[secdir] secdir review of draft-harkins-ipsecme-spsk-auth-03

Richard L. Barnes <rbarnes@bbn.com> Wed, 20 April 2011 18:55 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost []) by ietfc.amsl.com (Postfix) with ESMTP id 08494E067D; Wed, 20 Apr 2011 11:55:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfc.amsl.com []) (amavisd-new, port 10024) with ESMTP id 66GpC2A1z9jz; Wed, 20 Apr 2011 11:55:35 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com []) by ietfc.amsl.com (Postfix) with ESMTP id 80206E066B; Wed, 20 Apr 2011 11:55:35 -0700 (PDT)
Received: from [] (port=55636 helo=col-dhcp-192-1-255-191.bbn.com) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1QCcYp-000Phk-8j; Wed, 20 Apr 2011 14:55:35 -0400
From: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 20 Apr 2011 14:55:33 -0400
Message-Id: <1E5F005F-8CC3-41B9-B860-A36ABA95E708@bbn.com>
To: secdir@ietf.org, The IESG <iesg-secretary@ietf.org>, draft-harkins-ipsecme-spsk-auth@tools.ietf.org
Mime-Version: 1.0 (Apple Message framework v1082)
X-Mailer: Apple Mail (2.1082)
Subject: [secdir] secdir review of draft-harkins-ipsecme-spsk-auth-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2011 18:55:36 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines a new mechanism for using pre-shared keys for IPsec authentication in IKE, in a way that addresses some vulnerabilities of the current mechanism.

I am not a cryptographer, but the cryptographic protocol described in this document seems basically sound, and its security properties are explained well in the Security Considerations.

A question and couple of minor comments follow.

Question: I haven't thought deeply about it, but it's not clear to me what the advantage is over this cryptographic protocol vs. the SRP protocol that has been used for TLS [RFC5054], besides the fact that SRP requires a user "identity" in addition to a password.

Minor: There appears to be a typo at the top of Page 7.  It seems that the equation should be as follows:
scalar-op(x,Y) = element-op(Y, scalar-op(x-1), Y)), for x > 1
Also, for completeness, you might note that scalar-op(0,Y) is the identity element of the group.

Minor: It might be helpful to mention somewhere that scalars are always non-negative integers.