
RE: SOI: identity protection and DOS



> >(e) is only due to a flaw in IKEv1, and is unrelated to the use of preshared
> >keys in general.
>
> Yup. Some people think that identity protection is absolutely needed
> in every circumstance, but most people would agree that identity
> protection isn't worth preventing pre-shared secrets from working
> with mobile users.

Well, my point was more that there isn't a conflict between preshared keys
and identity protection (of the passive variety). If the PSK & PKsig SKEYID
derivations in IKEv1 had been the same (as they could have been), this
argument would have never come up.

As some may recall, Hugo originally argued that the PKsig authentication
method was inadequately secure because its strength was based solely on the
strength of the DH algorithm. The SKEYID for PSK was based on the DH value +
a secret value. Therefore, the decision to define the SKEYID this way was
merely a design tradeoff of identity protection for increased security. As
we noted in draft-improveike (and elsewhere), this tradeoff was not
necessary since an alternate SKEYID derivation could have given us both
properties.


> >(f) is not really valid because you need an out-of-band mechanism either
> >way.
>
> Not true. You only need an authenticated transport for the public key
> hashes: you don't have to keep them private.

I thought about this, but the distinction is mostly moot because there
aren't that many circumstances where you can get authentication without
secrecy. Maybe if you phoned the person and you thought the phone might be
tapped but you could recognize their voice... Other popular key distribution
techniques, such as e-mail, finger, websites, voice-mail from an
administrator are unlikely to have that property where they are
(meaningfully) authenticated but not secret.


> >(d) is the real reason for not using preshared keys.
>
> ...for some people. In many environments, scaling is not an issue.
> It is easy to argue that setting up simple CA and keeping its key
> secret and issuing CRLs and so on for a 5-gateway WAN is more
> difficult than passing around five preshared secrets on the phone.

Actually, I forgot to mention the point that PK crypto only scales well when
you have a CA. Sharing your self-signed cert with 500 people is no easier
than sharing 500 different preshared keys.


Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Paul Hoffman / VPNC
> Sent: Monday, November 26, 2001 5:40 PM
> To: ipsec@lists.tislabs.com
> Subject: RE: SOI: identity protection and DOS
>
>
> At 5:06 PM -0500 11/26/01, Andrew Krywaniuk wrote:
> >>  Positive traits of IKEv1 pre-shared keys:
> >>  a) easy for each party to set up
> >>  b) not susceptible to CRL time lag or CA key compromise
> >>  c) fewer exponentiations on each side for IPsec key setup
> >>
> >>  Negative traits of IKEv1 pre-shared keys:
> >>  d) hard to scale
> >>  e) unless identity protection is not needed, the initiator must be at
> >>  known IP address, and there must be only one pre-shared key at that
> >>  address
> >>  f) out-of-band swapping of the key must be done privately
> >
> >
> >Some comments on this:
> >
> >(e) is only due to a flaw in IKEv1, and is unrelated to the use of preshared
> >keys in general.
>
> Yup. Some people think that identity protection is absolutely needed
> in every circumstance, but most people would agree that identity
> protection isn't worth preventing pre-shared secrets from working
> with mobile users.
>
> >(f) is not really valid because you need an out-of-band mechanism either
> >way.
>
> Not true. You only need an authenticated transport for the public key
> hashes: you don't have to keep them private.
>
> >(d) is the real reason for not using preshared keys.
>
> ...for some people. In many environments, scaling is not an issue.
> It is easy to argue that setting up simple CA and keeping its key
> secret and issuing CRLs and so on for a 5-gateway WAN is more
> difficult than passing around five preshared secrets on the phone.
>
> --Paul Hoffman, Director
> --VPN Consortium
>
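
An added illustration (not part of the original message, and not taken from draft-improveike) of the two RFC 2409 SKEYID derivations discussed above, showing why the PSK form forces a main mode responder to pick the key by source address before it can read the ID payload. HMAC-SHA1 as the prf, the sample values, and the `split_keys` derivation are assumptions made for this example; `split_keys` is one hypothetical way to separate the encryption key from the secret, not the draft's construction.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 negotiates the prf; HMAC-SHA1 is assumed here.
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk, ni, nr):
    # RFC 2409, pre-shared key: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)

def skeyid_sig(ni, nr, gxy):
    # RFC 2409, signatures: SKEYID = prf(Ni_b | Nr_b, g^xy)
    return prf(ni + nr, gxy)

def skeyid_e(skeyid, gxy, cky_i, cky_r):
    # RFC 2409 chain SKEYID_d -> SKEYID_a -> SKEYID_e; SKEYID_e is the
    # keying material that protects the main mode ID payload.
    tail = gxy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")
    a = prf(skeyid, d + tail + b"\x01")
    return prf(skeyid, a + tail + b"\x02")

def responder_psk_key(psk_by_ip, src_ip, ni, nr, gxy, cky_i, cky_r):
    # Main mode with PSK: the ID payload is still encrypted, so the only
    # selector the responder has for the key is the peer's source address.
    psk = psk_by_ip.get(src_ip)
    if psk is None:
        return None  # unknown address (e.g. mobile user): ID cannot be decrypted
    return skeyid_e(skeyid_psk(psk, ni, nr), gxy, cky_i, cky_r)

def split_keys(psk, ni, nr, gxy, cky_i, cky_r):
    # Hypothetical split: encryption key from DH only, authentication key
    # from DH plus the secret (looked up after the ID is decrypted).
    base = skeyid_sig(ni, nr, gxy)
    return skeyid_e(base, gxy, cky_i, cky_r), prf(psk, base)

# Constructed sample values; a real exchange uses random nonces and a DH secret.
NI, NR, GXY = b"\x11" * 16, b"\x22" * 16, b"\x33" * 128
CKY_I, CKY_R = b"\xaa" * 8, b"\xbb" * 8
PSK_BY_IP = {"192.0.2.10": b"gateway-a-secret"}

if __name__ == "__main__":
    print(responder_psk_key(PSK_BY_IP, "192.0.2.10", NI, NR, GXY, CKY_I, CKY_R).hex())
    print(responder_psk_key(PSK_BY_IP, "198.51.100.7", NI, NR, GXY, CKY_I, CKY_R))
    enc1, auth1 = split_keys(b"gateway-a-secret", NI, NR, GXY, CKY_I, CKY_R)
    enc2, auth2 = split_keys(b"another-secret", NI, NR, GXY, CKY_I, CKY_R)
    print(enc1 == enc2, auth1 == auth2)
```

In the split form the encryption key is the same whichever secret the peer holds, so the responder can decrypt the ID first and select the secret by identity rather than by address.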


