IETF Logo Mail Archive

Re: [IPsec] Proposed method to achieve quantum resistant IKEv2

Cen Jung Tjhai <CJT@post-quantum.com> Sat, 05 August 2017 21:29 UTC

Return-Path: <CJT@post-quantum.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07926120720 for <ipsec@ietfa.amsl.com>; Sat, 5 Aug 2017 14:29:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1Ec7Tp_3lPs for <ipsec@ietfa.amsl.com>; Sat, 5 Aug 2017 14:29:27 -0700 (PDT)
Received: from relay.ezis.com (relay.ezis.com [5.153.73.19]) by ietfa.amsl.com (Postfix) with ESMTP id F1B5A12700F for <ipsec@ietf.org>; Sat, 5 Aug 2017 14:29:25 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.41,328,1498518000"; d="scan'208";a="2191513"
Received: from unknown (HELO pqex01.post-quantum.com) ([192.168.142.3]) by ironport.ezis.com with ESMTP; 05 Aug 2017 22:29:25 +0100
Received: from PQEX02.post-quantum.com (192.168.142.18) by PQEX01.post-quantum.com (192.168.142.3) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sat, 5 Aug 2017 22:29:22 +0100
Received: from PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3]) by PQEX02.post-quantum.com ([fe80::f470:9812:e4eb:5bd3%13]) with mapi id 15.00.1320.000; Sat, 5 Aug 2017 22:29:22 +0100
From: Cen Jung Tjhai <CJT@post-quantum.com>
To: Paul Wouters <paul@nohats.ca>
CC: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Proposed method to achieve quantum resistant IKEv2
Thread-Index: AQHTDE+mPH5PNqQgTkK9LOvm4SvL2qJyu5KAgAOD6bc=
Date: Sat, 05 Aug 2017 21:29:22 +0000
Message-ID: <1501968563280.70665@post-quantum.com>
References: <BBEB2C9C-9B96-4C6C-BB9B-4415F096FAE1@cisco.com>, <alpine.LRH.2.21.1708031149180.11277@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1708031149180.11277@bofh.nohats.ca>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [90.200.167.13]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yCVWn6r4UIiVPLcmnfGLeohYCt0>
Subject: Re: [IPsec] Proposed method to achieve quantum resistant IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Aug 2017 21:29:33 -0000

Hi Paul,

>>> 4.      The large quantum resistant ‘blob’ of data is only sent when it is known that the peer will accept this.

>>I don't understand this? You mean known by preconfiguration? That would
>>make migration really difficult and introduce a flag day. It would also
>>not be true for Opportunistic IPsec, where there is no preconfiguration
>>between peers.

It's not pre-configuration, but negotiated via a notify payload (QSKE Notify) that is sent in IKE_SA_INIT. 

>>> 7.      With regards to fragmentation attacks, the use of fragmentation in this idea has the same security as of
>>> RFC7383. Whereby an attacker that reveals her true IP address can send multiple fragments, but not the >>>complex chain.

>>I'm not sure how that can be, if it is the IKE_INIT that is getting
>>fragmented.

It's not entire IKE_SA_INIT message that is fragmented. The fragmentation only applies to post-quantum public data, where almost all of them has payload size larger than 1KB. Furthermore, there is a known type of post-quantum algorithm whose payload size is larger than 64KB and there could be more in the future. We think by fragmenting the payload in this way, it is possible to support this kind of algorithm.

>>> For devices that are operating in a mesh network, where many devices have multiple peers, where peers are using
>>> varying QSKE groups. In these instances the QSKE that is preferred by the Initiator might not be available or
>>> preferred on the Responder. To overcome scenarios where the Initiator will send a QSKE which is large in size and not
>>> supported by the Responder, (therefore wasting time and resource), the QSKE Notify payload can be used to query the
>>> responder to determine the supported security association attributes. The QSKE Notify payload is sent by the
>>> Initiator, which also excludes the QSKE payload (however a single KE payload should be included for backwards
>>> compatibility). If the Responder supports the QSKE notify payload it replies with the accepted security associations

>>Isn't this all unsafe against downgrade attacks?

If a peer declares support of post-quantum algorithm with QSKE Notify payload, but not sending the post-quantum blob, the other peer shall reject the connection. On the other hand, for backward compatibility, it is up to the initiator to set the fallback policy; does it allow standard SAs or only post-quantum SAs are supported. 

>>> For implementations that do not support the use of the QSKE, the QSKE Notify payload will be ignored and the IKEv2
>>> exchange will continue as per RFC7296.

>>What prevents an attacker from stripping out the QSKE Notify payload in
>>the IKE_INIT request?

If QSKE Notify payload is stripped, the peers won't be able to negotiate post-quantum algorithm for key-exchange, hence it depends on the configured fallback policy. 

>>> The QSKE is nearly identical to the KE payload, however the Fragment bit identifies if the receiver should handle
>>> this in a different manner to the KE payload. The KE and QSKE are negotiated/advertised using the transform type 4
>>> (Diffie Hellman groups).  By including the QSKE in the same transform type 4 as classic DH allows for minimal
>>> configuration changes for current implementations when configuring both DH and QSKE Groups.

>>Can this not be abused for an amplification attack by sending a really
>>small QSKE payload and causing the responder to send back a large QSKE
payload in multiple fragments?

In general, QSKE payloads sent by the initiator and responder are of pretty much of equal size. It is possible for an malicious initiator to send a small QSKE payload and expecting the responder to return large multiple fragments QSKE payload. In order to combat, the responder could employ existing mechanisms to minimise the impact of this attack, for example using COOKIE or for more sophisticated attacks, RFC8019. 


>>Why would the responder reply to two group suggestions with QSKE payloads?
>>Normally in IKEv2, the initiator sends a list of proposals/options, and
>>the responder picks one from it.

In order to support "crypto-agility", which allows peers to have flexibility in selecting cipher suites. In this way, peers are able to select a DH combined with multiple post-quantum algorithms. We are not sure how important this feature is, but it would be a great idea to get opinions from the group.

>>> As three groups were used, the keymat is generated with the combination of the output from the three public values.

>>How did the initiator signal support for all groups _and_ support for
>>combining them? What is gained by combining multiple groups?

The signalling is done via QKSE notify. I appreciate that we have not yet described how this work on the text.

Best regards,
CJ

v2.23.0 | Report a Bug | By Email