Re: DH vs. RSA use for symmetric key exchange
----- Original Message -----
From: "Hugo Krawczyk" <firstname.lastname@example.org>
To: "Khaja E. Ahmed" <email@example.com>
Cc: "ipsec list" <firstname.lastname@example.org>
Sent: Friday, December 08, 2000 5:31 AM
Subject: Re: DH vs. RSA use for symmetric key exchange
> > I thought that using RSA to exchange keys would introduce a "simple"
> > that would eliminate DH entirely. Especially where an RSA key
> > is being used for authentication the initiator already has to implement
> > processing and other complex PKI logic. In such a situation if we just
> > DH and use RSA instead to exchange the keys _this_ _particular_ exchange
> > becomes simpler.
> This is correct regarding the _particular_ exchange but not the general
> complexity of the protocol (especially when there is so MUCH confusion
> about the cryptographic functionality and soundness of these protocols).
> I will not be surprised if one day in the future such a DH-less mode
> be incorporated and used but now it is not the time.
> > Also, I was under the impression that it would ensure PFS
> > rather than detract from it.
> It will completely destroy the PFS principle that states that
> "the exposure of long-term key material should not compromise
> short-term keys". One thing to note, however, is that in the case of
> IKE if you skip the DH exchange and derive keys from the
> RSA encrypted key material then (contrary to what Sandy wrote)
> an attacker that finds your RSA private key CANNOT read all your traffic.
> It rather needs the private keys of BOTH sides to the exchange.
> This is still not PFS but much better than the scenario described by
> > I thought PFS has to do with not using material from (or related to) a
> > previous key to generate each subsequent key. Do we here use PFS to
> > that the symmetric key should not only not be derived from a previous
> > but must not be encrypted with the same key as before?
> > Is PFS intended to cover the risk associated with an RSA private key
> > compromised? If so, I assume it would apply to DH keys as well if they
> > reused. An optimization in IKE (I think) is the ability to reuse DH
> > to establish multiple SAs and generate multiple keys. Is there any
> > recommendation on how many SAs can be generated or for how long a DH key
> > be used?
> Reusing DH keys is not specified in IKE. But the ipsec-veterans may
> that Photuris allowed for it. One interesting issue is that regardless
> of the specification, an implementation can choose to do such re-use
> anything being discovered by the other party. IKE was designed to ensure
> that even under such re-use the derived key material is different in each
> session (as the derivation involves fresh per-session nonces).
> You may find some further information and answers to some of your
> questions in my SKEME paper (an on-line copy should still be available
> from http://www.research.ibm.com/security/skeme.ps)
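Added example (not part of the thread, and not code from any IKE implementation): a stdlib Python sketch of the RFC 2409 SKEYID derivations Hugo refers to, showing that reused DH exponents still give a different SKEYID per session as long as the nonces are fresh (and the same SKEYID if a nonce is ever repeated), and that the public-key-encryption mode binds SKEYID to both parties' nonces, so learning only one of them is not enough. The toy group (p = 2^127 - 1, g = 2), the exponents, cookies and nonces are constructed values, not real IKE parameters.

```python
import hashlib
import hmac

# Constructed toy DH group for illustration only (not an IKE MODP group):
# p is the Mersenne prime 2^127 - 1, generator 2.
P = 2**127 - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf is HMAC keyed with the first argument; HMAC-SHA1 here as in RFC 2409."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(x: int) -> int:
    """g^x mod p, the value a peer sends in the KE payload."""
    return pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    """g^xy mod p as a fixed-width byte string (16 bytes suffices for this toy p)."""
    return pow(peer_pub, x, P).to_bytes(16, "big")


def skeyid_signature_mode(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """RFC 2409 sec. 5, signature authentication: SKEYID = prf(Ni_b | Nr_b, g^xy)."""
    return prf(ni + nr, gxy)


def skeyid_pubkey_enc_mode(ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """RFC 2409 sec. 5, public key encryption: SKEYID = prf(hash(Ni_b | Nr_b), CKY-I | CKY-R).

    Ni is sent encrypted under the responder's public key and Nr under the initiator's,
    so an attacker holding only one private key recovers only one of the two nonces.
    """
    return prf(hashlib.sha1(ni + nr).digest(), cky_i + cky_r)


def two_sessions_reused_dh(x: int, y: int, ni1: bytes, nr1: bytes, ni2: bytes, nr2: bytes):
    """Both peers silently reuse their DH exponents x and y across two sessions.

    g^xy is therefore identical in both sessions; only the nonces differ. Returns the
    two resulting SKEYID values so the caller can compare them.
    """
    gxy = dh_shared(x, dh_public(y))
    assert gxy == dh_shared(y, dh_public(x))  # both sides agree on the shared secret
    return skeyid_signature_mode(ni1, nr1, gxy), skeyid_signature_mode(ni2, nr2, gxy)
```

Comparing the two returned values with fresh nonces versus repeated nonces makes Hugo's point concrete: DH reuse alone does not collapse the session keys, but nonce reuse on top of it would.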