IETF Logo Mail Archive

Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum

David Schinazi <dschinazi@apple.com> Wed, 16 August 2017 20:40 UTC

Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2D8513233D for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 13:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EAPLvBERxBGh for <ipsec@ietfa.amsl.com>; Wed, 16 Aug 2017 13:40:46 -0700 (PDT)
Received: from mail-in24.apple.com (mail-out24.apple.com [17.171.2.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E33031326DB for <ipsec@ietf.org>; Wed, 16 Aug 2017 13:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1502916045; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=T6jxOalsyRtTz2yS7EuWBmcTmKwcam1DZa9gI4wJyek=; b=K7gn4BEC2P6GCUdU0VWCq4PSf3ZedOEEby/7frecPorv9edt+/r+sRB1drGsBHog tjk5N/zXETQYXRYfm+lJvNr74FDjxLi2N836tD4GNCQoyUDUHUXrrnxdVTdQ1OOt 37OfvTMnZ6nM+t+opDBbjDg7BtyTPRPlkV+j2pZR7WYwbHOOedbHnIUSnAD+wkp3 tV9Fe9cQiUKB9myjl0lgqs1oy0+niTSxTUWf9kOofmrRy2N2FBPiNMWdOYOfPFsO 0FZeMBvO8PXcgWNj/iHSWROUrF/c32ceUJEjeM4LPgA5RGYHLHecNp9tuMjlzQTh 8wvSLMXWi2KO6KQMNXPeXw==;
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in24.apple.com (Apple Secure Mail Relay) with SMTP id 3F.A7.25405.CCDA4995; Wed, 16 Aug 2017 13:40:45 -0700 (PDT)
X-AuditID: 11ab0218-751d39c00000633d-53-5994adcce2fb
Received: from koseret.apple.com (koseret.apple.com [17.151.62.39]) by relay6.apple.com (Apple SCV relay) with SMTP id 60.EE.03275.CCDA4995; Wed, 16 Aug 2017 13:40:44 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; CHARSET="US-ASCII"
Received: from da0602a-dhcp158.apple.com (da0602a-dhcp158.apple.com [17.226.23.158]) by koseret.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OUS002JUPFW5V70@koseret.apple.com>; Wed, 16 Aug 2017 13:40:44 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <CAO8oSXmg2eok5FRatPfP_4-BgS4Uo9e14TT_Qo1QDCT6jTEx5g@mail.gmail.com>
Date: Wed, 16 Aug 2017 13:40:40 -0700
Cc: IPsecME WG <ipsec@ietf.org>
Message-id: <3C9D7AEC-0FCF-4F31-ADF8-56907720E9B6@apple.com>
References: <776D38D0-7EEC-46DA-873D-CA1B9394E515@apple.com> <alpine.LRH.2.21.1708112112220.21721@bofh.nohats.ca> <3B9A8971-611E-4B88-9EB8-A79432D8C6CC@apple.com> <alpine.LRH.2.21.1708161226340.14400@bofh.nohats.ca> <CAO8oSXmg2eok5FRatPfP_4-BgS4Uo9e14TT_Qo1QDCT6jTEx5g@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3273)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrJLMWRmVeSWpSXmKPExsUi2FAYpXt27ZRIg5c9rBb7t7xgs3h/6xKT A5PHkiU/mTy+z2MKYIrisklJzcksSy3St0vgyug8qV1wXrJi+vtVTA2MW0W6GDk5JARMJD5t fsHcxcjFISSwhklixp/HjDCJk40NrBCJLYwSfxedYgNJ8AoISvyYfI+li5GDg1lAXuLgeVmQ MLOAlsT3R60sEPWLmST2n/zBDJIQFpCW6LpwlxXC9pSY07iaHaSXDajhwBojkDCnQLDE9zN7 mUBsFgFVie6mi+wQM+Ulev9vZIRYayPR8fUOWI2QwBImiSuPOEBsEQFFiUlnHrFA3CwrcWv2 JbBnJAQa2SR6509knsAoPAvJ2bMQzp6F5OwFjMyrGIVzEzNzdDPzjEz0EgsKclL1kvNzNzGC wno1k8QOxi+vDQ8xCnAwKvHw3pg8JVKINbGsuDL3EKM0B4uSOG+MxaRIIYH0xJLU7NTUgtSi +KLSnNTiQ4xMHJxSDYwF/UEfjnbulZ727U+b1LObJm3vvq/T2XjrpElXcr7xsop/lflTvU4K VXBdXcFyTf0Pz3YZQeH38TvYror41q4NC37O5y/QOIPfxMXANPHKk+3rTknHbcp/Elr9bFX/ tWgOTp0H1tsvFJ+7N7M9q7Blh+V1e4HrWt/mC6Zx5u+p2SMvfT/4nKwSS3FGoqEWc1FxIgBS iZHcTAIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrNLMWRmVeSWpSXmKPExsUiON1OXffM2imRBjO26Vjs3/KCzeL9rUtM DkweS5b8ZPL4Po8pgCmKyyYlNSezLLVI3y6BK6PzpHbBecmK6e9XMTUwbhXpYuTkkBAwkTjZ 2MDaxcjFISSwhVHi76JTbCAJXgFBiR+T77F0MXJwMAvISxw8LwsSZhbQkvj+qJUFon4xk8T+ kz+YQRLCAtISXRfuskLYnhJzGlezg/SyATUcWGMEEuYUCJb4fmYvE4jNIqAq0d10kR1iprxE 7/+NjBBrbSQ6vt4BqxESWMIkceURB4gtIqAoMenMIxaIm2Ulbs2+xDyBUWAWkktnIVw6C8ml CxiZVzEKFKXmJFaa6SUWFOSk6iXn525iBAVhQ2HUDsaG5VaHGAU4GJV4eCPypkQKsSaWFVfm HmKU4GBWEuHNXQEU4k1JrKxKLcqPLyrNSS0+xCjNwaIkzitXNDlSSCA9sSQ1OzW1ILUIJsvE wSnVwDir1u5QTcb3mYVJexVNrlzTVL5Zo7xu28P0k5P1ct6/DMuqlOPLavtw+dPEXfWnLtkw pjwVyRI6rPSgdYNmZmT18vVl1zJ4yw+KFAieO8j2Yr7s24ZzKaVbpz97bHyil7Pernfebd9v gotv3f6bL7uNm43dPuzkIpnOT/WyKRW6b9sOzDM2m6PEUpyRaKjFXFScCADm5wzwPgIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/yvziGNgT72-28yYe-AEuuL-1mvE>
Subject: Re: [IPsec] Privacy attack vectors against IKEv2 and Postquantum
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 20:40:48 -0000

