IETF Logo Mail Archive

Re: [IPsec] Comments to the g-ikev2

Tero Kivinen <kivinen@iki.fi> Tue, 18 January 2022 15:49 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A6583A167E; Tue, 18 Jan 2022 07:49:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.814
X-Spam-Level:
X-Spam-Status: No, score=-2.814 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJPdWIR5TyMR; Tue, 18 Jan 2022 07:49:05 -0800 (PST)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 855EF3A1681; Tue, 18 Jan 2022 07:49:04 -0800 (PST)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by meesny.iki.fi (Postfix) with ESMTPSA id C85D020151; Tue, 18 Jan 2022 17:49:00 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1642520941; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dIFKOC0T11/qbKWPKkM5TzWajG59Da1G7/yjA58Nl3c=; b=A5VldfnjvDTNVAPoGBI+eVUI3ygh7IU5WxKxcyceWGLLTzACYXeTRfe8WtX95gUZQ3+jZR 8pjUwGrBSYqA6yMl2k/2jjKrQM7BNvMQl2ADDTs8cqFXnUCsWev7RAX/oyoHQgq0OXuNPA os7JSLwb5Zf6MM38Boqy2/MXu07pItI=
Received: by fireball.acr.fi (Postfix, from userid 15204) id 4F2D325C12E5; Tue, 18 Jan 2022 17:49:00 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25062.57708.269429.346988@fireball.acr.fi>
Date: Tue, 18 Jan 2022 17:49:00 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'Valery Smyslov' <svan@elvis.ru>, ipsec@ietf.org, draft-ietf-ipsecme-g-ikev2@ietf.org
In-Reply-To: <060301d80b9e$8dfc2540$a9f46fc0$@gmail.com>
References: <25052.46852.971778.754673@fireball.acr.fi> <057b01d80950$854ba330$8fe2e990$@elvis.ru> <25059.849.299801.984109@fireball.acr.fi> <060301d80b9e$8dfc2540$a9f46fc0$@gmail.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 5 min
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1642520941; a=rsa-sha256; cv=none; b=JMHJoHe0bNwZO4Sh+qrLx0z8xs9+sP3aa/QL5XhBSLwDKuvHRY1VdVcM/1hiMEvDgPdHPd PGdY/lUDn29fA86pv0Hmv5NdxaC08bBUb5JxqjJ3CwrgYXSDZ+7ptZ3gAUGRjnXdOX467y jaJHLPQIpeW3luA45FUUKlvXUPEUcfg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1642520941; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dIFKOC0T11/qbKWPKkM5TzWajG59Da1G7/yjA58Nl3c=; b=kX0+ZsE/7YY21Ji19Mn36XzV9BtA1bv+byyQrz5ihnph52z6wENVDOXpxdjug6iyyZ9oBz iZOfPkxn4EjyB30Obdai+n45wzYpR9BTKsIzBFyM0oFK5jZ+tkXOIoN/Q6zRtMoWFqL3Kb 1QqvSZDyJunIewfgopVhM4jlNLVFcDE=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/OYIK4pxYaLEo9KIOEYStpvacz5M>
Subject: Re: [IPsec] Comments to the g-ikev2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2022 15:49:09 -0000

Valery Smyslov writes:
> After some thinking and recollecting I realized, that things are not that
> simple.
> It's true that SK_w is derived in QC-resistant way, but it is only used
> for providing confidentiality of the wrapped keys. Note, that their
> authenticity and integrity is provided only on G-IKEv2 message level, 
> so it is SK_a[i/r] that are responsible for these properties, and 
> these keys are not QC-resistant. So, a QC-equipped attacker
> cannot learn the keys, but can substitute them if they are
> transferred in GSA_AUTH. 

True, but note, that this requires active attack with real time attack
against the IKEv2 Diffie-Hellman.

The main reason for PPK is to provide protection against the store and
attack later cases, i.e., where attackers store all traffic now, and
then later break the Diffie-Hellman and then can see the traffic keys
and then will be able to decrypt the traffic protected by those keys.

I.e. PPK is not properly trying to protect against the cases where
there is real time quantum computers, for that we most likely need to
have quantum safe key exchange, and authentication algorithms too,
i.e., multiple-ke and ikev2 intermediate...

I think we can simply document this to the security considerations
section saying that if that kind of protection against real time
attacks is needed then quantum safe key exchange is needed, and most
likely also quantum safe authentication algorithms...
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email