IPsec +- Perfect Forward Secrecy
Ariel Shaqed Scolnicov
ascolnic at checkpoint.com
Thu Dec 2 02:37:44 EST 2004
Eric Rescorla <ekr at rtfm.com> writes:
> John Denker <jsd at av8n.com> writes:
> > Eric Rescorla wrote:
> >
> >> Uh, you've just described the ephemeral DH mode that IPsec
> >> always uses and SSL provides.
> >
> > I'm mystified by the word "always" there, and/or perhaps by
> > the definition of Perfect Forward Secrecy. Here's the dilemma:
> >
> > On the one hand, it would seem to the extent that you use
> > ephemeral DH exponents, the very ephemerality should do most
> > (all?) of what PFS is supposed to do. If not, why not?
> >
> > And yes, IPsec always has ephemeral DH exponents lying around.
> >
> > On the other hand, there are IPsec modes that are deemed to
> > not provide PFS. See e.g. section 5.5 of
> > http://www.faqs.org/rfcs/rfc2409.html
>
> Sorry, when I said IPsec I mean IKE. I keep trying to forget
> about the manual keying modes. AFAICT IKE always uses the
> DH exchange as part of establishment.
IKE always performs DH as part of phase 1 ("Main Mode" or "Aggressive
Mode"), which authenticates and produces long-term keys for phase 2
and similar. In phase 2 ("Quick Mode"), which actually produces IPsec
SAs, one can optionally perform an additional DH for PFS.
--
This message may contain confidential and/or proprietary information, and
is intended only for the person/entity to whom it was originally addressed.
The content of this message may contain private views and opinions which do
not constitute a formal disclosure or commitment unless specifically stated.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list