IETF Logo Mail Archive

Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum

Christopher Wood <christopherwood07@gmail.com> Wed, 16 August 2017 16:50 UTC

Return-Path: <christopherwood07@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDCD9132692 for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:50:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g6B4VkTNoJUH for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:50:21 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27424132339 for <ipsec@ietf.org>; Wed, 16 Aug 2017 09:50:21 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id f11so41901833oic.0 for <ipsec@ietf.org>; Wed, 16 Aug 2017 09:50:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=W+DnZGqHD1KFVNNAl+ESlsuFCUJRrlaBdx3ryEdnPhM=; b=tMs6j8U92d0L3eV0NpYa7VP0Pg6gVSLpNgQU4M/Hf5yOx4rxAkidYuPioYtoJjw2hh W8a0KsT1ciHWv5hcmdyK1BcUwLDnQqww4EnBO47w4C/yW50aPfq9Qh9eqUIbX0oxW3Ph wSQODnVmQjKE51MB0fii+qKry8v+YdCEhbegLIagKRE/4BcP/l4kexH9OxxGLnAM5fRl m3nYHZYtQP8GuMdAkkfRPR6Fnck0riki+tMWntm/z+xvVvriy3l+rTGdY1uKPb7AOSqq QvmcT1e2JGWXUOshMgeDOiiEOSOrd1vrPeYFF8BwqGgdJzaiksHwk8P6patgltOUf+Vd Mw+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=W+DnZGqHD1KFVNNAl+ESlsuFCUJRrlaBdx3ryEdnPhM=; b=RUflAXBs9feqLhm9aVVn99RK0cdEjcoxb/glLZqPkd5129trlMkZGMidLp4mQUwAtk CdqM7f4cEace9amF5kz80NOSOVGk5sy6/cCqiHEO5d9r/F1lrAEvcNn14mkn9V2TkOkV V4hcZ1NVbGTDXW2RagiawEcqz06Nb6dcFyUfvMkCo7mWiEILuaF1FpxghUVgfsyZlLYY 9ooOMqGRca50LVqCHBjp7ndRMt+I+u9bE5V9V1DPCDO8RG+mX8J96wFnBaAEN7olJKeC k07T10Q1ARSwQ6w/2va1jpcEMQdq7n5xThIL07lnu3GF9mDwZvtpqzaUs0bbhv4XdfgN wetA==
X-Gm-Message-State: AHYfb5iRfZiingJPiJz7m9WSiVpV/dP1vqNUwDM3nGbtTRB712C0pSeX 3d8nE2OvX2xlF8kfS1OO8NVheHH4qA==
X-Received: by 10.202.87.2 with SMTP id l2mr2672669oib.277.1502902219072; Wed, 16 Aug 2017 09:50:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.91.73 with HTTP; Wed, 16 Aug 2017 09:50:18 -0700 (PDT)
In-Reply-To: <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca> <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com> <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Wed, 16 Aug 2017 09:50:18 -0700
Message-ID: <CAO8oSXmg2eok5FRatPfP_4-BgS4Uo9e14TT_Qo1QDCT6jTEx5g@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: David Schinazi <dschinazi@apple.com>, IPsecME WG <ipsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/hls2DBPW4wy1-T7THUVGPwXu4nU>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 16:50:23 -0000

On Wed, Aug 16, 2017 at 9:34 AM, Paul Wouters <paul@nohats.ca> wrote:
> On Mon, 14 Aug 2017, David Schinazi wrote:
>
>> [DS] I think "showing ID" is exactly what we're avoiding here. You can
>> think of this in terms of the Socialist Millionaire Problem - we want to be
>> able to assert identity without anyone disclosing anything first. And the
>> proposed solution is to send a MAC without the identity of the key used to
>> MAC. Peers can than iterate their list of peers to check the MAC against.
>
>
> But when you are using X.509 based clients, you will have never seen the
> cert/ID until you receive it via IKE ? So your use case is limited to
> very static type deployments (which suffer less from this issue as they
> tend to not move around)
>
>> [DS] Some security is still better than less security, you can imagine
>> timing attacks and such but this is better than what we have today.
>
>
> But I think we would need something a little better to make it part of
> an RFC standard.
>
>> [DS] I was initially going to make this a separate proposal that only
>> involved a pre shared key and SA_INIT MAC, but it was pointed out to me that
>> once you have that might as well include the benefits of PPK. If you know of
>> a way to solve the described privacy attack vectors without a pre shared key
>> and without adding round trips, I'm interested - I couldn't come up with one
>> myself.
>
>
> A PreSharedKey based solution is also very limiting, and people should
> be migrating away from PSK in favour of RSA/ECC based solutions :P

David's original email suggested that this technique was enabled by
(and perhaps constrained to) draft-fluhrer-qr-ikev2, which assumes the
existence of a long-term PPK.

Best,
Chris

v2.23.0 | Report a Bug | By Email