
RE: SOI QUESTION: 4.2 Creating multiple SAs for a single pair of entities



> >4.2.A) How important is it that SOI be able to create multiple SAs
> >between a pair of entities "cheaply"?
>
> This is very important.  I assume that "cheaply" means that cracking the
> keying material associated with one of these related SAs MIGHT disclose
> information that could help the attacker learn the keying material
> associated with the other related SAs.  That is, there is no PFS.

Actually, not necessarily. Typically, we have:

skeyseed = PRF(g^xy, etc)
key1 = PRF(skeyseed, nonce1, etc)
key2 = PRF(skeyseed, nonce2, etc)

key1 and key2 are both outputs of a one-way function, so assuming you delete
skeyseed at some point then key1 and key2 are effectively unrelated.
Therefore, as long as you delete skeyseed at some point, you will have PFS.
(According to conventional wisdom, there is no reason to believe that it
will be easier to reverse a PRF than to crack a DH.)

Incidentally, IKEv1 had a feature (which no one implemented) where you could
do bulk negotiation of SAs. This is not preserved in IKEv2, but it lets you
trade off memory vs CPU or memory vs PFS. Theoretically, you could negotiate
10 keys in advance, delete skeyseed, and then use a modified quick mode to
assign these keys to new SAs (thus giving you full PFS across rekeys without
incurring any additional DHs).

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
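The derivation Andrew sketches above (skeyseed from the DH result, per-SA keys from skeyseed plus a nonce through a one-way PRF, then skeyseed deleted) and the bulk pre-derivation idea in the last paragraph, as an added illustration that is not part of the original message and not code from any IKE implementation. It assumes HMAC-SHA256 as the PRF, the IKEv2 ordering SKEYSEED = prf(Ni | Nr, g^ir) for the "etc" in the first line, and a constructed 32-byte stand-in for g^xy in place of a real DH exchange; the names derive_skeyseed, derive_sa_key, derive_key_pool and wipe are this example's own.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Tuple


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKE PRF (HMAC-SHA256 assumed here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_skeyseed(dh_shared_secret: bytes, nonce_i: bytes, nonce_r: bytes) -> bytearray:
    """skeyseed = PRF(g^xy, etc).  IKEv2 ordering assumed: prf(Ni | Nr, g^ir).

    Returned as a mutable bytearray so it can be wiped once child keys exist.
    """
    return bytearray(prf(nonce_i + nonce_r, dh_shared_secret))


def derive_sa_key(skeyseed: bytes, nonce: bytes, label: bytes) -> bytes:
    """key_n = PRF(skeyseed, nonce_n, etc).

    The PRF is one-way: holding key_n does not yield skeyseed, and without
    skeyseed there is no path from key_1 to key_2, which is the PFS argument.
    """
    return prf(bytes(skeyseed), nonce + label)


def derive_key_pool(skeyseed: bytes, nonces: List[bytes], label: bytes) -> List[Tuple[bytes, bytes]]:
    """Bulk pre-derivation: one key per nonce, all computed while skeyseed
    is still in memory.  Returns (nonce, key) pairs; the nonce is what the
    later "modified quick mode" would reference when assigning the key."""
    return [(n, derive_sa_key(skeyseed, n, label)) for n in nonces]


def make_nonces(count: int, size: int = 16) -> List[bytes]:
    """Fresh random nonces, one per future SA."""
    return [secrets.token_bytes(size) for _ in range(count)]


def wipe(buf: bytearray) -> None:
    """Best-effort zeroisation of the seed (Python cannot guarantee no copies
    remain, but keeping the seed in one bytearray keeps that risk small)."""
    for i in range(len(buf)):
        buf[i] = 0


def assign_pool_to_sas(pool: List[Tuple[bytes, bytes]]) -> Dict[bytes, bytes]:
    """Hand each pre-derived key to a new SA, indexed by a constructed SPI.
    No skeyseed and no DH are needed at this point."""
    table: Dict[bytes, bytes] = {}
    for nonce, key in pool:
        spi = nonce[:4]          # constructed SPI for illustration only
        table[spi] = key
    return table


def demo() -> Dict[str, object]:
    """Walk the whole sequence: seed, derive 10 keys, wipe seed, assign."""
    shared_secret = bytes(range(32))          # constructed stand-in for g^xy
    ni, nr = b"\x01" * 16, b"\x02" * 16       # constructed exchange nonces
    skeyseed = derive_skeyseed(shared_secret, ni, nr)
    pool = derive_key_pool(skeyseed, make_nonces(10), b"esp")
    wipe(skeyseed)                            # from here on there is PFS across the pool
    return {"sas": assign_pool_to_sas(pool), "seed_zeroed": all(b == 0 for b in skeyseed)}


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['sas'])} SAs keyed, seed zeroed: {result['seed_zeroed']}")
```

Once wipe() has run, nothing in memory relates the ten keys to each other except that they came through the same one-way PRF, which is exactly the trade-off the message describes: memory for the pool in exchange for no further DH per rekey.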