Michael,

The document lists these conditions:

> > 3. The attacker must either have a long-term authentication key for
> > one of the peers or must be able to break authentication
> > algorithm used by one of the peers in real time.
> >
To clarify, this precondition is for the key-compromise impersonation attack. Jun is asking about the identity-misbinding attack, which doesn't require compromising the key of either peer. See:

https://datatracker.ietf.org/doc/html/draft-smyslov-ipsecme-ikev2-downgrade-prevention-01#section-4-7

So sorry for the confusion!

> It's subject to its *own* downgrade attack, where the CRQC-enabled
> attacker removes this new Notify :-) so we have to lock that down by
> policy.
>
> The assumption is that it is easier to do that than to lock the policy down
> to insist on a hybrid or quantum-safe algorithm.
>

I initially thought the same thing, that the extension would have to be negotiated and therefore subject to downgrade attacks. I believe what Valery came up with avoids this, but we should be careful to make sure it does.

The extension semantics are a bit unusual:

1. The initiator always notifies support. (If the peer doesn't support the extension, they'll ignore the notification.)
2. The responder always notifies support, even if the peer didn't. (Again, the peer will ignore the notification if they don't support it.)
3. If you support the extension and your peer notifies support, then you always sign the full IKE_INIT_SA exchange.

So consider what happens if both peers support the extension and the attacker rewrites the initiator IKE_INIT_SA to drop the notification. The responder will notify anyway (2.), which will prompt the initiator to sign the entire IKE_INIT_SA exchange (3.). The responder, however, expects the initiator to sign a different string, since it did not see a notification from the client. This will cause the IKE_AUTH exchange to fail, which is how we detect the attack.

Chris P.
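A toy model of the three rules and of the stripped-notify scenario described in the post, added here as an illustration; it is not code from the post, the draft, or any IKEv2 implementation. The notify name, the shared key, the HMAC in place of a real signature, and the shape of the legacy signed string are all assumptions made for the model.

```python
import hashlib
import hmac

# Constructed toy model of the three rules in the post (not IKEv2 wire format).
# Hypothetical notify name; the real payload is defined by the draft, not here.
NOTIFY = "DOWNGRADE_PREVENTION_SUPPORTED"
KEY = b"constructed-long-term-auth-key"  # stands in for a peer's credential


def build_init(role, proposals, supports_ext):
    """Rules 1 and 2: a peer that supports the extension always sends the notify."""
    msg = {"role": role, "proposals": list(proposals)}
    if supports_ext:
        msg["notify"] = NOTIFY
    return msg


def serialize(msg):
    return f"{msg['role']}|{','.join(msg['proposals'])}|{msg.get('notify', '')}".encode()


def signed_octets(signer_msg, peer_msg, signer_supports_ext, peer_notified):
    """Rule 3: cover the whole IKE_SA_INIT exchange when the signer supports the
    extension and saw the peer's notify. The legacy string is modelled (assumption)
    as the signer's own proposal list only, so a stripped notify is invisible to it;
    that is the gap the extension is meant to close."""
    if signer_supports_ext and peer_notified:
        return serialize(signer_msg) + b"||" + serialize(peer_msg)
    return ",".join(signer_msg["proposals"]).encode()


def run_exchange(init_supports, resp_supports, attacker_strips_notify):
    """True if IKE_AUTH succeeds, False if the responder rejects the initiator's AUTH."""
    init_msg = build_init("I", ["AES-GCM-16", "hybrid-KEM-group"], init_supports)
    init_seen = dict(init_msg)            # what actually reaches the responder
    if attacker_strips_notify:
        init_seen.pop("notify", None)     # on-path attacker removes the notify
    resp_msg = build_init("R", ["AES-GCM-16", "hybrid-KEM-group"], resp_supports)

    # Initiator signs according to what it saw from the responder (rule 2 + 3).
    init_auth = hmac.new(KEY, signed_octets(
        init_msg, resp_msg, init_supports, "notify" in resp_msg), hashlib.sha256).digest()
    # Responder infers the initiator's support only from the notify it actually saw.
    expected = hmac.new(KEY, signed_octets(
        init_seen, resp_msg, "notify" in init_seen, resp_supports), hashlib.sha256).digest()
    return hmac.compare_digest(init_auth, expected)
```

With both peers supporting the extension, stripping the initiator's notify makes the two sides sign different strings and the exchange fails, while mixed deployments still complete in legacy mode.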
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
