[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DH vs. RSA use for symmetric key exchange

To: "Hugo Krawczyk" <hugo@ee.technion.ac.il>
Subject: Re: DH vs. RSA use for symmetric key exchange
From: "Khaja E. Ahmed" <khaja.ahmed@home.com>
Date: Fri, 8 Dec 2000 09:46:31 -0800
Cc: "ipsec list" <ipsec@lists.tislabs.com>
References: <Pine.GSO.4.21.0012081429100.3708-100000@ee.technion.ac.il>
Sender: owner-ipsec@lists.tislabs.com

Thank you.

Khaja

----- Original Message -----
From: "Hugo Krawczyk" <hugo@ee.technion.ac.il>
To: "Khaja E. Ahmed" <khaja.ahmed@home.com>
Cc: "ipsec list" <ipsec@lists.tislabs.com>
Sent: Friday, December 08, 2000 5:31 AM
Subject: Re: DH vs. RSA use for symmetric key exchange


> >
> > I thought that using RSA to exchange keys would introduce a "simple"
mode
> > that would eliminate DH entirely.  Especially where an RSA key
certificate
> > is being used for authentication the initiator already has to implement
path
> > processing and other complex PKI logic.  In such a situation if we just
drop
> > DH and use RSA instead to exchange the keys _this_ _particular_ exchange
> > becomes simpler.
>
> This is correct regarding the _particular_ exchange but not the general
> complexity of the protocol (especially when there is so MUCH confusion
around
> about the cryptographic functionality and soundnes of these protocols).
> I will not be surprised if one day in the future such a DH-less mode
> be incorporated and used but now it is not the time.
>
> > Also, I was under the impression that it would ensure PFS
> > rather than detract from it.
>
> It will completely destroy the PFS principle that states that
> "the exposure of long-term key material should not compromise
> short-term keys". One thing to note, however, is that in the case of
> IKE if you skip the DH exchange and derive keys from the
> RSA encrypted key material then (contrary to what Sandy wrote)
> an attacker that finds your RSA private key CANNOT read all your traffic.
> It rather needs the private keys of BOTH sides to the exchange.
> This is still not PFS but much better than the scenario described by
> Sandy.
>
> >
> > I thought PFS has to do with not using material from (or related to) a
> > previous key to generate each subsequent key.  Do we here use PFS to
mean
> > that the symmetric key should not only not be derived from a previous
key
> > but must not be encrypted with the same key as before?
> >
> > Is PFS intended to cover the risk associated with an RSA private key
being
> > compromised?  If so, I assume it would apply to DH keys as well if they
get
> > reused.  An optimization in IKE ( I think ) is the ability to reuse DH
keys
> > to establish multiple SAs and generate multiple keys.  Is there any
> > recommendation on how many SAs can be generated or for how long a DH key
can
> > be used?
>
> Reusing DH keys is not specified in IKE. But the ipsec-veterans may
remember
> that Photuris allowed for it. One interesting issue is that regardless
> of the sepcification, an implementation can choose to do such re-use
without
> anything being discovered by the other party. IKE was designed to ensure
> that even under such re-use the derived key material is different in each
> session (as the derivation involves fresh per-session nonces).
>
> You may find some further information and answers to some of your
> questions in my SKEME paper (an on-line copy should still be available
> from http://www.research.ibm.com/security/skeme.ps)
>
> Hugo
>
>
>
>

References:

Re: DH vs. RSA use for symmetric key exchange

From: Hugo Krawczyk <hugo@ee.technion.ac.il>

Prev by Date: Re: DH vs. RSA use for symmetric key exchange
Next by Date: MAC on ISAKMP Proposals
Prev by thread: Re: DH vs. RSA use for symmetric key exchange
Next by thread: Next IPsec & L2TP Bakeoff
Index(es):
- Main
- Thread