Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 11 September 2014 04:02 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30DAA1A0389 for <ipsec@ietfa.amsl.com>; Wed, 10 Sep 2014 21:02:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9g54AkufH3De for <ipsec@ietfa.amsl.com>; Wed, 10 Sep 2014 21:02:15 -0700 (PDT)
Received: from mail-la0-x22b.google.com (mail-la0-x22b.google.com [IPv6:2a00:1450:4010:c03::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC3BF1A0348 for <ipsec@ietf.org>; Wed, 10 Sep 2014 21:02:14 -0700 (PDT)
Received: by mail-la0-f43.google.com with SMTP id gi9so11065114lab.30 for <ipsec@ietf.org>; Wed, 10 Sep 2014 21:02:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Axv8E4r8I46jKqVyJcEh9npdf8Z5Hxq1GrStg+bQ3ls=; b=0dg1pgLYVPxW399pcgXMbQi832W0OHW63O9ZVv5P5ofLRsCHnGYxQ9izeJMcRwW4jH UfoSFrLjO+kbQj140aUtxj5YsIF9ZrFWEzUr1JBhdHUzOhklQg5p4x2zTXYI28YLcYu0 iAn+greT+XJhRntxJ1mzrU6mZKHe9JW3AsHeklRGl4qDTDhFV95SAOaUdejr7T3PjuZS NG5ig3AWUTqQuzQYzxeHzv3wVu8xF1zR+9/rE05l/ZRbETAHC26cHnkTA/Bzth8q666c YyRQdHctwym0OBGWPv0SL0ymzgeJzDbYcSSPkErcyS3eH5Dd2yHF2XJAqVdZG87zh0+M t3zw==
X-Received: by 10.112.209.37 with SMTP id mj5mr222405lbc.55.1410408133034; Wed, 10 Sep 2014 21:02:13 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.16.135 with HTTP; Wed, 10 Sep 2014 21:01:41 -0700 (PDT)
In-Reply-To: <6E9345DD1E9A43158A0DD61F96C09741@buildpc>
References: <540CA9B2.3090807@gmail.com> <BE175F90-68B6-4731-B32E-BA9EF3F3BAD8@dell.com> <CADi0yUM3ESC9A1WaJJZ5QKrAeUd-wiNLFRdpRUYp5vGXir-A6Q@mail.gmail.com> <6E9345DD1E9A43158A0DD61F96C09741@buildpc>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Thu, 11 Sep 2014 00:01:41 -0400
X-Google-Sender-Auth: poEohaD6eG8ey6h0-QPE6u550wQ
Message-ID: <CADi0yUMQftcsij+aH5XB2O97LZ7fVJeq2jNTHqK5kvsaZuSWYQ@mail.gmail.com>
To: Valery Smyslov <svanru@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c266d8c2098f0502c23be8"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/BjaYxy33hNVR9Y3K1dMhjHLSmBE
Cc: IPsecme WG <ipsec@ietf.org>, Paul_Koning@dell.com
Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 04:02:19 -0000
I didn't know (or remember) that IKEv2 allows for different directional authentication mechanisms. In any case, as a general rule, the fact that two methods are secure, doesn't mean that mix-and-match-ing them (or taking a subset) is still secure. Particularly for IKEv2, I do not know of any work that has shown such security. Hugo On Tue, Sep 9, 2014 at 7:58 AM, Valery Smyslov <svanru@gmail.com> wrote: > Hi Hugo, > > The subject line (and the comment on Bellovin attack) caught my eye. I > don't follow the discussions in this list so I don't know how much the need > and dangers of unauthenticated methods were discussed here. I want to point > out that (and probably many did before me) that un-authentication is a very > tricky option especially in a protocol that was created with mutual > authentication as a core requirement and assumption. I can see potential > benefits and uses but I can also see it abused and misused (the internet > draft doesn't do too good a job warning about it but even if it did, people > will misuse it). > > I agree that the draft's Security Consideration section in its current > form is incomplete. > And I hope that if the draft is adopted then it will draw an attention of > many people, > who will help to improve the Security Considerations to list all the > caveats, > to make all possible warning and to give advice how to safely use this > mode. > > But requirements aside, I cannot vow for the security of IKE's key > exchange in a one-way authentication mode. No one (that I know, definitely > not me) designed this protocol to support one-way authentication. So the > question of whether it is secure in this setting has not been investigated. > Moreover, I see that the draft uses shared-key fields for theanonymous side > of the communication and, I imagine, the other can use signature-based > authentication. What security properties do you get from that mix-and-match > authentication methods? > > IKEv2 currently allows the peers to use different authentication methods. > So, if