As there's NO proof of DH/RSA to be un-breakable, i.e. 100%
safe, it is adviceable to change the used keys after a certain amout
of time (or data encrypted with).
For "hard" PFS, a new DH is used for each SA. But this is not really
practical as is it hardly improves your security (in many cases). Just
follow Andrew for the latest PFS definition:
---cut here---
As I pointed out in a thread a few months ago (see
http://www.vpnc.org/ietf-ipsec/mail-archive/msg01761.html), the meaning of
PFS has changed over the years.
---cut here


> Khaja
> ----- Original Message -----
> From: "Bill Sommerfeld" <sommerfeld@East.Sun.COM>
> To: "Khaja E. Ahmed" <khaja.ahmed@home.com>
> Cc: "Hugo Krawczyk" <hugo@ee.technion.ac.il>; "ipsec list"
> <ipsec@lists.tislabs.com>
> Sent: Thursday, December 07, 2000 11:09 AM
> Subject: Re: DH vs. RSA use for symmetric key exchange
> > > Is PFS intended to cover the risk associated with an RSA private key
> being
> > > compromised?  If so, I assume it would apply to DH keys as well if they
> get
> > > reused.  An optimization in IKE ( I think ) is the ability to reuse DH
> keys
> > > to establish multiple SAs and generate multiple keys.  Is there any
> > > recommendation on how many SAs can be generated or for how long a DH key
> can
> > > be used?
> >
> > I've never previously seen a suggestion that IKE should use
> > non-ephemeral DH keys, so it's fair to say, "one DH key, one (phase 1)
> > SA" and "one DH key, one (phase 2 with pfs) SA".
> >
> > - Bill
> >