[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AW: pre-established key mode as additional requirement?

To: "Dittmann, Werner" <werner.dittmann@xxxxxxxxxxx>
Subject: Re: AW: pre-established key mode as additional requirement?
From: Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 21 Feb 2007 06:42:43 -0800
Cc: "David R Oran" <oran@xxxxxxxxx>, "Dan Wing" <dwing@xxxxxxxxx>, <ietf-rtpsec@xxxxxxx>
In-reply-to: <A5B453A80186CF47BDA33BBA924EFAE901A18462@xxxxxxxxxxxxxxxxxxxxxxxxxx> (Werner Dittmann's message of "Wed, 21 Feb 2007 09:11:55 +0100")
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <01e201c75493$e985bc50$c2f0200a@xxxxxxxxxxxxxx> <655642D3-2366-4D65-8280-43441EE01195@xxxxxxxxx> <A5B453A80186CF47BDA33BBA924EFAE901A18462@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: EKR <ekr@xxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
User-agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)

"Dittmann, Werner" <werner.dittmann@xxxxxxxxxxx> writes:
>> On Feb 19, 2007, at 9:07 PM, Dan Wing wrote:
>> 
>> >
>> > I would like to see if there is consensus for a new 
>> requirement for  
>> > RTPSEC.
>> >
>> > Specialized devices may need to avoid public key operations or
>> > Diffie-Hellman operations because of the computational cost or  
>> > because of
>> > the additional call setup delay.  For example, it can take 
>> a second  
>> > or two
>> > to perform a Diffie-Hellman operation in certain devices.  
>> Examples  
>> > of these
>> > specialized devices would include some handsets, intelligent SIMs,  
>> > PSTN
>> > gateways, and SBCs.  For the typical case because a phone call  
>> > hasn't yet
>> > been established, ancillary processing cycles can be utilized to  
>> > perform the
>> > PK or DH operation; for example, in a PSTN gateway the DSP (which  
>> > isn't yet
>> > involved with typical DSP operations) could be used to perform the
>> > calculation, so as to avoid having the central host processor  
>> > perform the
>> > calculation.  Some devices, such as SBCs, handsets, and 
>> intelligent  
>> > SIMs do
>> > not have such ancillary processing capability.
>> >
>> > Thus, it seems a useful optimization to securely set up a call the  
>> > first
>> > time with a remote endpoint, and thereafter, when communicating  
>> > with the
>> > same remote endpoint, to leverage the DH or PK that was performed
>> > previously.
>> 
>> > Thoughts?
>> >
>> It seems eminently reasonable to support key management schemes for  
>> rtpsec that can leverage cached/stored keying material from prior  
>> sessions to derive new keys for the current session without 
>> requiring  
>> expensive cryptographic authentication operations.
>> 
>> Are you thinking of this as a MAY, a SHOULD, or a MUST?
>> 
>> Would you consider the TLS "session restart" machinery as qualifying  
>> to meet this requirement?
>> 
>> 
>> > -d
>
> Another solution to prevent DH computation during seesion set up:
> precompute some DH key pairs and store them. During session setup
> randomly select on of the pairs and use it. This precomputing could
> be done duting idle times.

This doesn't help as much as you'd like because you still need to
compute ZZ. This can actually be slower because you can't use
a table of precomputed g squares. Also, it doesn't work if there
are more than a few groups, since you don't know what shares to
precompute.


> A previously negotiated key is a "shared secret" between both parties.
> If this shared secret shall survive a session then some additional
> requirements pop up:
> - both parties MUST be sure that they are talking to the same party/client 
>   when they set up a new session. Otherwise the shared secret would be no 
>   longer a "secret". 

A properly implemented mechanism will require the other side to prove
possession. 


> - the shared secrets must be stored in save places, ideally protected by
>   some password (encrypted?). 

True. Most implementations accumulate quite a bit of secret stuff they
need to store securely. What's appropriate depends on the deployment
environment.


> - User notification that a secret was stored?

I don't see that this is necessary at the UI level. Obviously, your
toolkit should tell you what it is doing.


> - how long would such a shared secret be valid? Forever?

This was a controversial issue in the design of TLS because there's
no actual reason why a properly designed mechanism can't be used
essentially indefinitely, like a manually established secret key
is. The concerns are about policy, windows of exposure, and PFS.


> Such a mechanism and the underlying protocols must be designed very
> carefully, otherwise no security can be guaranteed. Also keep in mind how
> an user would handle it, which implications this might have to communications
> clients etc.

As I said above, the users don't have to know. In TLS, for instance, 
you typically design the APIs to provide all the information that you
would have if you hadn't done resumption, with another API mechanism
to determine if the session was in fact resumed.

-Ekr

References:
- pre-established key mode as additional requirement?
  - From: Dan Wing
- Re: pre-established key mode as additional requirement?
  - From: David R Oran
- AW: pre-established key mode as additional requirement?
  - From: Dittmann, Werner

Prev by Date: AW: pre-established key mode as additional requirement?
Previous by thread: AW: pre-established key mode as additional requirement?
Next by thread: RE: [Sip] RE: connected-identity before 200 Ok
Index(es):
- Date
- Thread