Re: [IPsec] Call for independent experts (IKEv2) for Stage 4 of the PAKE selection process

Tero Kivinen <> Fri, 30 August 2019 09:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AAD60120C74 for <>; Fri, 30 Aug 2019 02:27:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.419
X-Spam-Status: No, score=-3.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8D361NxVtCQ2 for <>; Fri, 30 Aug 2019 02:27:56 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C0C7612004F for <>; Fri, 30 Aug 2019 02:27:54 -0700 (PDT)
Received: from (localhost []) by (8.15.2/8.15.2) with ESMTPS id x7U9Rp23029256 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 30 Aug 2019 12:27:51 +0300 (EEST)
Received: (from kivinen@localhost) by (8.15.2/8.14.8/Submit) id x7U9Roc1014214; Fri, 30 Aug 2019 12:27:50 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Message-ID: <>
Date: Fri, 30 Aug 2019 12:27:50 +0300
From: Tero Kivinen <>
To: Dan Harkins <>
In-Reply-To: <>
References: <> <> <> <>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 13 min
Archived-At: <>
Subject: Re: [IPsec] Call for independent experts (IKEv2) for Stage 4 of the PAKE selection process
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Aug 2019 09:28:00 -0000

Dan Harkins writes:
> > How does the responder know which of the one million username password
> > pairs to pick to generate the generator when calculating D-H in the
> > IKE_SA_INIT? The actual identity of the user is only sent in the
> > encrypted IKE_AUTH message.
> >
> > I.e., I think this has exactly same problem than IKEv1 has with
> > pre-shared keys for main mode. You must know the initiator identity
> > based on the IP-addresses, thus makes this completely unusable for
> > non static VPN cases.
>    HA! I did miss something :-)
>    Yes, I guess a new payload is needed to express the username. This can
> be added to the IKE_SA_INIT message. Or maybe it can be a special type of
> NOTIFY, that's a six-of-one-and-a-half-dozen-of-the-other issue. But this
> should not involve an extra Auth exchange (as the framework PAKEs do)
> since SPEKE is just a Diffie-Hellman exchange which is exactly what IKE
> is.

We had similar discussion in the postquantum preshared keys case,
i.e., we needed to know the identity of the other end to pick the PPK,
but the identity is only transmitted in the IKE_AUTH, and IKE_AUTH is
encrypted with the key which is generated in IKE_SA_INIT. We solved
this issue in qr-ikev2 by making so that encryption of the IKE_AUTH
does not need the PPK, but uses only normal Diffie-Hellman and PPK is
only added to the actual IPsec trafic keys.

The problem is that if we add the identity to the IKE_SA_INIT, then we
loose the identity protection part of the IKEv2, as we then cannot
encrypt the identity.

Current solutions have been trying to keep the identity protection
part as good as it is without those extensions, i.e., qr-ikev2 still
provides same identity protection than what normal IKEv2 does, and
then provides extended protection for the actual trafic keys. Attacker
who can break Diffie-Hellman can see the identities, but will not see
the actual trafic protected by PPK.

With PAKEs, I think it is important to do the same, i.e., keep the
identity protection parts of the IKEv2 at least as good as they are
now, and that usually needs we need to do normal IKEv2 Diffie-Hellman
first to protect identities, and then inside that when we know
identities do the actual authentication using PAKE.

Hybrid qske does things bit differently as it adds IKE_INTERMEDIATE
exchanges between IKE_SA_INIT and IKE_AUTH but all of those
IKE_INTERMEDIATE exchanges are anonymous, i.e., the identity of the
other end is not yet known, the authentication is done in the end with
IKE_AUTH, and only then the identity of the other end is known, and we
can use per user information like shared keys or password etc.