[strongSwan] seeking advice: pfs on creating a child_sa?

John Brown jb20141125 at gmail.com
Tue Mar 8 10:01:23 CET 2016


Hi Harri,
I can give you only the opinion of a strongSwan user, but this is not the
opinion of a cryptographic expert.

I think that using PFS for child_sa is not a critical issue, but it is better
to use it if you can. If you do not use PFS for phase 2, the crypto keys for
this phase are derived from other keys (I do not know the details). If you
use PFS for child_sa, phase 2 keys are "independent" from phase 1 keys, so
if they (i.e. phase 1 keys) are compromised, this gives no additional
information to an eavesdropper for decrypting child_sa traffic.

Of course, not all DH groups are considered safe. So using PFS does not
automatically mean that your data are safe.

Regards,
John


2016-03-04 9:18 GMT+01:00 Harald Dunkel <harald.dunkel at aixigo.de>:

> Hi John,
>
> On 03/01/2016 12:55 PM, John Brown wrote:
> > Hi,
> >
> > I can give you two links with a small amount of information about your
> > question:
> >
> > http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
> >
> > and
> >
> > https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS
> >
>
> I saw the wiki article before, of course. The point is that some
> implementations don't support PFS for phase 2, including
> iPhones (at least for IKEv1), Windows (7?, 10?) and even
> charon-nm. Since I made PFS optional for phase 2 in our road
> warrior setup on the server, a lot of "broken connection after
> an hour or so" problems went away.
>
> AFAIU PFS provides a means to create a symmetric key on both
> peers without exchanging anything secret over a (possibly
> unprotected or compromised) communication line. I am not sure
> if this is an issue for phase 2. Is it?
>
>
> Regards
> Harri
>
>