[16495] in cryptography@c2.net mail archive
Re: IPsec +- Perfect Forward Secrecy
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Dec 1 14:57:18 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
To: John Denker <jsd@av8n.com>
Cc: iang@systemics.com, Ben Nagy <bnagy@eeye.com>,
cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 01 Dec 2004 11:18:28 -0800
In-Reply-To: <41AE113B.7030306@av8n.com> (John Denker's message of "Wed, 01
Dec 2004 13:45:15 -0500")
John Denker <jsd@av8n.com> writes:
> Eric Rescorla wrote:
>
>> Uh, you've just described the ephemeral DH mode that IPsec
>> always uses and SSL provides.
>
> I'm mystified by the word "always" there, and/or perhaps by
> the definition of Perfect Forward Secrecy. Here's the dilemma:
>
> On the one hand, it would seem to the extent that you use
> ephemeral DH exponents, the very ephemerality should do most
> (all?) of what PFS is supposed to do. If not, why not?
>
> And yes, IPsec always has ephemeral DH exponents lying around.
>
> On the other hand, there are IPsec modes that are deemed to
> not provide PFS. See e.g. section 5.5 of
> http://www.faqs.org/rfcs/rfc2409.html
Sorry, when I said IPsec I mean IKE. I keep trying to forget
about the manual keying modes. AFAICT IKE always uses the
DH exchange as part of establishment.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
