Re: [IPsec] Take a stand for key hygiene
Hi Watson,

the problem is not that the host cannot deduce from received AUTH payload what kind of signature was used – the AUTH payload includes AlgorithmIdentifier, so these signatures are treated differently. The problem is that host cannot guess what kind of signatures the peer supports, that can lead to SA setup failure. This is not a cryptographic problem, this is IKEv2 protocol problem.

And it was probably not very precise text in my presentation – it meant that we have a problem if the same kind of key (say RSA) can be used with different signature schemes (say RSA-PKCS and RSA-PSS), not necessarily the same key.

Regards,
Valery.

From: Watson Ladd
Sent: 18 November 2016 13:01
To: Tero Kivinen
Cc: ipsec@ietf.org WG; Yoav Nir
Subject: Re: [IPsec] Take a stand for key hygiene

On Thu, Nov 17, 2016 at 7:38 PM, Tero Kivinen wrote:
> Watson Ladd writes:
>> I might be confused, but the slides in
>> https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-signature-forms-ambiguity-in-ikev2-00.pdf
>> seem to very clearly want something else. Apologies for my
>> insufficient context inclusion.
>
> Yes, with RSA I think it might be quite common for people to use same
> key for both RSA PKCS#1 v1.5 and RSA-PSS, and there is not really
> anything we can do for that.
>
> On the other hand the interoperability issue we have now does not
> really care whether you have one or two RSA private keys, as long as
> initiator can use either RSA-PSS or RSA PKCS#1 v1.5, and do not know
> which one responder will accept.

What about the approach of treating these as different authentication methods? Or am I misunderstanding the scope of the problem? I'm not that familiar with IKE2.

>
> I think we might want to add text in the rfc4307bis saying that same
> key should not be used with both RSA-PSS and PKCS#1 v1.5.
>
> The rfc4307bis will be in IETF Last Call soon, so if you can read that
> and see what it says about the signature algorithms and see if there
> is something we need to add there, that would be great.

I will look over it.

> --
> kivi...@iki.fi

--
"Man is born free, but everywhere he is in chains".
--Rousseau.

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
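Added example, not part of the original messages: a Python sketch of the receiver-side step described in the message above, reading the AlgorithmIdentifier carried with an IKEv2 digital signature to tell RSA PKCS#1 v1.5 from RSA-PSS. It assumes the RFC 7427 authentication data layout (one length octet, DER AlgorithmIdentifier, signature value); the function names and sample bytes are constructed for illustration.

```python
# Added illustration; helper names and sample bytes are constructed, not from the thread.
RSA_OIDS = {  # OIDs from PKCS #1; both schemes work with the same kind of RSA key
    "1.2.840.113549.1.1.11": "RSA PKCS#1 v1.5 with SHA-256",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element, with bounds checks."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x81 and pos < len(buf):  # long form with one length octet
        length, pos = buf[pos], pos + 1
    elif length & 0x80:
        raise ValueError("unsupported DER length form")
    if pos + length > len(buf):
        raise ValueError("DER value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(der):
    """Decode DER OID content octets into dotted-decimal text."""
    subids, value = [], 0
    for byte in der:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids or der[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def classify_auth_data(auth_data):
    """Split RFC 7427 auth data into (oid, scheme name, signature bytes)."""
    if not auth_data or len(auth_data) < 1 + auth_data[0]:
        raise ValueError("AlgorithmIdentifier truncated")
    alg_id = auth_data[1:1 + auth_data[0]]
    tag, seq, end = read_tlv(alg_id)
    if tag != 0x30 or end != len(alg_id):
        raise ValueError("AlgorithmIdentifier is not one DER SEQUENCE")
    tag, oid, _ = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return dotted, RSA_OIDS.get(dotted, "unknown"), auth_data[1 + len(alg_id):]

# Constructed samples: standard AlgorithmIdentifier encodings, no real signature.
PKCS1_SHA256 = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
PSS_DEFAULT = bytes.fromhex("300d06092a864886f70d01010a3000")   # RSASSA-PSS, default params
```

The parser only tells a receiver which scheme a signature already used; the sender still has no way to learn in advance which schemes the peer accepts, which is the interoperability gap the thread discusses.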
Re: [IPsec] Take a stand for key hygiene
Hi Yoav,

or the servers must be provided with two certificates – one for TLS 1.2 and the other for TLS 1.3, that won’t make server owners happy. I think it is a good idea to raise this issue in TLS WG.

Regards,
Valery.

From: Yoav Nir
Sent: 19 November 2016 7:21
To: Tero Kivinen
Cc: ipsec@ietf.org WG; Watson Ladd
Subject: Re: [IPsec] Take a stand for key hygiene

> On 18 Nov 2016, at 5:38, Tero Kivinen wrote:
>
> Watson Ladd writes:
>> I might be confused, but the slides in
>> https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-signature-forms-ambiguity-in-ikev2-00.pdf
>> seem to very clearly want something else. Apologies for my
>> insufficient context inclusion.
>
> Yes, with RSA I think it might be quite common for people to use same
> key for both RSA PKCS#1 v1.5 and RSA-PSS, and there is not really
> anything we can do for that.

If that is a problem, then it is more serious for TLS. TLS 1.2 has only PKCS#1. TLS 1.3 has only PSS. So a server that uses a single certificate with RSA for both versions (probably most servers in 1-2 years) will be producing both kinds of signatures from the same key.

If that’s a problem, it should be raised during WGLC of TLS 1.3 (which is now)

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Take a stand for key hygiene
> On 18 Nov 2016, at 5:38, Tero Kivinen wrote:
>
> Watson Ladd writes:
>> I might be confused, but the slides in
>> https://www.ietf.org/proceedings/97/slides/slides-97-ipsecme-signature-forms-ambiguity-in-ikev2-00.pdf
>> seem to very clearly want something else. Apologies for my
>> insufficient context inclusion.
>
> Yes, with RSA I think it might be quite common for people to use same
> key for both RSA PKCS#1 v1.5 and RSA-PSS, and there is not really
> anything we can do for that.

If that is a problem, then it is more serious for TLS. TLS 1.2 has only PKCS#1. TLS 1.3 has only PSS. So a server that uses a single certificate with RSA for both versions (probably most servers in 1-2 years) will be producing both kinds of signatures from the same key.

If that’s a problem, it should be raised during WGLC of TLS 1.3 (which is now)

Yoav

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec