[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SOI: identity protection and DOS

To: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>
Subject: RE: SOI: identity protection and DOS
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wed, 28 Nov 2001 23:20:47 +0200 (IST)
cc: IPsec WG <ipsec@lists.tislabs.com>
In-Reply-To: <002d01c177b5$dfcc2b10$1e72788a@andrewk3.ca.newbridge.com>
Sender: owner-ipsec@lists.tislabs.com

Andrew, see below for a clarification...

On Tue, 27 Nov 2001, Andrew Krywaniuk wrote:

> > >(e) is only due to a flaw in IKEv1, and is unrelated to the
> > use of preshared
> > >keys in general.
> >
> > Yup. Some people think that identity protection is absolutely needed
> > in every circumstance, but most people would agree that identity
> > protection isn't worth preventing pre-shared secrets from working
> > with mobile users.
> 
> Well, my point was more that there isn't a conflict between preshared keys
> and identity protection (of the passive variety). If the PSK & PKsig SKEYID
> derivations in IKEv1 had been the same (as they could have been), this
> argument would have never come up.
> 
> As some may recall, Hugo originally argued that the PKsig authentication
> method was inadequately secure because its strength was based solely on the
> strength of the DH algorithm. The SKEYID for PSK was based on the DH value +
> a secret value. Therefore, the decision to define the SKEYID this way was
> merely a design tradeoff of identity protection for increased security. As
> we noted in draft-improveike (and elsewhere), this tradeoff was not
> necessary since an alternate SKEYID derivation could have given us both
> properties.

I never said that the sig mode of IKE was inadequately secure.
I did mention the advantage of pre-shared mode against possible 
break of a DH group in the future. The fact that pre-shared mode is
(much) better in this sense does not mean that people should consider 
the sig mode "inadequately secure".

Moreover, I already said many times, and "implemented" this idea in my
P-SIGMA proposal, that the problem of having to rely on the IP address for
identifying the shared-key is easily solvable through
an ID payload of type ID_KEY_ID (this was also the motivation to
introduce this type several years ago). 
In P-SIGMA this is done via the OIDi field.
Using this you get PFS and protection against active attacks
for BOTH peers (which is impossible to achieve under 
any signature mode).

Actually, even in IKE as it is now, where the OID mechanism is missing, 
one could have used the cookies in the header to identify shared keys in
the keys database. Any idea, why people did not do that?

Hugo

References:

RE: SOI: identity protection and DOS

From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: Re: IKEv2 and SIGMA
Next by Date: Correction -- ESP draft
Prev by thread: RE: SOI: identity protection and DOS
Next by thread: Re: SOI: identity protection and DOS
Index(es):
- Main
- Thread