Comments from Paul Van Oorschot
Phil Karn <karn@unix.ka9q.ampr.org> Tue, 14 March 1995 23:15 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa12533; 14 Mar 95 18:15 EST
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa12529; 14 Mar 95 18:15 EST
Received: from interlock.ans.net by CNRI.Reston.VA.US id aa17329; 14 Mar 95 18:15 EST
Received: by interlock.ans.net id AA06850 (InterLock SMTP Gateway 3.0 for ipsec-out@ans.net); Tue, 14 Mar 1995 18:09:26 -0500
Message-Id: <199503142309.AA06850@interlock.ans.net>
Received: by interlock.ans.net (Protected-side Proxy Mail Agent-2); Tue, 14 Mar 1995 18:09:26 -0500
Received: by interlock.ans.net (Protected-side Proxy Mail Agent-1); Tue, 14 Mar 1995 18:09:26 -0500
Date: Tue, 14 Mar 1995 15:13:46 -0800
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Phil Karn <karn@unix.ka9q.ampr.org>
To: ipsec@ans.net
Reply-To: karn@qualcomm.com
Subject: Comments from Paul Van Oorschot
I got this in email. I'm forwarding it to the list as it seems much more relevant than so much of the discussion here recently. I'll follow up with some responses.

Phil

Date: Thu, 9 Mar 1995 16:00:00 -0500
Content-Identifier: re:My photuri...
From: "paul (p.c.) van oorschot" <paulv@bnr.ca>
Sender: "paul (p.c.) van oorschot" <paulv@bnr.ca>
To: karn
Cc: "marcus (m.d.) leech" <mleech@bnr.ca>, ashar@osmosys.incog.com, whitfield.diffie@eng.sun.com
Subject: re:My photuris protocol

>Hi. Marcus Leech tells me you're interested in reviewing my photuris key
>exchange protocol. It's out as an Internet draft in the usual places,
>e.g.,
>
>ftp://ds.internic.net/internet-drafts/draft-karn-photuris-00.txt.
>
>I'd like to hear your comments, especially on the advisability of signing
>just the DH public component so it can be done in advance to save delay.
>This is a hot topic of discussion on the ipsec mailing list.
>
>Phil

Phil,

I have looked over your Photuris I-D of December 1994, and offer the following comments. As I don't participate in the mailing list regularly, it would seem inappropriate for me to post to the list and not be available for responses, so I respond to you directly. Please feel free to forward/discuss in the list if you think appropriate.

1. (section 1) The first discussion of "perfect forward secrecy" I am aware of is by Gunther in his Eurocrypt'89 paper, ``An identity-based key exchange protocol", pp.29-37, though it is possible this term was defined earlier. BTW, this paper is quite relevant background reading.

2. (section 3.3, Cookie Generation) If I understand correctly, it appears the cookie party A creates to use with party B is time-invariant. Does this imply that if B is a malicious party, then any party A which ever gives to B a cookie is subject to a flooding attack by B? If so, it would seem prudent to recommend cookies be time-variant.

3. (section 4.5, Moduli) It is only fair to list disadvantages as well as advantages, of a fixed prime, including:
   1) a fixed prime is a much more rewarding cryptanalytic target
   2) the security of the whole system rests on this prime being good
   3) changing this prime may lead to difficulties

4. (section 5.1, Signature Transmission) The authenticated key exchange protocol seems very similar to the Station-to-Station (STS) protocol described by Diffie, van Oorschot and Wiener ("Authentication and authenticated key exchanges", Designs, Codes and Cryptography vol.2 pp.107-125 (1992)), including allowing identities to remain hidden from eavesdroppers, and encrypting a subset of the protocol data messages exchanged themselves. I have sent a hard copy of this paper to you by post today, presuming you do not have access to it.

5. I strongly recommend against signing only a single exponential. Attacks are known against similar protocols which do so, and there are general concerns (e.g. see pp.116-117 of STS paper). Signing both exponentials provides entity authentication guarantees, which prevent one class of replay attacks; signing only one does not, and in general is vulnerable to a wide array of possible "interleaving" attacks.

6. Due to the incredibly embarrassing track record of newly proposed authentication and authenticated key exchange proposals, I hesitate to support any brand new protocol, and recommend the group consider choosing one (from the literature or elsewhere) which has already been well-studied by a large number of experts, or which can be proven to be cryptographically equivalent to such a protocol.

Kindest regards,
Paul.

P.S. I have also recently looked at Perry Metzger's "Troublemakers DRAFT" draft-metzger-ah-md5-01.txt. Am I correct in concluding it is indeed a joke? As has been discussed in the literature, the secret-prefix method proposed therein is insecure.

------------------------------------------------------------------------------
Paul Van Oorschot
Bell-Northern Research                                   | EMAIL: paulv@bnr.ca
MAIL TO:                      SHIP TO:                   | VOICE: 613-763-4199
BNR, Box 3511, Station C,     BNR, 2 Constellation Cr.   | FAX:   613-765-3520
Ottawa, Canada K1Y 4H7        Nepean, ON, Canada K2G 5J9 |
------------------------------------------------------------------------------
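Paul's point 2 is that a cookie which never changes for a given peer lets a peer that has obtained one cookie flood the issuer with it indefinitely. The example below is added here and is not the Photuris-00 cookie algorithm; it assumes a responder that keeps a random secret, rotates it on a fixed schedule, binds each cookie to the claimed source address, port and initiator cookie, and accepts cookies minted under the current or the immediately previous secret so that a legitimate exchange straddling a rotation still completes. The addresses, ports and the `CookieIssuer` class are constructed for illustration.

```python
"""Time-variant, stateless responder cookies (added example, not the draft's algorithm).

Assumption: a responder holds one random secret rotated every `rotate_every`
seconds and honours cookies made under the current or previous secret only,
so a captured cookie stops working after at most two rotation periods.
"""
import hashlib
import hmac
import os
import time


class CookieIssuer:
    def __init__(self, rotate_every=60.0, clock=time.monotonic, rng=os.urandom):
        self.rotate_every = rotate_every
        self.clock = clock          # injectable so the rotation can be driven in tests
        self.rng = rng
        self.current = rng(32)
        self.previous = None
        self.rotated_at = clock()

    def _rotate_if_due(self):
        now = self.clock()
        if now - self.rotated_at >= self.rotate_every:
            self.previous, self.current = self.current, self.rng(32)
            self.rotated_at = now

    @staticmethod
    def _mac(secret, peer_addr, peer_port, initiator_cookie):
        # Bind the cookie to the claimed source and the initiator's own cookie, so a
        # cookie lifted from one exchange is useless for a different source or exchange.
        msg = b"%s:%d:" % (peer_addr.encode(), peer_port) + initiator_cookie
        return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, peer_addr, peer_port, initiator_cookie):
        """Mint a cookie; no per-peer state is stored on the responder."""
        self._rotate_if_due()
        return self._mac(self.current, peer_addr, peer_port, initiator_cookie)

    def verify(self, cookie, peer_addr, peer_port, initiator_cookie):
        """Accept cookies under the current secret or the one just retired."""
        self._rotate_if_due()
        for secret in (self.current, self.previous):
            if secret is not None and hmac.compare_digest(
                cookie, self._mac(secret, peer_addr, peer_port, initiator_cookie)
            ):
                return True
        return False


def demo():
    """Drive the issuer through two rotations with a fake clock and report what holds."""
    t = [0.0]
    issuer = CookieIssuer(rotate_every=60.0, clock=lambda: t[0])
    ic = bytes(16)                       # constructed initiator cookie
    c0 = issuer.issue("10.0.0.1", 500, ic)
    r = {}
    r["same_peer_same_epoch"] = issuer.issue("10.0.0.1", 500, ic) == c0
    r["other_peer_differs"] = issuer.issue("10.0.0.2", 500, ic) != c0
    t[0] = 61.0                          # first rotation is now due
    c1 = issuer.issue("10.0.0.1", 500, ic)
    r["changes_after_rotation"] = c1 != c0
    r["old_still_ok_one_epoch"] = issuer.verify(c0, "10.0.0.1", 500, ic)
    t[0] = 122.0                         # second rotation retires the secret behind c0
    r["old_rejected_two_epochs"] = not issuer.verify(c0, "10.0.0.1", 500, ic)
    r["new_rejected_wrong_peer"] = not issuer.verify(c1, "10.0.0.3", 500, ic)
    return r


if __name__ == "__main__":
    print(demo())
```

Within one rotation period the cookie for a given peer is still constant, so the flooding window Paul describes is bounded by the period rather than removed; the period is the trade-off between that exposure and the chance of rejecting a slow but honest initiator.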
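The P.S. calls the secret-prefix construction, tag = MD5(secret || message), insecure. The reason is MD5's Merkle-Damgard structure: the tag is the compression-function state after absorbing secret || message || padding, so anyone holding the tag can continue hashing from that state and produce a valid tag for message || padding || suffix without knowing the secret. The example below is added here and is not code from the draft or the thread. It carries a small MD5 implementation whose state can be resumed (Python's `hashlib` does not expose the internal state), assumes the tag is the raw 16-byte digest, and assumes the attacker knows the secret's length; when the length is unknown it can be brute-forced by trying each candidate length against a verifier. The secret and message are constructed for the example.

```python
"""Length-extension forgery against MD5(secret || message) (added example, not the draft's code).

Assumptions: the tag is the raw MD5 digest of secret || message, and the
attacker knows len(secret). The secret's value is never needed.
"""
import hashlib
import math
import struct

# MD5 per-round shift amounts and sine-derived constants, as in RFC 1321.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md5_padding(total_len):
    """The bytes MD5 appends to a message of total_len bytes: 0x80, zeros, 64-bit LE bit count."""
    return (b"\x80" + b"\x00" * ((55 - total_len) % 64)
            + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF))


def _compress(state, block):
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & 0xFFFFFFFF)), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5_resume(data, state=_IV, already_hashed=0):
    """MD5 of data starting from `state`, as if `already_hashed` bytes (a multiple of 64)
    had already been absorbed. With the defaults this is ordinary MD5."""
    buf = data + md5_padding(already_hashed + len(data))
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack("<4I", *state)


def secret_prefix_tag(secret, message):
    """The insecure construction under discussion: MD5(secret || message)."""
    return hashlib.md5(secret + message).digest()


def forge_extension(tag, message, secret_len, suffix):
    """Given tag = MD5(secret || message) and len(secret), return (message', tag') with
    tag' = MD5(secret || message') and message' = message || glue || suffix, without the secret."""
    glue = md5_padding(secret_len + len(message))      # the padding the victim's MD5 applied
    forged_message = message + glue + suffix
    state = struct.unpack("<4I", tag)                   # the tag *is* the chaining state
    forged_tag = md5_resume(suffix, state, secret_len + len(message) + len(glue))
    return forged_message, forged_tag


def demo():
    """Forge a tag for an extended message and check it against the real secret-prefix MAC."""
    secret = b"not-known-to-the-attacker"              # constructed
    message = b"spi=0x1234;mode=transport"             # constructed
    tag = secret_prefix_tag(secret, message)
    forged_msg, forged_tag = forge_extension(tag, message, len(secret), b";mode=none")
    return forged_tag == secret_prefix_tag(secret, forged_msg)


if __name__ == "__main__":
    print("forgery verifies:", demo())
```

The forged message carries the glue padding bytes in the middle, so the attack works against any receiver that tolerates them (a parser that stops at the first NUL, or a format with free-form trailing fields). Placing the secret last (MD5(message || secret)) or, better, using HMAC removes this particular failure, which is why the construction in this P.S. was replaced in the later AH drafts.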