IETF Logo Mail Archive

Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

"Valery Smyslov" <svanru@gmail.com> Tue, 22 August 2017 08:35 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38F11132357 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 01:35:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Level:
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HE50rN08hWR0 for <ipsec@ietfa.amsl.com>; Tue, 22 Aug 2017 01:35:07 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24DDA12EC06 for <ipsec@ietf.org>; Tue, 22 Aug 2017 01:35:07 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id y15so76134052lfd.5 for <ipsec@ietf.org>; Tue, 22 Aug 2017 01:35:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=GBNVvzhOz5+f8SgXZDRk2Os7PHbLwRvG/V3ztDHcWgs=; b=I+/ENe1d1m//KCunj/X28HDY0Z88ZjiK028T+GvpTdnlvX7yT8R7PV8n0dDPBDtqPa 06+wsaGxHeR9zhcg8ZDOYuT/okTW5hTnCL5qc3CJZTX38CVucJSc39vVKl2JtPfoWBXa pQ88czMYKkEqWS7ezPvx/KeR9b4v7m78rML8EyeFp/PyuSlEcGNIuySloQX4OHR0UB59 PlVe6QAOAiXPqaj9TfHO32QnfVWnqshJrl0UtXL2QGzw9NruSw1a+PKBq6Gl0J1HwwxR GBa/BFoLzsFL9jkCswAh+GTgXtLY5biyv8V+/zgKt9XUiv01xmtg9d1h/jKYCMQYcr+E 3FSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=GBNVvzhOz5+f8SgXZDRk2Os7PHbLwRvG/V3ztDHcWgs=; b=qdQVz58erihEv9rb84T+AOmanVUSAk/l60j9Pi0LONBT/SnXPvg4f3v2FYRmrpTO4c CWfqJBLWJ57R3NrVefA9yiXyRHWxQj10JtmQbDsvTlZB9OnWOn3ZKZwUkFPuunFIsn37 J8f9f67JEqHCppLr/ZQjrOubWCRlh0D2eZSBgfPFAolZefxiRYeh12iiba/+LlhMAZoT 2qGKKz+PlYk2wZ6o2eh8xFXHMzmZiX/V90JCHGuqUNiRZOaYZODFpP/WYRPxczU5i4hJ BsUIGcNJs4ridOrGANdy1NB9wUNJ9lIBXz6kZPwEIiZW3ydqL7627RH+XnmoBnbxBwDn 03cQ==
X-Gm-Message-State: AHYfb5gUVABs8V8jIERcUxF6GvC+cic/GO20pplEGgkrZbZsds+1vCoG yeCMIhoFxMZ71w==
X-Received: by 10.25.214.10 with SMTP id n10mr1419497lfg.124.1503390905453; Tue, 22 Aug 2017 01:35:05 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id w17sm56564lff.6.2017.08.22.01.35.04 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 22 Aug 2017 01:35:04 -0700 (PDT)
From: Valery Smyslov <svanru@gmail.com>
To: 'Cen Jung Tjhai' <CJT@post-quantum.com>, 'Tero Kivinen' <kivinen@iki.fi>
Cc: ipsec@ietf.org
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com> <041b01d30d21$8d33f230$a79bd690$@gmail.com> <22922.55551.190123.31763@fireball.acr.fi> <E8A3B50A-62D1-4211-B39F-932C9C959AF1@post-quantum.com>
In-Reply-To: <E8A3B50A-62D1-4211-B39F-932C9C959AF1@post-quantum.com>
Date: Tue, 22 Aug 2017 11:35:03 +0300
Message-ID: <006601d31b21$8d59ce20$a80d6a60$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJGClSbub5RkghZHKgMD6H8pOsCcwJfffzfAjQj/cMC0HHoQKFvA/cw
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nl-PLTHU-2mYW8hrDTxKSqa3o9k>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 08:35:09 -0000

Hi,

>     >>> The only reason that comes to my mind is that you don’t fully trust
>     >>> QSKE. Are there any other reasons?
> 
>     >>I think that is one of the main reasons. Especially as we do not know
>     >>which QSKE we are talking about.
> 
> Another reason for not removing KE is potentially due to FIPS requirement. According to NIST
> (http://csrc.nist.gov/groups/ST/post-quantum-crypto/faq.html#Q1), if we have a hybrid key exchange, i.e. KE
> + post-quantum KE, the KE part can still go through FIPS validation and can still be FIPS-certified (until FIPS
> covers post-quantum algorithms).

Well, that are valid reasons. However, what makes me uncomfortable is that this design looks like yet another
short-term (or medium-term) solution. We already have draft-fluhrer-qr-ikev2 that was declared as 
a temporary short-term approach to countermeasure immediate threat until cryptography science gives us 
new well-studied QC-proof primitives to replace classic public key cryptography. Now it turns out that we don't have 
primitives we are certain in (at least for key exchange), so we decide to combine several different primitives
(which we don't fully trust in) with classic DH. That's a valid approach for transition to PQ cryptography,
but it doesn't look like long-term standard solution.

What particularly makes me unhappy:
- the design looks like violation of the "gold rule" of cryptography - "don't combine several week primitives, it doesn't add 
   to security, instead use one strong primitive" (I understand that each rule has exceptions, so that's probably the case, but still)
- when (and if) workable QC appears, the classic DH exchange will provide zero security, but will still consume resources,
   that will just be wasted. And the proposed design doesn't allow to get rid of DH completely, so the resulting
   protocol will be inefficient. 

So we end up with yet another temporary solution. That's not good.

Regards,
Valery.

v2.23.0 | Report a Bug | By Email