IETF Logo Mail Archive

Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol

"Valery Smyslov" <svanru@gmail.com> Tue, 09 September 2014 11:57 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930781A0052 for <ipsec@ietfa.amsl.com>; Tue, 9 Sep 2014 04:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ov4dtZULW70T for <ipsec@ietfa.amsl.com>; Tue, 9 Sep 2014 04:57:56 -0700 (PDT)
Received: from mail-lb0-x236.google.com (mail-lb0-x236.google.com [IPv6:2a00:1450:4010:c04::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88F521A0068 for <ipsec@ietf.org>; Tue, 9 Sep 2014 04:57:53 -0700 (PDT)
Received: by mail-lb0-f182.google.com with SMTP id v6so2717770lbi.27 for <ipsec@ietf.org>; Tue, 09 Sep 2014 04:57:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-type; bh=NLTSre2mKJyI+Xnod0p+m4qilxz6VWZgYnhByS41740=; b=K1KtWy4p0FoEoqmzZ1uB2KgiV1bmN6FsKrvzjQec2uO2Egh8J/a9VLd/DxnXPRIW1P RaHhh+Lsx/ngrCkatMj168RM/hb97qfcM0kb3OfI+hDxF2q26z7SikuZ/dF5jE7RZzNn Y3wQZreVJtA2iwW2A5A/jJPzpBjYTXqQMEMt9k9EAQjwdtGz8ZA7d55v3FNSshGGMcW4 PW5CEBvD7aX25TNCnqGz70yIfm9yReYDpXtm0Wny/kM8aSuG5CPS8t0NOgc55KRNdl2f WV89+S20S+ELpIwfMvcRmhaUUi1hzrB04EA/bOWEajKRek5nrI1AfFvnBWvSOUYLYdeS w2aQ==
X-Received: by 10.112.202.106 with SMTP id kh10mr33622423lbc.66.1410263871888; Tue, 09 Sep 2014 04:57:51 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id s8sm4218833las.29.2014.09.09.04.57.49 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 09 Sep 2014 04:57:50 -0700 (PDT)
Message-ID: <6E9345DD1E9A43158A0DD61F96C09741@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>, Paul_Koning@dell.com
References: <540CA9B2.3090807@gmail.com> <BE175F90-68B6-4731-B32E-BA9EF3F3BAD8@dell.com> <CADi0yUM3ESC9A1WaJJZ5QKrAeUd-wiNLFRdpRUYp5vGXir-A6Q@mail.gmail.com>
Date: Tue, 09 Sep 2014 15:58:11 +0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_020A_01CFCC46.DB1B4C10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/9JlyyMzSC07oV6PYWMiGEwj48mQ
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 11:57:59 -0000

Hi Hugo,
  The subject line (and the comment on Bellovin attack) caught my eye. I don't follow the discussions in this list so I don't know how much the need and dangers of unauthenticated methods were discussed here. I want to point out that (and probably many did before me) that un-authentication is a very tricky option especially in a protocol that was created with mutual authentication as a core requirement and assumption. I can see potential benefits and uses but I can also see it abused and misused (the internet draft doesn't do too good a job warning about it but even if it did, people will misuse it).
I agree that the draft's Security Consideration section in its current form is incomplete.
And I hope that if the draft is adopted then it will draw an attention of many people,
who will help to improve the Security Considerations to list all the caveats,
to make all possible warning and to give advice how to safely use this mode.
  But requirements aside, I cannot vow for the security of IKE's key exchange in a one-way authentication mode. No one (that I know, definitely not me) designed this protocol to support one-way authentication. So the question of whether it is secure in this setting has not been investigated. Moreover, I see that the draft uses shared-key fields for theanonymous side of the communication and, I imagine, the other can use signature-based authentication. What security properties do you get from that mix-and-match authentication methods? 
IKEv2 currently allows the peers to use different authentication methods. 
So, if one of the peers uses preshared key, while the other uses 
digital signature, then it is considered legal and secure from
protocol's design point of view. If the peer, using preshared key in this scenario,
uses key, known to everyone, then we will get one-way authentication
with the current IKEv2. The next step, that the draft does - get rid of 
well-known preshared key and compute the content of the AUTH Payload
the same way it is computed currently in IKEv2 when it is used
with non key generating EAP methods - using SK_pi (or SK_Pr) as the key
I believe the draft doesn't change the way cryptography is used in IKEv2.
  One likely misuse of this technique is that people will use unauthenticated (or one-way) IKE and will run some other authentication on top of it (say, password based or whatever). Well, protocols do not necessarily compose securely. TLS had many failures like that (BEAST, re-negotiation, triple handshake, ...) and IPsec saw examples of that in the combinations of unauthenticated ESP and AH. IKE's cryptographic design has endured the test of time but these variations (or improvisations) endanger it.
Well, sometimes mutual authentication is impossible or undesirable.
Sometimes privacy is more important and people are ready to
sacrifice some level of security to keep their privacy.
And sometimes the choice is - either use plaintext
or unauthenticated encryption. The latter at least
prevents passive eavesdropping...
  Finally, since Bellovin's attack was mentioned, I want to make sure that no one is thinking of not using the MAC authentication at the IP packet level, right? 
Absolutely.
  Hugo
Regards,
Valery Smyslov.
  On Mon, Sep 8, 2014 at 10:54 AM, <Paul_Koning@dell.com> wrote:


    On Sep 7, 2014, at 2:53 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

    > Dear working group,
    >
    > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG document. Please respond to this mail with a Yes or No and a short rationale, at latest by Friday Sep. 12.

    Maybe.

    I understand and support the rationale for this draft.

    The Security Considerations seems to be inadequate.  Whenever possible, real authentication should be used.  So the Security Considerations should explicitly and strongly emphasize that, and recommend that products that incorporate Null authentication should strive to avoid its use whenever possible, and steer users away from its use when they can.

    A related question: does the use of Null authentication open up the Bellovin attack?  It seems that it would.  If so, my answer changes to “NO”.

            paul


    _______________________________________________
    IPsec mailing list
    IPsec@ietf.org
    https://www.ietf.org/mailman/listinfo/ipsec





------------------------------------------------------------------------------


  _______________________________________________
  IPsec mailing list
  IPsec@ietf.org
  https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email