[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PFS + rekeying interconnection

To: "'IP Security List'" <ipsec@lists.tislabs.com>
Subject: PFS + rekeying interconnection
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
Date: 20 Jun 2002 18:31:07 -0400
Importance: Normal
In-Reply-To: <000c01c21889$4bf8fbf0$1e72788a@ca.alcatel.com>
Reply-To: andrew.krywaniuk@alcatel.com
Sender: owner-ipsec@lists.tislabs.com

> 1:00 - establish phase 1
> 1:01 - establish first phase 2
> 1:02 - establish second phase 2
> 1:03 - establish third phase 2
> 1:52 - rekey first phase 2
> 1:54 - rekey second phase 2
> 1:56 - rekey third phase 2
> 2:00 - delete DH exponent
> 2:46 - rekey first phase 2 w/ PFS folded back into phase 1
> [or just rekey
> phase 1]


I had a few requests to clarify some aspects of this timeline.

> 2:00 - delete DH exponent

It's not the DH exponent that matters here, it's SKEYID_d. You can delete
the DH exponent at 1:01 if you wish. Sorry about being unclear.


> 2) how long do you retain keys derived from the shared secret (one way
>     hash of the DH-generated secret).

For upto the PFS interval. The key here is to assume that the PRF is not
reversable.

> 1:00 - establish phase 1
> 1:52 - rekey first phase 2
> 2:00 - delete DH exponent

If someone breaks into your box at 1:59, they can get key1 and key2 and
SKEYID_d, but your PFS interval hasn't elapsed yet so only 1 hour's worth of
data is compromised.

If someone breaks into your box at 2:01, they can only get key2, which has
only been used for 9 minutes. You can continue to use key 2 up until 2:52
without violating your PFS interval.


> 3) how long after the declared expiration time do you keep the SA
>    alive to catch stragglers.

I assume that you delete the SA as soon as it expires. To avoid stragglers,
you rekey in advance.


> > 6 phase 2s for the price of one DH without sacrificing PFS.
>
> admittedly the long-term steady-state here will be more like 3 phase
> 2's per DH

It depends. If your jitter is completely random then the phase 2s will
eventually end up being distributed randomly through the timeline and you
will get 4 phase 2s per DH steady state.

If you tweak the jitter so the rekeys are distributed within a fixed window
then you can get 6 rekeys per DH steady state.


>     All the phase 2 sessions may not fall in the same
> intervel. In you example all the phase 2 connections
> are started  approximatetly at same time. In normal
> case the sessions are distributed evenly in the
> intervel. Let me know if I am missing anything ...

> 2:00 - delete DH exponent
> 2:46 - rekey first phase 2 w/ PFS folded back into phase 1

In the example above, the host had no SKEYID_d for 46 minutes. If you needed
to negotiate an SA earlier than that, you would negotiate a new key sometime
between 2:00 and 2:46. As I mentioned above, this might result in you
getting 4 SAs per DH rather than 6.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.

Follow-Ups:
- RE: PFS + rekeying interconnection
  - From: "Rajesh Mohan" <rajeshmn@future.futsoft.com>

References:
- [resend] -- RE: SOI QUESTIONS: 2.1 Identity protection questions?
  - From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Prev by Date: RE: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
Next by Date: Re: SOI QUESTIONS: 2.3 Perfect forward secrecy (PFS)
Prev by thread: [resend] -- RE: SOI QUESTIONS: 2.1 Identity protection questions?
Next by thread: RE: PFS + rekeying interconnection
Index(es):
- Date
- Thread