IETF-SSH archive


Re: Newer Rev of Section 11 - was: Re: IESG feedback on core drafts.



On Tue, 15 Apr 2003, Nicolas Williams wrote:
> On Tue, Apr 15, 2003 at 07:29:44PM +0300, Heikki Nousiainen wrote:
> > On Tue, 15 Apr 2003, Nicolas Williams wrote:
> > > Ergo SSHv2 has PFS as a property.
> > > 
> > > The text should say so since this is an important cryptographic property
> > > of the protocol.
> > 
> > Yes, PFS is a property we get with DH key exchanges, but I don't think it 
> > applies to paragraph 11.2. Clearly, compromise of a session key leads into 
> > a compromise of secret data, e.g. password, sent over that session.
> 
> Of course.  I'd lost track of the text in question - I was responding
> to the question of what is PFS and what is a good reference for it.
> 
> Now that I look at it, I have to agree with you that the text should
> clearly state that PFS is a property of the key exchange, that SSHv2 key
> exchange provides PFS for the session keys used in the transport layer
> (the proposed text reads: "The transport layer provides forward secrecy
> for password authentication ...," this is not correct).

Now that I read my e-mail again, I could have made my point clearer, 
sorry about that.

In conclusion, I think RJ Atkinson's original question '"perfect forward 
secrecy" or "forward secrecy"' is irrelevant to 11.2. I believe the intention
of this chapter is that authentication schemes based on shared secret are 
secured by the transport layer below, given encryption and MAC.


> > PFS is not a property of the SSHv2 protocol, but a property of the key 
> > exchange method, and I'd be wary to lay claims on it in the SSHv2 
> > protocol level.
> 
> This is evident from the definition of PFS.  SSHv2 sessions are secure
> even if private keying/authentication material is later revealed[*], but
> not if the session keys are revealed.  So, given the definition of PFS,
> SSHv2 does have PFS.

My point is, since we don't know whether the key exchange algorithm 
provides PFS, I think we can't make an explicit claim about PFS in SSHv2. 
Certainly that is the case for diffie-hellman-group1-sha1 (and as far as 
I know, for the rest of the key exchange methods drafted), but not 
necessarily for all key exchange methods used within the protocol.


[...]
> Perhaps there should be a sub-section on the key exchange phase of the
> protocol.

The core document should address diffie-hellman-group1-sha1, and each key 
exchange method draft should discuss the security considerations for the 
given algorithm.


 Best regards,
  Heikki Nousiainen
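
Added example, not part of the original message or of any SSH draft: a toy model of the point argued above, that forward secrecy depends on the key exchange method rather than on the protocol as a whole. The group parameters, both kex functions and all names are assumptions made for illustration; signing of the exchange is omitted.

```python
import hashlib
import secrets

# Toy group (assumption): 127-bit Mersenne prime, far too small for real use
# and not the group used by diffie-hellman-group1-sha1.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private exponent, public value G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def session_key(shared):
    """Derive a session key from the shared DH value."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def kex_ephemeral(host_key):
    """Hypothetical method A: both exponents are fresh and then discarded.
    The long-term host key would only sign the exchange (signing omitted)."""
    x, e = keypair()          # client ephemeral
    y, f = keypair()          # server ephemeral
    return session_key(pow(f, x, P)), {"e": e, "f": f}


def kex_static(host_key):
    """Hypothetical method B: the server reuses its long-term DH value."""
    host_priv, host_pub = host_key
    x, e = keypair()          # client ephemeral
    return session_key(pow(host_pub, x, P)), {"e": e, "f": host_pub}


def derive_from_leak(recorded, leaked_host_priv):
    """Key derivable from a recorded exchange plus a later-leaked host key."""
    return session_key(pow(recorded["e"], leaked_host_priv, P))


def has_forward_secrecy(kex):
    """True if leaking the long-term key afterwards does not yield the session key."""
    host_key = keypair()
    key, recorded = kex(host_key)
    return derive_from_leak(recorded, host_key[0]) != key
```

Both methods run over the same transport, yet only method A keeps past session keys safe once the long-term key is revealed.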



