
having and eating cake? aggressive mode with identity hiding

After the IPsec meeting, some people mentioned to me that if we'd
get rid of one mode, they'd prefer getting rid of main mode and
keeping aggressive mode.

As it turns out, the paper on which the internet draft presented
at the meeting was based,
http://sec.femto.org/wetice-2001/papers/radia-paper.pdf
mentions that we can get identity hiding with the public signature key
variant.

It would be nice to have a single IKE protocol. Perhaps this slightly
modified aggressive mode/identity hiding/public signature keys would
be a good choice.

The basic idea is:

message 1:
Alice--->Bob
    g^a mod p

message 2:
Bob---->Alice
    g^b mod p, {"Bob", proof I'm Bob} encrypted with g^ab mod p
        ;the proof he's Bob consists of a signature on messages 1 and 2, e.g.

message 3:
Alice---->Bob
    {"Alice", proof I'm Alice}g^ab mod p
I might want to add the OAKLEY-style trick where Bob can respond in message
2 with "I am going to want a stateless cookie, so try again, but this
time send cookie c." That way if Bob isn't under attack, he can do the 3 message
exchange, and if he is, he responds to cookie-less message 1's with a cookie,
and responds to valid cookie-containing message 2's with the rest
of the protocol.

Radia
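
The three-message exchange described in the post, as an added worked example (not code from the post or from any IKE implementation). It assumes the proof of identity is a signature over messages 1 and 2, and uses constructed toy parameters: textbook RSA over small Mersenne primes for the signatures, a hash-derived keystream for "encrypted with g^ab mod p", and a 1024-bit MODP group intended to be IKE group 2; none of this is suitable beyond illustration.

```python
import hashlib
import secrets

# 1024-bit MODP group (intended to be IKE group 2 from RFC 2409; illustrative only).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

# Toy textbook RSA over Mersenne primes: constructed for illustration, unpadded and tiny.
def rsa_keypair(p, q):
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def h160(data):  # 160-bit hash prefix, below every toy modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")

def sign(priv, data):
    return pow(h160(data), priv[1], priv[0]).to_bytes(32, "big")

def verify(pub, data, sig):
    return pow(int.from_bytes(sig, "big"), pub[1], pub[0]) == h160(data)

def encrypt(shared, direction, data):  # keystream derived from g^ab; XOR, so it also decrypts
    key = hashlib.sha256(shared.to_bytes(128, "big") + direction).digest()
    ks = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def run_exchange(directory, alice_priv, bob_priv):
    a = secrets.randbelow(P - 3) + 2
    m1 = pow(G, a, P)                              # message 1: g^a mod p, no identity yet
    b = secrets.randbelow(P - 3) + 2
    gb, k_bob = pow(G, b, P), pow(m1, b, P)
    transcript = m1.to_bytes(128, "big") + gb.to_bytes(128, "big")
    m2 = (gb, encrypt(k_bob, b"resp", b"Bob|" + sign(bob_priv, transcript)))  # message 2
    k_alice = pow(m2[0], a, P)                     # Alice derives g^ab, then learns who answered
    name, sig = encrypt(k_alice, b"resp", m2[1]).split(b"|", 1)
    bob_ok = verify(directory[name.decode()], transcript, sig)
    m3 = encrypt(k_alice, b"init", b"Alice|" + sign(alice_priv, transcript))  # message 3
    name, sig = encrypt(k_bob, b"init", m3).split(b"|", 1)
    alice_ok = verify(directory[name.decode()], transcript, sig)
    # on the wire: m1, m2[0], m2[1], m3; both names travel only inside the ciphertexts
    return bob_ok, alice_ok, k_alice == k_bob

def demo():
    alice_pub, alice_priv = rsa_keypair(2**107 - 1, 2**61 - 1)
    bob_pub, bob_priv = rsa_keypair(2**127 - 1, 2**89 - 1)
    return run_exchange({"Alice": alice_pub, "Bob": bob_pub}, alice_priv, bob_priv)
```

A passive eavesdropper sees only the two Diffie-Hellman values and two ciphertexts, so neither name is visible without g^ab; an active attacker who answers message 1 as a fake Bob learns nothing about Alice either, since her identity only goes out in message 3 after Bob's proof has checked out.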