IETF Logo Mail Archive

Re: [IPsec] Quantum Resistance SK_d, SK_pi, SK_pr etc mixing

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 06 April 2017 15:37 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 235A4129529 for <ipsec@ietfa.amsl.com>; Thu, 6 Apr 2017 08:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bY_0XgIM5lST for <ipsec@ietfa.amsl.com>; Thu, 6 Apr 2017 08:37:50 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9597C129533 for <ipsec@ietf.org>; Thu, 6 Apr 2017 08:37:48 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [75.98.19.134]) by relay.sandelman.ca (Postfix) with ESMTPS id D82071F8F5 for <ipsec@ietf.org>; Thu, 6 Apr 2017 15:37:44 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 5A2862916; Thu, 6 Apr 2017 10:37:42 -0500 (CDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "ipsec@ietf.org" <ipsec@ietf.org>
In-reply-to: <22756.60015.425330.926683@fireball.acr.fi>
References: <22748.16157.573889.454241@fireball.acr.fi> <35c28486d67f45d897458a91d0b874d2@XCH-RTP-006.cisco.com> <22755.38800.522208.481154@fireball.acr.fi> <77827c4b2e8046c38f82aaffdb36d0f8@XCH-RTP-006.cisco.com> <22756.60015.425330.926683@fireball.acr.fi>
Comments: In-reply-to Tero Kivinen <kivinen@iki.fi> message dated "Wed, 05 Apr 2017 16:00:31 +0300."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Thu, 06 Apr 2017 11:37:42 -0400
Message-ID: <22016.1491493062@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3FjK-hAyYJtY9keqYsoWj49C8JE>
Subject: Re: [IPsec] Quantum Resistance SK_d, SK_pi, SK_pr etc mixing
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 15:37:52 -0000

Tero Kivinen <kivinen@iki.fi> wrote:
    > Scott Fluhrer (sfluhrer) writes:
    >> Going through this suggestion (and tweaking it a bit):
    >>
    >> Pluses: - I believe it can be made a bit more flexible than you make
    >> it out; it don't believe that you actually need to update every node
    >> with every PPK at the start.  With this protocol, the initiator
    >> decides

    > I did not even require that. I said you need to provide all PPKs for
    > that one node at the same time. Or at least that I was trying to say.
    > I can now see that my text was bit unclear.

Why do we need to provide PPKs for all peers at the same time?

    > Only reason why you want to enforce the PPKs to be used always, is when
    > you know that your attacker can already break Diffie-Hellman on real
    > time, and can also break your authentication method in real time.  Then
    > you need to use PPK to protect the authentication, as if attacker is
    > able to break the authentication in real time, then it can also modify
    > the packets on the wire by removing the N(PPK_IDENTITY) or
    > N(PPK_SUPPORTED) notifies and disabled PPK. If the authentication (and
    > Diffie-Hellman) cannot be broken in real time then authentiation will
    > prevent attacker disabling PPK.

Agreed, but I don't think this mandates that one load all the PPKs at the
same time, does it?


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email