> -----Original Message-----
> From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Valery Smyslov
> Sent: Thursday, August 20, 2015 3:24 AM
> To: Mike Borza; Michael Richardson; Dan Harkins
> Cc: IPsecME WG
> Subject: Re: [IPsec] PSK mode
> 
> Hi,
> 
> IKEv2 has a symmetric PSK authentication method. However, it is different
> from IKEv1.
> The difference is that in IKEv1 the session keys computation involves both
> preshared key and DH shared secret
> 
> SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
> SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
> SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
> SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
> 
> while in IKEv2 it involves only DH shared secret, so preshared key is used for
> authentication only and is not used for session keys calculations
> 
> SKEYSEED = prf(Ni | Nr, g^ir)
> {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
> 
> This change was intentional; it was made by Hugo Krawczyk during work on
> IKEv2 due to complaints from the community that if the IKEv1 PSK auth mode
> was used in IKEv2 then it would be impossible for the responder to select the proper
> preshared secret based on the initiator's identity (like in IKEv1 Main Mode). As
> far as I remember, when making this change Hugo mentioned that it would
> weaken the security of the protocol.
> 
> Does NSA mean this difference when claiming that IKEv1 PSK mode is the
> only QC-safe protocol?

I believe so.

> Should we add similar mode to IKEv2?

I believe that there is an easier alternative; the problem is that IKEv2 is 
relying on the security of the (EC)DH exchange, and that is breakable with a 
Quantum Computer.  A cleaner approach would be to replace the DH exchange with 
something that does the same functionality, but in a Quantum Resistant manner.  
NTRU (using an ephemeral key) can do precisely this (and performs quickly 
enough, and with small enough KE payloads not to cause fragmentation); we could 
negotiate NTRU as "yet another 'DH group'".  That way, we don't need to have 
this as a separate option to be negotiated. 

> 
> Regards,
> Valery Smyslov.
> 
> 
> 
> > They don't mention IKEv2.  I don't know IKEv2 well enough to know
> > whether there are any symmetric PSK authentication schemes, but if not,
> > perhaps there should be.
> > The point they're making is that the ECC-based authentication methods
> > become insecure when quantum computers of sufficient power become
> > available, and in light of recent progress in the field the indications are
> > that they will become available in a reasonably short timeframe.
> > (And they should know that timeframe better than just about anybody
> > else.) I view this as an indication that they believe there may be
> > viable QCs of that capability in the five to ten years timeframe.
> >
> > Mike
> >
> > -----Original Message-----
> > From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Michael
> > Richardson
> > Sent: Wednesday, August 19, 2015 13:17
> > To: Dan Harkins <dhark...@lounge.org>
> > Cc: IPsecME WG <ipsec@ietf.org>
> > Subject: Re: [IPsec] PSK mode
> >
> >
> > Dan Harkins <dhark...@lounge.org> wrote:
> >    > https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
> >
> >    > "CSfC deployments involving an IKE/IPsec layer may use RFC
> >    > 2409-conformant implementations of the IKE standard (IKEv1)
> >    > together with large, high-entropy, pre-shared keys and the
> >    > AES-256 encryption algorithm.  RFC 2409 is the only version
> >    > of the IKE standard that leverages symmetric pre-shared keys
> >    > in a manner that may achieve quantum resistant confidentiality."
> >
> > So, all of IKEv2 is out, according to them?
> > Or they just didn't consider it yet?
> >
> > --
> > Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> > -= IPv6 IoT consulting =-
> >
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> 


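The key-derivation difference Valery quotes above, worked through as an added example that is not code from this thread or from any IKE implementation. It takes the two formula sets at face value and models the consequence the reply discusses: a passive observer who later learns the (EC)DH shared secret (say, through a quantum break of the group) can recompute every IKEv2 SK_* value from public exchange data, while the IKEv1 PSK-mode keys stay out of reach without the pre-shared key. Assumptions: HMAC-SHA256 stands in for the negotiated prf, every SK_* is taken as 32 bytes, prf+ follows RFC 7296 section 2.13, and all nonces, SPIs/cookies, the PSK and the g^xy value are constructed sample bytes.

```python
import hashlib
import hmac

# PRF choice is an assumption for this example; real IKE negotiates it.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# prf+ from RFC 7296 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n).
def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]

# IKEv1 (RFC 2409) pre-shared-key derivation as quoted in the thread: the PSK seeds
# SKEYID, and every further key is derived from SKEYID as well as g^xy.
def ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r):
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

# IKEv2 (RFC 7296) derivation as quoted in the thread: only nonces, g^ir and SPIs go in.
# The PSK is used for the AUTH payload, which plays no part in this keying computation.
KEY_LEN = 32  # assumption: each SK_* is 32 bytes; real lengths depend on negotiated algorithms

def ikev2_keys(ni, nr, gir, spi_i, spi_r):
    skeyseed = prf(ni + nr, gir)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(names))
    return {name: keymat[i * KEY_LEN:(i + 1) * KEY_LEN] for i, name in enumerate(names)}

# Constructed sample exchange values (not taken from any real capture).
NI = b"initiator-nonce-0000000000000000"
NR = b"responder-nonce-0000000000000000"
SPI_I, SPI_R = b"\x11" * 8, b"\x22" * 8   # IKEv2 SPIs / IKEv1 cookies, 8 bytes each
SHARED_DH = b"constructed g^xy value, 32 bytes"  # what a DH break would hand an observer
PSK = b"large high-entropy pre-shared key, never sent on the wire"

def dh_break_recovers_keys():
    """Model a passive observer who has learned g^xy and every public exchange value,
    but not the PSK. Returns (ikev2_keys_recovered, ikev1_keys_recovered)."""
    real_v2 = ikev2_keys(NI, NR, SHARED_DH, SPI_I, SPI_R)
    real_v1 = ikev1_psk_keys(PSK, NI, NR, SHARED_DH, SPI_I, SPI_R)
    # The observer recomputes from public values; for IKEv1 it has no PSK to supply,
    # so the best it can do is run the derivation with an empty key.
    observer_v2 = ikev2_keys(NI, NR, SHARED_DH, SPI_I, SPI_R)
    observer_v1 = ikev1_psk_keys(b"", NI, NR, SHARED_DH, SPI_I, SPI_R)
    return (observer_v2 == real_v2, observer_v1 == real_v1)

if __name__ == "__main__":
    v2, v1 = dh_break_recovers_keys()
    print("IKEv2 session keys recovered from g^ir plus public data:", v2)
    print("IKEv1 PSK-mode keys recovered without the PSK:", v1)
```

The contrast is the whole point of the thread: in IKEv2 the PSK authenticates the peers but never enters SKEYSEED, so confidentiality rests entirely on the hardness of recovering g^ir; in IKEv1 PSK mode the same observer still faces a prf keyed with a secret it never saw. Replacing the DH group with a quantum-resistant key exchange, as the reply proposes, closes the gap on the IKEv2 side by making g^ir itself unrecoverable rather than by mixing the PSK back in.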