
RE: SOI QUESTION: 4.2 Creating multiple SAs for a single pair of entities



Andrew:

> > >4.2.A) How important is it that SOI be able to create multiple SA's
> > >between a pair of entities "cheaply"?
> >
> > This is very important.  I assume that "cheaply" means that cracking the
> > keying material associated with one of these related SAs MIGHT disclose
> > information that could help the attacker learn the keying material
> > associated with the other related SAs.  That is, there is no PFS.
>
>Actually, not necessarily. Typically, we have:
>
>skeyseed = PRF(g^xy, etc)
>key1 = PRF(skeyseed, nonce1, etc)
>key2 = PRF(skeyseed, nonce2, etc)
>
>key1 and key2 are both outputs of a one-way function, so assuming you delete
>skeyseed at some point then key1 and key2 are effectively unrelated.
>Therefore, as long as you delete skeyseed at some point, you will have PFS.
>(According to conventional wisdom, there is no reason to believe that it
>will be easier to reverse a PRF than to crack a DH.)

My point was that your keying material is vulnerable (from a PFS 
perspective) until both ends have deleted the shared secret values 
(skeyseed in your example) used to derive it.  If the attacker learns 
skeyseed (from either end), then deriving the associated keying material is 
straightforward.  However, once both ends have securely deleted skeyseed, 
it should be computationally infeasible to learn key1 or skeyseed from key2.

Russ
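The two-stage derivation Andrew sketches above (skeyseed from the DH result, per-SA keys from skeyseed plus a nonce) and the exposure window Russ describes (skeyseed known to an attacker before both ends delete it), worked through as an added example. This is not code from the thread or from any SOI implementation: the PRF is instantiated as HMAC-SHA256, the "etc" inputs are taken to be exchange nonces and a per-SA label, and g^xy, the nonces and the "leak" are constructed placeholder values.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """The thread's PRF, instantiated here as HMAC-SHA256 (an assumption)."""
    return hmac.new(bytes(key), data, hashlib.sha256).digest()


def derive_skeyseed(dh_shared: bytes, nonce_i: bytes, nonce_r: bytes) -> bytearray:
    """skeyseed = PRF(g^xy, etc).  The 'etc' is assumed to be the exchange
    nonces, used here as the PRF key.  Returned as a bytearray so it can be
    overwritten once the per-SA keys have been derived."""
    return bytearray(prf(nonce_i + nonce_r, dh_shared))


def derive_sa_key(skeyseed: bytes, sa_nonce: bytes, label: bytes) -> bytes:
    """keyN = PRF(skeyseed, nonceN, etc).  One-way in skeyseed, so key1 and
    key2 have no usable relationship once skeyseed has been deleted."""
    return prf(skeyseed, label + sa_nonce)


def wipe(buf: bytearray) -> None:
    """Overwrite the seed in place.  Illustrative only: CPython may hold
    other copies, so this is not a guaranteed secure erase."""
    for i in range(len(buf)):
        buf[i] = 0


def run_demo() -> dict:
    """Both ends derive two SA keys, an attacker snapshots skeyseed while it
    still exists, then both ends wipe it.  Returns what each party can derive."""
    # Constructed stand-in for the DH shared secret g^xy and the exchange nonces.
    dh_shared = hashlib.sha256(b"constructed placeholder for g^xy").digest()
    nonce_i = b"constructed-initiator-nonce"
    nonce_r = b"constructed-responder-nonce"

    # Each end computes skeyseed independently from the same inputs.
    seed_a = derive_skeyseed(dh_shared, nonce_i, nonce_r)
    seed_b = derive_skeyseed(dh_shared, nonce_i, nonce_r)

    # Two related SAs, each keyed with a fresh per-SA nonce.
    nonce1, nonce2 = b"constructed-sa1-nonce", b"constructed-sa2-nonce"
    key1_a = derive_sa_key(seed_a, nonce1, b"SA1")
    key2_a = derive_sa_key(seed_a, nonce2, b"SA2")
    key1_b = derive_sa_key(seed_b, nonce1, b"SA1")
    key2_b = derive_sa_key(seed_b, nonce2, b"SA2")

    # Exposure window: an attacker who obtains skeyseed from either end before
    # it is deleted can derive every SA key with a single PRF call.
    leaked_seed = bytes(seed_a)  # constructed leak, stands in for a compromise
    attacker_key2 = derive_sa_key(leaked_seed, nonce2, b"SA2")

    # Once both ends delete skeyseed, only the SA keys themselves remain;
    # re-deriving from the wiped buffer no longer yields the real key.
    wipe(seed_a)
    wipe(seed_b)
    post_wipe_key2 = derive_sa_key(seed_a, nonce2, b"SA2")

    return {
        "key1": key1_a,
        "key2": key2_a,
        "ends_agree": key1_a == key1_b and key2_a == key2_b,
        "attacker_with_leaked_seed_gets_key2": attacker_key2 == key2_a,
        "rederive_after_wipe_works": post_wipe_key2 == key2_a,
        "seed_wiped": all(b == 0 for b in seed_a) and all(b == 0 for b in seed_b),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The demo makes Russ's point concrete: the `leaked_seed` snapshot is the window in which one compromise yields both SA keys, and it closes only when both ends have wiped skeyseed. It cannot, of course, prove the converse (that key1 is infeasible to recover from key2); that rests on the PRF being one-way, the same assumption Andrew cites.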