Re: SOI: identity protection and DOS
At 03:09 PM 11/26/2001 -0500, Steven M. Bellovin wrote:
...
>
>Or even IKEv1 -- and that's precisely the point. Using certificates
>does *not* require existence of a PKI, or even a pki. (That's the
>great lesson of ssh, btw -- it's very easy to deploy something based on
>exchanging public keys, without dragging any central authority into the
>picture.) You do have the exponentiations; what that buys you (apart
>from simplicity of the protocol) is protection of authentication
>material in event of peer compromise. That is, I can hand Alice and
>Bob the same public key for me. If Bob is compromised, that does not
>allow the attacker to impersonate me when talking to Alice. To do that
>with pre-shared symmetric keys, I'd have to have a separate key for
>each correspondent, and (depending on just how those keys were
>employed) I might have to worry about MITM attacks.
>
Steve, you have hit the nail right on the head as usual! I came to
the conclusion about 6 months ago that the *only* feature that makes
PK crypto worth having in establishing secure network communications
is the ability to make a "leap of faith" about the other side's
identity without having to worry about private key exposure. Otherwise,
why bother with it? Especially if you need a central trusted 3rd party.
Then a symmetric based system just blows away a PK based system in terms
of price/performance and ease of implementation.

BTW, once you allow "leap of faith" trust to be established at will
within the system by peers then the scalability issue is no longer a
problem. Of course access control or policy enforcement will need to
be (re)designed with this type of trust model in mind.

Maybe we should call this a Pretty Good Internet Key Exchange?
(Hopefully this time I won't be accused of being anti-IKE or a Taliban
sympathizer.)
- Alex
--
Alex Alten
Alten@Home.Com
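
The leap-of-faith model discussed in this thread, sketched as an added example that is not part of either message: a pin store in the style of ssh's known_hosts file. `PinStore`, `Verdict` and the key bytes are constructed for illustration, and proof of private-key possession (the signature check inside the key exchange) is assumed to happen elsewhere.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    PINNED_ON_FIRST_USE = 1   # leap of faith taken on this contact
    MATCH = 2                 # same key as at first contact
    MISMATCH = 3              # key changed: reject and alert


class PinStore:  # hypothetical in-memory analogue of ssh known_hosts
    def __init__(self, allow_leap=True):
        self.allow_leap = allow_leap   # policy: may unknown peers be pinned?
        self._pins = {}                # peer name -> SHA-256 of public key

    def check(self, peer, public_key):
        seen = hashlib.sha256(public_key).digest()
        pinned = self._pins.get(peer)
        if pinned is None:
            if not self.allow_leap:
                raise PermissionError("no pin for %s; leap of faith disabled" % peer)
            self._pins[peer] = seen
            return Verdict.PINNED_ON_FIRST_USE
        if hmac.compare_digest(pinned, seen):
            return Verdict.MATCH
        return Verdict.MISMATCH


def demo():
    # Constructed stand-ins for encoded public keys, not real key material.
    my_key = b"constructed-public-key-of-sender"
    other_key = b"constructed-public-key-of-someone-else"
    alice, bob = PinStore(), PinStore()
    # The same public key is handed to both correspondents.
    first = [alice.check("sender", my_key), bob.check("sender", my_key)]
    # Bob's store holds only a hash of public data; a different key presented
    # under the same name is caught by Alice's pin.
    later = [alice.check("sender", my_key), alice.check("sender", other_key)]
    strict = PinStore(allow_leap=False)   # policy that forbids the leap
    try:
        strict.check("sender", my_key)
        refused = False
    except PermissionError:
        refused = True
    return first, later, refused


if __name__ == "__main__":
    print(demo())
```

The `allow_leap` switch is one place where the access-control redesign mentioned above could attach: a deployment can accept first-contact pins for low-value peers and require pre-provisioned pins for the rest.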