IPsec +- Perfect Forward Secrecy

John Denker jsd at av8n.com
Wed Dec 1 21:08:13 EST 2004


OK, let me ask a more specific question.  Actually, let me
put forth some hypotheses about how I think it works, and
see if anyone has corrections or comments.

0) I'm not sure the words Perfect Forward Secrecy convey what
we mean when we talk about PFS.  Definition 12.16 in HAC suggests
_break-backward protection_ as an alternative, and I prefer that. 
Perhaps the complementary concept of break-back _exposure_ would
be even more useful.
   http://www.cacr.math.uwaterloo.ca/hac/
   http://www.cacr.math.uwaterloo.ca/hac/about/chap12.pdf

I think for today we don't have a simple yes/no question as
to whether the secrecy is "perfect";  instead we have multiple
quantitative questions as to which connections have how much
break-back exposure.

1) First an ISAKMP SA is set up, then it is used to negotiate
one or more IPsec SAs, which carry the traffic.

2) Ephemeral DH is always used on the ISAKMP SA, so the ISAKMP
session has no more than one ISAKMP session's worth of break-back
exposure.  That is, the attacker who steals an ISAKMP session
key can read that session, but (so far as we know :-) does not
thereby gain any head-start toward reading earlier ISAKMP sessions.

3) Each IPsec SA has its own session key.  The stated purpose of
Quick Mode is to provide "fresh" keying material.  "Nonces" are
used.  As I understand it, that means the IPsec session keys are
sufficiently ephemeral that each IPsec session has no more than
one IPsec session's worth of break-back exposure.  That is, the
attacker who steals an IPsec session key can read that session,
but does not (sfawk :-) gain any head-start toward reading
earlier IPsec sessions.

4) As far as I can tell, the only interesting question is whether
a break of the ISAKMP session is _inherited_ by the IPsec sessions
set up using that ISAKMP session.  The break of an IPsec session
will not spread at all.  The break of an ISAKMP session will not
spread beyond that ISAKMP session ... but what happens within that
ISAKMP session?  The answer, as I understand it, depends on the
setting of the misleadingly-named "IPsec PFS" option.  If the
option is set, there is an additional layer of opacity on a
per-IPsec-SA basis, so that a break of the ISAKMP session is not
inherited by its IPsec SAs.

Bottom line:

As I understand it, IPsec always has a reasonably tight limit on
the amount of break-back exposure, but setting the so-called
"PFS" option reduces the exposure further ... roughly speaking,
by a factor of the number of IPsec SAs per ISAKMP SA.

Comments, anyone?
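As an added illustration of hypotheses 2 through 4 (this is example code written for this page, not part of the original post): a small Python model of the Quick Mode key derivation from RFC 2409 section 5.5, run once with the "IPsec PFS" option off and once with it on, under the attacker model the post describes (the ISAKMP SA's secret SKEYID_d is stolen and the Quick Mode messages can be read). Assumptions: a toy 127-bit Mersenne prime stands in for a real IKE DH group, HMAC-SHA256 stands in for the negotiated prf, SKEYID is derived as for signature authentication, and the helper names (`isakmp_phase1`, `quick_mode`, `attacker_keymat`, `inherited_breaks`) are invented for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for readability only
# (a Mersenne prime, NOT one of the MODP groups registered for IKE).
P = (1 << 127) - 1
G = 3
BYTES = (P.bit_length() + 7) // 8

ESP = b"\x03"  # PROTO_IPSEC_ESP from the IPsec DOI, used as the "protocol" byte


def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the negotiated prf (RFC 2409 uses HMAC with the negotiated
    # hash); fixed to HMAC-SHA256 for this example.
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)


def dh_shared(x: int, g_y: int) -> bytes:
    return pow(g_y, x, P).to_bytes(BYTES, "big")


def isakmp_phase1() -> bytes:
    """Hypotheses 1/2: Main Mode with ephemeral DH. Returns SKEYID_d, the
    ISAKMP SA secret from which IPsec SA keys are later derived
    (RFC 2409 section 5, signature auth: SKEYID = prf(Ni_b|Nr_b, g^xy),
    SKEYID_d = prf(SKEYID, g^xy|CKY-I|CKY-R|0))."""
    xi, g_xi = dh_keypair()
    xr, g_xr = dh_keypair()
    g_xy = dh_shared(xi, g_xr)
    assert g_xy == dh_shared(xr, g_xi)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    skeyid = prf(ni + nr, g_xy)
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")


def quick_mode(skeyid_d: bytes, pfs: bool):
    """Hypotheses 3/4: one Quick Mode run creating one IPsec SA.
    Returns (KEYMAT, transcript). The transcript is what someone holding the
    ISAKMP session keys can read from the exchange: SPI, the nonces and,
    with PFS on, only the PUBLIC Quick Mode DH values."""
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = {"spi": spi, "ni": ni, "nr": nr, "g_qm": None}
    if pfs:
        # RFC 2409 5.5: KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
        xi, g_xi = dh_keypair()
        xr, g_xr = dh_keypair()
        g_qm_xy = dh_shared(xi, g_xr)
        transcript["g_qm"] = (g_xi, g_xr)
        keymat = prf(skeyid_d, g_qm_xy + ESP + spi + ni + nr)
    else:
        # RFC 2409 5.5: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
        keymat = prf(skeyid_d, ESP + spi + ni + nr)
    return keymat, transcript


def attacker_keymat(stolen_skeyid_d: bytes, transcript):
    """The post's attacker: knows SKEYID_d and can read the Quick Mode
    messages. Without PFS the IPsec key follows directly from public data;
    with PFS it would also need g(qm)^xy, which the transcript does not
    contain (only g^x and g^y), so no key is recovered here."""
    if transcript["g_qm"] is not None:
        return None
    return prf(stolen_skeyid_d,
               ESP + transcript["spi"] + transcript["ni"] + transcript["nr"])


def inherited_breaks(n_ipsec_sas: int, pfs: bool) -> int:
    """How many of n IPsec SAs under one ISAKMP SA become readable once that
    ISAKMP SA's secret is stolen: the 'inherited' break of hypothesis 4."""
    skeyid_d = isakmp_phase1()
    broken = 0
    for _ in range(n_ipsec_sas):
        keymat, transcript = quick_mode(skeyid_d, pfs)
        if attacker_keymat(skeyid_d, transcript) == keymat:
            broken += 1
    return broken


if __name__ == "__main__":
    print("IPsec SAs readable after ISAKMP break, PFS off:", inherited_breaks(8, pfs=False))
    print("IPsec SAs readable after ISAKMP break, PFS on: ", inherited_breaks(8, pfs=True))
```

With PFS off every IPsec SA negotiated under the stolen ISAKMP SA falls (8 of 8); with PFS on none of them do (0 of 8), which is the "factor of the number of IPsec SAs per ISAKMP SA" in the post's bottom line. The model deliberately leaves out everything the question does not turn on (authentication, SKEYID_a/SKEYID_e, the encrypted envelope around Quick Mode).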


---------------------------------------------------------------------
The Cryptography Mailing List