[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: On shared keys (was RE: SOI: identity protection and DOS)

To: "'IPsec WG'" <ipsec@lists.tislabs.com>
Subject: Re: On shared keys (was RE: SOI: identity protection and DOS)
From: Sandy Harris <sandy@storm.ca>
Date: Sat, 01 Dec 2001 10:13:49 -0500
References: <4652644B98DFF34696801F8F3070D3FE01188472@D2CSPEXM001.smartpipes.com>
Sender: owner-ipsec@lists.tislabs.com

"Wang, Cliff" wrote:
> 
> It depends on how you see things. I agree that you only need to have 2N keys
> in existence.
> But from a usage/implementation/deployment point of view, you are still
> dealing n*(n-1) key delivery. The only difference is that you deliver the
> same public key (N-1) times to N boxes in the case of RSA, but you deliver
> (N-1)*N/2 different keys in PSK case, assuming we are talking a full mesh
> relationship.

There is another important differences.

With symmetric keys, you must make all the PSK deliveries securely, whether
from peer to peer or from server to client, for the system to work.

With public key tehniques, it does not matter if the enemy learns the
public keys, so there is no need for a secure channel for those. If you
have each system generate its own public/private key pair, then only
public keys ever need to be transmitted (directly to peers or to the
server if you use one) or shared.

Prev by Date: Re: ipsec in tunnel mode and dynamic routing
Next by Date: Re: ipsec in tunnel mode and dynamic routing
Prev by thread: Re: ipsec in tunnel mode and dynamic routing
Next by thread: RE: On shared keys (was RE: SOI: identity protection and DOS)
Index(es):
- Main
- Thread