[16500] in cryptography@c2.net mail archive
Re: IPsec +- Perfect Forward Secrecy
daemon@ATHENA.MIT.EDU (Ariel Shaqed (Scolnicov))
Sun Dec 5 15:29:19 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
To: EKR <ekr@rtfm.com>
Cc: John Denker <jsd@av8n.com>, iang@systemics.com,
Ben Nagy <bnagy@eeye.com>, cryptography@metzdowd.com
Reply-To: Ariel Shaqed (Scolnicov) <ascolnic@checkpoint.com>
From: ascolnic@checkpoint.com (Ariel Shaqed (Scolnicov))
Date: 02 Dec 2004 09:37:44 +0200
In-Reply-To: <kjvfblrfnf.fsf@romeo.rtfm.com>
Eric Rescorla <ekr@rtfm.com> writes:
> John Denker <jsd@av8n.com> writes:
> > Eric Rescorla wrote:
> >
> >> Uh, you've just described the ephemeral DH mode that IPsec
> >> always uses and SSL provides.
> >
> > I'm mystified by the word "always" there, and/or perhaps by
> > the definition of Perfect Forward Secrecy. Here's the dilemma:
> >
> > On the one hand, it would seem to the extent that you use
> > ephemeral DH exponents, the very ephemerality should do most
> > (all?) of what PFS is supposed to do. If not, why not?
> >
> > And yes, IPsec always has ephemeral DH exponents lying around.
> >
> > On the other hand, there are IPsec modes that are deemed to
> > not provide PFS. See e.g. section 5.5 of
> > http://www.faqs.org/rfcs/rfc2409.html
>
> Sorry, when I said IPsec I mean IKE. I keep trying to forget
> about the manual keying modes. AFAICT IKE always uses the
> DH exchange as part of establishment.
IKE always performs DH as part of phase 1 ("Main Mode" or "Aggressive
Mode"), which authenticates and produces long-term keys for phase 2
and similar. In phase 2 ("Quick Mode"), which actually produces IPsec
SAs, one can optionally perform an additional DH for PFS.
--
This message may contain confidential and/or proprietary information, and
is intended only for the person/entity to whom it was originally addressed.
The content of this message may contain private views and opinions which do
not constitute a formal disclosure or commitment unless specifically stated.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
