Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

Nico Williams <> Thu, 14 April 2011 17:32 UTC

Date: Thu, 14 Apr 2011 12:32:04 -0500
From: Nico Williams <>
To: Yaron Sheffer <>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
List-Id: Security Area Directorate <>

On Thu, Apr 14, 2011 at 12:24 PM, Yaron Sheffer <> wrote:
> I am unfamiliar with SCRAM, and never claimed otherwise. I just quoted your
> own analysis during the ipsec ML discussion. *Still* not having read the
> documents, I'd like to remind you that any auth protocol over IKE is
> vulnerable to passive attackers until authentication is complete, channel
> binding or not.

Not if you encrypt the relevant bits with the session key agreed via
the KE payloads (which PACE sure does, near as I can tell, since the
"ENONCE" is sent protected by the session key: "IKE_PACE: HDR, SK{IDi,
[IDr,], SAi2, TSi, TSr, ENONCE, PKEi}").

But the protocol is vulnerable to an active attack.  If you
authenticate the responder with PKIX first then PACE would not be
vulnerable even to an active attack.  Certainly an option to be able
to authenticate the responder this way would be nice.

> We can apply random salt, not just salt with the user name, because the PACE
> "action" only starts at the *second* exchange of IKEv2. So we can piggyback
> a salt payload along with the Responder's notification that it supports the
> protocol.

Ah, good point.  SCRAM would not allow you to get that one round-trip
optimization because it'd be an abstraction violation to run its
initial round-trip in parallel with the KE exchange then add in the
channel binding in the second round-trip of SCRAM.  *This* could be a
good reason to not use SCRAM (though I won't concede that just yet),
but the points regarding salting and iteration count remain.
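To make concrete what channel binding buys in the SCRAM case discussed above, here is an added example (my own Python, not code from the draft or from anyone in this thread): the SCRAM-SHA-256 client proof per RFC 5802, with the channel-binding data assumed to be derived from the KE-derived IKE session key. A proof produced on one channel fails server-side verification when the same messages are relayed over a channel with a different key. The binding type name `ike-session-key`, the salt, nonces and session keys are constructed values.

```python
import base64
import hashlib
import hmac
import os


def salted_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 with HMAC as the PRF (SHA-256 variant here).
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auth_message(user, cnonce, snonce, salt, iterations, cbind_data: bytes) -> bytes:
    # AuthMessage = client-first-bare , server-first , client-final-without-proof
    client_first_bare = f"n={user},r={cnonce}".encode()
    server_first = (f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},"
                    f"i={iterations}").encode()
    # gs2-header "p=<type>,," announces channel binding; cbind-data is the
    # per-channel value (assumed here to come from the IKE session key).
    cbind_input = b"p=ike-session-key,," + cbind_data
    client_final_bare = b"c=" + base64.b64encode(cbind_input) + f",r={cnonce}{snonce}".encode()
    return client_first_bare + b"," + server_first + b"," + client_final_bare


def client_proof(password: bytes, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    client_key = mac(salted_password(password, salt, iterations), b"Client Key")
    return xor(client_key, mac(h(client_key), auth_msg))  # ClientKey XOR ClientSignature


def server_verify(stored_key: bytes, proof: bytes, auth_msg: bytes) -> bool:
    # The server holds only StoredKey = H(ClientKey); recover ClientKey and hash it.
    client_key = xor(proof, mac(stored_key, auth_msg))
    return hmac.compare_digest(h(client_key), stored_key)


def demo():
    salt, iterations = os.urandom(16), 4096          # chosen by the responder, sent in server-first
    password = b"correct horse"
    stored_key = h(mac(salted_password(password, salt, iterations), b"Client Key"))
    cb_a = h(b"constructed session key A")           # binding for the client's real channel
    cb_b = h(b"constructed session key B")           # binding seen on a relayed channel
    msg_a = auth_message("alice", "cnonce", "snonce", salt, iterations, cb_a)  # fixed nonces for the demo
    msg_b = auth_message("alice", "cnonce", "snonce", salt, iterations, cb_b)
    proof = client_proof(password, salt, iterations, msg_a)
    return server_verify(stored_key, proof, msg_a), server_verify(stored_key, proof, msg_b)
```

`demo()` returns `(True, False)`: the proof is accepted on the channel it was bound to and rejected on the other, which is the property the channel-binding step adds on top of the password itself.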