Re: SOI: identity protection and DOS
In message <p0510100cb8283edaf5fa@[165.227.249.20]>, Paul Hoffman / VPNC writes:
>At 9:20 AM -0800 11/26/01, Michael Thomas wrote:
>> If you allow for pre-shared keys, then it clearly
>> requires an extra message or two. Which is why we
>> should determine what the actual requirement is
>> re pre-shared keys. If it's a requirement, then
>> we need to confront the time/protection tradeoff.
>> If it's not a requirement, this mostly vanishes.
>
>Positive traits of IKEv1 pre-shared keys:
>a) easy for each party to set up
>b) not susceptible to CRL time lag or CA key compromise
>c) fewer exponentiations on each side for IPsec key setup
>
>Negative traits of IKEv1 pre-shared keys:
>d) hard to scale
>e) unless identity protection is not needed, the initiator must be at
>known IP address, and there must be only one pre-shared key at that
>address
>f) out-of-band swapping of the key must be done privately
>
>If what is most important is (a) and (b), and the problem of (d) is
>not important, both the JFK and IKEv2 implementations can be
>trivially set up for this by allowing one or both sides to use
>self-signed certificates, where the other side has trusted the public
>key in the certificate using some out-of-band mechanism. In JFK and
>IKEv2 using this method, you don't get advantage (c), but you don't
>have disadvantage (e) or (f).
Or even IKEv1 -- and that's precisely the point. Using certificates
does *not* require existence of a PKI, or even a pki. (That's the
great lesson of ssh, btw -- it's very easy to deploy something based on
exchanging public keys, without dragging any central authority into the
picture.) You do have the exponentiations; what that buys you (apart
from simplicity of the protocol) is protection of authentication
material in the event of peer compromise. That is, I can hand Alice and
Bob the same public key for me. If Bob is compromised, that does not
allow the attacker to impersonate me when talking to Alice. To do that
with pre-shared symmetric keys, I'd have to have a separate key for
each correspondent, and (depending on just how those keys were
employed) I might have to worry about MITM attacks.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
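The peer-compromise argument above can be checked mechanically. The following Go program is an added illustration written for this archive page; it is not code from the message's author or from any IKE/JFK implementation. It models three ways "Steve" could authenticate to Alice and Bob (one symmetric key shared with both, one symmetric key per correspondent, and a single public key held by both) and asks one question of each: does the material sitting in Bob's key store suffice to authenticate as Steve on an exchange Alice starts fresh? The transcript layout, the choice of HMAC-SHA256 for the pre-shared-key case and Ed25519 for the public-key case, and the peer names are constructed assumptions, not IKE's actual payloads.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// transcript is the byte string each authentication tag or signature covers:
// the claimed identities plus a nonce chosen by the verifying peer for this
// exchange. Constructed simplification of what IKE/JFK authenticate, not the
// real payload layout; the property that matters is that the verifier's fresh
// nonce is inside it, so a tag issued for one peer is not valid for another.
func transcript(claimant, verifier string, verifierNonce []byte) []byte {
	return append([]byte(claimant+"->"+verifier+"|"), verifierNonce...)
}

// pskTag / pskVerify: symmetric authentication with a pre-shared key
// (HMAC-SHA256). Tagging and verifying use the same secret, so every peer
// that can verify a tag can also produce one.
func pskTag(psk, tr []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(tr)
	return m.Sum(nil)
}

func pskVerify(psk, tr, tag []byte) bool {
	return hmac.Equal(pskTag(psk, tr), tag)
}

// SharedPSKExposure models one symmetric key handed to both Alice and Bob.
// Returns true if the contents of Bob's key store alone yield a tag Alice
// accepts as coming from Steve on an exchange she starts with a fresh nonce.
func SharedPSKExposure() bool {
	psk := randomBytes(32)
	bobStore, aliceStore := psk, psk // identical secret held by both verifiers

	tr := transcript("steve", "alice", randomBytes(16)) // Alice's fresh nonce
	tagFromBobsStore := pskTag(bobStore, tr)            // built only from Bob's material
	return pskVerify(aliceStore, tr, tagFromBobsStore)
}

// PerPeerPSKExposure models the symmetric-key mitigation the message names:
// a distinct key per correspondent. Bob's store no longer contains the secret
// Alice checks against, at the cost of Steve managing one key per peer.
func PerPeerPSKExposure() bool {
	bobStore := randomBytes(32)   // key Steve shares with Bob
	aliceStore := randomBytes(32) // different key Steve shares with Alice

	tr := transcript("steve", "alice", randomBytes(16))
	return pskVerify(aliceStore, tr, pskTag(bobStore, tr))
}

// PublicKeyExposure models the certificate / raw-public-key setup: Alice and
// Bob each store only Steve's public key, and Bob has additionally retained a
// genuine signature Steve produced for an earlier exchange with Bob. Returns
// true if that material verifies at Alice on her own fresh transcript.
func PublicKeyExposure() bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Everything in Bob's store: the public key and a signature over Bob's transcript.
	bobStorePub := pub
	bobSeenSig := ed25519.Sign(priv, transcript("steve", "bob", randomBytes(16)))

	trAlice := transcript("steve", "alice", randomBytes(16)) // Alice's fresh nonce
	return ed25519.Verify(bobStorePub, trAlice, bobSeenSig)
}

// PublicKeyHonestAuth confirms the honest path still works: a signature by
// the private-key holder over Alice's transcript is accepted by Alice.
func PublicKeyHonestAuth() bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trAlice := transcript("steve", "alice", randomBytes(16))
	return ed25519.Verify(pub, trAlice, ed25519.Sign(priv, trAlice))
}

func main() {
	fmt.Println("shared PSK:   Bob's store authenticates to Alice?", SharedPSKExposure())
	fmt.Println("per-peer PSK: Bob's store authenticates to Alice?", PerPeerPSKExposure())
	fmt.Println("public key:   Bob's store authenticates to Alice?", PublicKeyExposure())
	fmt.Println("public key:   honest signature accepted by Alice?", PublicKeyHonestAuth())
}
```

The first case returns true: with symmetric authentication, anyone who can verify Steve can also speak as Steve, so a single key shared across peers makes each peer's key store a credential for every other peer. Per-peer symmetric keys restore isolation but multiply the secrets Steve must distribute out of band, which is exactly the scaling cost the thread attributes to pre-shared keys. With a public key, what the peers hold is not usable to authenticate, and including the verifier's fresh nonce in the signed transcript is what keeps a signature seen by one peer from being presented to another.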