Re: [IPsec] Last minute change to draft-ietf-ipsecme-qr-ikev2

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Mon, 08 June 2020 15:07 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42E9A3A0C53 for <ipsec@ietfa.amsl.com>; Mon, 8 Jun 2020 08:07:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=J0B9bACK; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=kmv5+slN
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0-vddk2sNY6i for <ipsec@ietfa.amsl.com>; Mon, 8 Jun 2020 08:07:23 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 537BD3A0DD5 for <ipsec@ietf.org>; Mon, 8 Jun 2020 08:06:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22924; q=dns/txt; s=iport; t=1591628792; x=1592838392; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=pwfEza2PCb+xZr5N0GXC6wOudfEWXsI8Mb2OfItrM5M=; b=J0B9bACK8x/hcUdDQJy0pBqaZOkRQ4NWUBWwRHYpv3wUuJMn1e8KL6hv 92S2AGhJm98FJzPoI0W2xEaGQxKjNi54nUwq1RuTo6YqDrVYDN5qgPSNl qgfJwulK0SDXMIR51QNgirHjFG1ClpMzMLSbYA7Xn9Hu6ii3W3yK8quRb 0=;
IronPort-PHdr: 9a23:uDrnExTBEuued0BFvWtbsIrSQdpsv++ubAcI9poqja5Pea2//pPkeVbS/uhpkESQBN+J6v9YhazRqa+zEWAD4JPUtncEfdQMUhIekswZkkQmB9LNEkz0KvPmLklYVMRPXVNo5Te3ZE5SHsutZlDOrDu19zFBUhn6PBB+c+LyHIOahs+r1ue0rpvUZQgAhDe0bb5oahusqgCEvcgNiowkIaE0mRY=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ABCgCuU95e/5hdJa1mHgEBCxIMQIJtL1IHb1gvLAqHYAONP5hSgUKBEANVCwEBAQwBAS0CBAEBhEQCgjQCJDgTAgMBAQsBAQUBAQECAQYEbYVbAQuFcgEBAQEDEgsQEwEBLAwPAgEIEQQBARkIDjIdCAEBBBMIDQQJgwWBfk0DLgGlAAKBOYhhdIE0gwEBAQWFKxiCDgmBOIJkhyGCTBqBQT+BVIJNPoQZARIBCRpNgniCLY5diV8linGQOAqCWY5PileeSpEDmguEBQIEAgQFAg4BAQWBaiJmcHAVO4JpUBcCDZBAg3KKVnQ3AgYIAQEDCXyMUiQJgQYBgQ8BAQ
X-IronPort-AV: E=Sophos;i="5.73,487,1583193600"; d="scan'208,217";a="492467934"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Jun 2020 15:06:27 +0000
Received: from XCH-RCD-002.cisco.com (xch-rcd-002.cisco.com [173.37.102.12]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 058F6RKp001064 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL) for <ipsec@ietf.org>; Mon, 8 Jun 2020 15:06:27 GMT
Received: from xhs-aln-002.cisco.com (173.37.135.119) by XCH-RCD-002.cisco.com (173.37.102.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 8 Jun 2020 10:06:26 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 8 Jun 2020 10:06:26 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 8 Jun 2020 10:06:26 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bMRNwmM7Eqf0PDV/dmivb8PrcxacDNJZmgsNbIsiCiJ2KdwED9nHynTdGVrkDRvUogLLKsfIwQKOk2BDhhhbilTQUyIy63evbe5uFvHc/29PrL38fGjOfhGOySoLfbHmlOwR1dwjXwujOj0Q4VkeKswMtXtQAIqvpoHSTvjb3+CsIl7F5Ssm3dB3aCmmOb5EldOLFC8s1coSXLCHJ7MAf984iifHbMTeneId3WNvTGU42ZAuNr28S5C1hhZeqzrPv1Xm2Hew0eVqu813xgIJ9FwZSegq4FMHv7m5HOHsOxTTSXmP3cxDmn7piRfyPa28gVlepIssCxzNavqfpqBDgA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zAjP30+F08Pi8+VXkr70cprNtJS9LCRfKaUJ3iNtxjI=; b=VBKoYfPL5M/r1zH6LM1B57pYnQN8BzsbZmq/3pU9Byi/P7PJm8PctCE1ZV05AJUaLbtFRUS7Z7WU8pAQ0g7Bsq+enWLFkvQ0ndsBx9OZNfLppNeLgclUJNaRanYiBTDS8lLFSacwKcs0RoFHnHT6PVVrn7HB3hr3WwwksHvsCBom189eOpCf+zokPHno1C94Z/B3VTTADj1VWZQ+FLXuMtUylFAG/ogDhJC833N6pz6+PVbu2ou7gmUxCzZ0Dt4vAhH9usBVJlNcR71/lGMjXiQTdySS9QWDVsCUbRrZOuj6Z4M+LnPHC7eU27FH1bl6cpQOiNPM6RKbmZONhgiShw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zAjP30+F08Pi8+VXkr70cprNtJS9LCRfKaUJ3iNtxjI=; b=kmv5+slNMKil2y8VtkNOtq/6dEv6dQV+rZ2WQGbDzylTBYYaW8h/isYdb2AuGChIpyZ8AgKDqkKlR7JMhxXAm4DeD0cHd98gvYtzfoqOjhlI34zFCtdIPaFt1FK9uioI7ohFaZSaSLA/EleRFrmjXaImCuW2ZdUYRGnHbjWxO8k=
