Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
David Schinazi <dschinazi@apple.com> Mon, 14 August 2017 18:51 UTC
Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0D91200F3 for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 11:51:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k6hm8Hqe5T70 for <ipsec@ietfa.amsl.com>; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
Received: from mail-in5.apple.com (mail-out5.apple.com [17.151.62.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD174132399 for <ipsec@ietf.org>; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1502736711; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=U84akn2yboEfif3Udda0JIDPuuLDqixRYSMJ+aZYnWM=; b=zk8Qhe1LR8KQW7X7Lns9B3qS/wrQKhpGP5umCSymIlPwERsU3Fa7RA8FYerd8xuW IZbd+tsqmZRSY1cfWv7wmSalFB7kPrLBB3q6IDCxiOfmhl2atuA/V7un/iGaS5Lk JpWKIcpULwUaPpJIti7tqzCJBF8q1I1B2SaKhTVj7qo4tGw86KfaQMZrZx/8nng9 +MZZ/f4QVykIFPSGxWZU0HTi/5qeAh49/77IMPbhCnNClIl93IV/zHANvO2hIClx /HyKGw5fwPJtyBFNyP7OsLUh3jomdryMAJyRyQoWYqrVMpIPkXw5YXwXkCTan2UY EEUBHDGHdn40vgwji1zSMA==;
Received: from relay7.apple.com (relay7.apple.com [17.128.113.101]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in5.apple.com (Apple Secure Mail Relay) with SMTP id DD.6F.06802.741F1995; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
X-AuditID: 11973e13-e30ed9c000001a92-26-5991f147eb00
Received: from nwk-phonehomebzp-sz01.apple.com (nwk-phonehomebzp-sz01.apple.com [17.151.62.64]) by relay7.apple.com (Apple SCV relay) with SMTP id 34.18.07283.741F1995; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; CHARSET="US-ASCII"
Received: from [17.234.125.69] (unknown [17.234.125.69]) by nwk-phonehomebzp-sz01.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OUO00LQ2V2FJ850@nwk-phonehomebzp-sz01.apple.com>; Mon, 14 Aug 2017 11:51:51 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca>
Date: Mon, 14 Aug 2017 11:51:49 -0700
Cc: IPsecME WG <ipsec@ietf.org>
Message-id: <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKLMWRmVeSWpSXmKPExsUi2FCYquv+cWKkwaanChb7t7xgs3h/6xKT A5PHkiU/mTy+z2MKYIrisklJzcksSy3St0vgypi9t5Ol4Jt4xfmvd1kbGPuEuxg5OCQETCRu rFboYuTiEBJYwySxasFWRpj46x/WEPELjBIXT79k7mLk5OAVEJT4MfkeC0gNs4C8xMHzsiBh ZgEtie+PWlkg6hcySTSt/MAGkhAWkJbounCXFcL2lJjTuJodpJcNqOHAGiOQMKeAo0T7uZts IGEWAVWJ7QfYIUbKS/T+38gIsdVG4sb8ThYQW0igWGLt96NgNSICihKTzjwCi0sIyErcmn2J GcL+yyqxpzlyAqPwLCRHz0I4ehaSoxcwMq9iFMpNzMzRzcwz1UssKMhJ1UvOz93ECArn6XbC OxhPr7I6xCjAwajEw8txYWKkEGtiWXFl7iFGaQ4WJXHeaJu+SCGB9MSS1OzU1ILUovii0pzU 4kOMTBycUg2MihetFAvPO4Svn/Rgxw/jZ0JbJvNnb+iR5Ar++n3GzAX/NXN4pnRUFFnNnJ6l 8W2iU4JL2yYDs8u/2aPDvzmf+pXf8j6IbcLZO+KTHd58r3d++z3jHUPgwXidYz5vLm2a/eCb 7a+aTYIZDNM4QgSsLR5HrdIwioj8KiL/fUU/t3ztgs1n6pvZlViKMxINtZiLihMBvpa/40gC AAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrFLMWRmVeSWpSXmKPExsUiON3OQdf948RIg6vfZS32b3nBZvH+1iUm ByaPJUt+Mnl8n8cUwBTFZZOSmpNZllqkb5fAlTF7bydLwTfxivNf77I2MPYJdzFycEgImEi8 /mHdxcjFISRwgVHi4umXzF2MnBy8AoISPybfYwGpYRaQlzh4XhYkzCygJfH9USsLRP1CJomm lR/YQBLCAtISXRfuskLYnhJzGlezg/SyATUcWGMEEuYUcJRoP3eTDSTMIqAqsf0AO8RIeYne /xsZIbbaSNyY38kCYgsJFEus/X4UrEZEQFFi0plHYHEJAVmJW7MvMU9gFJiF5NBZCIfOQnLo AkbmVYwCRak5iZXmeokFBTmpesn5uZsYQSHYUJi6g7FxudUhRgEORiUeXo4LEyOFWBPLiitz DzFKcDArifAmtQOFeFMSK6tSi/Lji0pzUosPMUpzsCiJ887o6I4UEkhPLEnNTk0tSC2CyTJx cEo1MJqcenylfMWkcl8lgU9patKTXf8zlv4XSM3tXH3SVuR5TGFAV2rLfUmNf+XebEcnhil0 HeW0jLz0rvNtet2e+27FK7RDivX/OO7QtS/bF3B7b887A75TC5/s9XX6JvmR+0S8eHScfUf6 D3PGsrdH9i7kE2Wf6xP5/Webde7nryJVnmsmGAgkK7EUZyQaajEXFScCAL9XJcw9AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mjbgx9QCAhryeIoifr7o-17Dg1M>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 18:51:54 -0000
