IETF-SSH archive


Re: Newer Rev of Section 11 - was: Re: IESG feedback on core drafts.



On Tue, 15 Apr 2003, Nicolas Williams wrote:
> On Tue, Apr 15, 2003 at 05:07:38AM +0300, Heikki Nousiainen wrote:
> > Re: Newer Rev of Section 11 - was: Re: IESG feedback on core drafts.,
> > Nicolas Williams, Fri 4/11/2003 9:22 AM
> 
> [...]
> > > > I'm also not sure, but it would be nice if we could find
> > > > someone who is sure -- preferably someone who can supply
> > > > a citation or a more detailed rationale to support the claim.
> > >
> > > "Perfect forward secrecy" - see Google search:
> > [...]
> > 
> > This is not "perfect forward secrecy". From what I understand, the text
> > merely points out that the transport layer provides confidentiality and
> > integrity protection [given encryption and mac] for authentication
> > protocol (and methods within, e.g. password authentication) running on top
> > of it.
> 
> Diffie-Hellman (DH) key exchanges have PFS as a property; specifically,
> keys exchanged with DH are perfectly forward secure.
> 
> SSHv2 uses DH as the basis of the key exchange and derives session keys
> from the DH exchange.
> 
> Ergo SSHv2 has PFS as a property.
> 
> The text should say so since this is an important cryptographic property
> of the protocol.

Yes, PFS is a property we get with DH key exchanges, but I don't think it
applies to paragraph 11.2. Clearly, compromise of a session key leads to
a compromise of secret data, e.g. password, sent over that session.

PFS is not a property of the SSHv2 protocol, but a property of the key
exchange method, and I'd be wary to lay claims on it in the SSHv2
protocol level.

 Regards,
  Heikki Nousiainen



