IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-fluhrer-qr-ikev2-02.txt

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 09 August 2016 12:44 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BCE912D7F9 for <ipsec@ietfa.amsl.com>; Tue, 9 Aug 2016 05:44:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.768
X-Spam-Level:
X-Spam-Status: No, score=-15.768 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XtWEo0NkJvYN for <ipsec@ietfa.amsl.com>; Tue, 9 Aug 2016 05:44:10 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E908412D7F8 for <ipsec@ietf.org>; Tue, 9 Aug 2016 05:44:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3240; q=dns/txt; s=iport; t=1470746649; x=1471956249; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=o69hkTFdDJ6V8vbc5FcJHYxIfM/hGFIXluOxZexB0Q0=; b=S6hpy7jjnwD8CtZgJhU7Knqwp1LOcSQSo0ZclzUpXTwXrAemIvuO1N+B 07QIL3pO8T8AsoCjHvg84XEa8o31ok7tt/2KucULopgHz9j9ehwW3H9xG cdvY5TFDm6DM1Bhly6z4uanVR5sBxf3aqLJYG7RzZKpBIA4o7bzQVqkFw M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BcAgATz6lX/51dJa1dg0VWfAe5HYF9JIV5AoFMOBQBAQEBAQEBXSeEXgEBBAE6MQ4MBAIBCBEEAQEBHgkHMhQJCAIEAQ0FCAyIFQgOwjMBAQEBAQEBAQEBAQEBAQEBAQEBAQEXBYYqhE2KGwWZOQGPAo9KjDSDdwEeNoN6boZOfwEBAQ
X-IronPort-AV: E=Sophos;i="5.28,494,1464652800"; d="scan'208";a="307975569"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Aug 2016 12:44:08 +0000
Received: from XCH-RTP-010.cisco.com (xch-rtp-010.cisco.com [64.101.220.150]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id u79Ci86p028152 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 9 Aug 2016 12:44:08 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-010.cisco.com (64.101.220.150) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 9 Aug 2016 08:44:07 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1210.000; Tue, 9 Aug 2016 08:44:07 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, Paul Hoffman <paul.hoffman@vpnc.org>
Thread-Topic: [IPsec] I-D Action: draft-fluhrer-qr-ikev2-02.txt
Thread-Index: AQHR7y/10NkmpxmQkkWhx9nlDv4V5aA/UmuAgAFBhqA=
Date: Tue, 09 Aug 2016 12:44:07 +0000
Message-ID: <496a3c96a34741e48f8ec4d9d2e2a031@XCH-RTP-006.cisco.com>
References: <20160805034543.15860.28796.idtracker@ietfa.amsl.com> <bd8018f8-f507-5721-5cba-976dd5a013fb@gmail.com> <04fc3cc06274464ca4b94746e50a67bc@XCH-RTP-006.cisco.com> <ac88df20-a086-6bbe-b90c-3d7bd27eb40c@gmail.com> <84F0EC1D-02BC-4892-9FC0-29B5E47A6D7F@vpnc.org> <22440.34261.193865.786849@fireball.acr.fi>
In-Reply-To: <22440.34261.193865.786849@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.57]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/auaPX3mMBzGaHQiYn39fmKtokYk>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-fluhrer-qr-ikev2-02.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2016 12:44:11 -0000

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Monday, August 08, 2016 9:15 AM
> To: Paul Hoffman
> Cc: Yaron Sheffer; ipsec@ietf.org; Scott Fluhrer (sfluhrer)
> Subject: Re: [IPsec] I-D Action: draft-fluhrer-qr-ikev2-02.txt
> 
> Paul Hoffman writes:
> > On 5 Aug 2016, at 8:23, Yaron Sheffer wrote:
> >
> > > The trick to that is to add a new column to the IANA table
> > > https://www.iana.org/assignments/ikev2-parameters/ikev2-
> parameters.x
> > > html#ikev2-parameters-5
> >
> > That's the first of two tricks: the second is getting agreement about
> > the rules for the values in that column. It seems like there is still
> > disagreement in the crypto community about how susceptible different
> > algorithms and modes are to quantum.
> 
> As an IANA expert, I am not that happy adding yet another column to that
> table. The ESP/IKEv2 reference columns already seem to make enough
> confusion for people :-)

On the other hand, we need to give people some guidance somehow...

> 
> Also I think it is bad idea to list which ciphers are quantum computing safe, as
> I have no idea whether RC5 or Blowfish are really in that category, even
> when they do have long keys...

There's no known Quantum attack against either (assuming long keys), and so they're in the same category as AES-256.

> 
> It might be better to list ciphers which we consider not to be safe, i.e.,
> explictly note that PRF_AES128_XCBC and PRF_AES128_CMAC are using 128-
> bit keys so they might be vulnerable. (Btw it is PRF_AES128_CMAC, not
> PRF_AES_CBC).

That makes a lot of sense; ultimately, we don't really know which ones are strong against Quantum Computers (then again, we really don't know which ones are strong against conventional computers using undiscovered attacks :-); we do know some are likely weak.

> 
> Also this is something we might want to add to the rfc4307bis provided we
> can agree on the text before it goes forward. I.e. I do not think the
> RFC4307bis should wait for the text, as we can add it the QR document also,
> but if we can agree on that now, then we can add this kind of warning to
> rfc4307bis too. That text could be something like
> this:
> 
>    Quantum computers might able to perform Grover's algorithm; that
>    effectively halves the size of a symmetric key. Because of this, to
>    provide 128-bit security even when we have quantum computers, the
>    symmetric algorithm keys needs to have least 256 bits of entropy.
> 
> Btw, both PRF_AES128_XCBC and PRF_AES128_CMAC do use 128-bit keys
> always, they cannot use longer keys, so the text saying "even though they
> can use larger keys" is wrong, as those versions cannot use longer keys.

Actually, if you look through the definitions of the transforms that IANA points to, RFC4434 and RFC4615, the transform can take as input a "key" longer than 128 bits.  Yes, if you look inside the definition of the transform, you see that they transform the arbitrary-length "key" into a 128 bit one; people quite often don't look into the innards of their crypto (nor should they have to).

> --
> kivinen@iki.fi

v2.23.0 | Report a Bug | By Email