SKIP Evaluation?

Vasek Petricek petricek at KOLEJ.MFF.CUNI.CZ
Mon Jan 31 18:16:59 EST 2000


On Thu, 27 Jan 2000, Robert Moskowitz wrote:

> At 12:37 PM 1/27/2000 +0100, Vasek Petricek wrote:
>
> >Has anyone seen or done some evaluation of the SKIP protocol?
>
> We had quite a few of them for the Montreal IETF meeting  ;)

Are any of these available somewhere? I think it would provide the missing
reasoning for choices made in the RFCs.

> >It seems to differ from IPSec in that it encrypts a packet using a random
> >key that is encrypted using a shared secret and sent together with the
> >packet. Are there any security risks in doing so, or is the overhead
> >considered to be too much?
>
> Not quite.  SKIP is an alternative Key Management Protocol to IKE or
> Photuris.  All three establish symmetric keying material for IPsec's ESP or AH.
>
> SKIP uses 2 Diffie-Hellman exchanges.  The first is based on 'well known'
> keys.  Since there is a small chance that these keys would be cracked over
> time, and if used heavily, they are only used to protect an exchange of a
> pair of ephemeral D-Hs that actually supply the IPsec KEYMAT.

I see - now I have read more SKIP docs and I still like the idea with
using a long lived master key. What is your opinion on the tradeoff
between relatively frequent reestablishment of SAs (IPSec) and rare
exchanges but additional cost of sending the keys in packets?

Vasek Petricek
