IETF Logo Mail Archive

Re: [IPsec] Beginning discussion on secure password-only authentication for IKEv2

<Black_David@emc.com> Tue, 02 March 2010 23:49 UTC

Return-Path: <Black_David@emc.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24D8128C196; Tue, 2 Mar 2010 15:49:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11bJm-oW1nU2; Tue, 2 Mar 2010 15:49:34 -0800 (PST)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by core3.amsl.com (Postfix) with ESMTP id B572328C0DC; Tue, 2 Mar 2010 15:49:33 -0800 (PST)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.3.2/Switch-3.1.7) with ESMTP id o22NnYSa031645 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 2 Mar 2010 18:49:34 -0500
Received: from mailhub.lss.emc.com (nagas.lss.emc.com [10.254.144.15]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Tue, 2 Mar 2010 18:49:31 -0500
Received: from corpussmtp4.corp.emc.com (corpussmtp4.corp.emc.com [10.254.169.197]) by mailhub.lss.emc.com (Switch-3.4.2/Switch-3.3.2mp) with ESMTP id o22NnU9Q017153; Tue, 2 Mar 2010 18:49:30 -0500
Received: from CORPUSMX80B.corp.emc.com ([10.254.89.202]) by corpussmtp4.corp.emc.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 2 Mar 2010 18:49:30 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 02 Mar 2010 18:49:29 -0500
Message-ID: <C2D311A6F086424F99E385949ECFEBCB01C7551E@CORPUSMX80B.corp.emc.com>
In-Reply-To: <bcc4d01cd3d8be09590e22bc5066bab2.squirrel@www.trepanning.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [IPsec] Beginning discussion on secure password-only authentication for IKEv2
Thread-Index: Acq6XFd06v4lPJs6SDyaR07JlFPXKwAA/HCA
References: <p0624081ac7b20a6459c5@[10.20.30.158]><3a17cf9ee724023e307fc446a871f9bf.squirrel@www.trepanning.net><p06240812c7b33427a351@[10.20.30.158]> <bcc4d01cd3d8be09590e22bc5066bab2.squirrel@www.trepanning.net>
From: Black_David@emc.com
To: dharkins@lounge.org, paul.hoffman@vpnc.org
X-OriginalArrivalTime: 02 Mar 2010 23:49:30.0279 (UTC) FILETIME=[0048F370:01CABA63]
X-EMM-EM: Active
Cc: ipsec@ietf.org, cfrg@irtf.org, Black_David@emc.com
Subject: Re: [IPsec] Beginning discussion on secure password-only authentication for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 23:49:35 -0000

Dan,

> >>  For instance, I do not believe EKE is suitable for any of the
> >>groups currently in the IANA registry of groups that can be used with
> >>IKE(v2).

There was an analogous experience with SRP for iSCSI - completely different groups were used up to 2048 bits and beyond there, the modulus primes from the larger IKEv2 groups were combined with different generators (i.e., not 2) - see Appendix A of RFC 3723.

[... snip ...]

OTOH, I think you've oversimplified here ...

>   The candidate exchanges all rely on the "hard problem" of doing a
> discrete logarithm in one of the defined groups. It's the same "hard
> problem" that makes the Diffie-Hellman portion of IKE secure. If the
> group negotiated or demanded in IKE allows for an "easier attack" then
> it shouldn't be used in the IKE exchange to do the Diffie-Hellman. 

If I follow your logic, I think you're arguing that because the existing groups allow easier attacks on password authentication (e.g., based on checks on what a guessed password decrypts to) then they allow easier attacks on IKE with existing authentication, *hence* those groups are unacceptable to use with IKE.  I think the *hence* is off the mark due to the much larger candidate search space when other techniques (e.g., certificate-based) are used to authenticate.

> And
> if the group is good enough to use for the Diffie-Hellman key exchange
> then, by definition, it is good enough for password authentication.

No argument here, but I don't think that statement implies its converse.

[... snip ..]

>   I think there is value in being able to use the same group (a lesson
> learned from IKEv1 is that not everything needs to be negotiated and the
> increase in complexity just isn't worth it). Some may find value in
> negotiating groups separately. Whatever. But I think this should be
> included in the criteria for selection so we can discuss the pros and
> cons.

I would agree with that - the ability to use the existing groups should be a plus for evaluation.

