Hi Yaron,

> OK, I see your point (no pun intended). Regarding ECDH secret reuse, can you please review
> http://tools.ietf.org/html/rfc5996#section-2.12. That section was supposed to cover the relevant
> security considerations. In fact I think your attack is alluded to in the paper we reference from
> that section (see Sec. 5, first paragraph).

I agree with you that this is a general issue that should be addressed generally. Yet, as a
precaution, I could also include such a requirement in the current draft.


> If this needs to become a MUST requirement for IKEv2 peers using ECDH, it needs to be spelled out
> and not left as an exercise to the reader. But we have to understand whether this is a general
> requirement, or it only applies to peers that are reusing ECDH private keys for multiple IKE
> sessions.

If the ECDH key is chosen at random for each negotiation, then the attacker can only gain knowledge
of the shared secret and private key of the current negotiation. There is no other secret
information involved that could be learned.

Johannes

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
