Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

Nico Williams <> Thu, 14 April 2011 15:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A2AF5E08B9 for <>; Thu, 14 Apr 2011 08:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[AWL=0.091, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ag3gIKOgb2ER for <>; Thu, 14 Apr 2011 08:39:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id AA8F6E08B1 for <>; Thu, 14 Apr 2011 08:39:32 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id E239967809B for <>; Thu, 14 Apr 2011 08:39:18 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws;; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; q=dns;; b=LJLW+NsP5CCaR8X4GN7Em KbqZD3cOdbMrI6ZACu+H1peGilyJPZazbzppLDIbIcscjEwpval5Scz2e2TjT+AZ bZbuyW7Teu8Zh4NwDaaAYaeSp6h+im8IS5kTAW0nFbsaWeZ5yZlr4tfhwZ+YyjgT /TFEXM5fJqtR3K3c9FsH8c=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type;; bh=95BwcV46u8R6y8YHWe79 I/sXtWM=; b=YLx+tDusuM8j0WKunj/AtjorSgqqCKkA7BAfS/gTE9tBtyQ7bCQj SwgPK1i/1He+fH2p1CENI9zKmJeff9JUCWuX+S3Ol3vNlMhy9sTTnnGY0B0FX/lZ rTZhHRiVafKTIDzccMjnBMlFlddsg71ygiLTkISyUR+tfn8AxPlVHdg=
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id F2BB4678056 for <>; Thu, 14 Apr 2011 08:38:33 -0700 (PDT)
Received: by vxg33 with SMTP id 33so1744715vxg.31 for <>; Thu, 14 Apr 2011 08:38:32 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id l2mr1378005vdv.14.1302795512720; Thu, 14 Apr 2011 08:38:32 -0700 (PDT)
Received: by with HTTP; Thu, 14 Apr 2011 08:38:32 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Thu, 14 Apr 2011 10:38:32 -0500
Message-ID: <>
From: Nico Williams <>
To: Yaron Sheffer <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>, "" <>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Apr 2011 15:39:33 -0000

[Resend.  Forgot to reply-all.]

On Thu, Apr 14, 2011 at 2:04 AM, Yaron Sheffer <> wrote:
> This document was published on the ipsecme list. During Last Call we
> received comments form Dan Harkins, who is certainly "an expert in
> authentication protocols."
> The cryptographic part (PACE) has been published in the past, both as an
> academic paper and as a component of another standard. Both are referenced
> in the draft.

PACE does not use a standard PBKDF.  That's not necessarily a problem,
of course, but it could be.  There's no iteration count, for example,
in the SPwd nor KPwd derivations (an iteration count belongs in the
SPwd derivation, if anything).  Nor is there any password salting(!),
nor any discussion regarding the absence of salting.  The lack of
salting should be considered fatal, IMO.  The lack of an iteration
count is less significant, but I'd still rather see an iteration
count.  Note that negotiating a salt and iteration count requires an
extra round-trip.  And note that iteration count negotiation has
security considerations.

Of course, PACE is targeting Experimental... do we care about
cryptographic issues in Experimental RFCs?  I'd say we should, though
less so than for Standards Track RFCs since we can only spare so much

I'm rather disappointed to see this wheel reinvented.  SCRAM (RFC5802)
would fit right in instead of PACE, for example, and has the same
kinds of properties as PACE, but with a number of advantages over PACE
(SCRAM is on the Standards Track, received much more review, uses a
PBKDF with salt and iteration count, is implemented, is reusable in
many contexts, does channel binding, there's an LDAP schema for
storing SCRAM password verifiers, ...).

We, secdir, should be encouraging wheel reuse wherever possible over
wheel reinvention.