IETF Logo Mail Archive

Re: [IPsec] IPsec with QKD

Tony Putman <t-ietf@putwet.me.uk> Wed, 12 November 2014 20:01 UTC

Return-Path: <t-ietf@putwet.me.uk>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D4841A1AE0 for <ipsec@ietfa.amsl.com>; Wed, 12 Nov 2014 12:01:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.701
X-Spam-Level:
X-Spam-Status: No, score=-0.701 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZgzBp6AhqqE for <ipsec@ietfa.amsl.com>; Wed, 12 Nov 2014 12:01:31 -0800 (PST)
Received: from avasout01.plus.net (avasout01.plus.net [84.93.230.227]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 705961AD0C7 for <ipsec@ietf.org>; Wed, 12 Nov 2014 12:01:10 -0800 (PST)
Received: from [192.168.1.2] ([80.229.245.222]) by avasout01 with smtp id Ek151p0034odrNw01k16FT; Wed, 12 Nov 2014 20:01:08 +0000
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=ZZGTN6lA c=1 sm=1 tr=0 a=ZDAw9H2lLuf1cmfnewsGHg==:117 a=ZDAw9H2lLuf1cmfnewsGHg==:17 a=0Bzu9jTXAAAA:8 a=rkJuIV0pGx0A:10 a=N659UExz7-8A:10 a=apiPipScAAAA:8 a=EFN36vXRZenWvA8XG9QA:9 a=BkxV86R-1-1OVkTN:21 a=HKNG2hbzHr_FKBup:21 a=pILNOxqGKmIA:10
X-AUTH: putwet+t-ietf:2500
Message-ID: <5463BC80.5020702@putwet.me.uk>
Date: Wed, 12 Nov 2014 20:01:04 +0000
From: Tony Putman <t-ietf@putwet.me.uk>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Rodney Van Meter <rdv@sfc.wide.ad.jp>
References: <14BE57EA00BC0C469E17B5AD698FE67783D07A82@FR711WXCHMBA03.zeu.alcatel-lucent.com> <5462A3C5.8050601@putwet.me.uk> <34767662-9F6F-4C36-8B77-1787FD705157@sfc.wide.ad.jp>
In-Reply-To: <34767662-9F6F-4C36-8B77-1787FD705157@sfc.wide.ad.jp>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/8Ijr0TVbRBqcyNO3tZMRNRxxe5Y
Cc: ipsec <ipsec@ietf.org>, Shota Nagayama <kurosagi@sfc.wide.ad.jp>, Shigeya Suzuki <shigeya@wide.ad.jp>
Subject: Re: [IPsec] IPsec with QKD
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Nov 2014 20:01:41 -0000

Rod,

I would class myself as an interested bystander, not one who would
actually implement or use a QKD protocol, so I don't know whether this
should be a work item or not.  Certainly, some of the suggestions I'm
making should not be adopted unless it *is* accepted as a work item.

On 12/11/14 03:22, Rodney Van Meter wrote:
> The KE Payload explicitly names fields like Diffie-Hellman Group Num.
> It’s pretty closely tied to D-H.  [...]
> I’m opposed to shoehorning something with rather
> different semantics into the same stuff, and adding caveats like, “We
> know that the normal use is for D-H group number, but we cheat and
> use it instead to mean…”  That approach seems likely to lead to
> maintainability problems down the road, including on things like
> having non-D-H items listed in the table of group numbers.

I don't see this as having different semantics.  Certainly the text ties
it to D-H, but conceptually it is just a method of exchanging enough
information to establish a session key with forward secrecy.  I can
describe some of the advantages that I see to doing it this way, but I
fully agree that this would need broad agreement before going ahead with
it.  Without such agreement, I suggest a new payload with the same
semantics as the KE payload.

The main advantage of using the same payload is to do with algorithm
negotiation.  It's not easy to motivate algorithm negotiation when the
underlying assumption is that the peer is known to have a shared QKD key
and so presumably already supports this draft, but let me try. 

Let's suppose that both direct use and PAK-DH are supported.  Then the
standard IKEv2 approach would be for the initiator to pick one for the
initial exchange, but to signal support for both in the SA payload.  If
the responder does not support the chosen algorithm but will support the
other, then it sends back the INVALID_KE_PAYLOAD notification which
indicates the transform that it would accept.  If we use a different
payload, then the same can be achieved by using a different
notification, but it is hard to negotiate a choice between current DH
key agreement and QKD key agreement (assuming both are acceptable to the
initiator).

Perhaps this the key point: will the initiator ever be in a position
where it does not know that the responder will accept QKD?  If so, then
it makes sense to indicate support for both DH and QKD, and allow the
responder to choose.  Although this *can* be done using two different
payload types, it is a lot simpler to use the same payload type for
both.  I have no idea what the answer to this question would be.

> So in this case, your figure above reuses the KE Payload ID, or not?
> I think you’re asking for a new Payload ID here (same as we are),
> just want to be clear.
>
> I’m not opposed to the new QKD (or OOB) Payload hewing fairly closely
> to the format of KE, but we did add some fields in our QKD ID
> Payload.  [...]

At this stage, I'm not taking a position on whether a new Payload ID is
used.  I'm only saying that the same format can be used either way.  In
this case, the "Key Exchange Method Num" (which may or may not be
identical to the "Diffie-Hellman Group Num" in the KE Payload) is
equivalent to your "version": evolving just consists of defining a new
Method; also, this will be the same number as is used as the Transform
ID (and should be maintained by IANA), so that you can negotiate which
version to use.  I described previously how I envisage implementing
negotiation on fallback policy, so I don't see a need to explicitly
include it in the QKD KeyID payload.

> [Description of key generation]

This is useful information.  It answers my question elsewhere about key
size: it's defined by the selected algorithms.  However, I still think
that Ni and Nr should feed into this in order to allow key reuse where
the authentication stage has failed.  One way to do this would be to
define SK_d as the first n bits of the QKD material, then create a
keystream as prf+ (SK_d, Ni | Nr | SPIi | SPIr) and xor this with the
remaining QKD material to obtain the remaining keys.  As far as I can
see, this doesn't decrease the entropy of the keys.

> [Regarding key material exhaustion]  I don’t think there is
> any in-band IP-level DoS attack here, but let us think about what
> happens when someone attempts to spoof the legitimate partner who
> actually holds the KeyID that matches.

After some thought, this seems to need an active attacker, so maybe it
is not so important.  But I also think that the remedy is quite simple
(and is already part of IKEv2).

> [...] 
> Thanks for the careful read & thoughtful feedback,

My pleasure!  I'm afraid that I've skipped some important points, but I
want to think more about the question of algorithm negotiation before I
address them.  I look forward to your thoughts on the matter.

Tony

v2.23.0 | Report a Bug | By Email