Hi, Tero and all,

One thing I would like to see is: the weak DH is just a "weak" DH or PQ KEM from the viewpoint of the attacker. Namely, it is beneficial to the attacker mounting an online attack.
The main source of a "weak" algorithm may be the quantum threat. However, other sources or reasons could be possible, say, flawed implementations, which have been spotted by the attacker earlier. So the "weak" DH is not necessarily the normal sense according to the recommendation by the IKEv2 specifications.

Guilin

From: Tero Kivinen <[email protected]>
To: Jun Hu (Nokia) <[email protected]>
Cc: Daniel Van Geest <[email protected]>; Valery Smyslov <[email protected]>; 'Christopher Patton' <[email protected]>; ipsec <[email protected]>
Date: 2025-07-22 15:27:30
Subject: [IPsec] Re: Binding properties of draft-ietf-ipsecme-ikev2-mlkem-00

Jun Hu (Nokia) writes:
> ● Sure, downgrade attack also works for hybrid if initial DH is weak, but
> you could use ML-KEM as the initial DH (I understand concern of having
> large IKE_SA_INIT packet, but it could work in network support large mtu)
> ● In hub-and-spoke case, gateway has gateway config which is likely not per
> client, but client do typically has per-gateway config; and also nothing
> could prevent misconfiguration (e.g. misconfiguration could also disable
> strong DH)
>
> Finally, I am not saying this downgrade attack is not valid, just saying it
> could be addressed with proper config in typical IPsec deployments

Also this attack requires an online attack against the weak DH, meaning the quantum computer needs to break that weak DH in less than a minute...

For RSA authentication that would be possible as breaking it would allow access to the private key. In IKEv2 we do not use RSA authentication, so no issue here.

For normal modp DH the quantum computers allow precalculation per group, but even after that I think it will require significant time per each separate exchange.

For elliptic curve DH I think there is no precalculation that can be used, i.e., each exchange needs to be broken separately, again taking significant time. That is at least my understanding of the quantum computer attacks as assumed now, but people who know more can correct me if I am wrong.

Anyways, even when we have quantum computers I think the first attacks are going to be slow, and will be targeting the traffic that has been harvested before and where no online attacks are needed. By the time quantum computers can do online attacks we most likely have already disabled weak DH anyways.
--
[email protected]
_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
