[860] in cryptography@c2.net mail archive
Re: forward secrecy and email protocols
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Mon May 19 12:29:25 1997
Date: Fri, 16 May 97 22:39:15 GMT
From: "William Allen Simpson" <wsimpson@greendragon.com>
To: pgut001@cs.auckland.ac.nz
Cc: cryptography@c2.net
> ... A problem with SKEME (and
> Oakley I think) is that the "fast rekey" mechanism is based on the initial key
> shared via PKC-encrypted messages rather than the DH-derived session key, so a
> compromise of the private keys also gives you all the session keys. What
> would be nice is a cheap (i.e. less expensive than full DH) method of agreeing
> on a new session key based on an existing shared secret which doesn't weaken
> the new key if the secret is later compromised.
That's what I did in Photuris. All keys, including fast rekey, are
based on both of the party secrets, and the DH-derived shared-secret.
+ the Initiator Cookie,
+ the Responder Cookie,
+ the SPI Owner secret-key,
+ the SPI User secret-key,
+ the message Verification field,
+ the computed shared-secret.
The message verification field is what changes in each rekey, and itself
has the shared-secret mixed in.
I hoped that it would be harder to compromise all three sources of secrets.
Karn originally designed the verification field to be encrypted too,
but Krawczyk managed to get that to be "optional", back when we were
trying to cooperate with the IPSec group.
> (Speaking of SKEME and Oakley, I haven't heard much of these recently - have
> there been any developments with them since late last year? SKEME seems far
> too elegant to sit around not being used...).
>
I haven't read SKEME. Do you know where to find it? Is it online?
But, I heard that SKEME was a subset of Photuris (which has "schemes").
Photuris is alive and well, and has various flavors of implementations
floating around. I'm trying to corral them and get them all updated to
the same revision.
Oakley is alive and still in the process of being regularly mangled by
the IPSec group. The Oakley author has gone over to the DoD, but she's
still around.
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
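The contrast the thread draws, between a fast rekey derived only from a PKC-shared initial key and one that also mixes in the DH-derived shared secret and a verification field that itself carries the shared secret, can be shown in a few lines. The following is an added illustration written for this archive page, not code from Photuris, Karn, Simpson or any RFC: the field names follow the list in the mail, but the hash (SHA-256 over length-prefixed inputs), the `fast_rekey` construction and all sample values are assumptions chosen for the example.

```python
import hashlib
from dataclasses import dataclass, replace


def kdf(*parts: bytes) -> bytes:
    """Hash a length-prefixed concatenation of the inputs.

    SHA-256 and the length-prefix layout are assumptions of this example;
    Photuris specifies its own hash and field ordering.
    """
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


@dataclass(frozen=True)
class Exchange:
    """Per-association state a party holds after the initial exchange."""
    initiator_cookie: bytes
    responder_cookie: bytes
    owner_secret: bytes       # SPI Owner secret-key (long-term party secret)
    user_secret: bytes        # SPI User secret-key (long-term party secret)
    shared_secret: bytes      # DH-derived shared-secret
    verification: bytes       # message Verification field; refreshed on every rekey


def session_key(x: Exchange) -> bytes:
    """Session key mixing all six sources named in the mail."""
    return kdf(x.initiator_cookie, x.responder_cookie,
               x.owner_secret, x.user_secret,
               x.verification, x.shared_secret)


def fast_rekey(x: Exchange, fresh: bytes) -> Exchange:
    """Cheap rekey with no new DH: only the verification field changes, and
    the shared secret is mixed into it, so the new key still depends on DH."""
    return replace(x, verification=kdf(x.verification, x.shared_secret, fresh))


def attacker_recompute(x: Exchange, guessed_shared_secret: bytes) -> bytes:
    """What someone holding the cookies, both party secrets and the current
    verification field, but not the DH shared secret, can derive."""
    return session_key(replace(x, shared_secret=guessed_shared_secret))


def pkc_only_chain(initial_key: bytes, n: int) -> list:
    """The weaker design the quoted message objects to: every fast-rekey key
    is a function of the PKC-shared initial key alone, so recovering that key
    (e.g. via the long-term private key) yields the whole chain."""
    return [kdf(initial_key, i.to_bytes(4, "big")) for i in range(n)]


def example_exchange() -> Exchange:
    """Constructed sample values; a real exchange uses random cookies and a
    DH-derived secret."""
    return Exchange(
        initiator_cookie=bytes.fromhex("00112233445566778899aabbccddeeff"),
        responder_cookie=bytes.fromhex("ffeeddccbbaa99887766554433221100"),
        owner_secret=b"owner-long-term-secret",
        user_secret=b"user-long-term-secret",
        shared_secret=b"dh-derived-shared-secret",
        verification=b"initial-verification-field",
    )


if __name__ == "__main__":
    x = example_exchange()
    for i in range(3):
        print("session key", i, session_key(x).hex()[:16])
        x = fast_rekey(x, i.to_bytes(4, "big"))
    print("recomputed without DH matches:",
          attacker_recompute(x, b"wrong") == session_key(x))
```

Running it prints three distinct session keys and `False` for the last line: with the shared secret absent from the attacker's view, neither the session key nor the next verification field can be rebuilt from the party secrets alone, whereas `pkc_only_chain` is fully reproducible from its single input.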