Received: from BN7PR11MB2641.namprd11.prod.outlook.com (2603:10b6:406:b1::25) by BN7PR11MB2627.namprd11.prod.outlook.com (2603:10b6:406:ae::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Mon, 8 Jun 2020 15:06:25 +0000
Received: from BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5]) by BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5%5]) with mapi id 15.20.3066.023; Mon, 8 Jun 2020 15:06:25 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Last minute change to draft-ietf-ipsecme-qr-ikev2
Thread-Index: AdY7b0YZDPRKeamGTBelnS42EluRIwCIhypQ
Date: Mon, 08 Jun 2020 15:06:24 +0000
Message-ID: <BN7PR11MB2641A192BD1268A76C880B63C1850@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <BN7PR11MB2641BAFC172E209AFCF219FDC1860@BN7PR11MB2641.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB2641BAFC172E209AFCF219FDC1860@BN7PR11MB2641.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.76]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 74c0cf34-bb1b-4c1c-da1c-08d80bbd833e
x-ms-traffictypediagnostic: BN7PR11MB2627:
x-microsoft-antispam-prvs: <BN7PR11MB2627EF170BF5F42A94C6AD74C1850@BN7PR11MB2627.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 042857DBB5
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EEpiZA4zktltm9Aq/UjUa8dIPLmIigmPTvJKEeulxwFaAaxWWRPZj5H8xcVZ0BPtHSCuCUvqCfVzH8qVYDr6lAjkUeh04xpTjabdcPs+k7ncewTYmupZKJ3/OzqaXYccvbP+fv2OraejtuAj7aH+/6CuOzpOfJmovw+RiqFg7EHUMSqoBTKockem9on1X6VDdiFQG2ePvpUZlxmBW9fU21DtwTQ/lnBYP/D0IE2vMMNHXb6EtdvxQE4hT/u4QW2tgIwQUJwAJxwIi/LiyvUja+RazuQS5QyxnLGXKaxyIqFtKCGL/whUQq3O1YUoxdmgmmzZSRjiY/BBWG5fwTV4wA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR11MB2641.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(346002)(366004)(376002)(396003)(136003)(33656002)(83380400001)(66556008)(55016002)(64756008)(7696005)(2906002)(53546011)(26005)(66476007)(66946007)(66446008)(9686003)(76116006)(6506007)(71200400001)(478600001)(186003)(86362001)(52536014)(5660300002)(8936002)(8676002)(6916009)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 3cSx8Z96RqDeEgf7eulrM8SQPE73jUj5VLiHgNHYnNrC/TyB+yOQsyAs4XY0KoZXxSkCMpCcCnNDwfrmFov5RyH6ozXSR/I6I01qYqi9E3aC1ZF3eSKy/gNrwWjjbBfiGzqsVRNP02jFU+NfWZlQs+clNFK7TVe0qmBPpdGHhAly+YchPUh9bIbio89tuSaGSpBq27456SMn4E3CQd43KaUnxyc/7eE9wxBOaaiB90ocL17n+Q96hva6Q9Dzqk2laQDUlKmGc61whiPJSTqgH5Hs/x5P83ULquKpXUm7B6lOXlrH2ZK/f8PmyaiFLVnU7uNcVsDLC61adMq2vuQnmeWByQagquZscNwqhcgISHRd9B8A+fim98CYIGeP+SxlPuRFpwllANQaZgE2sbHw3jJBojdvNUpwXl4JSitllIivOaixUS7yln5OMqdztCRYcfEENltOq6UlMznYO9+KufuhkXsHwIoEDnRliP2DQ60=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN7PR11MB2641A192BD1268A76C880B63C1850BN7PR11MB2641namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 74c0cf34-bb1b-4c1c-da1c-08d80bbd833e
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jun 2020 15:06:25.0374 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TYV+rbqDLPoxExE1HU/I6/F86FkoyYeZv2Ni1EMlWyiwZ0PczWyDwNQmYfKsQstt0YNBz9upVbSJ0hoOC42fIg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2627
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.12, xch-rcd-002.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/PMkcn9QceQCzdyHdRbJT5CdXELs>
Subject: Re: [IPsec] Last minute change to draft-ietf-ipsecme-qr-ikev2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2020 15:07:25 -0000

