OK, let me ask a more specific question. Actually, let me put forth some hypotheses about how I think it works, and see if anyone has corrections or comments.
0) I'm not sure the words Perfect Forward Secrecy convey what we mean when we talk about PFS. Definition 12.16 in HAC suggests _break-backward protection_ as an alternative, and I prefer that. Perhaps the complementary concept of break-back _exposure_ would be even more useful.
http://www.cacr.math.uwaterloo.ca/hac/
http://www.cacr.math.uwaterloo.ca/hac/about/chap12.pdf
I think for today we don't have a simple yes/no question as to whether the secrecy is "perfect"; instead we have multiple quantitative questions as to which connections have how much break-back exposure.
1) First an ISAKMP SA is set up, then it is used to negotiate one or more IPsec SAs, which carry the traffic.
2) Ephemeral DH is always used on the ISAKMP SA, so the ISAKMP session has no more than one ISAKMP session's worth of break-back exposure. That is, the attacker who steals an ISAKMP session key can read that session, but (so far as we know :-) does not thereby gain any head-start toward reading earlier ISAKMP sessions.
3) Each IPsec SA has its own session key. The stated purpose of Quick Mode is to provide "fresh" keying material. "Nonces" are used. As I understand it, that means the IPsec session keys are sufficiently ephemeral that each IPsec session has no more than one IPsec session's worth of break-back exposure. That is, the attacker who steals an IPsec session key can read that session, but does not (sfawk :-) gain any head-start toward reading earlier IPsec sessions.
4) As far as I can tell, the only interesting question is whether a break of the ISAKMP session is _inherited_ by the IPsec sessions set up using that ISAKMP session. The break of an IPsec session will not spread at all. The break of an ISAKMP session will not spread beyond that ISAKMP session ... but what happens within that ISAKMP session? The answer, as I understand it, depends on the setting of the misleadingly-named "IPsec PFS" option. If the option is set, there is an additional layer of opacity on a per-IPsec-SA basis, so that a break of the ISAKMP session is not inherited by its IPsec SAs.
Bottom line:
As I understand it, IPsec always has a reasonably tight limit on the amount of break-back exposure, but setting the so-called "PFS" option reduces the exposure further ... roughly speaking, by a factor of the number of IPsec SAs per ISAKMP SA.
Comments, anyone?
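The bottom line in point 4, as an added example that is not part of the original post: a simplified Python model of Quick Mode keying (loosely modelled on IKEv1's KEYMAT derivation but not the exact RFC 2409 formula; an HMAC stands in for the prf, and random bytes stand in for SKEYID_d and for the per-Quick-Mode DH shared secret, all assumptions of this example). An attacker who has stolen the ISAKMP session secret and recorded the Quick Mode exchanges can recompute every IPsec key under that ISAKMP SA without "IPsec PFS", and none of them with it.

```python
import hashlib
import hmac
import secrets

# Simplified model of IKEv1 Quick Mode keying (an assumption of this example,
# not the exact RFC 2409 derivation): an HMAC stands in for the prf, random
# bytes stand in for SKEYID_d and for the per-Quick-Mode DH shared secret.

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def ipsec_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                 qm_dh_secret: bytes = b"") -> bytes:
    # Without "PFS" the IPsec key depends only on the ISAKMP-derived SKEYID_d
    # and on values sent in the clear (SPI, nonces). With "PFS" a fresh DH
    # shared secret, never transmitted, is mixed in for each IPsec SA.
    return prf(skeyid_d, qm_dh_secret + spi + ni + nr)

def isakmp_session(n_ipsec_sas: int, pfs: bool):
    """Set up one ISAKMP SA and negotiate n IPsec SAs under it.

    Returns the ISAKMP secret, the eavesdropper-visible transcript and the
    real IPsec keys (so the model can check the attacker's guesses)."""
    skeyid_d = secrets.token_bytes(32)       # stands in for the ISAKMP ephemeral DH result
    transcript, real_keys = [], []
    for _ in range(n_ipsec_sas):
        spi, ni, nr = (secrets.token_bytes(4), secrets.token_bytes(16),
                       secrets.token_bytes(16))
        qm_dh = secrets.token_bytes(32) if pfs else b""   # extra DH only with PFS
        real_keys.append(ipsec_keymat(skeyid_d, spi, ni, nr, qm_dh))
        transcript.append((spi, ni, nr))     # only the public values are observable
    return skeyid_d, transcript, real_keys

def break_back_exposure(n_ipsec_sas: int, pfs: bool) -> int:
    """Number of IPsec SAs readable by an attacker who stole the ISAKMP
    session secret and recorded the Quick Mode exchanges."""
    skeyid_d, transcript, real_keys = isakmp_session(n_ipsec_sas, pfs)
    readable = 0
    for (spi, ni, nr), real in zip(transcript, real_keys):
        guess = ipsec_keymat(skeyid_d, spi, ni, nr)   # attacker lacks the QM DH secret
        readable += hmac.compare_digest(guess, real)
    return readable

if __name__ == "__main__":
    print("without PFS:", break_back_exposure(4, pfs=False), "of 4 IPsec SAs readable")
    print("with PFS:   ", break_back_exposure(4, pfs=True), "of 4 IPsec SAs readable")
```

Each call to isakmp_session draws a fresh SKEYID_d, which is the model's version of point 2: a stolen ISAKMP secret says nothing about other ISAKMP sessions.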
The Cryptography Mailing List