Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Johannes Merkle <johannes.merkle@secunet.com> Mon, 03 December 2012 10:52 UTC

Message-ID: <50BC8460.9030808@secunet.com>
Date: Mon, 03 Dec 2012 11:52:16 +0100
From: Johannes Merkle <johannes.merkle@secunet.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <50B8A287.9090509@secunet.com> <074557eff2f722f10198aac4fb2f8d9c.squirrel@www.trepanning.net> <4613980CFC78314ABFD7F85CC30277210EDCE571@IL-EX10.ad.checkpoint.com> <A113ACFD9DF8B04F96395BDEACB340421C9045@xmb-rcd-x04.cisco.com> <50B9DC95.80202@gmail.com> <A113ACFD9DF8B04F96395BDEACB340421CA383@xmb-rcd-x04.cisco.com> <50BA5A70.6030808@gmail.com>
In-Reply-To: <50BA5A70.6030808@gmail.com>
Cc: Manfred Lochter <manfred.lochter@bsi.bund.de>, Yoav Nir <ynir@checkpoint.com>, Dan Harkins <dharkins@lounge.org>, IPsecme WG <ipsec@ietf.org>, "rfc-ise@rfc-editor.org" <rfc-ise@rfc-editor.org>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "Sean P. Turner" <turners@ieca.com>
Subject: Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Hi Yaron,

> 
> OK, I see your point (no pun intended). Regarding ECDH secret reuse, can you please review
> http://tools.ietf.org/html/rfc5996#section-2.12. That section was supposed to cover the relevant security
> considerations. In fact I think your attack is alluded to in the paper we reference from that section (see Sec. 5, first
> paragraph).
> 

I agree with you that this is a general issue that should be addressed generally. Yet, as a precaution, I could also
include such a requirement in the current draft.


> If this needs to become a MUST requirement for IKEv2 peers using ECDH, it needs to be spelled out and not left as an
> exercise to the reader. But we have to understand whether this is a general requirement, or it only applies to peers
> that are reusing ECDH private keys for multiple IKE sessions.
> 

If the ECDH key is chosen at random for each negotiation, then the attacker can only gain knowledge of the shared secret
and private key of the current negotiation. There is no other secret information involved that could be learned.

Johannes
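
Added illustration, not part of the message above, of the draft, or of RFC 5996: a toy-curve
model of the peer-public-key check the thread is discussing, and of the difference between a
per-negotiation ECDH key and a reused one. The specific attack Johannes refers to is not spelled
out on this page, so the code shows only the general mechanism: the affine addition formulas never
use the coefficient b, so a point that is not on the negotiated curve is processed as if it were,
and the secret derived from it depends only on d mod the (small) order of that point. The curve
y^2 = x^3 + 2x + 2 over GF(17), the generator (5, 1), the off-curve point (0, 0) and every function
name are constructed for this example and are not Brainpool parameters.

```python
# Added illustration (not code from the thread or the draft): ECDH peer-key
# validation on a constructed toy curve, and what an unvalidated point leaks.
# Curve and points below are hypothetical textbook-sized values, NOT Brainpool.

P = 17           # field prime
A = 2            # coefficient a
B = 2            # coefficient b: y^2 = x^3 + 2x + 2 over GF(17)
INF = None       # point at infinity


def on_curve(pt, b=B):
    """True if pt satisfies y^2 = x^3 + A*x + b (mod P)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P == 0


def add(p1, p2):
    """Affine short-Weierstrass addition. B never appears here: a point on
    the wrong curve (same A, different b) is processed as if it were valid."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                   # Q + (-Q); also covers doubling a y = 0 point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def order(pt):
    """Brute-force order of pt; fine for a toy curve."""
    n, q = 1, pt
    while q is not INF:
        q = add(q, pt)
        n += 1
    return n


G = (5, 1)       # on the curve: 125 + 10 + 2 = 137 = 1 (mod 17) = 1^2
N = order(G)     # 19 here: prime, so cofactor 1, as for the Brainpool curves


def validate_public_key(q):
    """Full public-key validation before computing d*Q:
    Q != O, coordinates in range, Q on the curve, and N*Q == O."""
    if q is INF:
        return False
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False
    if not on_curve(q):
        return False
    return mul(N, q) is INF


def ecdh_shared(d, q, validate=True):
    """x-coordinate of d*Q, or None for the point at infinity.
    validate=False models an implementation that skips the check."""
    if validate and not validate_public_key(q):
        raise ValueError("peer public key failed validation")
    s = mul(d, q)
    return None if s is INF else s[0]


# Attacker-chosen point: (0, 0) is not on y^2 = x^3 + 2x + 2, but it is on
# y^2 = x^3 + 2x (b = 0), where it has order 2.
BAD = (0, 0)


def leaked_residue_only(d, bad):
    """Without validation the result depends only on d mod order(bad):
    d and d + order(bad) yield the same shared secret."""
    r = order(bad)
    return ecdh_shared(d, bad, validate=False) == ecdh_shared(d + r, bad, validate=False)


def recover_parity(d):
    """What one unvalidated exchange with BAD reveals about d: d*BAD is INF
    for even d and BAD itself for odd d. An attacker who can test candidate
    secrets (e.g. against the peer's keyed messages) thus learns d mod 2."""
    return 0 if ecdh_shared(d, BAD, validate=False) is None else 1
```

With validate=True the off-curve point is rejected before any scalar multiplication. With it
skipped, the residue learned from one exchange is all that a fresh per-negotiation key can give
away; a private key reused across negotiations lets an attacker collect residues modulo several
small orders over several sessions, which is the reuse concern the message above distinguishes.
The mul(N, q) check is what rules out small-order points on the genuine curve when the cofactor is
larger than 1; for cofactor-1 curves the on-curve check already implies it.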