Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 17 August 2017 14:19 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D883132668 for <ipsec@ietfa.amsl.com>; Thu, 17 Aug 2017 07:19:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S8USh25XmQbd for <ipsec@ietfa.amsl.com>; Thu, 17 Aug 2017 07:19:40 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CBDD132645 for <ipsec@ietf.org>; Thu, 17 Aug 2017 07:19:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4028; q=dns/txt; s=iport; t=1502979579; x=1504189179; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=GZsAb4XlMC9SIsLfvDj4sH8/SaMnnM7us32b1xjP7YU=; b=I4R3GhlnrTAWinOCutmudHUbSC3bx8734H5E9+dyR7uPDfgl0UGDi5iH tFo+crOyzrt4yuwsfvaKqOV/XZvyr/bampmv4QhAwjAT/OQYQivBwOV44 eV5C+DmJU+CHkopM/FYok7pWetGOUc0Cei6/t5GbHUWnoPK2DtqdA5rFn 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C5AQC+pZVZ/4wNJK1dGQEBAQEBAQEBAQEBBwEBAQEBgy8rgXkHnhyBbneVJIIShUcChFhBFgECAQEBAQEBAWsohRgBAQEBAgE6PwUHBAIBCBEEAQEfCQcyFAkIAgQBDQUIiBIBgg0IrC+LYAEBAQEBAQEBAQEBAQEBAQEBAQEBAR2DKIICgUyBY4JzNIRdhgoFiX6HF480AosniRCSZZYcASYDLoEKdxVJhRYBHIFndodjB4ErgQ8BAQE
X-IronPort-AV: E=Sophos;i="5.41,388,1498521600"; d="scan'208";a="471245884"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Aug 2017 14:19:13 +0000
Received: from XCH-RTP-006.cisco.com (xch-rtp-006.cisco.com [64.101.220.146]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id v7HEJC8h001046 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 17 Aug 2017 14:19:12 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-006.cisco.com (64.101.220.146) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 17 Aug 2017 10:19:12 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1210.000; Thu, 17 Aug 2017 10:19:12 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
CC: Vukasin Karadzic <vukasin.karadzic@gmail.com>
Thread-Topic: draft-fluhrer-qr-ikev2 AUTH issue
Thread-Index: AQHTFv7PXMQpAeZDckWYCR1jI1LmeqKIlRwQ
Date: Thu, 17 Aug 2017 14:19:11 +0000
Message-ID: <38865aa6100d491fb1beb120f72d4bda@XCH-RTP-006.cisco.com>
References: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708162147570.26093@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.252.68]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/3Sz-PKXPDZ8foQqanGaBEQL4cVg>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 14:19:42 -0000
> -----Original Message----- > From: Paul Wouters [mailto:paul@nohats.ca] > Sent: Wednesday, August 16, 2017 10:16 PM > To: ipsec@ietf.org WG > Cc: Scott Fluhrer (sfluhrer); Vukasin Karadzic > Subject: draft-fluhrer-qr-ikev2 AUTH issue > > > Hi, > > Vukasin Karadzic is working on implementing draft-fluhrer-qr-ikev2 for > libreswan and stumbled upon a problem. The relevant text: > > When the initiator receives this reply, it checks whether the > responder included the PPK_SUPPORT notify. If the responder did not, > then the initiator MUST either proceed with the standard IKE > negotiation (without using a PPK), or abort the exchange (for > example, because the initiator has the PPK marked as mandatory). If > the responder did include the PPK_SUPPORT notify, then it selects a > PPK, along with its identifier PPK_id. Then, it computes this > modification of the standard IKE key derivation: > > A responder answering an IKE_INIT containing PPK_SUPPORT needs to reply > without knowing for which connection this IKE_INIT will be. > > The responder has not yet received the initiator's ID. If the responder has > some connections that require a PPK and some connections that require NO > PPK, We never envisioned a situation where you would deliberately chose not to use a PPK. Can we replace this with a situation where you don't know whether you share a PPK with the initiator? > then it has to flip a coin on whether or not to send the PPK_SUPPORT > notify and if it guessed wrong, the AUTH payload on the initiator will be > wrong. Sending the notify commits to using a PPK because the initiator uses > it as input to the AUTH payload. > > So this table from the RFC is incomplete: > > This table summarizes the above logic by the responder > > Received PPK_SUPPORT Have PPK PPK Mandatory Action > ------------------------------------------------------------------ > No No * Standard IKE protocol > No Yes No Standard IKE protocol > No Yes Yes Abort negotiation > Yes No * Standard IKE protocol > Yes Yes * Include PPK_SUPPORT > > Basically, we are in the case where "Have PPK" is not yet known. > > > One way of solving this could be to allow PPK_SUPPORT to have some notify > data, which could for instance be a hash of the connection/group name used > by the responder. > Another option is to use the PPK as one of the inputs to > some hash algorithm as PPK_SUPPORT data, so the responder can go > through its list of PPKs to match it back to a connection/group. But we would > need to be sure that this does not open up the PPK to attacks (classic and > quantum) That's what we did in our original proposal (actually, it was a function of the PPK itself). The problems with that were: - If we made it a nondeterministic function (that is, include a randomizer), then the server had to do a linear scan over all their known PPKs to find the matching one. - If we made it a deterministic function, then someone listening in can trivially determine when we're reusing the same PPK (There's also a minor issue of "which hash function to use"; we haven't negotiated any at this time). A linear scan over possibly 10,000 PPKs was considered unacceptable. One of our proposals even allowed the server to specify the trade-off between the above two; that was considered too complex. I'm not thrilled with Tero's answer of "lets be careful about the order we upgrade things in complex networks", but I don't know how to better solve it without adding lots of complexity to the protocol, potential anonymity leaks or requiring significant computation on the server side. > > Paul
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Derrell Piper
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Graham Bartlett (grbartle)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Vukasin Karadzic
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2 AUTH issue Panos Kampanakis (pkampana)