Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 03 August 2017 14:13 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4ADF132058 for <ipsec@ietfa.amsl.com>; Thu, 3 Aug 2017 07:13:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knHn6pD0COpz for <ipsec@ietfa.amsl.com>; Thu, 3 Aug 2017 07:13:12 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80A3513203F for <ipsec@ietf.org>; Thu, 3 Aug 2017 07:13:11 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 153792009E; Thu, 3 Aug 2017 10:15:05 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 2B89780717; Thu, 3 Aug 2017 10:13:10 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
cc: "Graham Bartlett (grbartle)" <grbartle@cisco.com>, "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <35c7ff8909684374a316be24c7eba9d7@XCH-RTP-006.cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <35c7ff8909684374a316be24c7eba9d7@XCH-RTP-006.cisco.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Thu, 03 Aug 2017 10:13:10 -0400
Message-ID: <1072.1501769590@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/6AcBzLgt9MFF5if1H8jXFg8Regg>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 14:13:14 -0000
Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote: > EAP; frankly, I’m not that familiar with EAP, however, if EAP isn’t currently > postquantum secure, it may make sense for that protocol to be updated. EAP is a framework for a set of algorithms, some of which are are as stupid as "send the cleartext password", to CHAP-methods, to run some variation of TLS and do something else inside the TLS. (Yes, you can run EAP inside the TLS, and recursive...) Key generating EAP methods (of which passwords are not an example), deliver the same key to both ends securely, which in some situations is used to authenticate something else. In WPA/1x, it becomes your WEP key. In IKEv2, we can use EAP in addition to other methods; the gateway machine will often authenticate with a certificate. So if the certificate is post-quantum, is it enough to have half-duplex resistance? I suspect not. (I didn't read the rest of your message yet) -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [IPsec] Proposed method to achieve quantum resist… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Paul Wouters
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Daniel Van Geest
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Daniel Van Geest
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Bruckert, Leonie
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Paul Wouters
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai