Hi Scott,
please see inline.
ppk_indicator = PRF(PRF(ppk, "A"), ppk_indicator_input)
This proposal has the following advantages.
1. Reusing existing IKEv2 registry
2. Better interoperability, since the PRF transform is mandatory in the SA
payload
in IKEv2 and the responder can always be sure that the chosen PRF is
supported
by the initiator. With the current proposal the situation is possible when
the initiator includes, for example, only AEAD transforms in SA payload.
In this case even AEAD transform is (for example) AES based, there is no
guarantee
that plain AES encryption is also supported by the initiator.
3. The current PPK Indicator Algorithm field combines 2 algorithms - encryption
and prf.
Actually, it doesn’t – it only implements the “PPK hint” algorithm.
I meant that in your proposal the “PPK hint” algorithm uses two
crypto primitives – a cipher (AES) and a prf (HMAC_SHA256).
I’d rather get rid of cipher and redefine the “PPK hint” algorithm
using sole prf (as shown above). Why do I want this?
Because it would allow to reuse an existing IKEv2 registry
that defines Transforms of Type PRF. Why is it important for me?
Currently you defined the only value for “PPK hint” algorithm -
AES256+HMAC_SHA256. If additional values are defined, then
the responder will have to decide what algorithm to choose
talking with particular initiator. One (and probably the most important)
of selection criterias is the following: the algorithm must be mutually
supported
by the initiator and the responder. In your current proposal there is no
explicit
indication from the initiator which algorithms it supports and the responder
will need to use a heuristics (for example, if the initiator proposes using
AES-GCM for an encryption, does it mean that AES-ECB is also supported?
It may sound silly, but I can imagine the situation when AES-GCM is
supported, while AES-ECB – not, for example if all crypto is performed
in dedicated hardware). Redefining “PPK hint” algorithm to use
sole PRF would allow the responder to have explicit and reliable
information when choosing the mutually supported algorithm:
it is the list of PRFs present in the initiator’s SA payload.
Once more algorithms are supported as PPK indicator the size
of the registry will be grown quickly since every new prf will be combined
with every new cipher (yes, it can be limited by combining only
selected prfs with only selected ciphers, but that would reduce
interoperability).
I would personally be surprised if there are any more algorithms added to the
registry. The current algorithm works quite well, if we believe that AES is
even slightly secure. The only reason I could see if someone asked for
something new is if they had issues actually implementing AES.
>From my point of view there are two main reasons for defining additional
>algorithms,
both quite real. First, some countries have a legacy restrictions on using
non-government approved
crypto algorithms in some situations. For example, here in Russia you must use
only GOST if you
make products for government structures. Second, some constrained devices may
implement
very limited set of crypto primitives, and it doesn’t necessary includes AES
and SHA2.
As an implementer I don’t want to waste resources (both device’s and human) to
add AES and SHA2
to them if it is possible to reuse existing crypto.
This would make the idea of precomputing ppk indicators on responder
less efficient (you may easily precompute the whole ppk database using few
popular PRFs, but if these PRFs are combined with ciphers -
the resulting number of their combinations could become too big).
With my idea, if you support only one PPK indicator algorithm, you need to
precompute each PPK once (if the server fixes the PPK indicator input). With
your idea, you’d need to redo it for every PRF you support. How is this an
advantage for your idea?
It is a local matter of responder how it manages its PPKs. I can see at least
three possible
approaches. The first one – the responder may choose not to precompile PPK
hints at all.
It is the worst case in terms of consuming its CPU power, but it would allow
the server to use random data for each initiator, thus completely protecting
their privacy.
Second approach – as you suggest, when the responder fixes the PPK indicator
input for some perion of time and then precompiles PPK hints for all the
supported PRFs.
You are right - the more PRFs it supports the more resources it consumes while
precompiling.
Both approaches are trivial.
I’d envision third approach, which is a combination of the two. The responder
needs not
to precompile hints beforehand. When it receives a PPK hint from the initiator
it starts searching for the PPK by applying “PPK hint” algorithm to every PPK,
as in the first
approach, until the correct PPK is found. However, the responder saves every
usuccessful result
in a PPK hint cache, so that when the next client appears, the cache is
consulted first and
only if the PPK is not found via the cache, the responder continues to search
remaining
PPKs with PPK algorithm. This approach allows the responder not to waste
resources
precompiling the hints for every PPK it has and every PRF it supports if some
PPKs
and PRFs are not used during the lifetime of the PPK indicator input.
