
RE: Please save the pre-shared key mode



On Fri, 7 Dec 2001, Wang, Cliff wrote:

> The documentation is not about how to generate a self-signed cert. The
> document should cover the integration with IKEv2, security analysis, wire
> format, .....
> 
There ARE no integration issues, nor is the security analysis any different
(if you transfer a pre-shared symmetric key insecurely over an insecure
network, then you're being stupid. Same is true for transferring an RSA
keypair (pair!) over an insecure network, when (for example) pre-provisioning
configs and sending them to the user. There's no difference that I can
ascertain).

The on-the-wire format doesn't change. That's the whole point. IKEv2 and JFK
define messages using RSA keys. That's all you need.

The question is: How do you get and authenticate the RSA key? That's the
part we're talking about. The main thrust some people are trying to get
across is that you do not (again: NOT) need a PKI for this. There are several
ways to get an RSA key distributed and authenticated, and there are plenty of
alternatives to a PKI.

Hints: Look at SSH as one example. Freeswan's way of distributing RSA keys
via DNS has also been documented (and discussed on this list. Check the
archives). Consider saving the RSA fingerprint instead of the key, then
compare the saved fingerprint to the key you received from the other side in
a self-signed certificate (CERT payload in IKE and IKEv2).  Etc... the
variety is endless, and doesn't affect interoperability of the protocol
itself (since the protocol only cares that you HAVE an RSA key you trust, and
not how you got it, nor how you decided to trust it; it merely assumes you
haven't been stupid and let some attacker see your secret).

> Without clear-cut IETF documentation, it might be difficult for vendors to
> come to the same page and accept it.
>  
As Henry mentioned, most people thought this stuff was pretty simple and
self-explanatory (and obvious). Maybe someone should write it up, since
apparently not everyone sees the obvious (even after being told by several
people multiple times).

jan


> 
> -----Original Message-----
> From: Henry Spencer [mailto:henry@spsystems.net] 
> Sent: Friday, December 07, 2001 4:46 PM
> To: Wang, Cliff
> Cc: 'Jan Vilhuber'; ipsec@lists.tislabs.com
> Subject: RE: Please save the pre-shared key mode
> 
> 
> On Fri, 7 Dec 2001, Wang, Cliff wrote:
> >> The justification being offered for saving it is "nothing else works" 
> >> -- that is, that there is no other equally quick and simple way of 
> >> setting up a simple connection.  This is false.  There are non-PKI 
> >> approaches to public keys which are just as simple and easy as PSK.
> > 
> > ...Where are these alternative approaches documented in the form of
> > an internet draft?
> 
> I don't know that anyone has ever thought to document them in I-Ds, since
> mostly they are too simple to need much explaining.  The hard part is
> deprogramming people from the "public key implies PKI" religion. 
> 
> Self-signed certs are a well-known concept, and fit naturally into existing
> cert machinery. 
> 
> RFC 3110 documents how to represent (in DNS) RSA public keys without
> involving any form of certificate.  We used that as our representation. 
> We preconfigure with public keys in much the same way that we preconfigure
> with shared secrets.  What else is there to tell? 
> 
>                                                           Henry Spencer
>                                                        henry@spsystems.net
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
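
The saved-fingerprint comparison suggested in the message above, applied to a key carried in the RFC 3110 representation mentioned in the quoted reply. This is an added example, not code from the thread or from any IPsec implementation. Assumptions: the fingerprint is defined here as SHA-256 over the canonical RFC 3110 encoding, and the function names, pin store, peer names and sample key are hypothetical.

```python
import hashlib
import hmac

def parse_rfc3110(blob: bytes) -> tuple[int, int]:
    """Decode an RFC 3110 RSA public key blob into (exponent, modulus)."""
    if not blob:
        raise ValueError("empty key")
    if blob[0] != 0:                      # short form: 1-octet exponent length
        elen, off = blob[0], 1
    elif len(blob) >= 3:                  # long form: 0x00 + 2-octet length
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    else:
        raise ValueError("truncated exponent length")
    exp, mod = blob[off:off + elen], blob[off + elen:]
    if elen == 0 or len(exp) != elen or not mod:
        raise ValueError("truncated key")
    if exp[0] == 0 or mod[0] == 0:        # RFC 3110 forbids leading zero octets
        raise ValueError("leading zero octet")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def fingerprint(e: int, n: int) -> str:
    """SHA-256 over the canonical RFC 3110 encoding (assumed fingerprint format)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([len(eb)]) if len(eb) <= 255 else b"\x00" + len(eb).to_bytes(2, "big")
    return hashlib.sha256(head + eb + nb).hexdigest()

def check_peer(pins: dict[str, str], peer_id: str, key_blob: bytes) -> str:
    """Compare a received key against the saved fingerprint for peer_id."""
    try:
        e, n = parse_rfc3110(key_blob)
    except ValueError:
        return "malformed"
    pinned = pins.get(peer_id)
    if pinned is None:
        return "unknown"                  # no saved pin: caller must verify out of band
    return "ok" if hmac.compare_digest(pinned, fingerprint(e, n)) else "mismatch"

# Constructed sample key: e = 65537, 64-bit toy modulus (far too short for real use).
SAMPLE_KEY = bytes.fromhex("03010001" "c5a3f19b2d4e7781")
# Hypothetical pin store, filled at provisioning time over a trusted channel.
PINS = {"gw.example.net": fingerprint(*parse_rfc3110(SAMPLE_KEY))}

if __name__ == "__main__":
    print(check_peer(PINS, "gw.example.net", SAMPLE_KEY))                 # same key
    print(check_peer(PINS, "gw.example.net", SAMPLE_KEY[:-1] + b"\x83"))  # different key
    print(check_peer(PINS, "other.example.net", SAMPLE_KEY))              # no pin saved
```

Because the fingerprint is taken over the re-encoded (exponent, modulus) pair, the short and long exponent-length forms of the same key yield the same pin.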


