
On shared keys (was RE: SOI: identity protection and DOS)



Everyone agrees that public key is the ONLY way to a scalable
Internet-wide protocol. No question about it. In particular,
any key-exchange protocol for IPsec MUST provide a PK-based exchange.

This, however, does not mean that shared keys are bad. Nor does it mean that
shared-key techniques are less secure than PK ones.
(Actually, one can argue that in the context of IPsec that already
needs to trust shared key mechanisms to secure data, the addition of
PK at the level of key-exchange is just adding a possible weak link --
and for all we know PK may be a WEAK link...)

Anyway, we need PK techniques for scalability not for security.

And one more and important (in my view) observation:
The reason people distrust shared keys so much is that they
perceive shared-keys as synonyms for "manual installation"
and "passwords". They forget that there are MANY important and practical
scenarios where a STRONG securely shared key is easily available.
In these cases, not using them is a waste.

Hugo


On Mon, 26 Nov 2001, Paul Hoffman / VPNC wrote:

> At 5:06 PM -0500 11/26/01, Andrew Krywaniuk wrote:
> >>  Positive traits of IKEv1 pre-shared keys:
> >>  a) easy for each party to set up
> >>  b) not susceptible to CRL time lag or CA key compromise
> >>  c) fewer exponentiations on each side for IPsec key setup
> >>
> >>  Negative traits of IKEv1 pre-shared keys:
> >>  d) hard to scale
> >>  e) unless identity protection is not needed, the initiator must be at
> >>  known IP address, and there must be only one pre-shared key at that
> >>  address
> >>  f) out-of-band swapping of the key must be done privately
> >
> >
> >Some comments on this:
> >
> >(e) is only due to a flaw in IKEv1, and is unrelated to the use of preshared
> >keys in general.
> 
> Yup. Some people think that identity protection is absolutely needed 
> in every circumstance, but most people would agree that identity 
> protection isn't worth preventing pre-shared secrets from working 
> with mobile users.
> 
> >(f) is not really valid because you need an out-of-band mechanism either
> >way.
> 
> Not true. You only need an authenticated transport for the public key
> hashes: you don't have to keep them private.
> 
> >(d) is the real reason for not using preshared keys.
> 
> ...for some people. In many environments, scaling is not an issue.
> It is easy to argue that setting up a simple CA and keeping its key
> secret and issuing CRLs and so on for a 5-gateway WAN is more
> difficult than passing around five preshared secrets on the phone.
> 
> --Paul Hoffman, Director
> --VPN Consortium
> 


