Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-ikev2-null-auth-06: (with COMMENT)
Valery Smyslov <svan@elvis.ru> Wed, 27 May 2015 08:49 UTC
Return-Path: <svan@elvis.ru>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A48C11A9041; Wed, 27 May 2015 01:49:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.301
X-Spam-Level:
X-Spam-Status: No, score=-97.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, STOX_REPLY_TYPE=0.439, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZTQb8CXGfLBQ; Wed, 27 May 2015 01:49:53 -0700 (PDT)
Received: from fish.elvis.ru (fish.elvis.ru [82.138.51.18]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13BAF1A9042; Wed, 27 May 2015 01:49:53 -0700 (PDT)
Received: from [10.111.1.40] (helo=robin.office.elvis.ru) by fish.elvis.ru with esmtp (Exim 4.76) (envelope-from <svan@elvis.ru>) id 1YxX22-00061M-EV; Wed, 27 May 2015 11:49:46 +0300
Received: from buildpc (10.111.10.31) by robin.office.elvis.ru (10.111.1.40) with Microsoft SMTP Server id 14.3.224.2; Wed, 27 May 2015 11:49:46 +0300
Message-ID: <0024D7C10AD742EA968C394854CF1167@buildpc>
From: Valery Smyslov <svan@elvis.ru>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150527074332.5286.73511.idtracker@ietfa.amsl.com>
Date: Wed, 27 May 2015 11:49:49 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/M2nS2zkI2UuDMQldfTKRk63PNkM>
X-Mailman-Approved-At: Wed, 27 May 2015 08:38:55 -0700
Cc: ipsecme-chairs@ietf.org, paul.hoffman@vpnc.org, ipsec@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.ad@ietf.org, draft-ietf-ipsecme-ikev2-null-auth.shepherd@ietf.org, draft-ietf-ipsecme-ikev2-null-auth@ietf.org
Subject: Re: [IPsec] Stephen Farrell's Yes on draft-ietf-ipsecme-ikev2-null-auth-06: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2015 08:49:55 -0000
Hi Stephen, thank you for your comments. > Stephen Farrell has entered the following ballot position for > draft-ietf-ipsecme-ikev2-null-auth-06: Yes > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > - 2.1: just wanted to check as I didn't have time to go > through it all myself - are we confident that using > SK_pi/SK_pr in this way has no cryptographic downsides? The > reference to the EAP methods convinces me this is no worse > than an existing thing, but not (by itself) that it is > cryptographically sound, so I just wanted to check as I > think prf(SK_pr,IDr') has until now been calculated but not > transmitted, so there's a tiny change here maybe, but as I > said I didn't have time to fully check. If someone just > tells me that yes, the authors/wg did consider this, that'll > be fine, no need to fully explain to me why using SK_pr like > this is safe (though if you want to, that'd be fine too). In IKEv2 the AUTH payload plays dual role - it first authenticates peer identity and it also cryptographically binds the first messages of IKE_SA_INIT exchange to the protocol run. Unlike the other IKEv2 messages the messages of IKE_SA_INIT have no cryptographic protection and are sent in clear, so they need to be included into the AUTH payload calculation. The calculation of the AUTH payload depends on the authentication method the host selected, but in general it is digital signature (in case of certificates or raw public keys) or prf (in case of preshared key) over the blob of data containing the IKE_SA_INIT message, peer's nonce and own MAC'ed identity. With the NULL authentication the first role of the AUTH payload is obviously lost (by definition there is no credential in case of the NULL authentication, and thus no way to authenticate identity, and often no identity itself). But the second role - binding the first messages, is still very important. That's why the AUTH payload cannot be omited. As the host has no credentials, the only way to calculate AUTH payload is to use some key derived from SKEYSEED for that calculation. The SK_pi/SK_pr are the natural choice. And the situation with the NULL Authentication in this regard is the same, as with the EAP authentication in case the EAP method doesn't produce the shared secret. In this case the RFC7296 instructs to use SK_pi/SK_pr as shared secrets when calculating AUTH payload. Note, that in this case IKE identity becomes not authenticated (only the identities that were exchanged inside EAP method are authenticated), so we get the same situation as with NULL authentication. The SK_pi/SK_pr are also used in the calculations of MAC'ed identities (e.g. prf(SK_pr,IDr')), but it is not where SK_pi/SK_pr are used as keys for calculating AUTH payload. To be precise, in case of the NULL authentication (and EAP with non-key-generating methods) the SK_pi/SK_pr are used twice in the calculation of the AUTH payload - first as preshared key and second in the calculation of MAC'ed identity, that then included in a data blob, "signed" with the preshared key (the same SK_pi/SK_pr). We (the authors) don't believe that the draft somehow changes the authentication fundamentals, that IKEv2 is based on. The construction of AUTH payload in case of NULL authentication is exactly the same, as with EAP methods that don't generate shared secret. It was in the draft from the very begining and I drew WG's attention to this fact, but no comments were received, that would criticize it from cryptographic point of view. Hope this long explanation helps. > - 2.5: "hand out" is an odd phrase here - would be better > to expand on that I think and say more precisely what > should never be done. I think Paul Wouters, my co-author, will address this and will expand the text. Regards, Valery Smyslov.
- [IPsec] Stephen Farrell's Yes on draft-ietf-ipsec… Stephen Farrell
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Valery Smyslov
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… Paul Wouters
- Re: [IPsec] Stephen Farrell's Yes on draft-ietf-i… stephen.farrell