Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

Nico Williams <> Thu, 14 April 2011 18:44 UTC

Date: Thu, 14 Apr 2011 13:44:09 -0500
From: Nico Williams <>
To: Yaron Sheffer <>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

On Thu, Apr 14, 2011 at 1:25 PM, Yaron Sheffer <> wrote:
> ENONCE in and of itself is not vulnerable to an off-line dictionary attack
> because the password encrypts a random bit string, and we take care that
> there is no stray entropy (padding, MAC) that such an attacker could use.

But the ENONCE paired with the AUTH payloads is subject to off-line
dictionary attacks (the attacker will have to have impersonated the
responder in order to obtain the necessary material).

> As to the bigger question of why the protocol as a whole is not vulnerable
> to the attack, you will have to follow the proof in the paper (or maybe just
> ask my coauthor).

It sounds like you're asserting that PACE is a ZKPP.  Is that right?

> And regarding the usage scenario: the primary scenario is password-based
> machine-to-machine authentication. Yes, sysadmins are human (in most cases
> :-) and they tend to use short passwords for machine auth, much more often
> than we would have liked.

You might want to clarify this in the abstract and introduction then.
But even so, as long as the passwords are human memorable and the
mechanism is not a ZKPP, then my other comments stand.  However, if
this is really for machine authentication then I'll be happy with text
exhorting admins to pick good passwords.

> There is a secondary use case that's the usual human-to-server auth, where
> the peers are too lazy to use EAP. I'm questioning whether this scenario is
> interesting enough to add a salted "mode" into the protocol.

Fair enough.
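The exchange above turns on one property: a password-encrypted random nonce with no padding or MAC gives an offline guesser nothing to check, but once a payload keyed by that nonce (the AUTH payload) is also in hand, every candidate password can be tested. The following is an added illustration, not code from the draft, the paper or anyone in this thread; the XOR keystream, the HMAC-based AUTH stand-in, the transcript bytes and the candidate list are all constructed toys chosen so the script runs offline with the standard library only. It models the review question a protocol designer asks of such a construction: does the material a (responder-impersonating) peer could collect yield a password-test oracle?

```python
import hashlib
import hmac
import os

NONCE_LEN = 32  # constructed: size of the random nonce carried in ENONCE


def _keystream(password: str, length: int) -> bytes:
    """Constructed password-derived keystream standing in for the
    password-keyed cipher that produces ENONCE (not the draft's KDF)."""
    key = hashlib.sha256(password.encode()).digest()
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_nonce(password: str, nonce: bytes) -> bytes:
    """ENONCE: nonce XOR keystream. No padding and no MAC, so the ciphertext
    carries no redundancy that would distinguish a right key from a wrong one."""
    ks = _keystream(password, len(nonce))
    return bytes(a ^ b for a, b in zip(nonce, ks))


decrypt_nonce = encrypt_nonce  # XOR is its own inverse


def auth_payload(nonce: bytes, transcript: bytes) -> bytes:
    """Constructed stand-in for an AUTH payload keyed by the decrypted nonce."""
    return hmac.new(nonce, transcript, hashlib.sha256).digest()


def enonce_only_rejects(enonce: bytes, candidate: str) -> bool:
    """Can ENONCE by itself rule out a candidate password? Decryption under
    any candidate yields NONCE_LEN bytes with no structure to verify, so the
    only checkable property is the length, and every candidate passes it."""
    guess = decrypt_nonce(candidate, enonce)
    return len(guess) != NONCE_LEN


def enonce_plus_auth_rejects(enonce: bytes, auth: bytes,
                             transcript: bytes, candidate: str) -> bool:
    """With the AUTH payload available, a candidate password gives a candidate
    nonce, which gives a candidate AUTH that can be compared to the real one:
    that comparison is the offline oracle the thread is discussing."""
    guess = decrypt_nonce(candidate, enonce)
    return not hmac.compare_digest(auth_payload(guess, transcript), auth)


def count_rejected(password: str, candidates, with_auth: bool,
                   nonce: bytes = None,
                   transcript: bytes = b"constructed IKE_SA_INIT transcript") -> int:
    """Simulate one protocol run and count how many candidate passwords the
    collected material lets a reviewer rule out. A deterministic nonce may be
    passed for reproducibility; otherwise a fresh random one is drawn."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enonce = encrypt_nonce(password, nonce)
    auth = auth_payload(nonce, transcript)
    rejected = 0
    for cand in candidates:
        if with_auth:
            rejected += enonce_plus_auth_rejects(enonce, auth, transcript, cand)
        else:
            rejected += enonce_only_rejects(enonce, cand)
    return rejected


# Constructed candidate list for the demonstration; the real password is in it.
CANDIDATES = ["password", "letmein", "hunter2", "correct horse", "admin"]

if __name__ == "__main__":
    print("ENONCE only, candidates ruled out:",
          count_rejected("hunter2", CANDIDATES, with_auth=False))   # 0
    print("ENONCE + AUTH, candidates ruled out:",
          count_rejected("hunter2", CANDIDATES, with_auth=True))    # 4
```

Run stand-alone, the first count is always 0 regardless of the candidate list, which is the sense in which ENONCE "in and of itself" leaks nothing; the second count is every wrong candidate, which is why the strength of the password (or a zero-knowledge property of the full protocol, the ZKPP question raised above) is what decides whether the combined material is safe to expose.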