IETF Logo Mail Archive

[IPsec] Privacy attack vectors against IKEv2 and Postquantum

David Schinazi <dschinazi@apple.com> Fri, 11 August 2017 18:39 UTC

Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE2BC132643 for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 11:39:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ZTyQ9Oa_Bfk for <ipsec@ietfa.amsl.com>; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
Received: from mail-in6.apple.com (mail-out6.apple.com [17.151.62.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9C11132642 for <ipsec@ietf.org>; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1502476767; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=jPNS29/BlG8o01Ozjk/oRjHRkog1E/TZhwqNIF45ZZA=; b=299iM8HDTjKhIHR/iA75ZHTq95j25jM7/wdTOB8smP05QhYcZG9IQ8Pakr4FjGkB u2xuRKWXZKPdTWgFKGo69hbsAuKyu1Z5u7AKe9j5DSN+Oiz1sME+eOr9j4bBDhDd mx23NDWlT+LBdR44/mD3GHlDogPwlwteix/Uzd+RdQpYzy2LWo+XejqJwVcieRBn Gl89jyZB41RQUbs7ejGLykH5kP9t8AfZUW48bKyU1ID/ivj0c85qFb+DKeXQEQHd zJZBO97XF3mwValQi8hu2iGTwvg97isOSD11Wjn5auG0r+1afB7jt1mqoCuika/7 3jACAOKp2aoF0tv+SavV5A==;
Received: from relay4.apple.com (relay4.apple.com [17.128.113.87]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in6.apple.com (Apple Secure Mail Relay) with SMTP id A1.DB.06961.FD9FD895; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
X-AuditID: 11973e15-9dace9c000001b31-77-598df9df3935
Received: from koseret.apple.com (koseret.apple.com [17.151.62.39]) by relay4.apple.com (Apple SCV relay) with SMTP id A5.68.06992.FD9FD895; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; CHARSET="US-ASCII"
Received: from da0602a-dhcp130.apple.com (da0602a-dhcp130.apple.com [17.226.23.130]) by koseret.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OUJ0051ZAHRN040@koseret.apple.com> for ipsec@ietf.org; Fri, 11 Aug 2017 11:39:27 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com>
Date: Fri, 11 Aug 2017 11:39:26 -0700
To: IPsecME WG <ipsec@ietf.org>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupiluLIzCtJLcpLzFFi42IRbCgM173/szfS4EyDksX+LS/YHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVMW3mDLaCR2IV36/eYm9gPCDUxcjBISFgItGzIqSLkYtDSGA1 k8S07vPMXYycYPGmzdvZIRJbGCWad9xgA0nwCghK/Jh8jwWkmVlAXuLgeVmQMLOAlsT3R60s EPXbmCTOvz3LCpIQFpCW6LpwlxWkng2o6MAaI4iwrcTRs69ZIEbaSDS0HwazWQRUJT637GID KRcBGj/zRibEObISt2ZfYgYZLyFwllXi+MmzrBMYBWYhuWgWwkWzkFy0gJF5FaNQbmJmjm5m npleYkFBTqpecn7uJkZQ4E23E93BeGaV1SFGAQ5GJR7eirO9kUKsiWXFlbmHGKU5WJTEeV8+ 7IkUEkhPLEnNTk0tSC2KLyrNSS0+xMjEwSnVwDgn4kvfHZ4lFdpJuycw1OfLnPox+3yewCvO orfPFxw2/pFo/WF/dfunkzNEX4eknDyptUgzXifQY3aodnvpxVnnpRaeZrNgVnvmXnTKdIrx Ju/crrfxXzeW/lu+NTDSQTTT89mUiSbdkvfeppycG5B16OSD6tXSC43m/4iaX9yZv/vmy+uW USlKLMUZiYZazEXFiQD6Mf4jHQIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrHJMWRmVeSWpSXmKPExsUiON1OXff+z95Ig8Ob5C32b3nB5sDosWTJ T6YAxigum5TUnMyy1CJ9uwSujGkzZ7AVPBKr+H71FnsD4wGhLkZODgkBE4mmzdvZuxi5OIQE tjBKNO+4wQaS4BUQlPgx+R5LFyMHB7OAvMTB87IgYWYBLYnvj1pZIOq3MUmcf3uWFSQhLCAt 0XXhLitIPRtQ0YE1RhBhW4mjZ1+zQIy0kWhoPwxmswioSnxu2cUGUi4CNH7mjUyIc2Qlbs2+ xDyBkXcWkiNmIRwxC8kRCxiZVzEKFKXmJFaa6CUWFOSk6iXn525iBIVKQ2H4DsZ/y6wOMQpw MCrx8M542RspxJpYVlyZe4hRgoNZSYR37jegEG9KYmVValF+fFFpTmrxIUZpDhYlcd7pHd2R QgLpiSWp2ampBalFMFkmDk6pBsbFpe3fO0rVtk1pTLlQ9LZ/n5/O9Lxn+dYrzCwZfBLPL5s8 Z4Gn8BXRBn07e/PLRRXC+yNj/hWEM+WYBWk7ztrpv5s76o7OzI6swHX20rueX1vX/ffl2eNN cVZKOnP2K8gt8FjPfiBh51leDceEWVcPCDAEvN4663299xrl75pnLlzc8YTpuaoSS3FGoqEW c1FxIgCM8R5oEQIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/iH8JSJ3dcxxFpQ4AMD9czO12na8>
Subject: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 18:39:29 -0000

