Re: an imperfection in skip-pfs
Ashar Aziz <ashar@sunpak.sdnpk.undp.org> Sat, 24 February 1996 19:23 UTC
Message-Id: <199602241730.AA13651@sdnpk.undp.org>
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Ashar Aziz <ashar@sunpak.sdnpk.undp.org>
To: ipsec@ans.net
Date: Sat, 24 Feb 1996 17:23:14 +0000
X-Total-Enclosures: 1
Subject: Re: an imperfection in skip-pfs
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.01)
X-Orig-Sender: ipsec-request@neptune.tis.com
Precedence: bulk

> From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
>
> While I believe this provides perfect forward secrecy for subsequent
> traffic keys derived from g^xy, this does not appear to provide
> perfect forward privacy protection for the identities enclosed in the
> ephemeral certificates Cert_I and Cert_J.

Bill,

You are correct that the SKIP PFS draft does not provide equal protection for identity information as it does for traffic. However, the same is true of OAKLEY (and I believe Photuris, though I don't have a draft at hand to check), albeit in a different manner.

With, e.g., OAKLEY, the identity information is revealed in the unauthenticated phase, meaning that identity information would be disclosed under an active (intruder-in-the-middle) attack. Of course, traffic is secure against active forms of attack, since it is transmitted in the authenticated phase. An intruder-in-the-middle attack on SKIP PFS does not disclose identity information.

There are some additional points to consider. The most common usage of the anonymity feature is likely to be for mobile users, making secured access to corporate information across the Internet. In this scenario, J is an organizational firewall, and I is the mobile user. Compromise of the mobile user's long-term keys does not disclose identity information. Only compromise of the firewall's long-term keys discloses identity information. From a practical point of view, a mobile user's long-term keys are more likely to be compromised than the long-term keys of a physically protected organizational firewall.

Therefore, considering only identity protection, one has to ask oneself what is a greater threat:

a) the possibility of a compromise of a firewall's long-term keys, or
b) the possibility of an intruder-in-the-middle attack on the key exchange.

If a) is a greater threat then the identity protection provided by Photuris/Oakley is better. If b) is a greater threat then the identity protection provided by SKIP PFS is better.

In favor of the identity protection provided by Photuris/Oakley, it is worth noting that identity disclosure requires an attack on each key exchange, whereas with SKIP PFS compromise of a firewall's long-term keys discloses identity information for a large number of exchanges. However, in principle if one can perform an active attack on one key exchange, one could perform active attacks on many key exchanges.

Given these different tradeoffs, my own view is that the anonymity protection of SKIP PFS is adequate; however, I am open to modifying this if the WG believes a) to be a greater threat than b). (It is possible for the anonymity protection for SKIP PFS to be more like Oakley/Photuris, at the cost of some additional complexity.)

Regards,
Ashar.

-------------- Enclosure number 1 ----------------
From ashar Sat, 24 Feb 1996 12:12:54 PST +0500 remote from sunpak
Received: from ashar@sunpak by sunpak.sdnpk.undp.org (PMail+UDG PegWaf v0.26 93.04.04) id 3761 for ipsec@ans.net; Sat, 24 Feb 1996 12:12:54 PST +0500
From: ashar@sunpak.sdnpk.undp.org (Ashar Aziz)
To: ipsec@ans.net
Date: Sat, 24 Feb 1996 12:12:53 +0000
Subject: Re: an imperfection in skip-pfs. (fwd)
Priority: normal
X-mailer: Pegasus Mail for Windows (v2.01)

> From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
>
> While I believe this provides perfect forward secrecy for subsequent
> traffic keys derived from g^xy, this does not appear to provide
> perfect forward privacy protection for the identities enclosed in the
> ephemeral certificates Cert_I and Cert_J.

Bill,

You are correct that the SKIP PFS draft does not provide equal protection to identity information as it does to traffic. However, the same is true of OAKLEY (and I believe Photuris, though I don't have a draft at hand to check), albeit in a different manner.

With, e.g., OAKLEY, the identity information is revealed in the unauthenticated phase, meaning that identity information would be disclosed under an active (intruder-in-the-middle) attack. Of course, traffic is secure against active forms of attack, since it is transmitted in the authenticated phase. An intruder-in-the-middle attack on SKIP PFS does not disclose identity information.

There are some additional points to consider. The most common usage of the anonymity feature is likely to be for mobile users, making secured access to corporate information across the Internet. In this scenario, J is an organizational firewall, and I is the mobile user. Compromise of the mobile user's long-term keys does not disclose identity information. Only compromise of the firewall's long-term keys discloses identity information. From a practical point of view, a mobile user's long-term keys are more likely to be compromised than the long-term keys of a physically protected organizational firewall. This is why the identities are protected with g^xj and not g^ij.

Therefore, considering only identity protection, one has to ask oneself what is a greater threat:

a) the possibility of a compromise of a firewall's long-term keys, or
b) the possibility of an intruder-in-the-middle attack on the key exchange.

If a) is a greater threat then the identity protection provided by Photuris/Oakley is better. If b) is a greater threat then the identity protection provided by SKIP PFS is better.

In favor of the identity protection provided by Photuris/Oakley, it is worth noting that identity disclosure requires an attack on each key exchange, whereas with SKIP PFS compromise of a firewall's long-term keys discloses identity information for a large number of exchanges. However, in principle if one can perform an active attack on one key exchange, one could perform active attacks on many key exchanges.

Given these different tradeoffs, my own view is that the anonymity protection of SKIP PFS is adequate; however, I am open to modifying this if the WG believes a) to be a greater threat than b). (It is possible for the anonymity protection for SKIP PFS to be more like Oakley/Photuris, at the cost of some additional complexity.)

Regards,
Ashar.
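
The a)/b) tradeoff in the message above, worked through as an added example that is not part of the original e-mail or of either draft. It assumes I holds an authentic copy of J's long-term public value g^j; the toy group, the `seal` stand-in cipher, the secret values, and the reduction of the "unauthenticated phase" to sealing the identity under the ephemeral key are all constructed simplifications.

```python
import hashlib

# Toy group constructed for this example: safe prime P = 2*Q + 1, G of prime order Q.
# Far too small for real use; chosen so the exponents can be checked by hand.
P, Q, G = 2039, 1019, 4

def pub(secret):
    return pow(G, secret, P)

def dh(secret, peer_public):
    return pow(peer_public, secret, P)

def seal(shared, data):
    """XOR with a SHA-256 keystream of the DH value (stand-in cipher; self-inverse)."""
    stream = hashlib.sha256(str(shared).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed secrets: i, j long-term (I = mobile user, J = firewall);
# x, y ephemerals of I and J; z ephemeral chosen by an active intruder.
i, j = 11, 23
x, y, z = 5, 7, 13
IDENTITY = b"Cert_I: mobile-user"   # must fit the 32-byte keystream

def skip_pfs_exposure():
    """Identity sealed under g^xj; who can open a recorded exchange?"""
    wire = seal(dh(x, pub(j)), IDENTITY)   # observer also holds g^x and g^j
    return {
        "firewall_key_j": seal(dh(j, pub(x)), wire) == IDENTITY,
        "user_key_i": any(seal(k, wire) == IDENTITY
                          for k in (dh(i, pub(x)), dh(i, pub(j)))),
        "active_intruder": any(seal(k, wire) == IDENTITY
                               for k in (dh(z, pub(x)), dh(z, pub(j)))),
    }

def unauthenticated_phase_exposure():
    """Simplified model (assumption): identity sealed under the ephemeral key
    before the peer is authenticated, so I keys with whoever answered."""
    honest = seal(dh(x, pub(y)), IDENTITY)     # recorded run, j stolen later
    hijacked = seal(dh(x, pub(z)), IDENTITY)   # intruder substituted g^z for g^y
    return {
        "firewall_key_j": any(seal(k, honest) == IDENTITY
                              for k in (dh(j, pub(x)), dh(j, pub(y)))),
        "active_intruder": seal(dh(z, pub(x)), hijacked) == IDENTITY,
    }

def traffic_key_exposed_by_j():
    """Traffic keys come from g^xy; j alone yields only g^xj and g^jy."""
    return dh(x, pub(y)) in (dh(j, pub(x)), dh(j, pub(y)))
```

The two dictionaries are mirror images: under g^xj only the firewall's long-term key opens the identity, while in the unauthenticated-phase model only the active intruder does, and in both cases the g^xy traffic key stays out of reach of j.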