Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
"Graham Bartlett (grbartle)" <grbartle@cisco.com> Tue, 22 August 2017 15:03 UTC
Return-Path: <grbartle@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCF041329D3 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 08:03:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level:
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xv4X3Z05Jf7P for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 08:03:19 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D3AA1329CF for <ipsec@ietf.org>; Tue, 22 Aug 2017 08:03:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13188; q=dns/txt; s=iport; t=1503414199; x=1504623799; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=zm7MacQSr4xVVnXOCO5VKBY6dEhbLtY8n521FPSc3lQ=; b=DVzNCZHbHegUduvUelsg804L1ySciBf+J27wgaXymVFno+OEaXHGB9XI lYfetbhfXyNZUb5hYuLB5wQDssTkWqe64sPI074tNr2x1dHcDu9DqUqkd 9rQ6YsO+I0ecC+lZhe3Ieq4fEw6wvI02jhY44xBSc/R+vYJirleI01ZQ+ 8=;
X-Files: smime.p7s : 4557
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DCAABpRpxZ/4cNJK1cGQEBAQEBAQEBAQEBBwEBAQEBg1pkgRUHjgyQGIFMlkGCEgcaC4UbAiOEBT8YAQIBAQEBAQEBayiFGQIBAwEBIQQtGgsQAgEIQgICAiULJQIEAQkEBQ6KIxCsV4FsOotcAQEBAQEBAQEBAQEBAQEBAQEBAQEBDgoFgyYEgWIggUyBYysLgnGETD6CfDCCMQWJfpZXAoQxgiGNb5JgligBHziBCncVSRIBhQQFF4FndohUgTKBDwEBAQ
X-IronPort-AV: E=Sophos;i="5.41,412,1498521600"; d="p7s'?scan'208";a="473479649"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 22 Aug 2017 15:03:18 +0000
Received: from XCH-ALN-009.cisco.com (xch-aln-009.cisco.com [173.36.7.19]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id v7MF3Iuh011797 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 22 Aug 2017 15:03:18 GMT
Received: from xch-aln-007.cisco.com (173.36.7.17) by XCH-ALN-009.cisco.com (173.36.7.19) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 22 Aug 2017 10:03:17 -0500
Received: from xch-aln-007.cisco.com ([173.36.7.17]) by XCH-ALN-007.cisco.com ([173.36.7.17]) with mapi id 15.00.1210.000; Tue, 22 Aug 2017 10:03:17 -0500
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, Cen Jung Tjhai <CJT@post-quantum.com>
CC: "ipsec@ietf.org" <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJ0fkoAgAIguwCABYr/gIAU0YGA
Date: Tue, 22 Aug 2017 15:03:17 +0000
Message-ID: <5E6A99A5-1867-4632-BA67-25A52D97AF71@cisco.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <1501968567726.89885@post-quantum.com> <22922.57101.227283.113155@fireball.acr.fi>
In-Reply-To: <22922.57101.227283.113155@fireball.acr.fi>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.142.72]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3586262595_1289572235"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/SqgIMiOVBP0Ovq0c8jEF57I-9-o>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 15:03:25 -0000
Hi Tero So I’m not a big fan of the interim exchange (Scott had suggested something similar). I would imagine that it’s going to decrease the tunnel setup rate on VPN GW’s. Adds at minimum another round trip, which could be >two if the QS blob isn’t correct or many more if fragmentation. It seems to be a large change to what’s there today. Does not allow for a 1-1 swap for the DH value today to something that is QS. On a more positive note I like the idea of the incrementing message ID’s for re-transmissions. I had a similar idea myself ☺ As mentioned before, if the issue is with sending these QS blobs is the size. At the moment CJ has given some indication of the sizes, however what is going to be used isn’t decided. With regards to sending the QS blob using IKEv2 fragmentation. Unless this is sent after authentication occurs it still allows for an attack whereby someone can send up to HDR(PRE_AUTH, MID=1), SKF(NextPld=0, Frag#=m-1, TotalFrags=m) To exhaust the receivers buffers.. cheers On 09/08/2017, 11:08, "IPsec on behalf of Tero Kivinen" <ipsec-bounces@ietf.org on behalf of kivinen@iki.fi> wrote: Cen Jung Tjhai writes: >>And I think if the IKE_SA_INIT messages grow too large with QSKE, >>then it’s better to develop generic fragmentation mechanism for >>IKE_SA_INIT, rather than making it specific for fragmenting QSKE >>blobs. Generic mechanism would allow to reuse it in case we’ll have >>to include other large payloads in initial messages. > > Yes, while a generic mechanism would allow it to be reused, it > sounds like a different draft all together. It could result in a > very complex change in the protocol. Furthermore, we would like to > support QSKE blob that is larger than 64KB in size, hence we > fragment it in that way. Actually I think it would be better NOT to change IKE_SA_INIT at all, but instead add new exchange between the IKE_SA_INIT and IKE_AUTH. I.e., lets have following exchange: Initiator Responder ------------------------------------------------------------------- HDR(IKE_SA_INIT, MID=0), SAi1, KEi, Ni, N(IKEV2_FRAGMENTATION_SUPPORTED), N(PRE_AUTH_SUPPORTED) --> <-- HDR(IKE_SA_INIT, MID=0), SAr1, KEr, Nr, N(IKEV2_FRAGMENTATION_SUPPORTED) N(PRE_AUTH_NEEDED), [CERTREQ] HDR(PRE_AUTH, MID=1), SKF(NextPld=PLD1, Frag#=1, TotalFrags=m) {...