Tero had this comment (which didn't make it onto this mailing list):


Btw, there is similar text in RFC7296 (base IKEv2) saying following:



   When using pre-shared keys, a critical consideration is how to assure

   the randomness of these secrets.  The strongest practice is to ensure

   that any pre-shared key contain as much randomness as the strongest

   key being negotiated.  Deriving a shared secret from a password,

   name, or other low-entropy source is not secure.  These sources are

   subject to dictionary and social-engineering attacks, among others.



so one option would also point to IKEv2 RFC and say that same restrictions for not using low-entropy key that apply for pre-shared keys there applies also PPK.





That comment strikes me as having a good point; the pre-shared keys in IKE are subject to exactly the same dictionary attack that a PPK would have, and so the same advice would apply to both.  On the other hand, asking the reader to dig through a 142 page document for the relevant advice, or even scan through 3 pages of the security considerations would appear to be less friendly than we could be; in addition, advice for PPKs also need to consider Quantum Computers (which were not a consideration with IKE pre-shared keys).



How about this text (which integrates suggestions both from the security considerations of both RFC7296 and the PPK text, while trying to not sound like Frankentext [1].


   A critical consideration is how to assure the randomness of this
   post-quantum preshared key.  Quantum computers are able to perform
   Grover's algorithm [GROVER]; that effectively halves the size of a
   symmetric key.  In addition, an adversary, even with a conventional
   computer, can perform a dictionary search over plausible post-quantum
   preshared key values.  The strongest practice is to ensure that
   any post-quantum preshared key contains at least 256 bits of entropy,
   this will provide 128 bits of post-quantum security, while providing
   security against conventional dictionary attacks.  That provides
   security equivalent to Level 5 as defined in the NIST PQ Project Call
   For Proposals [NISTPQCFP].  Deriving a postquantum preshared key from
   a password, name, or other low-entropy source is not secure because
   of these known attacks.


The highlighted sections is text that is new to the draft; this would replace the first paragraph of the Security Considerations section.



And, I would agree with Valery; I also would prefer to avoid putting numbers that sound concrete; especially on something that is hard to measure (and "amount of entropy" is notoriously hard to measure - you can measure length, but that doesn't actually mean "guessability", which is what we're trying to get at).





[1]: For those readers who might not be familiar with English Literation or pop culture, there is a classic English novel "Frankenstein", when a scientist (Dr Frankenstein) patches together parts from several corpses, and brings it to life (of course, it didn't go well); in later references to this original novel, the stitching of the several parts is obvious.  The allusion "Frankentext" suggests parts of several works being clumsily stitched together.  It is typically good advice to avoid cultural references when talking on an international mailing list; I just couldn't help myself this time...


From: Scott Fluhrer (sfluhrer)
Sent: Friday, June 05, 2020 3:41 PM
To: ipsec@ietf.org
Subject: Last minute change to draft-ietf-ipsecme-qr-ikev2

The draft "Mixing Preshared Keys in IKEv2 for Post-quantum Security" was winding through the AUTH48 process, when at the last minute, I received an email from a researcher who thought they found a problem with low entropy PPKs (the preshared keys that the draft uses).  While it turned out that what the found really wasn't a problem, such low entropy PPKs are a problem in general.

To address this, I suggested to the RFC editors that we modify the first paragraph of the security considerations from:

Original text:
   Quantum computers are able to perform Grover's algorithm [GROVER];
   that effectively halves the size of a symmetric key.  Because of
   this, the user SHOULD ensure that the post-quantum preshared key used
   has at least 256 bits of entropy, in order to provide 128 bits of
   post-quantum security.  That provides security equivalent to Level 5
   as defined in the NIST PQ Project Call For Proposals [NISTPQCFP].

Modified text:
   Quantum computers are able to perform Grover's algorithm [GROVER];
   that effectively halves the size of a symmetric key.  Because of
   this, the user SHOULD ensure that the post-quantum preshared key used
   has at least 256 bits of entropy, in order to provide 128 bits of
   post-quantum security.  That provides security equivalent to Level 5
   as defined in the NIST PQ Project Call For Proposals [NISTPQCFP].
   An attacker who impersonates the server is able to validate guesses to
   the PPK.  Because of this, low entropy PPK values MUST NOT be used.

Additional text high-lighted.

Because of the lateness of this change, Ben Kaduk (the area director) asked me to check with the list to make sure everyone is OK with this addition.

Comments?