IETF Logo Mail Archive

Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 11 September 2014 07:24 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F1AB1A03E2 for <ipsec@ietfa.amsl.com>; Thu, 11 Sep 2014 00:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADo7eGyI8ZMK for <ipsec@ietfa.amsl.com>; Thu, 11 Sep 2014 00:24:03 -0700 (PDT)
Received: from mail-we0-x236.google.com (mail-we0-x236.google.com [IPv6:2a00:1450:400c:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A19DB1A058E for <ipsec@ietf.org>; Thu, 11 Sep 2014 00:24:02 -0700 (PDT)
Received: by mail-we0-f182.google.com with SMTP id k48so4037313wev.41 for <ipsec@ietf.org>; Thu, 11 Sep 2014 00:24:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=BxuR/+bxMGOL6BQyDmP5sb0BMnlKZCtnnJ2gkIq2yCc=; b=qSvKZ6bLJtgr/FXN4sDcbo7WSu8rBiQUSW0jQI8nORKbGvNtTF/9qZOMFePaAQqP04 clLHwdebw9OtjWcy51RD0sjwg+vNwnBAeafcXiv9+Hpg/v2UIbb8PFmcwsDuai7QeDeh yZm2W0H8GsxpuL/zZeOr6Afx7ADSbOffd7R9k4UU8Mxx+ADo/K4bnlRrDafZc/yMcLDy edjgnOtAQ6rCkFy0feg3woUUXK94zwmXevOQadxoQrjyAqmg+ULeN6agbr6dOcxyj3bx oXbBvF5AEeO4dNDixWV3ktnwf7UHdEdoE0YYa4fbjvdk/iIYqes6XZjyjve2OamBq40T lrBg==
X-Received: by 10.180.198.232 with SMTP id jf8mr4583614wic.37.1410420241305; Thu, 11 Sep 2014 00:24:01 -0700 (PDT)
Received: from [10.2.0.78] (85-250-123-108.bb.netvision.net.il. [85.250.123.108]) by mx.google.com with ESMTPSA id a5sm178131wje.17.2014.09.11.00.24.00 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Sep 2014 00:24:00 -0700 (PDT)
Message-ID: <54114E0E.80108@gmail.com>
Date: Thu, 11 Sep 2014 10:23:58 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Hugo Krawczyk <hugo@ee.technion.ac.il>, Valery Smyslov <svanru@gmail.com>
References: <540CA9B2.3090807@gmail.com> <BE175F90-68B6-4731-B32E-BA9EF3F3BAD8@dell.com> <CADi0yUM3ESC9A1WaJJZ5QKrAeUd-wiNLFRdpRUYp5vGXir-A6Q@mail.gmail.com> <6E9345DD1E9A43158A0DD61F96C09741@buildpc> <CADi0yUMQftcsij+aH5XB2O97LZ7fVJeq2jNTHqK5kvsaZuSWYQ@mail.gmail.com>
In-Reply-To: <CADi0yUMQftcsij+aH5XB2O97LZ7fVJeq2jNTHqK5kvsaZuSWYQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/EabSkyEYs4ue0wblpK6j6mFaF7s
Cc: IPsecme WG <ipsec@ietf.org>, Paul_Koning@dell.com
Subject: Re: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 07:24:04 -0000

Hi Hugo,

We know what to expect from IKEv2 with mutual certificate or PSK 
authentication.

I *think* we also know what IKEv2 provides when both sides are NOT 
authenticated. To summarize my own understanding: the IKE exchange and 
any resulting Child SAs are confidential (only encrypted payloads of 
course) and integrity protected, provided there was no MITM attacker at 
the time of the initial IKE exchange. If there was one, all bets are off.

The document is unclear about the security properties of the proposed 
1-way auth, but from the discussion, many people believe it is similar 
to TLS. I agree that a serious analysis of this option is called for.

The document's introduction does give the impression that the main point 
of this document is one-way auth, but I think most of the people who 
support this document are more interested in fully anonymous key 
exchange. So I would like to focus the WG adoption discussion right now 
on the anonymous use case, and then, if the WG decides to adopt the 
document, go back to the question you raised.

