Jun Hu \(Nokia\) writes:
>   ● Sure, a downgrade attack also works for hybrid if the initial DH is
>     weak, but you could use ML-KEM as the initial DH (I understand the
>     concern of having a large IKE_SA_INIT packet, but it could work in
>     networks that support a large MTU)
>   ● In the hub-and-spoke case, the gateway has a gateway config which is
>     likely not per client, but the client typically does have a per-gateway
>     config; and also nothing could prevent misconfiguration (e.g.
>     misconfiguration could also disable strong DH)
> 
> Finally, I am not saying this downgrade attack is not valid, just saying it
> could be addressed with proper config in typical IPsec deployments.

Also this attack requires an online attack against the weak DH, meaning the
quantum computer needs to break that weak DH in less than a minute...

For RSA authentication that would be possible, as breaking it would
allow access to the private key. In IKEv2 we do not use RSA authentication,
so no issue here.

For normal MODP DH, quantum computers allow precalculation per
group, but even after that I think it will require significant time
for each separate exchange.

For elliptic curve DH I think there is no precalculation that can be
used, i.e., each exchange needs to be broken separately, again taking
significant time.

That is at least my understanding on the quantum computer attacks as
assumed now, but people who know more can correct me if I am wrong.

Anyway, even when we have quantum computers, I think the first attacks
are going to be slow, and will be targeting the traffic that has been
harvested before and where no online attacks are needed. By the time
quantum computers can do online attacks we will most likely have already
disabled weak DH anyway.
-- 
[email protected]

_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
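The downgrade concern discussed in the thread above (a weak group offered for the initial key exchange undermines a hybrid setup, and proper configuration is the defence) as an added example in Python. This is not code from the IPsec list or from any IKE implementation; the transform id table, the strength values and the 112-bit policy threshold are assumptions noted in the comments, and ML-KEM codepoints are left out because the thread does not give them.

```python
"""Audit an IKEv2 key-exchange proposal for the downgrade exposure the
thread discusses: if the *initial* key exchange can fall back to a weak
DH group, additional (hybrid) key exchanges do not protect against an
attacker able to break that group online.
Added example, not code from the IPsec list or from any IKE implementation.
"""
from __future__ import annotations

# IANA IKEv2 "Key Exchange Method" transform identifiers (constructed
# subset; ML-KEM codepoints omitted because they are not on the page)
# with an approximate classical security strength in bits, following the
# usual NIST SP 800-57 equivalences.
KE_METHODS: dict[int, tuple[str, int]] = {
    1: ("768-bit MODP", 64),
    2: ("1024-bit MODP", 80),
    5: ("1536-bit MODP", 96),
    14: ("2048-bit MODP", 112),
    15: ("3072-bit MODP", 128),
    16: ("4096-bit MODP", 152),
    17: ("6144-bit MODP", 176),
    18: ("8192-bit MODP", 200),
    19: ("256-bit random ECP", 128),
    20: ("384-bit random ECP", 192),
    21: ("521-bit random ECP", 256),
    31: ("Curve25519", 128),
    32: ("Curve448", 224),
}

# Policy threshold (assumed): anything below 112 bits (2048-bit MODP) is weak.
MIN_STRENGTH_BITS = 112


def describe(method_id: int) -> tuple[int, str, int]:
    """Map a transform id to (id, name, bits); unknown ids get strength 0
    so a typo or unregistered value is flagged instead of silently passing."""
    name, bits = KE_METHODS.get(method_id, ("unknown", 0))
    return method_id, name, bits


def weakest(methods: list[int]) -> tuple[int, str, int]:
    """The weakest method in a list: the one a downgrading responder could
    pick, since the initiator will accept any method it offered."""
    if not methods:
        raise ValueError("empty key-exchange list")
    return min((describe(m) for m in methods), key=lambda t: t[2])


def audit(initial_ke: list[int],
          additional_ke: list[list[int]] | None = None,
          min_bits: int = MIN_STRENGTH_BITS) -> dict:
    """Audit one proposal: 'initial_ke' is the method list for the first
    key exchange, 'additional_ke' the lists for ADDKE1..7 (RFC 9370).

    Returns the weakest initial method, whether the initial exchange is
    exposed to downgrade, and every weak method offered at any stage."""
    stages = [initial_ke] + list(additional_ke or [])
    init_weakest = weakest(initial_ke)
    weak = sorted({m for stage in stages for m in stage
                   if describe(m)[2] < min_bits})
    return {
        "initial_weakest": init_weakest,
        "initial_exposed": init_weakest[2] < min_bits,
        "weak_methods": weak,
        # Additional exchanges only help if the initial exchange holds.
        "effective_bits": init_weakest[2],
    }


if __name__ == "__main__":
    # Constructed proposals: a hybrid setup that still lists 1024-bit MODP
    # for the initial exchange, and the same setup with that group removed.
    for desc, init, add in [
        ("hybrid, weak initial group offered", [14, 2, 19], [[19]]),
        ("hybrid, weak group removed", [14, 19, 31], [[19]]),
    ]:
        result = audit(init, add)
        print(f"{desc}: weakest initial = {result['initial_weakest'][1]}, "
              f"exposed = {result['initial_exposed']}, "
              f"weak methods = {result['weak_methods']}")
```

The audit deliberately keys the exposure on the initial exchange alone: the additional exchanges can raise the security of the final keys only if nobody can break the first one fast enough to remove them, which is exactly the online-attack timing question the message discusses.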