} --> HDR(PRE_AUTH, MID=1), SKF(NextPld=0, Frag#=2, TotalFrags=m) {...} --> ... HDR(PRE_AUTH, MID=1), SKF(NextPld=0, Frag#=m, TotalFrags=m) {...} --> <-- HDR(PRE_AUTH, MID=1), SKF(NextPld=PLD1, Frag#=1, TotalFrags=m) {...} <-- HDR(PRE_AUTH, MID=1), SKF(NextPld=0, Frag#=2, TotalFrags=m) {...} ... <-- HDR(PRE_AUTH, MID=1), SKF(NextPld=0, Frag#=m, TotalFrags=m) {...} HDR(IKE_AUTH, MID=2), SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr} --> <-- HDR(IKE_AUTH, MID=2), SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr} I.e., we run normal IKE_SA_INIT with message ID of 0. It negotiates the fragmentation (IKEV2_FRAGMENTATION_SUPPORTED), so all further exchanges after IKE_SA_INIT can use fragmentation. Then we do another exchange before the IKE_AUTH, i.e. we do PRE_AUTH exchange before IKE_AUTH using message id 1 (or even message ids 2, 3, 4, etc, as many as are needed). This step does the large blob exchange neede for the IKE_AUTH. As these are normal fragmented IKEv2 message, i.e. there is request and there is reply. What goes in there is most likely using some new payload number to transfer the QSKE data in both directions. Note, that IKEv2 messages are limited to 4GB in size, and one payload inside IKEv2 message is limited to 64kB in size, so if larger than 64k objects need to be transmitted, it can be transmitted using exactly one IKEv2 message, having multiple payloads in it. On the other hand as fragments are not individually acknowledged, we do not want to transfer too big messages using it, so it might be better to allow multiple PRE_AUTH message exchanges before moving to the IKE_AUTH. This means that the PRE_AUTH exchange most likely needs to have some way of telling the other end when it is done, and when to move to IKE_AUTH. IKE_AUTH then would be just normal IKE_AUTH. The fact whether we need the PRE_AUTH exchange can be negotiated in the IKE_SA_INIT, either using transform types in SA payload, or using the notify payloads. Also if we split data to less than 64k chunks anyways, it might also be better not to use IKEv2 fragmentation, but instead just send several PRE_AUTH exchanges instead. Note, that the PRE_AUTH happening between IKE_SA_INIT and IKE_AUTH would be encrypted, and MACed, but it WILL NOT be authenticated, i.e., we have not yet authenticated the other peer, and we will not include those octets to the AUTH payload calculations, so they will not be authenticated in AUTH phase, like the IKE_SA_INIT contents will be authenticated. I think this kind of step between IKE_SA_INIT and IKE_AUTH might be easiest and most generic way of transferring the QSKE data. We will be transferring large amount of data anyways, so trying to put it part of IKE_SA_INIT is not useful, and trying to play around with cookies, and IKE_SA_INIT modifications is just adding complexity. -- kivinen@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Proposed method to achieve quantum resist… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Paul Wouters
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Daniel Van Geest
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Daniel Van Geest
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai
- Re: [IPsec] Proposed method to achieve quantum re… Scott Fluhrer (sfluhrer)
- Re: [IPsec] Proposed method to achieve quantum re… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Bruckert, Leonie
- Re: [IPsec] Proposed method to achieve quantum re… Tero Kivinen
- Re: [IPsec] Proposed method to achieve quantum re… Graham Bartlett (grbartle)
- Re: [IPsec] Proposed method to achieve quantum re… Michael Richardson
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Paul Wouters
- Re: [IPsec] Proposed method to achieve quantum re… Valery Smyslov
- Re: [IPsec] Proposed method to achieve quantum re… Cen Jung Tjhai