
Re: SOI: identity protection and DOS



Michael,

I don't understand what pre-shared keys have to do with my comment 
as you cite it. Let me repeat and clarify my previous comment:

in a signature-based authentication mode it is CHEAPER 
(in terms of the number of messages in the protocol) to protect the 
initiator's identity than the responder's against active attacks.  
Protecting the initiator can be done in 3 messages (as in SIGMA); 
protecting the responder takes at least 4 (as in IKEv2).

How many messages does it take to protect BOTH identities against active attacks?
The answer is: it is IMPOSSIBLE to do so in a signature-based protocol.

And since you mention shared keys, an advantage they have over a signature
mode is that you can achieve protection of BOTH identities against active
attackers, and at the price of just three messages (see P-SIGMA).

Hugo


On Mon, 26 Nov 2001, Michael Thomas wrote:

> Hugo Krawczyk writes:
>  > On 20 Nov 2001, Derek Atkins wrote:
>  > [...]
>  > > 
>  > > I happen to agree with Radia's point that you should try to protect
>  > > the initiator's identity before the responder's identity (which
>  > > implies the responder should authenticate to the initiator first).
>  > > Yes, this implies an extra round trip, but if the initiator wants to
>  > > protect their identity they should have the choice to do so.
>  > > 
>  > 
>  > No, it does NOT imply an extra round trip. It is the other way around.  
>  > Protecting the initiator from an active attacker takes just 3 messages.
>  > Protecting the responder takes 4.
>  > See the SIGMA draft
>  > (http://www.ee.technion.ac.il/~hugo/draft-krawczyk-ipsec-ike-sigma-00.txt)
> 
>    If you allow for pre-shared keys, then it clearly 
>    requires an extra message or two. Which is why we
>    should determine what the actual requirement is
>    re pre-shared keys. If it's a requirement, then
>    we need to confront the time/protection tradeoff.
>    If it's not a requirement, this mostly vanishes.
> 
> 	   Mike
> 
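As an added illustration, not code from this thread or from the SIGMA draft: a toy Python model of the three SIGMA-I messages Hugo describes. It assumes a constructed small Schnorr group (P = 1019) standing in for real signatures, an HMAC-keystream XOR standing in for the encryption under Ke, and made-up identities (alice, bob). Running it shows why the message count differs: whoever sends message 1 can read ID_R from message 2 before proving anything, whereas ID_I only leaves the initiator in message 3, after the responder's signature has been checked.

```python
import hashlib, hmac, json, secrets
# Toy Schnorr/DH group, constructed for this example only: safe prime P = 2Q+1, G of order Q.
P, Q, G = 1019, 509, 4
rand = lambda: secrets.randbelow(Q - 1) + 1          # uniform exponent in [1, Q-1]

def H(*parts):                 # Fiat-Shamir challenge in [1, Q-1]; never 0, so a wrong key cannot verify
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def sign(sk, *msg):            # Schnorr signature (r, s) with s = k - sk*e mod Q
    k = rand()
    r = pow(G, k, P)
    return r, (k - sk * H(r, *msg)) % Q

def verify(pk, sig, *msg):
    r, s = sig
    return r == pow(G, s, P) * pow(pk, H(r, *msg), P) % P

def kdf(shared, label):        # Ke / Km derived from the DH secret
    return hmac.new(str(shared).encode(), label, "sha256").digest()
def xor_crypt(key, data):      # HMAC-derived keystream XOR; demo stand-in for SIGMA's {...}_Ke encryption
    ks = b"".join(hmac.new(key, bytes([i]), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def mac_id(km, ident):
    return hmac.new(km, ident.encode(), "sha256").hexdigest()

def make_party(name, pki):     # generate a signing key and register its public key under `name`
    sk = rand()
    pki[name] = pow(G, sk, P)
    return {"id": name, "sk": sk}

def run(init, resp, pki):
    """SIGMA-I in three messages. init/resp carry the identity they CLAIM ('id') and the key they
    HOLD ('sk'); pki maps id -> pk. Returns what each side learns and whether it accepted the peer."""
    x, y = rand(), rand()
    gx, gy = pow(G, x, P), pow(G, y, P)               # msg 1  I -> R : g^x   (carries no identity)
    ke, km = kdf(pow(gx, y, P), b"enc"), kdf(pow(gx, y, P), b"mac")
    # msg 2  R -> I : g^y, { ID_R, SIG_R(g^x, g^y), MAC_Km(ID_R) }_Ke
    body = json.dumps([resp["id"], sign(resp["sk"], gx, gy), mac_id(km, resp["id"])]).encode()
    msg2 = (gy, xor_crypt(ke, body))
    # Initiator side: whoever sent g^x derives the same keys, so ID_R is readable before any authentication
    ke_i, km_i = kdf(pow(msg2[0], x, P), b"enc"), kdf(pow(msg2[0], x, P), b"mac")
    id_r, sig_r, mac_r = json.loads(xor_crypt(ke_i, msg2[1]))
    if not (id_r in pki and verify(pki[id_r], sig_r, gx, msg2[0]) and hmac.compare_digest(mac_r, mac_id(km_i, id_r))):
        return {"I_learned_ID_R": id_r, "I_accepted_R": False, "R_learned_ID_I": None, "R_accepted_I": False}
    # msg 3  I -> R : { ID_I, SIG_I(g^y, g^x), MAC_Km(ID_I) }_Ke  -- ID_I is sent only after R verified
    body = json.dumps([init["id"], sign(init["sk"], msg2[0], gx), mac_id(km_i, init["id"])]).encode()
    id_i, sig_i, mac_i = json.loads(xor_crypt(ke, xor_crypt(ke_i, body)))
    ok_i = id_i in pki and verify(pki[id_i], sig_i, gy, gx) and hmac.compare_digest(mac_i, mac_id(km, id_i))
    return {"I_learned_ID_R": id_r, "I_accepted_R": True, "R_learned_ID_I": id_i, "R_accepted_I": ok_i}
```

Calling `run` with an unregistered initiator against an honest responder returns `I_learned_ID_R` set and `R_accepted_I` False; calling it with an impersonating responder returns `I_accepted_R` False and `R_learned_ID_I` None.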
