Re: [IPsec] Last minute change to draft-ietf-ipsecme-qr-ikev2
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 11 June 2020 20:05 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E63003A0CBA for <ipsec@ietfa.amsl.com>; Thu, 11 Jun 2020 13:05:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=bqdpxmFf; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=AgUD8eLY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrpDoCPjWlMW for <ipsec@ietfa.amsl.com>; Thu, 11 Jun 2020 13:05:27 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 321363A0CBC for <ipsec@ietf.org>; Thu, 11 Jun 2020 13:05:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=24053; q=dns/txt; s=iport; t=1591905927; x=1593115527; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=CaKoikjh+bWGk2of1JLAw0vYsnl3sUmAejUI8aMl3TA=; b=bqdpxmFfTjfAJXfN0P/49G5q3qyrSJXyowZ5bTUBn0vxmvLPP7EVNpNa 4/2FG/TcsT4gM/bZIHFi0SavqXeZztryQt9M4QqCFCpCXZ4O/2QrV4deS tALBpbFehQO2xWB+60zGRhIui6HmEH7V4F5kI/Aptn3m81n7NaleTgaHF c=;
IronPort-PHdr: 9a23:tsCdiBF5eyaDghAdnOW8q51GYnJ96bzpIg4Y7IYmgLtSc6Oluo7vJ1Hb+e401gObUYDS8fkCiufKvebnQ2NTqZqCsXVXdptKWldFjMgNhAUvDYaDDlGzN//laSE2XaEgHF9o9n22Kw5ZTcD5YVCBrni79zVUGxjjO0xyPOumUoLXht68gua1/ZCbag5UhT27NLV1Khj+rQjYusQMx4V4LaNkwRrSqXwOcONTlm4=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AJCAB7jeJe/5RdJa1mHQEBAQEJARIBBQUBQIFKgSMvUgdvWC8sCodgA405mFKBQoEQA1ULAQEBDAEBLQIEAQGERAKCIgIkOBMCAwEBCwEBBQEBAQIBBgRthVsMhXIBAQEBAxILEBMBASwMDwIBCBEEAQEZCAcHMhQJCAEBBAESCA0ECYMFgX5NAy4BqQsCgTmIYXSBNIMBAQEFhSAYgg4JgTiCZIcbgkwagUE/gVSCTT6EGQESAQkaNBmCeIItjm6JaSWKepBFCoJZjlmKXJ5ckROaIoQGAgQCBAUCDgEBBYFqImZwcBU7gmlQFwINjh6DcYpWdDcCBggBAQMJfI0VJAmBBgGBDwEB
X-IronPort-AV: E=Sophos;i="5.73,500,1583193600"; d="scan'208,217";a="505660195"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 11 Jun 2020 20:05:26 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 05BK5PU5032465 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 11 Jun 2020 20:05:26 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 11 Jun 2020 15:05:26 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 11 Jun 2020 15:05:25 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 11 Jun 2020 15:05:25 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GQNZYLI5UFCWg6cSp6UW2+zd5Nu0zOgQtpjHyOb5+6A6FRkCTae9IeN+AqjkNnYD1PzDtuz79p/wqL7cSuFxpPTyWkuivYkCU+Lr3sm8kEsiGIgOwJuVl8bTcJVjFkVywRAi1FgFC+qej//GRp8QiXbNaNAmidQO2xknQCyesPnLFGcDIGhPuNS9Muik1mJA4PsIk+9js9dr3uyeORRo4IFcAFc+X6GupvYlZZkjueLViYAjPi9GuoDeLSELzBn9jcvuzmMN4Sr6eArzN8fMS1UoYIghYfHF6AUXrWz4Z/lytll83FyVshR8N4qQ82BEHdzbg9iMHYTbwm5vAd/Ntw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mW7WWjpIKSSFClAbOf8Bq8F4V+pTSuD08yF+Sugc27c=; b=XColDv+gG4ggkaMSqk6HDyk3J3YqyisZ5LO2UYHoXota2jpNP/ablTsATsOk3VRgJp/2w5/mRCEkf/hj28P0DAZwGWT/mPNwmWIq4OaJYLuYLMc4W/NNUqYkUrOTUO8GtBmrn4LjDVbeya379IitZvBtDs3zhLF/BSvky0sa/Jl8ZpQ2uOarL9hZQBX+7VMUmgKqr1OSkEYqtLaWe58IiFuUJfWIUL2GU7XZs2s62umGBQvqdJUaG+tlz0yVixINRVGuonlsnVIFQN2ih2/9bpS0fOVSSpolvLZMv2UCetfPPNsb7k40JaT9GTRjsrvrUudDlPQU1pOFP5uANVUmpQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mW7WWjpIKSSFClAbOf8Bq8F4V+pTSuD08yF+Sugc27c=; b=AgUD8eLYqVnuy09J2O2J+ZWVpoGk6OYcC6tw5OCfYwYY1Y4EF5rdK/lgWaQmqiiu3FlxVuolZYzZP9syycakLdNok28eKdpN8H1RXXEpJpW1/Lx2SnYwqZYQP4Up4afnqAdv5BUAUmTo5Ijk0oWVUqNrTXLfT9hdGwSUs01dDw4=
Received: from BN7PR11MB2641.namprd11.prod.outlook.com (2603:10b6:406:b1::25) by BN8PR11MB3714.namprd11.prod.outlook.com (2603:10b6:408:90::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.19; Thu, 11 Jun 2020 20:05:24 +0000
Received: from BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5]) by BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5%5]) with mapi id 15.20.3088.022; Thu, 11 Jun 2020 20:05:24 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Last minute change to draft-ietf-ipsecme-qr-ikev2
Thread-Index: AdY7b0YZDPRKeamGTBelnS42EluRIwCIhypQAKZrv1A=
Date: Thu, 11 Jun 2020 20:05:24 +0000
Message-ID: <BN7PR11MB2641A4A2967691DC5EE7A198C1800@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <BN7PR11MB2641BAFC172E209AFCF219FDC1860@BN7PR11MB2641.namprd11.prod.outlook.com> <BN7PR11MB2641A192BD1268A76C880B63C1850@BN7PR11MB2641.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB2641A192BD1268A76C880B63C1850@BN7PR11MB2641.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.76]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7f92e411-bad0-4807-cb56-08d80e42c6f8
