[IPsec] Puzzle algorithm negotiation
Yoav Nir <ynir.ietf@gmail.com> Sun, 18 January 2015 15:39 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 449581ACD07 for <ipsec@ietfa.amsl.com>; Sun, 18 Jan 2015 07:39:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zqQsi6CMlPjA for <ipsec@ietfa.amsl.com>; Sun, 18 Jan 2015 07:39:07 -0800 (PST)
Received: from mail-wg0-x236.google.com (mail-wg0-x236.google.com [IPv6:2a00:1450:400c:c00::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F8BF1B2A03 for <ipsec@ietf.org>; Sun, 18 Jan 2015 07:39:07 -0800 (PST)
Received: by mail-wg0-f54.google.com with SMTP id z12so27796730wgg.13 for <ipsec@ietf.org>; Sun, 18 Jan 2015 07:39:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=wuAdsac7EabvVK7hy8JSFKjsfSN5qdaEf3TMUT1M+t0=; b=Ikc88xE/sYPkLiCzRY783k9ZqCYlboujy6ZDvEQ9YfRmlHnCOwqzQf5p6NI4/VMFtX oCMv+/4QXsr8N8xDqt0afhWI57VaVx5WnpRrosmYhs7ifjKRW6Qq9qXI1nXYVEq5mwQO Y6W//0c5aGKY2fxN/9G+qxvxUqKMSaXRE9KgJdyw/CuFV5aoZWNTWD2Ot/uKzd+52S+1 JctknvB48Xo/JH8Pr7WyxJM1GOsQLrICzfHx/sPXjoMTKAwXW/D+8Q7YdLQgwxR2srT7 BRnBr4dgnCpzzAcd1gXQyZ8C7znN5IKPT4sKW1NLqPMveWsE3wue8U5DPMMD6MGJzuxv Kqfw==
X-Received: by 10.194.48.109 with SMTP id k13mr50886489wjn.7.1421595546308; Sun, 18 Jan 2015 07:39:06 -0800 (PST)
Received: from [172.24.251.208] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id gl1sm5812043wib.13.2015.01.18.07.39.05 for <ipsec@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 18 Jan 2015 07:39:05 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2EB15AC3-62AE-40AF-AED7-7DD9A11D3D5E"
Message-Id: <BB49D854-245F-468E-9BBC-78D51B62ADCA@gmail.com>
Date: Sun, 18 Jan 2015 17:39:04 +0200
To: ipsec <ipsec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
X-Mailer: Apple Mail (2.1993)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/AEqrRJjrjMWdIPbScKG5CD13nso>
Subject: [IPsec] Puzzle algorithm negotiation
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jan 2015 15:39:09 -0000
Pull Request: https://github.com/ietf-ipsecme/drafts/pull/2 <https://github.com/ietf-ipsecme/drafts/pull/2> Hi, Valery has created this pull request. During the meeting in Honolulu and subsequent discussion on the list, several people requested that there be a negotiation of the algorithm used in the puzzle rather than fixing it to SHA-256. The pull request suggests figuring out which algorithms the Initiator supports by examining the SA payload in the IKE_SA_INIT request, and using the PRF algorithms. I’m posting this to the list, even thought we’re not sure about this. Specifically, PRF_AES128_XCBC and (I think) PRF_AES128_CMAC won’t work with the bitcoin-like puzzle that is currently in the draft. Why? For convenience assume a 16-byte cookie, a fixed zero IV (as always in AES-XCBC) and fixed zero key. So let Y = AESENC(key, IV XOR COOKIE) = AESENC(zero, COOKIE) Let Z = AESDEC(key, zero) = AESDEC(zero, zero) Extend the cookie by Y XOR Z. The result will give you a 128-bit tag of all zeros. Way too easy. Another way to do this is to add a notification in the Initiator’s request listing the hash algorithms that it supports. We could reuse the RFC 7427 registry of hash algorithms. Personally, I really don’t like this algorithm agility, because we don’t want to give the Initiator the options of a hard vs easy puzzle. So suppose the Responder supports two algorithms, SHA-256 and SHA-512, and that the latter is half as fast as the former, then a SHA-512 puzzle would have to have 1 bit less than the SHA-256 puzzle. But in fact, we know that SHA-512 is faster on 64-bit platforms, while SHA-256 is faster on 32-bit platforms. Add some GOST-certified hash to the mix, and the administrator’s task becomes that much harder. OTOH often when a protocol is published without algorithm agility, we end up extending it later. Yoav
- [IPsec] Puzzle algorithm negotiation Yoav Nir
- Re: [IPsec] Puzzle algorithm negotiation Valery Smyslov
- Re: [IPsec] Puzzle algorithm negotiation Yaron Sheffer
- Re: [IPsec] Puzzle algorithm negotiation Yoav Nir
- Re: [IPsec] Puzzle algorithm negotiation Yaron Sheffer