IETF Logo Mail Archive

Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum

Paul Wouters <paul@nohats.ca> Wed, 16 August 2017 16:34 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2621321B6 for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:34:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AKxhQVxlXAy0 for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 09:34:38 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5463E12EC06 for <ipsec@ietf.org>; Wed, 16 Aug 2017 09:34:38 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xXZgZ2sFgz5RC; Wed, 16 Aug 2017 18:34:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1502901274; bh=WpTgFjrSSP2AlmU9FRvJ5xsNFv3g8td4Shavt38xnN8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=P//a3SXI3GeavKmeq8+orwA8raPZmJSeVvRWm4NksEHB7T6n4V25YzwOkth/lmT81 D4TP5KmMCKhIL1e4vHUpqZbTJCgzk1Xra7fBqhiryUJOXCt7EYvW5Vj5hWhQK3Bnq9 l0LdyKAYTvR1i6bRrtJNTcSxAz+3NVp0BcbvMhNw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id wmvVUfpCFjhy; Wed, 16 Aug 2017 18:34:33 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 16 Aug 2017 18:34:32 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 125B52E75B2; Wed, 16 Aug 2017 12:34:31 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 125B52E75B2
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id F259140D3592; Wed, 16 Aug 2017 12:34:31 -0400 (EDT)
Date: Wed, 16 Aug 2017 12:34:31 -0400
From: Paul Wouters <paul@nohats.ca>
To: David Schinazi <dschinazi@apple.com>
cc: IPsecME WG <ipsec@ietf.org>
In-Reply-To: <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com>
Message-ID: <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca> <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nimkdaTO6B4kMP4rBiM8O2WcdMU>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 16:34:41 -0000

On Mon, 14 Aug 2017, David Schinazi wrote:

> [DS] I think "showing ID" is exactly what we're avoiding here. You can think of this in terms of the Socialist Millionaire Problem - we want to be able to assert identity without anyone disclosing anything first. And the proposed solution is to send a MAC without the identity of the key used to MAC. Peers can than iterate their list of peers to check the MAC against.

But when you are using X.509 based clients, you will have never seen the
cert/ID until you receive it via IKE ? So your use case is limited to
very static type deployments (which suffer less from this issue as they
tend to not move around)

> [DS] Some security is still better than less security, you can imagine timing attacks and such but this is better than what we have today.

But I think we would need something a little better to make it part of
an RFC standard.

> [DS] I was initially going to make this a separate proposal that only involved a pre shared key and SA_INIT MAC, but it was pointed out to me that once you have that might as well include the benefits of PPK. If you know of a way to solve the described privacy attack vectors without a pre shared key and without adding round trips, I'm interested - I couldn't come up with one myself.

A PreSharedKey based solution is also very limiting, and people should
be migrating away from PSK in favour of RSA/ECC based solutions :P

I understand your use case (prevent blocking of hidden IKE over TCP/TLS
servers) but it might not be a use case the IETF can solve. From an
IETF perspective, the way to solve this would be to IPsec everything,
so that blocking based on ESP visibility becomes impossible. Which
is why I'd like to see more Opportunistic IPsec.

But if we can fit in your goal, that would be great. And I think if
that takes another roundtrip people can make that decision. But I
think nation state actors are already active attackers, so I see
not too much value in a passive attackers only solution, which
IKE over TCP/TLS already is.

Paul

v2.23.0 | Report a Bug | By Email