Thanks Paul, responses inline. > On Aug 11, 2017, at 18:23, Paul Wouters <paul@nohats.ca> wrote: > > On Fri, 11 Aug 2017, David Schinazi wrote: > >> 1) Active man-in-the-middle attack against the initiator >> An attacker that can intercept and spoof packets can complete the SA_INIT part of the exchange with both sides and get the initiator to disclose its IDi (and PPK_id). This allows an attacker to fingerprint devices and/or users. > > One of the two will have to show ID before the other can make a decision > (before revealing itself) if it sees an attacker or a valid endpoint. > There have been suggestions in the past (eg BTNS with channel binding) > but no one thought it was worth the extra round trips. In theory you > could still do this using NULL-AUTH on the client, which authenticates > the server without losing any privacy and then running a second > authentication to 'upgrade' the client. [DS] I think "showing ID" is exactly what we're avoiding here. You can think of this in terms of the Socialist Millionaire Problem - we want to be able to assert identity without anyone disclosing anything first. And the proposed solution is to send a MAC without the identity of the key used to MAC. Peers can than iterate their list of peers to check the MAC against. >> 2) Passive off-path attack against a "hidden" responder >> Today an IKEv2 server cannot hide the fact that it exists - the initiator's SA_INIT is not authenticated so the responder must respond to it even if it is forged, leaking the fact that it is running an IKEv2 server. Hypothetically speaking, if one were to run IKEv2 over TLS and sharing port 443 with a web server to obfuscate the fact that it is using IKEv2, an attacker could open a TLS connection and sending an SA_INIT to divulge the fact that this HTTPS server also supports IKEv2. > > Maybe we should run DH on all webserver's for IKE :) > >> Straw man Proposal: > > [...] > >> I believe this proposal does not reduce the security properties of the current draft, it also does not leak any information to any party that does not possess PPK, and it mitigates the attack vectors discussed above. >> >> What are your thoughts? > > I think the tor people will tell you that you would still be able to > fingerprint this enough to tell it is IKE over TLS. [DS] Some security is still better than less security, you can imagine timing attacks and such but this is better than what we have today. > I'd also prefer a mechanism not tied to PPKs. Those are supposed to be > a bandaid that wouldn't be used anymore in the future where we have > quantum safe algorithms. [DS] I was initially going to make this a separate proposal that only involved a pre shared key and SA_INIT MAC, but it was pointed out to me that once you have that might as well include the benefits of PPK. If you know of a way to solve the described privacy attack vectors without a pre shared key and without adding round trips, I'm interested - I couldn't come up with one myself. David
- [IPsec] Privacy attack vectors against IKEv2 and … David Schinazi
- Re: [IPsec] Privacy attack vectors against IKEv2 … Paul Wouters
- Re: [IPsec] Privacy attack vectors against IKEv2 … David Schinazi
- Re: [IPsec] Privacy attack vectors against IKEv2 … Paul Wouters
- Re: [IPsec] Privacy attack vectors against IKEv2 … Christopher Wood
- Re: [IPsec] Privacy attack vectors against IKEv2 … David Schinazi