Re: Newer Rev of Section 11 - was: Re: IESG feedback on core drafts.

[Nicolas Williams <Nicolas.Williams%sun.com@localhost>]

On Tue, Apr 15, 2003 at 07:29:44PM +0300, Heikki Nousiainen wrote:
> On Tue, 15 Apr 2003, Nicolas Williams wrote:
> > Ergo SSHv2 has PFS as a property.
> > 
> > The text should say so since this is an important cryptographic property
> > of the protocol.
> 
> Yes, PFS is a property we get wih DH key exchanges, but I don't think it 
> applies to paragraph 11.2. Clearly, compromise of a session key leads into 
> a compromise of secret data, e.g. password, sent over that session.

Of course.  I'd lost track of the text in question - I was responding
to the question of what is PFS and what is a good reference for it.

Now that I look at it, I have to agree with you that the text should
clearly state that PFS is a property of the key exchange, that SSHv2 key
exchange provides PFS for the session keys used in the transport layer
(the proposed text reads: "The transport layer provides forward secrecy
for password authentication ...," this is not correct).

> PFS is not property of the SSHv2 protocol, but a property of the key 
> exchange method, and I'd be vary to lay claims on it in the SSHv2 
> protocol level.

This is evident from the definition of PFS.  SSHv2 sessions are secure
even if private keying/authentication material is later revealed[*], but
not if the session keys are revealed.  So, given the definition of PFS,
SSHv2 does have PFS.

[*] Of course, if the DH private parameters for the client and server
    and revealed then the session key is revealed, but these items can
    be thrown away after the key exchange completes.  It's worth
    pointing out that these items should not be allowed to end up on
    swap space and that they should be erased from memory as soon as the
    kex completes.

Perhaps there should be a sub-section on the key exchange phase of the
protocol.

Cheers,

Nico
--