
Re: Please kill preshared key.



Well,
The pre-shared key model uses an 'out-of-band' secured channel to exchange
asymmetric or symmetric keys. (So is a self-signed cert :-)

In this model, exchanging phase 2's symmetric key through an 'out-of-band'
secured channel is possible.
It is very effective for a small realm
(but cannot reach out to other realms, and is therefore not scalable).

Of course, the pre-shared symmetric key is less scalable than the pre-shared
public key method.
Yet the public key method is less efficient than symmetric key (the
computation cost is prohibitive).

On second thought, for large-scale implementation/inter-operation,
I would imagine an effective model that uses a pre-shared public key as the
ID authentication basis for further exchange of its symmetric key (and for a
session only).

--- David


----- Original Message -----
From: "Scott Fluhrer" <sfluhrer@cisco.com>
To: "david chen" <ietf_davidchen@hotmail.com>
Cc: <sommerfeld@east.sun.com>; <ipsec@lists.tislabs.com>
Sent: Thursday, December 06, 2001 6:31 PM
Subject: Re: Please kill preshared key.


>
>
> On Thu, 6 Dec 2001, david chen wrote:
>
> > Agree,
> >
> > IKE is for 'key exchange'.
> > There is *no* need to change keys in pre-shared key mode.
> >
> > In the pre-shared key model, the two devices can just go directly to
> > phase 2 of IPSec.
>
> Ummm, no.  That's not how preshared keys work in IKEv1, and I don't think
> anyone is advocating such a feature for SOI/JFK/Whatever.  Instead, with
> PSKs in IKEv1, devices authenticate each other by knowledge of the PSK --
> without the PSK, a device is unable to compute the SKEYID, and thus will
> be unable to complete the final part of the IKE transaction.  This means
> that knowledge of the PSK does not allow an attacker to decrypt a
> transcript of an IKE session authenticated via that PSK (unless he can
> solve the DH problem as well).
>
> >
> > --- David
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Bill Sommerfeld" <sommerfeld@east.sun.com>
> > To: <ipsec@lists.tislabs.com>
> > Sent: Thursday, December 06, 2001 1:47 PM
> > Subject: Please kill preshared key.
> >
> >
> > > Since there are people arguing to save preshared key, I just wanted to
> > > reemphasize that:
> > >
> > >  0) it adds cryptographic complexity -- you essentially need a
> > > different cryptographic protocol for PSK vs. signature keys.  Let's
> > > spend the cycles of our cryptographers on more important stuff than
> > > this.
> > >
> > >  1) it adds YET ONE MORE OPTION you need to test, one more knob you
> > > can misconfigure.. more time for customers spent fumbling around
> > > trying to figure out how to configure systems.
> > >
> > >  2) equivalent functionality can be found in preconfigured public keys
> > > and/or self-signed certificates.
> > >
> > > There's no need for it, it adds complexity.  Kill it.
> > >
> > > - Bill
> > >
> >
>
>
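
Scott Fluhrer's point about PSK authentication in IKEv1, worked through with the key derivation from RFC 2409 section 5, as an added example that is not code from the thread or its participants. It assumes HMAC-SHA1 as the negotiated prf and a toy Diffie-Hellman group; the PSK, nonces, cookies, exponents and the function names `prf`, `derive` and `demo` are constructed for the illustration.

```python
import hashlib
import hmac

# Toy DH group, constructed for this demo: 2 has order 127 modulo 2**127 - 1,
# so it is trivially brute-forceable. Real IKEv1 uses the Oakley MODP groups.
P, G = 2**127 - 1, 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is assumed as the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

def derive(psk: bytes, ni: bytes, nr: bytes, g_xy: int, cky_i: bytes, cky_r: bytes):
    """RFC 2409 section 5: SKEYID and the three keys derived from it (PSK auth)."""
    skeyid = prf(psk, ni + nr)                       # needs the PSK
    tail = g_xy.to_bytes(16, "big") + cky_i + cky_r  # needs the DH shared secret
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def demo() -> dict:
    # All values below are constructed sample inputs.
    psk = b"constructed-example-psk"
    ni, nr = b"\x11" * 16, b"\x22" * 16          # nonces, sent in the clear
    cky_i, cky_r = b"\xaa" * 8, b"\xbb" * 8      # ISAKMP cookies
    x, y = 45, 101                               # DH private exponents
    gx, gy = pow(G, x, P), pow(G, y, P)          # public values, sent in the clear

    initiator = derive(psk, ni, nr, pow(gy, x, P), cky_i, cky_r)
    responder = derive(psk, ni, nr, pow(gx, y, P), cky_i, cky_r)
    # A peer without the PSK completes DH but computes a different SKEYID.
    no_psk = derive(b"not-the-psk", ni, nr, pow(gx, y, P), cky_i, cky_r)
    # An eavesdropper who later learns the PSK has gx and gy but not g^xy;
    # the product of the public values stands in for a guess.
    eavesdropper = derive(psk, ni, nr, (gx * gy) % P, cky_i, cky_r)
    return {
        "peers_agree": initiator == responder,
        "no_psk_skeyid_matches": no_psk[0] == responder[0],
        "eavesdropper_skeyid_matches": eavesdropper[0] == initiator[0],
        "eavesdropper_skeyid_e_matches": eavesdropper[3] == initiator[3],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The eavesdropper reproduces SKEYID from the PSK and the cleartext nonces, but SKEYID_e, which protects the rest of the exchange, also depends on g^xy.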

