IETF-SSH archive
Re: Newer Rev of Section 11 - was: Re: IESG feedback on core drafts.
On Tue, 15 Apr 2003, Nicolas Williams wrote:
> On Tue, Apr 15, 2003 at 07:29:44PM +0300, Heikki Nousiainen wrote:
> > On Tue, 15 Apr 2003, Nicolas Williams wrote:
> > > Ergo SSHv2 has PFS as a property.
> > >
> > > The text should say so since this is an important cryptographic property
> > > of the protocol.
> >
> > Yes, PFS is a property we get with DH key exchanges, but I don't think it
> > applies to paragraph 11.2. Clearly, compromise of a session key leads to
> > a compromise of secret data, e.g. a password, sent over that session.
>
> Of course. I'd lost track of the text in question - I was responding
> to the question of what is PFS and what is a good reference for it.
>
> Now that I look at it, I have to agree with you that the text should
> clearly state that PFS is a property of the key exchange, that SSHv2 key
> exchange provides PFS for the session keys used in the transport layer
> (the proposed text reads: "The transport layer provides forward secrecy
> for password authentication ...," this is not correct).
Now that I read my e-mail again, I could have made my point clearer,
sorry about that.
In conclusion, I think RJ Atkinson's original question '"perfect forward
secrecy" or "forward secrecy"' is irrelevant to 11.2. I believe the intention
of this chapter is that authentication schemes based on a shared secret are
secured by the transport layer below, given encryption and MAC.
> > PFS is not a property of the SSHv2 protocol, but a property of the key
> > exchange method, and I'd be wary to lay claims on it at the SSHv2
> > protocol level.
>
> This is evident from the definition of PFS. SSHv2 sessions are secure
> even if private keying/authentication material is later revealed[*], but
> not if the session keys are revealed. So, given the definition of PFS,
> SSHv2 does have PFS.
My point is, since we don't know whether the key exchange algorithm
provides PFS, I think we can't make an explicit claim about PFS in SSHv2.
Certainly that is the case for diffie-hellman-group1-sha1 (and as far as
I know, for the rest of the key exchange methods drafted), but not
necessarily for all key exchange methods used within the protocol.
[...]
> Perhaps there should be a sub-section on the key exchange phase of the
> protocol.
The core document should address diffie-hellman-group1-sha1, and each key
exchange method draft should discuss the security considerations for the
given algorithm.
Best regards,
Heikki Nousiainen
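The distinction argued in this thread (forward secrecy belongs to the key exchange method, while a leaked session key exposes anything, such as a password, sent over that session) is easy to see in a small model of the diffie-hellman-group1-sha1 exchange. The following is an added example written for this page; it is not code from the thread, the drafts or any SSH implementation. The 1024-bit modulus is transcribed from RFC 2409 group 2 (verify against the RFC before reuse); the host-key signature and the transport cipher are stand-ins (an HMAC over H and a SHA-1 counter keystream), and the version strings, password and key names are constructed for the demo.

```python
"""Model of SSHv2 diffie-hellman-group1-sha1: which secret compromises what.

The long-term host key only signs the exchange hash H.  Session keys come
from the ephemeral DH secret K, so a host key leaked later does not expose a
recorded session; a leaked session key (or an ephemeral exponent that was
not erased) does.  Signature and cipher here are stand-ins, not real SSH.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime (Oakley group 2) used by diffie-hellman-group1-sha1,
# transcribed from RFC 2409 -- check it against the RFC before reusing it.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def ssh_string(b: bytes) -> bytes:
    # SSH "string": uint32 length followed by the bytes.
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n: int) -> bytes:
    # SSH "mpint": big-endian two's complement, extra 0x00 byte if the top bit is set.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def derive_key(K: int, H: bytes, letter: bytes, session_id: bytes) -> bytes:
    # Transport-draft derivation: HASH(K || H || letter || session_id).
    return sha1(ssh_mpint(K) + H + letter + session_id)


def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for the negotiated cipher: SHA-1 counter-mode keystream.
    out = bytearray()
    for i in range(0, len(data), 20):
        block = sha1(key + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 20], block))
    return bytes(out)


def sign_exchange_hash(host_key: bytes, H: bytes) -> bytes:
    # Stand-in for the host-key signature over H (ssh-dss / ssh-rsa in real SSH).
    return hmac.new(host_key, H, hashlib.sha1).digest()


def run_session(host_key: bytes, password: bytes) -> dict:
    """Client and server perform the exchange and the client sends a password.
    Returns what an on-path recorder sees plus the secrets normally erased."""
    x = secrets.randbelow(P - 2) + 2          # client's ephemeral exponent
    y = secrets.randbelow(P - 2) + 2          # server's ephemeral exponent
    e = pow(G, x, P)                          # KEXDH_INIT
    f = pow(G, y, P)                          # KEXDH_REPLY
    K = pow(f, x, P)
    assert K == pow(e, y, P)
    # Exchange hash over the public transcript (other fields abbreviated).
    H = sha1(ssh_string(b"SSH-2.0-client") + ssh_string(b"SSH-2.0-server")
             + ssh_mpint(e) + ssh_mpint(f) + ssh_mpint(K))
    sig = sign_exchange_hash(host_key, H)     # the only use of the host key
    session_id = H                            # first exchange of the connection
    c2s_key = derive_key(K, H, b"C", session_id)   # client-to-server cipher key
    ciphertext = stream_xor(c2s_key, password)     # password auth request on the wire
    return {
        "on_wire": {"e": e, "f": f, "sig": sig, "H": H, "ciphertext": ciphertext},
        "session_key": c2s_key,
        "ephemeral_x": x,
    }


def recover_password_with_session_key(on_wire: dict, session_key: bytes) -> bytes:
    # A leaked session key decrypts the recorded session directly.
    return stream_xor(session_key, on_wire["ciphertext"])


def recover_password_with_ephemeral(on_wire: dict, x: int) -> bytes:
    # An ephemeral exponent that was not erased gives K, hence the session keys.
    K = pow(on_wire["f"], x, P)
    key = derive_key(K, on_wire["H"], b"C", on_wire["H"])
    return stream_xor(key, on_wire["ciphertext"])


def host_key_forges_signature(on_wire: dict, host_key: bytes) -> bool:
    # A leaked host key reproduces (or forges) the signature on H, enabling
    # future impersonation, but nothing derived from it leads back to K.
    return hmac.compare_digest(sign_exchange_hash(host_key, on_wire["H"]), on_wire["sig"])


def demo(password: bytes = b"hunter2") -> dict:
    host_key = secrets.token_bytes(32)        # constructed long-term host secret
    s = run_session(host_key, password)
    w = s["on_wire"]
    return {
        "wire_hides_password": w["ciphertext"] != password,
        "session_key_leak": recover_password_with_session_key(w, s["session_key"]),
        "ephemeral_leak": recover_password_with_ephemeral(w, s["ephemeral_x"]),
        "host_key_leak_forges_sig": host_key_forges_signature(w, host_key),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `derive_key` never takes the host key as input: that is the whole of the forward-secrecy argument for this method, and it is also why the property has to be re-established for every other key exchange method rather than claimed for the protocol as a whole.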