one of the peers uses preshared key, while the other uses > digital signature, then it is considered legal and secure from > protocol's design point of view. If the peer, using preshared key in this > scenario, > uses key, known to everyone, then we will get one-way authentication > with the current IKEv2. The next step, that the draft does - get rid of > well-known preshared key and compute the content of the AUTH Payload > the same way it is computed currently in IKEv2 when it is used > with non key generating EAP methods - using SK_pi (or SK_Pr) as the key > I believe the draft doesn't change the way cryptography is used in IKEv2. > > One likely misuse of this technique is that people will use > unauthenticated (or one-way) IKE and will run some other authentication on > top of it (say, password based or whatever). Well, protocols do not > necessarily compose securely. TLS had many failures like that (BEAST, > re-negotiation, triple handshake, ...) and IPsec saw examples of that in > the combinations of unauthenticated ESP and AH. IKE's cryptographic design > has endured the test of time but these variations (or improvisations) > endanger it. > > Well, sometimes mutual authentication is impossible or undesirable. > Sometimes privacy is more important and people are ready to > sacrifice some level of security to keep their privacy. > And sometimes the choice is - either use plaintext > or unauthenticated encryption. The latter at least > prevents passive eavesdropping... > > Finally, since Bellovin's attack was mentioned, I want to make sure that > no one is thinking of not using the MAC authentication at the IP packet > level, right? > > Absolutely. > > Hugo > > Regards, > Valery Smyslov. > > On Mon, Sep 8, 2014 at 10:54 AM, <Paul_Koning@dell.com> wrote: > >> >> On Sep 7, 2014, at 2:53 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote: >> >> > Dear working group, >> > >> > This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a >> WG document. Please respond to this mail with a Yes or No and a short >> rationale, at latest by Friday Sep. 12. >> >> Maybe. >> >> I understand and support the rationale for this draft. >> >> The Security Considerations seems to be inadequate. Whenever possible, >> real authentication should be used. So the Security Considerations should >> explicitly and strongly emphasize that, and recommend that products that >> incorporate Null authentication should strive to avoid its use whenever >> possible, and steer users away from its use when they can. >> >> A related question: does the use of Null authentication open up the >> Bellovin attack? It seems that it would. If so, my answer changes to “NO”. >> >> paul >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec >> > > ------------------------------ > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > >
- [IPsec] Call for adoption: The NULL Authenticatio… Yaron Sheffer
- Re: [IPsec] Call for adoption: The NULL Authentic… Valery Smyslov
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul Wouters
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul_Koning
- Re: [IPsec] Call for adoption: The NULL Authentic… Graham Bartlett (grbartle)
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul Wouters
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul_Koning
- Re: [IPsec] Call for adoption: The NULL Authentic… Yaron Sheffer
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul_Koning
- Re: [IPsec] Call for adoption: The NULL Authentic… Hugo Krawczyk
- Re: [IPsec] Call for adoption: The NULL Authentic… Valery Smyslov
- Re: [IPsec] Call for adoption: The NULL Authentic… Daniel Migault
- Re: [IPsec] Call for adoption: The NULL Authentic… Valery Smyslov
- Re: [IPsec] Call for adoption: The NULL Authentic… Graham Bartlett (grbartle)
- Re: [IPsec] Call for adoption: The NULL Authentic… Hugo Krawczyk
- Re: [IPsec] Call for adoption: The NULL Authentic… Yaron Sheffer
- [IPsec] Call for adoption: The NULL Authenticatio… Tero Kivinen
- Re: [IPsec] Call for adoption: The NULL Authentic… Michael Richardson
- Re: [IPsec] Call for adoption: The NULL Authentic… Paul Wouters