On Wed, Dec 01, 2004 at 01:45:15PM -0500, John Denker wrote:
> Eric Rescorla wrote:
> >Uh, you've just described the ephemeral DH mode that IPsec
> >always uses and SSL provides.
> I'm mystified by the word "always" there, and/or perhaps by
> the definition of Perfect Forward Secrecy.  Here's the dilemma:
> On the one hand, it would seem to the extent that you use
> ephemeral DH exponents, the very ephemerality should do most
> (all?) of what PFS is supposed to do.  If not, why not?
> And yes, IPsec always has ephemeral DH exponents lying around.
> On the other hand, there are IPsec modes that are deemed to
> not provide PFS.  See e.g. section 5.5 of
>   http://www.faqs.org/rfcs/rfc2409.html
> Perhaps the resolution of the dilemma is to say that IPsec
> "always" uses ephemeral DH for _some_ things, but it does not
> "always" use ephemeral DH for some _other_ things.  Right?

I apologize in advance to all IPsec-knowledgeable readers for using
imprecise terminology.

There are two types of Security Associations (encrypted channels) involved.
The first, called an "ISAKMP SA", is strictly for control traffic between
the IPsec peers ("management metadata").  The other type is an "IPsec SA",
which is for "real" data.

The negotiation to establish an ISAKMP SA *always* involves a DH exchange.
In fact, in "main mode", there are three pairs of messages:  parameter
exchange (encryption algorithm, hashing algorithm, authentication mechanism),
DH exchange, and then authentication.  The ISAKMP SA is really set up at the
end of the DH exchange; the first order of business is to do authentication
over the encrypted channel to prevent a man-in-the-middle attack.

On the other hand, the ISAKMP mode to negotiate an IPsec SA is called "quick
mode".  It is expected that that mode does not involve costly cryptographic
operations (such as a DH exchange).  The keys for an IPsec SA are derived
from keying material established in the ISAKMP SA negotiation.  If one wants
PFS for IPsec SAs, then one includes a DH exchange in the quick mode
negotiation (thereby turning it into a "not-so-quick mode" negotiation?).

So, to summarize:

- DH exchange always happens for ISAKMP SA setup
- DH exchange may or may not happen for IPsec SA setup

OK, back to lurking ...

                                        - Ken

> Also note that 'ephemeral' is not a binary predicate.  Some
> things are more ephemeral than others.  Can you also have
> more-perfect PFS and less-perfect PFS?
> =======
> There are plenty of things out there (including Cisco boxes,
> in the default configuration) where the IPsec does not have
> PFS turned on.
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to