Thanks,
	Yaron

On 09/11/2014 07:01 AM, Hugo Krawczyk wrote:
> I didn't know (or remember) that IKEv2 allows for different directional
> authentication mechanisms.
> In any case, as a general rule, the fact that two methods are secure,
> doesn't mean that mix-and-match-ing them (or taking a subset) is still
> secure.
> Particularly for IKEv2, I do not know of any work that has shown such
> security.
>
> Hugo
>
> On Tue, Sep 9, 2014 at 7:58 AM, Valery Smyslov <svanru@gmail.com
> <mailto:svanru@gmail.com>> wrote:
>
>     __
>     Hi Hugo,
>
>         The subject line (and the comment on Bellovin attack) caught my
>         eye. I don't follow the discussions in this list so I don't know
>         how much the need and dangers of unauthenticated methods were
>         discussed here. I want to point out that (and probably many did
>         before me) that un-authentication is a very tricky option
>         especially in a protocol that was created with mutual
>         authentication as a core requirement and assumption. I can see
>         potential benefits and uses but I can also see it abused and
>         misused (the internet draft doesn't do too good a job warning
>         about it but even if it did, people will misuse it).
>
>     I agree that the draft's Security Consideration section in its
>     current form is incomplete.
>     And I hope that if the draft is adopted then it will draw an
>     attention of many people,
>     who will help to improve the Security Considerations to list all the
>     caveats,
>     to make all possible warning and to give advice how to safely use
>     this mode.
>
>         But requirements aside, I cannot vow for the security of IKE's
>         key exchange in a one-way authentication mode. No one (that I
>         know, definitely not me) designed this protocol to support
>         one-way authentication. So the question of whether it is secure
>         in this setting has not been investigated. Moreover, I see that
>         the draft uses shared-key fields for theanonymous side of the
>         communication and, I imagine, the other can use signature-based
>         authentication. What security properties do you get from that
>         mix-and-match authentication methods?
>
>     IKEv2 currently allows the peers to use different authentication
>     methods.
>     So, if one of the peers uses preshared key, while the other uses
>     digital signature, then it is considered legal and secure from
>     protocol's design point of view. If the peer, using preshared key in
>     this scenario,
>     uses key, known to everyone, then we will get one-way authentication
>     with the current IKEv2. The next step, that the draft does - get rid of
>     well-known preshared key and compute the content of the AUTH Payload
>     the same way it is computed currently in IKEv2 when it is used
>     with non key generating EAP methods - using SK_pi (or SK_Pr) as the key
>     I believe the draft doesn't change the way cryptography is used in
>     IKEv2.
>
>         One likely misuse of this technique is that people will use
>         unauthenticated (or one-way) IKE and will run some other
>         authentication on top of it (say, password based or whatever).
>         Well, protocols do not necessarily compose securely. TLS had
>         many failures like that (BEAST, re-negotiation, triple
>         handshake, ...) and IPsec saw examples of that in the
>         combinations of unauthenticated ESP and AH. IKE's cryptographic
>         design has endured the test of time but these variations (or
>         improvisations) endanger it.
>
>     Well, sometimes mutual authentication is impossible or undesirable.
>     Sometimes privacy is more important and people are ready to
>     sacrifice some level of security to keep their privacy.
>     And sometimes the choice is - either use plaintext
>     or unauthenticated encryption. The latter at least
>     prevents passive eavesdropping...
>
>         Finally, since Bellovin's attack was mentioned, I want to make
>         sure that no one is thinking of not using the MAC authentication
>         at the IP packet level, right?
>
>     Absolutely.
>
>         Hugo
>
>     Regards,
>     Valery Smyslov.
>
>         On Mon, Sep 8, 2014 at 10:54 AM, <Paul_Koning@dell.com
>         <mailto:Paul_Koning@dell.com>> wrote:
>
>
>             On Sep 7, 2014, at 2:53 PM, Yaron Sheffer
>             <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>> wrote:
>
>             > Dear working group,
>             >
>             > This is a call foradopting draft-smyslov-ipsecme-ikev2-null-auth as a WG
>             document. Please respond to this mail with a Yes or No and a
>             short rationale, at latest by Friday Sep. 12.
>
>             Maybe.
>
>             I understand and support the rationale for this draft.
>
>             The Security Considerations seems to be inadequate.
>             Whenever possible, real authentication should be used.  So
>             the Security Considerations should explicitly and strongly
>             emphasize that, and recommend that products that incorporate
>             Null authentication should strive to avoid its use whenever
>             possible, and steer users away from its use when they can.
>
>             A related question: does the use of Null authentication open
>             up the Bellovin attack?  It seems that it would.  If so, my
>             answer changes to “NO”.
>
>                  paul
>
>             _______________________________________________
>             IPsec mailing list
>             IPsec@ietf.org <mailto:IPsec@ietf.org>
>             https://www.ietf.org/mailman/listinfo/ipsec
>
>
>         ------------------------------------------------------------------------
>
>         _______________________________________________
>         IPsec mailing list
>         IPsec@ietf.org <mailto:IPsec@ietf.org>
>         https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>

v2.23.0 | Report a Bug | By Email