Re: [IPsec] draft-fluhrer-qr-ikev2-01
"Valery Smyslov" <svanru@gmail.com> Thu, 25 February 2016 07:38 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1E131A03A6 for <ipsec@ietfa.amsl.com>; Wed, 24 Feb 2016 23:38:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.409
X-Spam-Level:
X-Spam-Status: No, score=0.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_12=0.6, J_CHICKENPOX_32=0.6, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id esxOZCJqLfv2 for <ipsec@ietfa.amsl.com>; Wed, 24 Feb 2016 23:38:17 -0800 (PST)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCD351A03AA for <ipsec@ietf.org>; Wed, 24 Feb 2016 23:38:16 -0800 (PST)
Received: by mail-lf0-x232.google.com with SMTP id m1so27684529lfg.0 for <ipsec@ietf.org>; Wed, 24 Feb 2016 23:38:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=IccK+MyvsvBTTfgZVkb81oMkuaVtzFqgldjQrTND+kQ=; b=vOJYpbq9QO8j5iysP6Gm09XBLjwfffOHcBSeIZCyNiRssgh7+9Gy6O4EIgwimIszPX +/FYqdKFg5OiiKa5/NGItKUoOtGvDYEKcAYogT4GpLevyOCwu9DOLtPq7o8Ypyk3NHUU Dj8kTuY7Z4ji90cH5uuGImFzSuYkebqojGaaY+CucUwhs3vzQ3epQUeKLl2Z3Okb4AgI LsuNZVtNTduNL9Niru1UFLCXvOXxCEqo5KvDoY3znQitA79dedqHwpUQDFNzQCUlTRHW SbWhc791UrY5VUvdISzUdcz6RTRmBA+vlxKfLXn6x11t+v3FpUG1m7hblhxThtNA+fe7 26OA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:from:to:cc:references:subject:date :mime-version:content-type:content-transfer-encoding; bh=IccK+MyvsvBTTfgZVkb81oMkuaVtzFqgldjQrTND+kQ=; b=msd3TS7xTH2LdTA+U9qQIw29+DIsjAYbsxStarZLa8YrgZBPPPtEZtX4DPobcxJpIb 4AIA3ENedY6w+AxXvDCU9nin+aZzJf9WP6ae4Kp7a0UwMsH7YRTSGTF1X5z44OagBOdr E4qN+lMBEp9OFNoon70xVlYBDEFyvrAG0Ab17NF9uO7wwoHNfskwvsCln0HL4FL34W+K PO+V4rOrKpVrQ4nM9L7iYArvDSQLdYPtb9oUHQ+an4oLKnT4v+nN4VKcmpKvkcp8Jivv ZXJtMb46I0Of9ZIWe4c7AP6CGhgLZANfj7oX+DVqRghVqQWIPDBsqIpA+YwVprXvPJz8 mBIw==
X-Gm-Message-State: AG10YORri9/47/LoVnY9EvR+hQZsa6BsUrEnh39uEXAOShHQknHo1df+rJLBsS5Qi6hc1w==
X-Received: by 10.25.144.12 with SMTP id s12mr16608138lfd.114.1456385894972; Wed, 24 Feb 2016 23:38:14 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id dt9sm943916lbc.47.2016.02.24.23.38.13 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 24 Feb 2016 23:38:13 -0800 (PST)
Message-ID: <3C4D164CF08843258CE30B5B21363397@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
References: <46cc66173e324ae0b788f36cd58f5dfa@XCH-RCD-006.cisco.com><22220.36465.788794.855413@fireball.acr.fi><D174E691CC934614A1A9AC83D76266D7@buildpc> <22222.1834.892900.623823@fireball.acr.fi>
Date: Thu, 25 Feb 2016 10:38:13 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/ZQGyceQf36fwLYdHPwSnS9fb40A>
Cc: ipsec@ietf.org, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Subject: Re: [IPsec] draft-fluhrer-qr-ikev2-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2016 07:38:19 -0000
Hi Tero, >> I think this proposal is worse than presented in the draft. >> It leaves information in the IKE SA vulnerable to QC-based attacks. > > And what information do you think is there that is really worth of > protecting? If we are talking about the original IKEv2 as specified in the RFC 7296, then there are not much sensitive data inside the IKE SA - mostly identities, traffic selectors and configuration attributes (althouth I think all these items must still receive due protection). However, I've been always thinking that IKE SA can be used as a transport for low volume data (for example using Transaction exchange). I'm sure there are propriatory extensions out there and I wonder why nobody try to standardize it yet. There is also a draft describing IKEv2 based protocol for group key management (draft-yeung-g-ikev2) and it does tramsmit sensitive information (including session keys) inside IKE SA. It is a pity if QC protection mechanism won't work for these IKEv2 variants (as in your proposal). > My understanding is that when there really are attackers using > QC-based attacks in real, we need to change the IKEv2 again, to make > the authentication methods also protected against QC-based attacks. Note, that the proposed solution also protects authentication (since SK_px are used in calculation of the AUTH payload content). > What we are solving now is the fact that someone can save all the > IKEv2 / IPsec traffic now, and when they do get the quantum computers, > they can