Eric Rescorla <[EMAIL PROTECTED]> writes: > John Denker <[EMAIL PROTECTED]> writes: > > Eric Rescorla wrote: > > > >> Uh, you've just described the ephemeral DH mode that IPsec > >> always uses and SSL provides. > > > > I'm mystified by the word "always" there, and/or perhaps by > > the definition of Perfect Forward Secrecy. Here's the dilemma: > > > > On the one hand, it would seem to the extent that you use > > ephemeral DH exponents, the very ephemerality should do most > > (all?) of what PFS is supposed to do. If not, why not? > > > > And yes, IPsec always has ephemeral DH exponents lying around. > > > > On the other hand, there are IPsec modes that are deemed to > > not provide PFS. See e.g. section 5.5 of > > http://www.faqs.org/rfcs/rfc2409.html > > Sorry, when I said IPsec I mean IKE. I keep trying to forget > about the manual keying modes. AFAICT IKE always uses the > DH exchange as part of establishment.
IKE always performs DH as part of phase 1 ("Main Mode" or "Aggressive Mode"), which authenticates and produces long-term keys for phase 2 and similar. In phase 2 ("Quick Mode"), which actually produces IPsec SAs, one can optionally perform an additional DH for PFS. -- This message may contain confidential and/or proprietary information, and is intended only for the person/entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]