I think this approach would mitigate the need to spend more resources in case
of several PRFs are supported.
I see the only disadvantage of this proposal. As you wrote you specifically
used combination of encryption and PRF since AES is supported in hardware
on some CPUs and thus gives some performance advantages over PRF-only
scheme. I don't think it is a compelling argument.
Actually, I would argue that it is. One complaint I’ve heard is that this
would require the server to scan through its list of PPK’s for every session it
gets. The current draft allows a server to reissue PPK indicator inputs to
reduce this impact; however we would prefer servers to reissue PPK indicator
inputs are rarely as possible. Making the evaluation of the PPK algorithm
cheaper encourages implementations to do this.
That’s true. The question is whether what is “cheaper” today will still be
“cheaper” tomorrow
(and please multiple this by the number of HW platforms that exists in the
world).
It reflects only the current
situation in the industry and may change over time.
It may, but likely won’t. Intel has announced hardware support for
accelerating SHA-1 and SHA-256; however I believe that even with that support,
one AES-NI evaluation of AES-256 will be faster than two evaluations of the
block compression of either SHA-1 or SHA-256 (assuming the PRF is either
HMAC-SHA1 or HMAC-SHA256)
Sorry, I can’t buy this. Intel is not the only CPU manufacturer out there. And
don’t forget about dedicated crypto hardware.
I’d like to see a generic solution not based on momentary trends in the
industry.
I don't think the protocol
should be based on such shaky grounds. Am I missing something?
>From where I stand, it would appear that the main advantage of your proposal
>is “we won’t have to ask IANA for another registry”. Am I missing something?
Mostly, however that’s a bit oversimplified. Reusing existing registry is not
the most important advantage per ce,
it would just allow to get other advantages, like better interoperability when
more PPK algorithms are defined,
reusing of existing code for parsing PRF transform in SA payload, easying the
procedure of adding new
PPK algorithms (once new PRF is added by IANA it automatically can be used in
PPK hint algorithm) and so on.
By the way, it even decreases the size of PPK_REQUEST notification by 2 bytes!
:-)
Regards,
Valery.
Few editorial issues:
1. Abstract
No point at the end of the abstract.
2. Section 1
[The general idea is that we add an additional secret that is shared
between the initiator and the responder; this secret is in addition
to the authentication method that is already provided within IKEv2.]
s/in addition/an addition ?
3. IANA Considerations section is missing.
Regards,
Valery Smyslov.
Last year, NSA made an announcement about how to deal with the potentiality
of someone developing a Quantum Computer;
(https://www.nsa.gov/ia/programs/suiteb_cryptography/). Among their
recommendations was the advice that:
“CSfC deployments involving an IKE/IPsec layer may use RFC 2409-conformant
implementations of the IKE standard (IKEv1) together with large, high-entropy,
pre-shared keys and the AES-256 encryption algorithm. RFC 2409 is the only
version of the IKE standard that leverages symmetric pre-shared keys in a
manner that may achieve quantum resistant confidentiality.
The reason they gave this advise was the IKEv1, unlike IKEv2, stirred in the
preshared key into the KDF function (along with the (EC)DH shared secret);
hence if the preshared key was strong, then Shor’s algorithm (which can recover
the (EC)DH shared secret) is not enough to recover the negotiated keys.
Now, we don’t want people to migrate back to an obsolete version of the
protocol; hence we’ve devised a way to strengthen IKEv2 the same way.
It was considered important to minimize the changes made to IKEv2. >From a
cryptographical prespective, the only change we make is that we modify the
nonces that we present to the KDF. By keeping the cryptographical changes
minimal, we reduce the risk of accidentally introducing a weakness.
Like IKEv1, this solution assumes that the initiator and the responder share
a secret string (called a PPK in the draft). However, unlike IKEv1, that is
not the only authentication that’s in the system. We leave the existing
authentication methods in place, and add this in addition.
One thing that was a source of complexity was that we did not want to assume
that every system had the same PPK; that instead that systems would want a
pairwise PPK. However, if a responder configured its PPK on a per-peer basis,
and didn’t learn the peer until after an IKEv2 tunnel has been established,
that would mean that the responder would need to know the PPK before it
officially learned the peer. To solve this, we added the
PPK_REQUEST/PPK_ENCODE notifications to give the responder a hint about which
PPK to use (without leaking the identity to third parties).
Would anyone be willing to review this draft? I believe that we have a need
for such a solution.
------------------------------------------------------------------------------
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
