IETF Logo Mail Archive

Re: [IPsec] Alternative Approach for Postquantum Preshared Keys in IKEv2

Paul Wouters <paul@nohats.ca> Tue, 03 December 2019 18:34 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E1431201E5 for <ipsec@ietfa.amsl.com>; Tue, 3 Dec 2019 10:34:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mZl00B8KWzbI for <ipsec@ietfa.amsl.com>; Tue, 3 Dec 2019 10:34:30 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4258412010D for <ipsec@ietf.org>; Tue, 3 Dec 2019 10:34:30 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 47S9cf4Pn1zF4Y; Tue, 3 Dec 2019 19:34:26 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1575398066; bh=ApZgO3njPq/wD0Es8Y2lzXJeeSrfbhIJlKj+2agU8Hk=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=uREaehFoyClZIkSMGKe9HHsn85+RNC0i6JMHsP5pZ13Gl8Ggrmm/8WczsCsThAqFP 4EPghOBxXJV1R7K5o/BjOzCfGJ5AaZCYuCz4JHP3j62fw1eJML292Hl4s89cI5BHUM aFSJC8cjYB/ExVUpo8zBpgXgLDYohPYu0WXysu4E=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id gxbZ6InDDjc1; Tue, 3 Dec 2019 19:34:24 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 3 Dec 2019 19:34:24 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 91AA960015B8; Tue, 3 Dec 2019 13:34:23 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8DCA3308EB; Tue, 3 Dec 2019 13:34:23 -0500 (EST)
Date: Tue, 03 Dec 2019 13:34:23 -0500
From: Paul Wouters <paul@nohats.ca>
To: Valery Smyslov <smyslov.ietf@gmail.com>
cc: IPsecME WG <ipsec@ietf.org>
In-Reply-To: <036d01d5a5c5$d301f980$7905ec80$@gmail.com>
Message-ID: <alpine.LRH.2.21.1912031305330.13739@bofh.nohats.ca>
References: <036d01d5a5c5$d301f980$7905ec80$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/shHR9NmARzaLddBZ6eRgVhThcPg>
Subject: Re: [IPsec] Alternative Approach for Postquantum Preshared Keys in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 18:34:33 -0000

On Thu, 28 Nov 2019, Valery Smyslov wrote:

> some time ago I've posted a new draft "An Alternative Approach for Postquantum Preshared Keys in IKEv2".

> AS you all know we have "Postquantum Preshared Keys for IKEv2" (draft-ietf-ipsecme-qr-ikev2) draft
> that is already in Publication Requested state. This draft defines a mechanism to achieve PQ security
> by means of additional Preshared Key (PPK) that is mixed up in IKE SA keys calculation.
> This approach is believed to be a temporary solution until new PK KE primitives are standardized.

Yes, PPK is for use with non-PQ algorithms as a stop-gap meassure until
we have PQ algorithms/exchanges. But that means ideally that if or when
IKE_INTERMEDIATE is used, we are using PQ-safe algorithms and PPK's are
not used anymore.  We might also end up with something PA-safe that does
not require IKE_INTERMEDIATE.

> The problem is that in the "Group Key Management using IKEv2" (draft-yeung-g-ikev2),
> that is just adopted as a WG document, the responder (Group Controller / Key Server)
> transfers session keys to the initiator (Group Member) immediately once IKE SA between
> them is created. Obviously, keys are sensitive information and they are not protected
> by PPK in this case. The workaround suggested in draft-yeung-g-ikev2-16 is to perform
> quite long series of exchanges (consuming more resources) to postpone session
> keys transfer until the initial SA is rekeyed.

Understood.

> The draft "An Alternative Approach for Postquantum Preshared Keys in IKEv2" proposes
> an alternative approach for using PPK by utilizing the IKE_INTERMEDIATE exchange,
> in which PPK IDs are exchanged. This allows an initial IKE SA to be secure
> against QC, that would substantially simplify G-IKEv2 implementation if PQ security
> using PPK is needed.

Wouldn't this introduce the same bad error handling in IKE_INTERMEDIATE
we had in IKEv1 of getting unreadable messages?

> This alternative approach can also be used in regular IKEv2. Compared
> with draft-ietf-ipsecme-qr-ikev2 it has few advantages and a single
> drawback - it requires an additional exchange for IKE SA to set up.

That is likely less problematic than the PPK management involved? And
presumable this goes away when we have PQ-safe algorithms, so it is only
a temporary extra round trip? (still hoping that the new PQ-safe stuff
does not require the IKE_INTERMEDIATE exchange :)

> However, if IKE_INTERMEDIATE is used for some other (not yet defined)
> purposes too, the PPK IDs can be piggybacked and thus having no such penalty
> as an extra exchange.

But ideally, neither PPK or IKE_INTERMEDIATE would be needed for PQ-safe exchanges :P

> Comments, reviews, opinions are very welcome.
> Is it worth to adopt this draft as a WG document?

There is also another solution to your original problem: require PQ-safe
algorithms for Group SA's that need to be PQ-safe and don't use PPKs
at all. Since PPK's are a "stop gap" method meant for existing things,
and group SA's are still being designed, developed and implemented,
by the time the group sa work is done, we might already have PQ-safe
exchanges so PPK is no longer needed.

I'd be tempted to wait a bit for now before we do too much work that
ends up not being needed. I suspect most implementors would wait as
well anyway.

specific comments on the draft:

I don't like returning AUTHENTICATION_FAILED outside of IKE_AUTH as
proposed in your document. Since the only thing that could possibly
cause that is PPK failure, you might as well return a new error
that clearly states that (eg the original IKEv2 assumption to hide
presenting too much info by returning AUTHENTICATION_FAILED in many
cases does not apply here)

    If using PPK is optional for the responder, then she returns the
    empty PPK_IDENTITY notification, thus informing the initiator that
    the IKE SA can be created only without using PPK.

This is a strange concept of "optional" :)

Another issue I see is with connection selection and PPK selection.
At the IKE_INTERMEDIATE exchange, we don't know yet which connection
this will map to, as we haven't seen the AUTH payload nor the IDr
payload. So I think you would at the minimum need to also send the
IDr payload if you are sending a PPK payload. Or you need to overload
or derive this information from the supplied PPK_ID. I feel this might
cause operational problems.

For computing the IKE SA keys, I would prefer to leave this method as
unchanged as possible. Adding PPK mixing into the prf+ differently
from the standard one will make the code more complex. Isn't it enough
to make the PPK part of SKEYSEED? Why do we need to use this from the
additional prf+ calls as well?

Paul
Paul

v2.23.0 | Report a Bug | By Email