
IKEv2 and Perfect Forward Secrecy



Hi,

I am a little disturbed by section 2.12 - "Reuse of Diffie-Hellman
Exponentials" in the latest IKEv2(-05) draft. If I understand correctly, PFS
means that after closing a tunnel with Bob, Alice is guaranteed that even if
an attacker gained access to all the keys used for that tunnel, he has not
gained any information which may help him break future tunnels between Alice
and Bob.

It seems section 2.12 implies that Bob is allowed to keep his DH secret y,
and reuse it until the tunnel between Alice and Bob is closed WITHOUT
compromising PFS:

  "... Or it could keep track of which
   exponential was used for each connection and delete the information
   associated with the exponential only when some corresponding
   connection was closed. This would allow the exponential to be reused
   without losing perfect forward secrecy at the cost of maintaining
   more state."

This seems misleading. A common case would be for Alice to establish a
tunnel (Alice uses x1, sends g^x1; Bob uses y1, sends g^y1). Later Alice
would want to re-key; BEFORE the current SA expires, she starts a new
exchange (Alice uses x2, sends g^x2). Bob, who is following the suggestion
made in 2.12, reuses y1 since the first tunnel is not yet closed. He thinks
he is still guaranteeing PFS. Once this tunnel is established, Alice closes
the old one and continues to use the new one, thinking she has PFS. This
seems bad since an attacker who gained access to y1 and recorded all traffic
between Alice and Bob can decrypt all traffic which passed through BOTH
tunnels.

What am I missing?

P.S. I deliberately ignored the distinction between IKE-SA and CHILD-SA with
PFS, since it seems it is ignored in the quoted section from the draft as
well.

Jesse
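The re-key scenario described in the message, as an added example (not code from the original post or from the IKEv2 draft): Alice uses fresh x1 and x2, Bob either reuses y1 or picks a fresh y2, and we check which tunnel keys an attacker who recorded the wire and later learns y1 can compute. The group parameters are a small toy group chosen for illustration, not an IKE MODP group.

```python
import secrets

# Toy Diffie-Hellman group (constructed for illustration only, not an IKE group).
P = 2**127 - 1
G = 5


def public_value(secret):
    """g^secret mod p, the value sent on the wire."""
    return pow(G, secret, P)


def shared_key(peer_public, own_secret):
    """(g^peer)^own mod p, the DH shared secret for one tunnel."""
    return pow(peer_public, own_secret, P)


def rekey_scenario(x1, x2, y1, y2=None):
    """Tunnel 1 uses (x1, y1); the re-key uses Alice's fresh x2.
    If y2 is None, Bob reuses y1 as section 2.12 permits; otherwise he uses y2.
    Returns the two tunnel keys and which of them an attacker who recorded
    g^x1, g^x2 and later obtained only y1 can reconstruct."""
    bob_second = y1 if y2 is None else y2
    k1 = shared_key(public_value(x1), y1)
    k2 = shared_key(public_value(x2), bob_second)
    # Sanity check: Alice derives the same keys from Bob's public values.
    assert k1 == shared_key(public_value(y1), x1)
    assert k2 == shared_key(public_value(bob_second), x2)
    # Attacker model: knows the recorded g^x1 and g^x2, and the leaked y1.
    attacker_k1 = shared_key(public_value(x1), y1)
    attacker_k2_guess = shared_key(public_value(x2), y1)
    return {
        "k1": k1,
        "k2": k2,
        "attacker_recovers_k1": attacker_k1 == k1,
        "attacker_recovers_k2": attacker_k2_guess == k2,
    }


if __name__ == "__main__":
    x1, x2, y1, y2 = (secrets.randbelow(P - 2) + 1 for _ in range(4))
    reused = rekey_scenario(x1, x2, y1)
    fresh = rekey_scenario(x1, x2, y1, y2)
    print("Bob reuses y1:   attacker gets k2 =", reused["attacker_recovers_k2"])
    print("Bob uses fresh y2: attacker gets k2 =", fresh["attacker_recovers_k2"])
```

With y1 reused, the leak of one exponent exposes both tunnels; with a fresh y2, the same leak exposes only the tunnel that y1 belonged to.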