
Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)

>>>>> "Paul" == Paul Koning <pkoning@equallogic.com> writes:
    >> They migrate from distributing opaque blobs of hex digits that must be
    >> kept private to distributing opaque blobs of base64 digits that do not
    >> benefit from staying private, but it doesn't hurt them either.
    >> 
    >> Can they tell the difference? The length is a bit longer.

    Paul> A LOT longer.  Long enough that -- unlike preshared keys -- you
    Paul> cannot enter them manually.

  Not compared to a decent shared secret. If you want to do passwords, fine.
However, since they do not need to be kept secret, you can cut and paste. 
For the client system, typing stuff in is not the end of the world. Here is
a 1024-bit public key:

        AwEAAZ7PeJWDMO69GjPbXWaN0UnHnNj3lANETIAtluJbpLfVeVpRubsYTru4kYxU
        K999Ga/23/Aw7mZrI+wQ3uhF36Tuxw76ls3FsgJuWxqdzLxlZxM8r/lXNGUftLPk
        fxbTwXgsfKcqhJCfraPLFH0QhCRVN56EW3Y91YCIMMyRAHbR

I wouldn't want to do that every day, but it is doable. Babble format
would do an even better job. 

    Paul> True.  But PK, even if all you ever use is self-signed certs, still
    Paul> needs a lot more near-incomprehensible concepts than preshared keys
    Paul> do.

Only if you write a poor interface.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
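
As an added example (not from the message or its author), a short Python script that takes the key quoted above apart and counts what a person would actually have to transcribe in each encoding. It assumes the blob uses the RFC 3110 RSA layout its leading bytes suggest (exponent length, exponent, modulus) and that "Babble format" means Bubble Babble; both are assumptions of this example, not statements from the thread.

```python
import base64

# The 1024-bit public key quoted in the message above, line breaks removed.
PAGE_KEY_B64 = (
    "AwEAAZ7PeJWDMO69GjPbXWaN0UnHnNj3lANETIAtluJbpLfVeVpRubsYTru4kYxU"
    "K999Ga/23/Aw7mZrI+wQ3uhF36Tuxw76ls3FsgJuWxqdzLxlZxM8r/lXNGUftLPk"
    "fxbTwXgsfKcqhJCfraPLFH0QhCRVN56EW3Y91YCIMMyRAHbR"
)

def parse_rsa_blob(b64):
    """Split an RFC 3110 style RSA public key into (exponent, modulus).
    Assumed layout: one length byte (0 means a two-byte length follows),
    the public exponent, then the modulus, most significant byte first."""
    raw = base64.b64decode(b64, validate=True)
    if raw[0]:
        exp_len, pos = raw[0], 1
    else:
        exp_len, pos = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[pos:pos + exp_len], "big")
    modulus = int.from_bytes(raw[pos + exp_len:], "big")
    return exponent, modulus

VOWELS, CONSONANTS = "aeiouy", "bcdfghklmnprstvzx"

def bubble_babble(data):
    """Encode bytes as Bubble Babble: 'x', one 'abcd-e' group per byte pair,
    a closing 'abc' group that carries the running checksum, then 'x'."""
    out, seed = ["x"], 1
    for i in range(0, len(data) + 1, 2):
        if i >= len(data):  # even length: closing group comes from the seed alone
            out.append(VOWELS[seed % 6] + "x" + VOWELS[seed // 6])
            break
        b1 = data[i]
        out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6]
                   + CONSONANTS[(b1 >> 2) & 15]
                   + VOWELS[((b1 & 3) + seed // 6) % 6])
        if i + 1 >= len(data):  # odd length: lone last byte, no seed update
            break
        b2 = data[i + 1]
        out.append(CONSONANTS[(b2 >> 4) & 15] + "-" + CONSONANTS[b2 & 15])
        seed = (seed * 5 + b1 * 7 + b2) % 36
    return "".join(out) + "x"

def typing_burden(b64=PAGE_KEY_B64):
    """Characters a person would transcribe for the same key in each encoding."""
    raw = base64.b64decode(b64)
    return {"base64": len(b64), "hex": 2 * len(raw),
            "babble": len(bubble_babble(raw))}
```

For the quoted key this reports a 65537 exponent and a 1024-bit modulus; Bubble Babble comes out longer than base64 (it trades length for words that can be read aloud and typed without case or l/1 confusion), which is the usability trade the thread is weighing.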