I'd also suggest that if new groups are defined for password authentication, those groups ought to be usable for IKE as well *provided that* the resulting negotiation complexity doesn't get out of hand.  I don't think we can retire/replace the existing groups, and I don't think you're suggesting that.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Dan Harkins
> Sent: Tuesday, March 02, 2010 5:55 PM
> To: Paul Hoffman
> Cc: IPsecme WG; cfrg@irtf.org; Dan Harkins
> Subject: Re: [IPsec] Beginning discussion on secure password-only authentication for IKEv2
> 
> 
>   Hi Paul,
> 
> On Tue, March 2, 2010 1:37 pm, Paul Hoffman wrote:
> [snip]
> >>  RFC 2409 supported negotiation of various parameters, like the group
> >>used for the Diffie-Hellman key exchange. That was removed in RFC 4306.
> >>All of the candidate exchanges listed in draft-sheffer-ipsecme-pake-
> >>criteria do some sort of discrete logarithm cryptography and therefore
> >>it would be useful to list whether the candidate algorithm can use
> >>any of the groups either negotiated or asserted by IKE(v2).
> >
> > OK, but...
> >
> >>  For instance, I do not believe EKE is suitable for any of the
> >>groups currently in the IANA registry of groups that can be used with
> >>IKE(v2). The MODP groups have a generator that is a quadratic residue
> >>which enables a passive attacker to eliminate passwords from the
> >>dictionary if they do not decrypt to a value that is, itself, a quadratic
> >>residue and ECP groups are unsuitable because a passive attacker can
> >>eliminate passwords from the group if they do not decrypt to a valid
> >> point
> >>on the curve. In either case, after seeing a trivial number of exchanges
> >>a passive attacker is able to determine the password with high
> >> probability.
> >
> > Those two paragraphs don't line up. Why would you want to use the groups
> > negotiated or demanded in the IKEv2 exchange if they allow for easier
> > attacks? Wouldn't it be better to allow the PAKE to negotiate or demand
> > its own, presumably better, groups?
> 
>   The candidate exchanges all rely on the "hard problem" of doing a
> discrete logarithm in one of the defined groups. It's the same "hard
> problem" that makes the Diffie-Hellman portion of IKE secure. If the
> group negotiated or demanded in IKE allows for an "easier attack" then
> it shouldn't be used in the IKE exchange to do the Diffie-Hellman. And
> if the group is good enough to use for the Diffie-Hellman key exchange
> then, by definition, it is good enough for password authentication.
> 
>   If someone wants to use a 521-bit ECP group for the Diffie-Hellman key
> exchange then requiring him to use a 2048-bit MODP group for authentication
> seems a bit odd and constraining. It would make more sense, to me at least,
> if the same 521-bit ECP group was used for authentication. Substitute the
> group based on your own policy or whim-- 192-bit ECP, 8192-bit MODP,
> 1024-bit MODP-- and it's still odd and constraining to be forced to use
> a different one for authentication.
> 
>   I think there is value in being able to use the same group (a lesson
> learned from IKEv1 is that not everything needs to be negotiated and the
> increase in complexity just isn't worth it). Some may find value in
> negotiating groups separately. Whatever. But I think this should be
> included in the criteria for selection so we can discuss the pros and
> cons.
> 
> >>  So EKE requires a hard-coded special group to be used for its discrete
> >>logarithm operations and since negotiation has been removed in RFC 4306
> >>it means that the ability to change the group to suit the policy or whim
> >>of the user (what is popularly termed "crypto agility") goes away. EKE
> >>also requires specification of the mode of encryption used which may or
> >>may not be the same as the one negotiated or asserted in IKE(v2). It
> >>could be hard-coded into the specification, like the group, but this too
> >>further limits "crypto agility".
> >
> > Yaron disagreed with this assessment. I would like to hear from others
> > with EKE experience.
> 
>   Yaron points out that EAP-EKE negotiates the special group but we're
> not using EAP here so the point he makes is neither here nor there.
> 
> >>  The other candidates, I believe, can use the same group, whether MODP
> >>or ECP, that the IKE(v2) exchange is using. I think it would be good to
> >>add these criteria to the draft.
> >
> > See above. I think the requirement should be "crypto agility, which means
> > X Y Z" unless that agility itself opens up a security hole, such as a
> > downgrade attack.
> 
>   No downgrade attacks. I agree. An attacker will go after the weakest
> point. Which in this case has to be repeated active guessing attack
> (which should be easy enough to notice and deal with).
> 
>   regards,
> 
>   Dan.
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email