So far, we've had a lot of talk about TLS and email (which is great!), but I wonder if we want to broaden our horizons a bit and consider what else we should be talking about.

Many symmetric key cryptosystems (such as Kerberos) do not really include provisions for forward secrecy. A pervasive passive attacker, then, who can record all traffic involving certain participants over a long timescale (years?), can then go back and decrypt all the old traffic, if a key is ever revealed. Now, a responsible deployment will of course have a schedule for changing long-term keys (note: most deployments I interact with are not responsible in this regard), but it is common for the old long-term key to be used to secure the exchange setting the new long-term key. If that exchange is captured by the adversary, then leaking the old key will also leak the new key!

In Kerberos, we have session keys and key derivation to avoid producing much ciphertext in a given long-term key to give to an attacker, but it seems unlikely that an attacker in this scenario will be using only cryptanalytic techniques. The KDC presents a very juicy target, for one, but other long-term keys can be compromised in other ways (and from less sensitive targets).

We have some ideas for how to improve the situation in Kerberos, adding forward secrecy for kadmin exchanges and AP-REQ/AP-REP exchanges, to prevent leaking old keys from exposing new keys, and to give extra protection to application traffic. There is probably more that can be done for Kerberos as well; we haven't had too much time to think about it, yet.

The question I pose to this list is: what other symmetric-key systems should we be thinking about? (Even without the qualification, what other systems should we be thinking about?)

-Ben Kaduk
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
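The key-chaining risk described in the post (a rotation that sends the new long-term key under the old one, so a recorded transcript plus one leaked key yields every later key), beside a rotation that mixes in an ephemeral DH secret. This is an added illustration, not code from the post or from any Kerberos implementation; the wrap function, the toy-sized DH group and the transcript format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy DH group, chosen only to keep the example self-contained (constructed,
# not from the post); a real deployment would use a standard DH/ECDH group.
P = 2**127 - 1
G = 3

def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte key from the concatenation of its inputs."""
    return hashlib.sha256(b"|".join(parts)).digest()

def wrap(key: bytes, data: bytes, nonce: bytes) -> bytes:
    """Toy key wrap: XOR with an HMAC keystream (stand-in for a real cipher).
    Applying it again with the same key and nonce unwraps."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def rotate_chained(old_key: bytes):
    """Rotation as the post describes: the new key travels under the old one."""
    new_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return new_key, ("wrapped", nonce, wrap(old_key, new_key, nonce))

def rotate_with_ephemeral(old_key: bytes):
    """Rotation that mixes an ephemeral DH secret into the new key (assumed fix)."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)   # only these go on the wire
    shared = pow(pub_b, a, P).to_bytes(16, "big")
    return kdf(old_key, shared), ("dh", pub_a, pub_b)

def run_rotations(scheme, count: int, key0: bytes):
    """Rotate `count` times; return every key and the on-wire transcript."""
    keys, transcript = [key0], []
    for _ in range(count):
        new_key, wire = scheme(keys[-1])
        keys.append(new_key)
        transcript.append(wire)
    return keys, transcript

def passive_recovery(transcript, leaked_key0: bytes):
    """Keys a recorder holding `transcript` can derive once key0 leaks."""
    known = [leaked_key0]
    for kind, *fields in transcript:
        if kind != "wrapped":      # DH public values alone give no shared secret
            break
        nonce, ciphertext = fields
        known.append(wrap(known[-1], ciphertext, nonce))
    return known[1:]
```

With the chained scheme the recorder recovers the whole chain from one leaked key; with the ephemeral mix-in it recovers nothing beyond the key that leaked.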