break the Diffie-Hellman and then get the traffic keys used > to protect the IPsec traffic. > > I.e. the saving of traffic happens now and breaking of the traffic > happens much later. > > What information there are in the IKEv2 SA which is important to > protect for that kind of attacks? See above. For some derivation of IKEv2 (like G-IKEv2) there are a lot of sensitive information to protect. >> Moreover, the way PPK is used in the draft is more clear and >> easier to implement. Note, that the only difference between the crypto >> formulas from RFC7296 and the draft is that every use of Nx (where x = [ir]) >> is replaced with PRF(PPK | Nx). It is simple and modular from >> implementer's point of view. > > The draft had all kind of talks about AES and SHA256, so I just assume > that was there to confuse people and it is not needed? Please, re-read the draft. In the last version it is not tied with any particular algorithms (AES, SHA256) and uses the negotiated PRF for SKEYSEED calculation. >> Moreover, in this case the PPK is used as the key for PRF, while in >> your proposal the PPK is used as additional data fetched into PRF. > > The reason I used that is that cryptographers who designed the IKEv2 > did that same thing with the share secret output from the > Diffie-Hellman, i.e., the g^ir. So I do assume that is safe, and if it > not then we need some proper cryptographer to tell me why not. > > Also using the PPK as key to the PRF will limit the size of the PPK to > match you PRF key length. Using it as a data is supposed to be better > if I remember right why this method was selected for the IKEv2. Most PRFs accept key of arbitrary length. And if some PRF is defined with a fixed length key, that there will be a problem with this PRF in IKEv2 anyway - with calculation of SKEYSEED, where key is a concatenation of the nonces. That's why an ugly hack for AES-XCBC-PRF-128 and AES-CMAC-PRF-128 is included in the protocol. > Anyways I am not cryptographer, I just assume that the people who are > and who said it is ok to do > > KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr) > > know what they were doing. I'm not a cryptographer either, but I think that from cryptography point of view your construction is sound. The problem resides in implementation, not in mathematics. See below. >> Using secret material (PPK) as a data is always a pain for the >> products that maintain "security core", while using secret as a key >> is simple and natural. > > But this what we do in IKEv2 for all cases, also the SKEYSEED is > calculated in same way: > > SKEYSEED = prf(Ni | Nr, g^ir) > > I.e. the public values Ni and Nr are used as key, and the shared > secret g^ir is used as data. > > If you think that is unsafe, I would like to get more information > about that, as that would mean that we need to change the > cryptographic protocol used in the IKEv2... I never meant that it is unsafe. I meant that sometimes it causes a headache for implementers when long-term secret is used as a data in cryptographic formulas. Consider the situation when you have a dedicated hardware (HSM, token) where long-term secrets reside. Very often this hardware has an API that never allows the secrets to be exposed and allows them to be used only as keys in cryptographic primitives (i.e. you can encrypt some data using these key). If you need to use these keys as data in cryptographic primitives then you must either contact the hardware manufacturer and ask him for a new API function specific for your needs or to find some workarounds, that are often based on undocumented features. Note that g^xy is a different beast - it is not a long-term secret, and usually APIs allow using session keys as a data in key derivation functions. Regards, Valery.
- [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Hoffman
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Paul Wouters
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Michael Richardson
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Tero Kivinen
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Michael Richardson
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Scott Fluhrer (sfluhrer)
- Re: [IPsec] draft-fluhrer-qr-ikev2-01 Valery Smyslov