Perfect Forward Secrecy

Perfect forward secrecy substitutes a clock-based master key for the long-term Diffie-Hellman shared secret K_ij. Using a clock-based master key means that the long-term secret K_ij is never directly exposed to third parties, making it less vulnerable to cryptanalysis. Another feature of perfect forward secrecy is that it prevents coarse-grain playback of traffic. Once the clock-based master key has been updated, traffic encrypted or authenticated with the help of old keys will be rejected by SKIP.

SKIP uses the long-term secret key K_ij and the date/time value n to create a time-based shared secret key K_ijn.

Kijn = h(Kij, n)

where h is a pseudo-random function such as MD5. SKIP uses the current time and date clock (actually, the number of hours since 1977) to generate n, which changes every hour. Consequently, hosts using SunScreen SKIP must verify that the date, time, and time zone settings on their systems are synchronized to ensure that they are using the same n in their master key calculations.

This time-based shared secret key is used to encrypt traffic keys. Since I and J can calculate K_ij based on their implicitly authenticated shared secret, the two computers can calculate the same value for K_ijn if their system clocks are synchronized.

SKIP relies on the system clock value to calculate time-based shared secrets. Consequently, hosts using SunScreen SKIP must verify that the date, time, and time zone settings on their systems are correct to ensure that they are using the same n in their master key calculations. Users should never change the time, date, or time zone setting on their computer while using SunScreen SKIP.

When I wants to send a secure message to J, I uses a randomly generated traffic key K_p to encrypt the contents of the message. The traffic key K_p is in turn encrypted using K_ijn. SunScreen SKIP then constructs a series of packets, each containing the IP header information (in cleartext) needed to route the packet to its destination, the traffic key encrypted with the time-based shared secret K_ijn, and the message data encrypted with the traffic key K_p. The following figure shows an encrypted IP packet, using this two-step encryption procedure.

Figure B-6 Encrypted IP Packet

When the destination host receives this encrypted packet, it looks up the sender's certificate. Using the long-term secret key K_ij and the counter value n (which is based on the current date and time), the destination host computes the same K_ijn value used by the sender. Using K_ijn, the destination host decrypts the traffic key K_p, and then uses the traffic key to decrypt the packet data.

Since K_ijn can be cached for efficiency, SKIP can change traffic keys very rapidly without incurring the computational overhead of a public key operation. SKIP changes traffic keys after a key has been idle for a user-specified number of seconds (30 seconds by default) or after a key has been used to encrypt a user-specified amount of data (512K by default).