IETF Logo Mail Archive

Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Tue, 22 August 2017 16:58 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE4881321A2 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 09:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9LREsTgRs6x9 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 09:58:53 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87DFF132026 for <ipsec@ietf.org>; Tue, 22 Aug 2017 09:58:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5485; q=dns/txt; s=iport; t=1503421133; x=1504630733; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=gux4lE4XFx0dLYtXLhZpBUREO130+rLlT5ZiyGz6/zI=; b=LNSk4I8/iVsNBdQcvGWE5YKs1RpJFxt5KSOkEngFWmhVKloSvmoDpabB XKpNF4Ai5igRr/6z1+pYjZYRWglNe7PKOphJWX2Pve7XUBDc42JD1t4yU seTJrHck3+VrZ50/dZSZBsj/D4hKDQJZUheq8AuWyJ50uyMxGCS/aBHHU s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CxAQB9YZxZ/5hdJa1cGQEBAQEBAQEBAQEBBwEBAQEBg1pkgRUHniSBbneHQY1nghIhC4UbAoQvQBcBAgEBAQEBAQFrKIUYAQEBAQIBAQElEw0nCwwEAgEIDgMEAQEfCQchBgsUCQgCBAENBQgTiX4DDQgQrlk6gz6Ddw2EHQEBAQEBAQEBAQEBAQEBAQEBAQEBARgFgyYEggKBTIFjgnM0gleCBoYKBYl+hxyOfzwCiyiEI4RtkmmMPolqASABNoEKdxVJhRYBHIFndohUB4ErgQ8BAQE
X-IronPort-AV: E=Sophos;i="5.41,412,1498521600"; d="scan'208";a="475342659"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 Aug 2017 16:58:52 +0000
Received: from XCH-ALN-008.cisco.com (xch-aln-008.cisco.com [173.36.7.18]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id v7MGwq69016590 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 22 Aug 2017 16:58:52 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-ALN-008.cisco.com (173.36.7.18) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 22 Aug 2017 11:58:51 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1210.000; Tue, 22 Aug 2017 11:58:51 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Valery Smyslov <svanru@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, 'Paul Wouters' <paul@nohats.ca>, "ipsec@ietf.org" <ipsec@ietf.org>
CC: 'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
Thread-Topic: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
Thread-Index: AQFrzo/mLNHQ912KAIRbgs5wCt+pzQFW4fuSo1KroxCAAG3q0A==
Date: Tue, 22 Aug 2017 16:58:51 +0000
Message-ID: <5ad2cc4718e2447b94b80cbb4a04dfef@XCH-ALN-010.cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca> <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com> <001701d31a89$3cf35ca0$b6da15e0$@gmail.com>
In-Reply-To: <001701d31a89$3cf35ca0$b6da15e0$@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.150.34.216]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/0CG_ODfyKJxHT6oZ4x0n0Fm1CEw>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 16:58:56 -0000

Valery,
It is a good idea. A new optional notification that includes the auth_data as it would be calculated without the PPK would work. With that, the corner case of ' PPK_id configured on initiator but missing on the responder' is addressed. There is an additional cost of the extra notification message for every initiator that has no-mandatory ppk configured for the responder. In the worst case scenario the responder would need to go through looking up the PPK_id and if that fails then authenticate the auth_data. Even though it is slightly more work for the responder, I don't consider that heavy processing that would introduce attack concerns. 

My concerns is that we might be making it too complicated by potentially introducing two separate SK_p's. From an ops perspective, if we stated the rule that when we want to go postquantum a PPK should be populated on the responder first as Graham and others suggested, then the extra complication of a new notification can be avoided. Violation of that rule would lead to IKE_AUTH failure for that initiator only.

Vukasin,
Any thoughts from an implementer's standpoint? 

Panos


-----Original Message-----
From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Valery Smyslov
Sent: Monday, August 21, 2017 10:25 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Paul Wouters' <paul@nohats.ca>; ipsec@ietf.org
Cc: 'Vukasin Karadzic' <vukasin.karadzic@gmail.com>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue

Hi Scott, 

> > then it has to flip a coin on whether or not to send the PPK_SUPPORT 
> > notify and if it guessed wrong, the AUTH payload on the initiator 
> > will be wrong. Sending the notify commits to using a PPK because the 
> > initiator uses it as input to the AUTH payload.

[...]

> > One way of solving this could be to allow PPK_SUPPORT to have some 
> > notify data, which could for instance be a hash of the 
> > connection/group name used by the responder.
> > Another option is to use the PPK as one of the inputs to some hash 
> > algorithm as PPK_SUPPORT data, so the responder can go through its 
> > list of PPKs to match it back to a connection/group. But we would 
> > need to be sure that this does not open up the PPK to attacks 
> > (classic and
> > quantum)
> 
> That's what we did in our original proposal (actually, it was a 
> function of the PPK itself).  The problems with that were:
> 
> - If we made it a nondeterministic function (that is, include a 
> randomizer), then the server had to do a linear scan over all their known PPKs to find the matching one.
> 
> - If we made it a deterministic function, then someone listening in 
> can trivially determine when we're reusing the same PPK
> 
> (There's also a minor issue of "which hash function to use"; we haven't negotiated any at this time).
> 
> A linear scan over possibly 10,000 PPKs was considered unacceptable.  
> One of our proposals even allowed the server to specify the trade-off between the above two; that was considered too complex.
> 
> I'm not thrilled with Tero's answer of "lets be careful about the 
> order we upgrade things in complex networks", but I don't know how to 
> better solve it without adding lots of complexity to the protocol, potential anonymity leaks or requiring significant computation on the server side.

One (relatively) simple solution would be the following.

If initiator is configured with PPK, but at the same time its policy marks using PPK as optional, then the initiator can send two authenticators - one using SK_pi' and the other using SK_pi (where SK_pi = prf(PPK, SK_pi')). The one, computed using SK_pi (where PPK is involved) is placed in AUTH payload, and the other, computed using SK_pi' (without PPK) is placed in a new optional status notification NO_PPK_AUTH.

   Initiator                       Responder
   ------------------------------------------------------------------
   HDR, SK {IDi, [CERT,] [CERTREQ,]
       [IDr,] AUTH, SAi2, TSi, TSr, 
       N(PPK_IDENTITY)(PPK_id), 
      [N(NO_PPK_AUTH)(auth_data)] }  --->

When responder receives this message and cannot find the corresponding PPK based on PPK_id and is configured to allow PPK-less SA, it can still authenticate initiator by using the content of NO_PPK_AUTH. 
In this case the Responder replies with the IKE_AUTH response lacking PPK_IDENTITY to let the initiator know that AUTH payload is computed as per RFC7296 (using SK_pr', i.e. without using PPK).

<---   HDR, SK {IDr, [CERT,]
       AUTH, SAr2, TSi, TSr} 

If the responder has the corresponding PPK, then it computes its AUTH payload using SK_pr and includes PPK_IDENTITY notification:

<---   HDR, SK {IDr, [CERT,] 
       AUTH, SAr2, TSi, TSr, 
       N(PPK_IDENTITY)(PPK_id)} 

This solution allows peers to communicate in different settings and to enforce their own policy.
For instance, if the initiator is configured to always use PPK, it won't include NO_PPK_AUTH at all. If responder is configured to always use PPK, it will just ignore NO_PPK_AUTH and return AUTHENTICATION_FAILED in case the proper PPK is not found.

Regards,
Valery.


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email