Hi everyone,

I'd like to start off by saying that I have read draft-fluhrer-qr-ikev2-04 and I really like it, particularly the fact that it is a minor change, does not add RTTs and keeps existing properties.

I have however come across two privacy attack vectors that IKEv2 is vulnerable to, with and without postquantum, that I think the postquantum draft could also help mitigate.

1) Active man-in-the-middle attack against the initiator
An attacker that can intercept and spoof packets can complete the SA_INIT part of the exchange with both sides and get the initiator to disclose its IDi (and PPK_id). This allows an attacker to fingerprint devices and/or users.

2) Passive off-path attack against a "hidden" responder
Today an IKEv2 server cannot hide the fact that it exists - the initiator's SA_INIT is not authenticated so the responder must respond to it even if it is forged, leaking the fact that it is running an IKEv2 server. Hypothetically speaking, if one were to run IKEv2 over TLS and sharing port 443 with a web server to obfuscate the fact that it is using IKEv2, an attacker could open a TLS connection and sending an SA_INIT to divulge the fact that this HTTPS server also supports IKEv2.

Straw man Proposal:

We slightly change the PPK_SUPPORT status notification payload to include notification data, and that data would contain a MAC of the SA_INIT using the PPK. Note that this would not contain the PPK_ID, just the MAC. The MAC would be defined as
PPK_MAC = prf( prf(PPK, "PPK MAC for IKEv2"), <SAInitOctets>)
where SAInitOctets is the entire SA_INIT, starting with the first octet of the first SPI in the header and ending with the last octet of the last payload, with PPK_MAC set to all zeroes (this is inspired by the IP header checksum) and where prf is the PRF of the first proposal in the SA_INIT.
Both peers MUST send this PPK_MAC on all SA_INIT that contain PPK_SUPPORT.

Upon receiving an SA_INIT, each endpoint has two options:
- if it knows only of a small number of PPKs, it tries all of them and if none of them match it silently drops the SA_INIT.
- if it has too many PPKs or if it is worried about DoS attacks, it MAY choose to ignore PPK_MAC entirely (and continue the IKEv2 exchange with PPK in the IKE_AUTH exchange)

If the responder does not support the PRF from the first initiator's proposal, it can either
- ignore PPK_MACi entirely and continue the IKEv2 exchange with PPK in the IKE_AUTH exchange
- silently drop the SA_INIT if it was configured to only use a set of PRFs when provisioned with the PPK. The initiator can retry with a different PRF.

I believe this proposal does not reduce the security properties of the current draft, it also does not leak any information to any party that does not possess PPK, and it mitigates the attack vectors discussed above.

What are your thoughts?

Thanks,
David Schinazi
Apple

v2.23.0 | Report a Bug | By Email