[859] in cryptography@c2.net mail archive
Re: forward secrecy and email protocols
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri May 16 17:26:06 1997
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: hal@rain.org
Cc: cryptography@c2.net
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
Date: Sat, 17 May 1997 09:05:33 (NZST)
>One of the ideas we talked about on cypherpunks a while back was
>to keep a session key around for each person you communicate with.
>For each message, you use the session key, and then you run it through a
>one-way function to derive the session key to use for the next message.
>There would need to be an initial public key communication to set up
>the session keys, but if the eavesdroppers didn't have access to that
>(because it happened a long time ago) then you get forward secrecy.
You don't really get forward secrecy because if someone compromises session
key n then they also have n+1, n+2, ... A while back I thought of using
something like SKEME to exchange a master secret and derive new session keys
from this (that is, from the master secret, not from another session key),
which still isn't perfect because a compromise of the master secret (rather
than one session key) compromises the session keys. A problem with SKEME (and
Oakley I think) is that the "fast rekey" mechanism is based on the initial key
shared via PKC-encrypted messages rather than the DH-derived session key, so a
compromise of the private keys also gives you all the session keys. What
would be nice is a cheap (i.e. less expensive than full DH) method of agreeing
on a new session key based on an existing shared secret which doesn't weaken
the new key if the secret is later compromised. SKEME offers something which
is a step in this direction by allowing you to do a new EXCH step during idle
time and authenticating it when you need a new key with an AUTH step, which at
least moves the DH cost into the background.
(Speaking of SKEME and Oakley, I haven't heard much of these recently - have
there been any developments with them since late last year? SKEME seems far
too elegant to sit around not being used...).
Peter.
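Added illustration (not code from the thread, and not SKEME or Oakley): the three key-evolution schemes the exchange above discusses, with a small attacker model showing what leaks when one session key is compromised. Scheme A is the quoted cypherpunks idea (k[n+1] = H(k[n])), scheme B is the master-secret variant Gutmann describes (k[n] = PRF(master, n)), and scheme C does a fresh DH exchange per key and discards the exponents. The choice of SHA-256 as the one-way function, HMAC as the PRF, and the toy DH group are this example's own assumptions and have no basis in the original message.

```python
"""Three ways of evolving per-message session keys, and what an attacker who
learns one of them can derive.  Added illustration, not code from the thread;
the one-way function (SHA-256), the HMAC-based master derivation and the toy
DH parameters are this example's own choices, not SKEME or Oakley."""
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    """One-way function used for key evolution (SHA-256 over the concatenation)."""
    return hashlib.sha256(b"".join(parts)).digest()


# Scheme A: k[n+1] = H(k[n]), the proposal quoted from the cypherpunks discussion.
def chain_next(k: bytes) -> bytes:
    return H(b"next-session-key", k)


def chain_keys(k0: bytes, count: int) -> list:
    keys = [k0]
    while len(keys) < count:
        keys.append(chain_next(keys[-1]))
    return keys


# Scheme B: k[n] = PRF(master, n); every key comes from a long-lived master
# secret rather than from its predecessor.
def master_key(master: bytes, n: int) -> bytes:
    return hmac.new(master, n.to_bytes(4, "big"), hashlib.sha256).digest()


def master_keys(master: bytes, count: int) -> list:
    return [master_key(master, n) for n in range(count)]


# Scheme C: a fresh DH exchange per key, ephemeral exponents discarded.
# Toy group (a Mersenne prime with generator 3) chosen only to keep the
# arithmetic instant; it is NOT a secure DH group (assumption for the demo).
P = 2 ** 127 - 1
G = 3


def dh_keys(count: int) -> list:
    keys = []
    for _ in range(count):
        a = secrets.randbelow(P - 2) + 1          # Alice's ephemeral exponent
        b = secrets.randbelow(P - 2) + 1          # Bob's ephemeral exponent
        shared = pow(pow(G, b, P), a, P)          # Alice computes (g^b)^a
        assert shared == pow(pow(G, a, P), b, P)  # Bob computes (g^a)^b
        keys.append(H(b"dh-session-key", shared.to_bytes(16, "big")))
        # a, b and shared are dropped here: nothing is kept that regenerates the key.
    return keys


# Attacker model: knows the scheme and exactly one session key keys[i].
# The only computation available from a bare key is running the one-way
# function forward; inverting H or evaluating HMAC without the master is out.
def derivable_from_session_key(keys: list, i: int) -> set:
    known = {i}
    k = keys[i]
    for j in range(i + 1, len(keys)):
        k = chain_next(k)
        if k != keys[j]:
            break
        known.add(j)
    return known


def derivable_from_master(keys: list, master: bytes) -> set:
    """Attacker who learns the master secret of scheme B."""
    return {n for n in range(len(keys)) if master_key(master, n) == keys[n]}


def secrecy_after_compromise(keys: list, i: int) -> tuple:
    """(past keys stay secret, future keys stay secret) once keys[i] leaks."""
    known = derivable_from_session_key(keys, i)
    past_safe = all(j not in known for j in range(i))
    future_safe = all(j not in known for j in range(i + 1, len(keys)))
    return past_safe, future_safe


if __name__ == "__main__":
    k0 = secrets.token_bytes(32)
    master = secrets.token_bytes(32)
    for name, keys in (("hash chain", chain_keys(k0, 6)),
                       ("master-derived", master_keys(master, 6)),
                       ("fresh DH", dh_keys(6))):
        print(name, "- key 2 leaks, attacker gets:",
              sorted(derivable_from_session_key(keys, 2)),
              "past/future safe:", secrecy_after_compromise(keys, 2))
    print("master-derived, master leaks, attacker gets:",
          sorted(derivable_from_master(master_keys(master, 6), master)))
```

Running it shows the point of the reply: with the hash chain a leaked key n hands over n+1, n+2, ... (past keys stay safe, future ones do not); with the master-derived scheme a single leaked session key gives nothing else, but the master gives everything; only the per-key DH exchange leaves the attacker with exactly the one key, at the cost of a full exponentiation per rekey, which is the expense the message would like to avoid.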