x-ms-traffictypediagnostic: BN8PR11MB3714:
x-microsoft-antispam-prvs: <BN8PR11MB3714EF54E003AB20934C0DA2C1800@BN8PR11MB3714.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0431F981D8
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vs2Zg0Wh04Uj+s4cI56L6I/ybbESgpOB6QnoJ6QJSHJUqkHU82k2ROIqH3gYxfEeGYWQHrKeiG6TDceSBrN6vxUqEcbu2oJv7FNv5l1oxf+G5530IWpiF/rzWxm9ozehx6YpPa2qG6j6bKwS7A1AsToBOTnfONd26p/eSvJGS4CKSzEMYIaTlweifOrms3UtYVUuHECnL6igRW1PRF8xTOyruF1pVjgxf51Qb32seMz9shGAaHTeSZXGCpSfBCVTK24rfvbLB/pqBKbHUjn4Vve1HGHeSGD/FyuhJ+Kp2pxu9zoeY587IUyeCmQDPuVn6Pcvua33LvCr57iDEyoJwA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR11MB2641.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(346002)(366004)(376002)(39860400002)(396003)(478600001)(8676002)(6506007)(7696005)(2906002)(110136005)(186003)(9686003)(71200400001)(53546011)(316002)(33656002)(26005)(83380400001)(55016002)(76116006)(66446008)(66556008)(64756008)(8936002)(86362001)(66946007)(66476007)(5660300002)(52536014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: vsj+k5EnTSf3Un9pyS4o/5oHqpG9K74JL+qpM6+yzTI8ZgHyCmdUd3imNU7FDWuJQeXiYHOGXKNDf5TMqqJc4Pbc39XnuR/KEH/K5yCO19+29qzDWzGeIC8IL7RajBwb+6wA01mI9Cdxp5hmiILLjXm92GanICZ+oSONvz5/4Dld5MTToexuKblQZLTldCaokRYtW823QoiWbEdPlIUrNdO/J5EmQcMRms68q9yMGO8Njvq+EYNamgiwog7kEkKMbh/rzYHMO7DV1F6TCxzWf/vUT0/DqbW6H3GdhaY8TzeM+prgYxszFaunEYAFRr9D06lVgDMJx4nIXsGt4EZIen/2i/pvp6OY7NyZEiAOsI312f/O2QNuM0llqm2cZCV6QRuv0PgA7pDKZnKWAOBK1NDWFWkwiB9GBockTAikqdlZSdIXSNPKrqaYYbZpPMLWWRIfUZeKZUQPyrlEkClAbzpRVMKK8VuawsJMdaYo9TpPrE5bAG74v6jPzkpDFySc
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN7PR11MB2641A4A2967691DC5EE7A198C1800BN7PR11MB2641namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7f92e411-bad0-4807-cb56-08d80e42c6f8
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jun 2020 20:05:24.1269 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: JBdChxZgkByntf55+tbjYiG9M/Q+1qk199vBqK0oJ2R0AF44++p8J3/kCD4vXA6bW7sQizcpyGAgatyMjmqgyA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3714
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/5qoqiF0oAyts10Lm5fyWJwt_UFw>
Subject: Re: [IPsec] Last minute change to draft-ietf-ipsecme-qr-ikev2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jun 2020 20:05:30 -0000
Does anyone else have comments about this text (either for or against)? Paul, Tero, you had previously chimed in; do either of you something to say? From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Scott Fluhrer (sfluhrer) Sent: Monday, June 08, 2020 11:06 AM To: ipsec@ietf.org Subject: Re: [IPsec] Last minute change to draft-ietf-ipsecme-qr-ikev2 Tero had this comment (which didn't make it onto this mailing list): Btw, there is similar text in RFC7296 (base IKEv2) saying following: When using pre-shared keys, a critical consideration is how to assure the randomness of these secrets. The strongest practice is to ensure that any pre-shared key contain as much randomness as the strongest key being negotiated. Deriving a shared secret from a password, name, or other low-entropy source is not secure. These sources are subject to dictionary and social-engineering attacks, among others. so one option would also point to IKEv2 RFC and say that same restrictions for not using low-entropy key that apply for pre-shared keys there applies also PPK. That comment strikes me as having a good point; the pre-shared keys in IKE are subject to exactly the same dictionary attack that a PPK would have, and so the same advice would apply to both. On the other hand, asking the reader to dig through a 142 page document for the relevant advice, or even scan through 3 pages of the security considerations would appear to be less friendly than we could be; in addition, advice for PPKs also need to consider Quantum Computers (which were not a consideration with IKE pre-shared keys). How about this text (which integrates suggestions both from the security considerations of both RFC7296 and the PPK text, while trying to not sound like Frankentext [1]. A critical consideration is how to assure the randomness of this post-quantum preshared key. Quantum computers are able to perform Grover's algorithm [GROVER]; that effectively halves the size of a symmetric key. In addition, an adversary, even