
I'm trying to see the actual point in implementing Perfect Forward Secrecy during Internet Key Exchange Phase 2, if it had already been used during Phase 1.

Quoting the IKEv2 RFC:

RFC 5596
3.3.2. Transform Substructure

[...] Although ESP and AH do not directly include a Diffie-Hellman exchange, a Diffie-Hellman group MAY be negotiated for the Child SA. This allows the peers to employ Diffie-Hellman in the CREATE_CHILD_SA exchange, providing perfect forward secrecy for the generated Child SA keys.

Is there a real security incentive to implement this forward secrecy feature?
What is the risk it tries to cover?

My understanding is that, without PFS here, the Child SA (Security Association) keys are derived directly from the keys negotiated during Phase 1.

If an attacker gets his hands on the dynamically generated keys negotiated during Phase 1 (in memory or after breaking the involved cryptography), I cannot see why he could not get the new ones generated during Phase 2.

Aym_C

1 Answer


The idea of PFS is that not all keys are equal, when considering risks of ulterior theft. A private key stored in a file may be stolen afterwards, e.g. if the disk fails and is carelessly discarded. On the other hand, a key which resides in RAM only disappears when the machine is shut down or rebooted, and thus is unlikely to be recovered by a hostile entity. In the PFS security model, we care mostly about keys which are not generated dynamically, but stored on physical mediums for arbitrary amounts of time.

When using Diffie-Hellman, it is not the use of DH which grants PFS; what grants PFS is not storing the DH private key. DH or an elliptic-curve variant is often used in protocols which seek PFS, because PFS implies generating a new key pair on-the-fly, and generating a DH or ECDH key pair can be done very efficiently (as opposed to, say, RSA).

Thomas Pornin
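An added example (not from the question or the answer) that walks through the two Child SA key derivations of RFC 5996 section 2.17 under the threat model in the question: the attacker holds the Phase 1 SK_d and a passive capture of the CREATE_CHILD_SA exchange. The DH group, the SK_d value and the nonces are constructed toy values; prf+ is the RFC's construction instantiated with HMAC-SHA-256.

```python
import hmac
import hashlib
import secrets

# Toy DH group for illustration only (a real deployment negotiates e.g. a 2048-bit MODP group).
P = 2**127 - 1
G = 3

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5996 2.13 prf+: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n), output = T1|T2|..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out, n = out + prev, n + 1
    return out[:length]

def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"") -> bytes:
    """RFC 5996 2.17: KEYMAT = prf+(SK_d, Ni|Nr); with PFS, KEYMAT = prf+(SK_d, g^ir(new)|Ni|Nr)."""
    return prf_plus(sk_d, g_ir + ni + nr, 64)

def create_child_sa(sk_d: bytes, ni: bytes, nr: bytes, pfs: bool):
    """One CREATE_CHILD_SA between initiator and responder; returns (KEYMAT_i, KEYMAT_r, wire capture)."""
    wire = {"Ni": ni, "Nr": nr}                       # nonces are sent in the clear
    if not pfs:
        return child_keymat(sk_d, ni, nr), child_keymat(sk_d, ni, nr), wire
    # Ephemeral private exponents: generated on the fly, live in RAM only, never stored.
    i, r = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    wire["KEi"], wire["KEr"] = pow(G, i, P), pow(G, r, P)   # public values a sniffer sees
    g_ir_i = pow(wire["KEr"], i, P).to_bytes(16, "big")     # initiator's view of g^ir
    g_ir_r = pow(wire["KEi"], r, P).to_bytes(16, "big")     # responder's view of g^ir
    return child_keymat(sk_d, ni, nr, g_ir_i), child_keymat(sk_d, ni, nr, g_ir_r), wire

def attacker_recover(stolen_sk_d: bytes, wire: dict):
    """Attacker model from the question: a stolen Phase 1 SK_d plus a passive capture of the exchange."""
    if "KEi" in wire:
        # g^ir is not on the wire; computing it needs a private exponent (or solving the DLP).
        return None
    return child_keymat(stolen_sk_d, wire["Ni"], wire["Nr"])
```

Without PFS the recorded nonces and the stolen SK_d reproduce the Child SA keys exactly; with PFS the same capture is not enough, because the missing input only ever existed in the peers' memory.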