On Tue, 23 Feb 2016, Tero Kivinen wrote:

> The fact that IKEv1 stirred the preshared keys when generating the
> keying material for the IKE SA encryption etc. keys was the reason that
> Main mode of IKEv1 cannot be used in the general case.
>
> I.e. as in IKEv1 when using main mode and preshared keys the responder
> needs to know the identity of the initiator based solely on the
> IP-address, as it cannot decrypt the Identity payload before it knows
> the pre-shared keys.
>
> This "feature" of the protocol is really bad, and we should not copy
> anything like that to IKEv2.

It was solved in, for instance, the GSSAPI drafts, by sending the ID in
the first packet exchange, and mixing it into the SKEYSEED to avoid
MITM token/id passing. So it _can_ be done but it does reveal the
IDs in the clear unless this is done in an AUTH roundtrip to add
protection against passive attackers at the expense of one roundtrip.

> I.e. in addition to the g^ir (new) and nonces, we can add the PPK
> there:
>
> KEYMAT = prf+(SK_d, PPK | Ni | Nr)
>
> KEYMAT = prf+(SK_d, PPK | g^ir (new) | Ni | Nr)

So devil's advocate here. Haven't we just reduced all of IKE to a
convoluted one time pad scheme?

Paul
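The two KEYMAT formulas quoted in the message above, worked through in code. This is an added example, not code from either poster or from any IKE implementation: it implements the prf+ expansion of RFC 7296 section 2.13 over HMAC-SHA256 and derives Child SA KEYMAT with and without a PPK, with and without a new g^ir. All key, nonce and PPK values are constructed sample bytes; the function names (prf, prf_plus, child_sa_keymat) are this example's own. What it shows is that the PPK enters only as part of the prf+ seed keyed by SK_d, so an observer who holds everything except the PPK derives unrelated keying material, and that a responder using a different PPK than the initiator simply ends up with different KEYMAT rather than a detectable error at this step.

```python
import hmac
import hashlib

PRF_OUT = 32  # output size of HMAC-SHA256 (PRF_HMAC_SHA2_256)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf(K, S) instantiated as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
       T1 = prf(K, S | 0x01)
       Tn = prf(K, T(n-1) | S | n)      for n = 2..255
       prf+(K, S) = T1 | T2 | T3 | ...  truncated to the requested length."""
    if length > 255 * PRF_OUT:
        raise ValueError("prf+ is limited to 255 blocks of output")
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int,
                    ppk: bytes = b"", g_ir_new: bytes = b"") -> bytes:
    """Child SA KEYMAT as quoted in the message:
         KEYMAT = prf+(SK_d, PPK | Ni | Nr)
         KEYMAT = prf+(SK_d, PPK | g^ir (new) | Ni | Nr)
       With ppk and g_ir_new both empty this collapses to the plain
       RFC 7296 section 2.17 derivation prf+(SK_d, Ni | Nr)."""
    return prf_plus(sk_d, ppk + g_ir_new + ni + nr, length)


# Constructed sample values; real values come from the IKE_SA_INIT exchange.
SK_D = bytes.fromhex("00" * 16 + "11" * 16)   # SK_d from the IKE SA
NI = b"\xa1" * 32                              # initiator nonce
NR = b"\xb2" * 32                              # responder nonce
PPK = b"example-post-quantum-preshared-key"    # out-of-band PPK
G_IR_NEW = b"\xc3" * 64                        # fresh DH secret (PFS rekey)

# Enough KEYMAT for one ESP direction with a 32-byte key.
KEYMAT_LEN = 2 * 32


def derive_all() -> dict:
    """Returns the four derivations side by side so the effect of the
       PPK (and of a fresh DH secret) on the output can be compared."""
    return {
        "plain": child_sa_keymat(SK_D, NI, NR, KEYMAT_LEN),
        "ppk": child_sa_keymat(SK_D, NI, NR, KEYMAT_LEN, ppk=PPK),
        "ppk_dh": child_sa_keymat(SK_D, NI, NR, KEYMAT_LEN,
                                  ppk=PPK, g_ir_new=G_IR_NEW),
        # A peer holding a different PPK derives unrelated material.
        "wrong_ppk": child_sa_keymat(SK_D, NI, NR, KEYMAT_LEN,
                                     ppk=b"some-other-ppk"),
    }


if __name__ == "__main__":
    for name, km in derive_all().items():
        print(f"{name:10s} {km.hex()}")
```

The seed order follows the quoted formulas exactly (PPK first, then the new g^ir, then the nonces); the split of KEYMAT into per-direction keys is the usual RFC 7296 section 2.17 ordering and is left to the caller.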

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