with a conventional computer, can perform a dictionary search over plausible post-quantum preshared key values. The strongest practice is to ensure that any post-quantum preshared key contains at least 256 bits of entropy, this will provide 128 bits of post-quantum security, while providing security against conventional dictionary attacks. That provides security equivalent to Level 5 as defined in the NIST PQ Project Call For Proposals [NISTPQCFP]. Deriving a postquantum preshared key from a password, name, or other low-entropy source is not secure because of these known attacks. The highlighted sections is text that is new to the draft; this would replace the first paragraph of the Security Considerations section. And, I would agree with Valery; I also would prefer to avoid putting numbers that sound concrete; especially on something that is hard to measure (and "amount of entropy" is notoriously hard to measure - you can measure length, but that doesn't actually mean "guessability", which is what we're trying to get at). [1]: For those readers who might not be familiar with English Literation or pop culture, there is a classic English novel "Frankenstein", when a scientist (Dr Frankenstein) patches together parts from several corpses, and brings it to life (of course, it didn't go well); in later references to this original novel, the stitching of the several parts is obvious. The allusion "Frankentext" suggests parts of several works being clumsily stitched together. It is typically good advice to avoid cultural references when talking on an international mailing list; I just couldn't help myself this time... From: Scott Fluhrer (sfluhrer) Sent: Friday, June 05, 2020 3:41 PM To: ipsec@ietf.org<mailto:ipsec@ietf.org> Subject: Last minute change to draft-ietf-ipsecme-qr-ikev2 The draft "Mixing Preshared Keys in IKEv2 for Post-quantum Security" was winding through the AUTH48 process, when at the last minute, I received an email from a researcher who thought they found a problem with low entropy PPKs (the preshared keys that the draft uses). While it turned out that what the found really wasn't a problem, such low entropy PPKs are a problem in general. To address this, I suggested to the RFC editors that we modify the first paragraph of the security considerations from: Original text: Quantum computers are able to perform Grover's algorithm [GROVER]; that effectively halves the size of a symmetric key. Because of this, the user SHOULD ensure that the post-quantum preshared key used has at least 256 bits of entropy, in order to provide 128 bits of post-quantum security. That provides security equivalent to Level 5 as defined in the NIST PQ Project Call For Proposals [NISTPQCFP]. Modified text: Quantum computers are able to perform Grover's algorithm [GROVER]; that effectively halves the size of a symmetric key. Because of this, the user SHOULD ensure that the post-quantum preshared key used has at least 256 bits of entropy, in order to provide 128 bits of post-quantum security. That provides security equivalent to Level 5 as defined in the NIST PQ Project Call For Proposals [NISTPQCFP]. An attacker who impersonates the server is able to validate guesses to the PPK. Because of this, low entropy PPK values MUST NOT be used. Additional text high-lighted. Because of the lateness of this change, Ben Kaduk (the area director) asked me to check with the list to make sure everyone is OK with this addition. Comments?
- [IPsec] Last minute change to draft-ietf-ipsecme-… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Last minute change to draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Last minute change to draft-ietf-ipse… Valery Smyslov
- Re: [IPsec] Last minute change to draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Last minute change to draft-ietf-ipse… Valery Smyslov
- Re: [IPsec] Last minute change to draft-ietf-ipse… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Last minute change to draft-ietf-ipse… Valery Smyslov
- Re: [IPsec] Last minute change to draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Last minute change to draft-ietf-ipse… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Last minute change to draft-ietf-ipse… Paul Wouters
- Re: [IPsec] Last minute change to draft-ietf-ipse… Scott Fluhrer (sfluhrer)