Re: [IPsec] Call for independent experts (IKEv2) for Stage 4 of the PAKE selection process

Dan Harkins <> Fri, 30 August 2019 15:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B055D120AB8 for <>; Fri, 30 Aug 2019 08:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id L4QPHC-U_s4O for <>; Fri, 30 Aug 2019 08:35:46 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E0E02120AB0 for <>; Fri, 30 Aug 2019 08:35:46 -0700 (PDT)
Received: from ( []) by (PMDF V6.8-0 #1001) with ESMTP id <> for; Fri, 30 Aug 2019 10:35:46 -0500 (CDT)
Received: from Dans-MacBook-Pro.local ([]) by (PMDF V6.7-x01 #1001) with ESMTPSA id <> for; Fri, 30 Aug 2019 08:35:43 -0700 (PDT)
Received: from ([] EXTERNAL) (EHLO Dans-MacBook-Pro.local) with TLS/SSL by ([]) (PreciseMail V3.3); Fri, 30 Aug 2019 08:35:43 -0700
Date: Fri, 30 Aug 2019 08:35:45 -0700
From: Dan Harkins <>
In-reply-to: <>
To: Tero Kivinen <>
Message-id: <>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8; format=flowed
Content-language: en-US
Content-transfer-encoding: 8BIT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
X-PMAS-SPF: SPF check skipped for authenticated session (, send-ip=
X-PMAS-External-Auth: [] (EHLO Dans-MacBook-Pro.local)
References: <> <> <> <> <>
X-PMAS-Software: PreciseMail V3.3 [190828c] (
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <>
Subject: Re: [IPsec] Call for independent experts (IKEv2) for Stage 4 of the PAKE selection process
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Aug 2019 15:35:49 -0000

On 8/30/19 2:27 AM, Tero Kivinen wrote:
> Dan Harkins writes:
>>> How does the responder know which of the one million username password
>>> pairs to pick to generate the generator when calculating D-H in the
>>> IKE_SA_INIT? The actual identity of the user is only sent in the
>>> encrypted IKE_AUTH message.
>>> I.e., I think this has exactly same problem than IKEv1 has with
>>> pre-shared keys for main mode. You must know the initiator identity
>>> based on the IP-addresses, thus makes this completely unusable for
>>> non static VPN cases.
>>     HA! I did miss something :-)
>>     Yes, I guess a new payload is needed to express the username. This can
>> be added to the IKE_SA_INIT message. Or maybe it can be a special type of
>> NOTIFY, that's a six-of-one-and-a-half-dozen-of-the-other issue. But this
>> should not involve an extra Auth exchange (as the framework PAKEs do)
>> since SPEKE is just a Diffie-Hellman exchange which is exactly what IKE
>> is.
> We had similar discussion in the postquantum preshared keys case,
> i.e., we needed to know the identity of the other end to pick the PPK,
> but the identity is only transmitted in the IKE_AUTH, and IKE_AUTH is
> encrypted with the key which is generated in IKE_SA_INIT. We solved
> this issue in qr-ikev2 by making so that encryption of the IKE_AUTH
> does not need the PPK, but uses only normal Diffie-Hellman and PPK is
> only added to the actual IPsec trafic keys.
> The problem is that if we add the identity to the IKE_SA_INIT, then we
> loose the identity protection part of the IKEv2, as we then cannot
> encrypt the identity.

   Sure we can. We could do the thing that was done in TLS-pwd. When the
client registers his username and password she gets a static DH public
key of the server (TLS-pwd made this be a p256 curve for its compact
representation and adequate strength for the purpose of identity
protection). The scheme then is if the client wants to protect its
identity it uses the server's DH public key and does a static-ephemeral
exchange, gets a secret, encrypts its identity and sends its ephemeral
DH key (in compact representation, it's 33 octets) plus the encrypted
identity in one "identity payload". If it doesn't care about identity
protection it just sends its identity.

> Current solutions have been trying to keep the identity protection
> part as good as it is without those extensions, i.e., qr-ikev2 still
> provides same identity protection than what normal IKEv2 does, and
> then provides extended protection for the actual trafic keys. Attacker
> who can break Diffie-Hellman can see the identities, but will not see
> the actual trafic protected by PPK.
> With PAKEs, I think it is important to do the same, i.e., keep the
> identity protection parts of the IKEv2 at least as good as they are
> now, and that usually needs we need to do normal IKEv2 Diffie-Hellman
> first to protect identities, and then inside that when we know
> identities do the actual authentication using PAKE.
> Hybrid qske does things bit differently as it adds IKE_INTERMEDIATE
> exchanges between IKE_SA_INIT and IKE_AUTH but all of those
> IKE_INTERMEDIATE exchanges are anonymous, i.e., the identity of the
> other end is not yet known, the authentication is done in the end with
> IKE_AUTH, and only then the identity of the other end is known, and we
> can use per user information like shared keys or password etc.

Yes, we can do a PAKE exchange after IKE_SA_INIT and use that to do
identity protection. It just does add another round trip and I was trying
to point out how we can get a PAKE mode of IKE without any additional
round trips or things like that. SPEKE is just a Diffie-Hellman and IKE
already does a Diffie-Hellman. With the identity protection scheme I
described above we're doing a 2nd Diffie-Hellman so work-wise it's a
wash but from a protocol standpoint I think it's cleaner.

The qr-ikev2 stuff is done that way but that's because we want to augment
the qr exchange with a traditional D-H. That's the design. There is no
reason to force PAKEs to do the same thing, which isn't to say we can't
just that we don't have to.