Paul,

I understand your concerns, and I do agree with them. However, the proposal isn't meant to solve all issues - the idea is that if we're building a PPK infrastructure already, I believe this is an incremental improvement to it that solves a few more attack vectors without compromising anything.

> On Aug 16, 2017, at 09:50, Christopher Wood <christopherwood07@gmail.com> wrote:
> 
> On Wed, Aug 16, 2017 at 9:34 AM, Paul Wouters <paul@nohats.ca> wrote:
>> On Mon, 14 Aug 2017, David Schinazi wrote:
>> 
>>> [DS] I think "showing ID" is exactly what we're avoiding here. You can
>>> think of this in terms of the Socialist Millionaire Problem - we want to be
>>> able to assert identity without anyone disclosing anything first. And the
>>> proposed solution is to send a MAC without the identity of the key used to
>>> MAC. Peers can than iterate their list of peers to check the MAC against.
>> 
>> 
>> But when you are using X.509 based clients, you will have never seen the
>> cert/ID until you receive it via IKE ? So your use case is limited to
>> very static type deployments (which suffer less from this issue as they
>> tend to not move around)

On the contrary, if you were to run IPsec over point-to-point links between several mobile devices you own then you have a configuration that doesn't change much but devices that are very mobile - this allows you to have this type of configuration and ensure that there is no way for attackers to fingerprint who you are and where you go.

>> 
>>> [DS] Some security is still better than less security, you can imagine
>>> timing attacks and such but this is better than what we have today.
>> 
>> 
>> But I think we would need something a little better to make it part of
>> an RFC standard.

I'm happy to hear proposals to make this a little better. Do you have an alternative that solves these use cases?

>>> [DS] I was initially going to make this a separate proposal that only
>>> involved a pre shared key and SA_INIT MAC, but it was pointed out to me that
>>> once you have that might as well include the benefits of PPK. If you know of
>>> a way to solve the described privacy attack vectors without a pre shared key
>>> and without adding round trips, I'm interested - I couldn't come up with one
>>> myself.
>> 
>> 
>> A PreSharedKey based solution is also very limiting, and people should
>> be migrating away from PSK in favour of RSA/ECC based solutions :P
> 
> David's original email suggested that this technique was enabled by
> (and perhaps constrained to) draft-fluhrer-qr-ikev2, which assumes the
> existence of a long-term PPK.
> 
>> I understand your use case (prevent blocking of hidden IKE over TCP/TLS
>> servers) but it might not be a use case the IETF can solve. From an
>> IETF perspective, the way to solve this would be to IPsec everything,
>> so that blocking based on ESP visibility becomes impossible. Which
>> is why I'd like to see more Opportunistic IPsec.

I don't see how adding a MAC in an extension data field is something the IETF can't handle. I'm being realistic here, and have an actual problem to solve. Are you telling me to go build and deploy my own proprietary solution instead of working with the IETF?

David

v2.23.0 | Report a Bug | By Email