IETF Logo Mail Archive

Re: [IPsec] Beginning discussion on secure password-only authentication for IKEv2

"Dan Harkins" <dharkins@lounge.org> Tue, 02 March 2010 23:00 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 28D803A7A68 for <ipsec@core3.amsl.com>; Tue, 2 Mar 2010 15:00:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.115
X-Spam-Level:
X-Spam-Status: No, score=-6.115 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id emSxtuEu5xmU for <ipsec@core3.amsl.com>; Tue, 2 Mar 2010 15:00:31 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id 0917A3A7870 for <ipsec@ietf.org>; Tue, 2 Mar 2010 15:00:31 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 5C1E51022404A; Tue, 2 Mar 2010 14:54:43 -0800 (PST)
Received: from 216.31.249.246 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 2 Mar 2010 14:54:43 -0800 (PST)
Message-ID: <bcc4d01cd3d8be09590e22bc5066bab2.squirrel@www.trepanning.net>
In-Reply-To: <p06240812c7b33427a351@[10.20.30.158]>
References: <p0624081ac7b20a6459c5@[10.20.30.158]> <3a17cf9ee724023e307fc446a871f9bf.squirrel@www.trepanning.net> <p06240812c7b33427a351@[10.20.30.158]>
Date: Tue, 02 Mar 2010 14:54:43 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: IPsecme WG <ipsec@ietf.org>, cfrg@irtf.org, Dan Harkins <dharkins@lounge.org>
Subject: Re: [IPsec] Beginning discussion on secure password-only authentication for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 23:00:31 -0000

  Hi Paul,

On Tue, March 2, 2010 1:37 pm, Paul Hoffman wrote:
[snip]
>>  RFC 2409 supported negotiation of various parameters, like the group
>>used for the Diffie-Hellman key exchange. That was removed in RFC 4306.
>>All of the candidate exchanges listed in draft-sheffer-ipsecme-pake-
>>criteria do some sort of discrete logarithm cryptography and therefore
>>it would be useful to list whether the candidate algorithm can use
>>any of the groups either negotiated or asserted by IKE(v2).
>
> OK, but...
>
>>  For instance, I do not believe EKE is suitable for any of the
>>groups currently in the IANA registry of groups that can be used with
>>IKE(v2). The MODP groups have a generator that is a quadratic residue
>>which enables a passive attacker to eliminate passwords from the
>>dictionary if they do not decrypt to a value that is, itself, a quadratic
>>residue and ECP groups are unsuitable because a passive attacker can
>>eliminate passwords from the group if they do not decrypt to a valid
>> point
>>on the curve. In either case, after seeing a trivial number of exchanges
>>a passive attacker is able to determine the password with high
>> probability.
>
> Those two paragraphs don't line up. Why would you want to use the groups
> negotiated or demanded in the IKEv2 exchange if they allow for easier
> attacks? Wouldn't it be better to allow the PAKE to negotiate or demand
> its own, presumably better, groups?

  The candidate exchanges all rely on the "hard problem" of doing a
discrete logarithm in one of the defined groups. It's the same "hard
problem" that makes the Diffie-Hellman portion of IKE secure. If the
group negotiated or demanded in IKE allows for an "easier attack" then
it shouldn't be used in the IKE exchange to do the Diffie-Hellman. And
if the group is good enough to use for the Diffie-Hellman key exchange
then, by definition, it is good enough for password authentication.

  If someone wants to use a 521-bit ECP group for the Diffie-Hellman key
exchange then requiring him to use a 2048-bit MODP group for authentication
seems a bit odd and constraining. It would make more sense, to me at least,
if the same 521-bit ECP group was used for authentication. Substitute the
group based on your own policy or whim-- 192-bit ECP, 8192-bit MODP,
1024-bit MODP-- and it's still odd and constraining to be forced to use
a different one for authentication.

  I think there is value in being able to use the same group (a lesson
learned from IKEv1 is that not everything needs to be negotiated and the
increase in complexity just isn't worth it). Some may find value in
negotiating groups separately. Whatever. But I think this should be
included in the criteria for selection so we can discuss the pros and
cons.

>>  So EKE requires a hard-coded special group to be used for its discrete
>>logarithm operations and since negotiation has been removed in RFC 4306
>>it means that the ability to change the group to suit the policy or whim
>>of the user (what is popularly termed "crypto agility") goes away. EKE
>>also requires specification of the mode of encryption used which may or
>>may not be the same as the one negotiated or asserted in IKE(v2). It
>>could be hard-coded into the specification, like the group, but this too
>>further limits "crypto agility".
>
> Yaron disagreed with this assessment. I would like to hear from others
> with EKE experience.

  Yaron points out that EAP-EKE negotiates the special group but we're
not using EAP here so the point he makes is neither here nor there.

>>  The other candidates, I believe, can use the same group, whether MODP
>>or ECP, that the IKE(v2) exchange is using. I think it would be good to
>>add these criteria to the draft.
>
> See above. I think the requirement should be "crypto agility, which means
> X Y Z" unless that agility itself opens up a security hole, such as a
> downgrade attack.

  No downgrade attacks. I agree. An attacker will go after the weakest
point. Which in this case has to be repeated active guessing attack
(which should be easy enough to notice and deal with).

  regards,

  Dan.

v2.23.0 | Report a Bug | By Email