Hi,

IKEv2 has a symmetric PSK authentication method. However, it is different from IKEv1.
The difference is that in IKEv1 the session key computation involves both the preshared key
and the DH shared secret

SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

while in IKEv2 it involves only the DH shared secret, so the preshared key is used for
authentication only and is not used for the session key calculations

SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)

This change was intentional; it was made by Hugo Krawczyk during work on IKEv2
due to complaints from the community that if the IKEv1 PSK auth mode were used in IKEv2,
then it would be impossible for the responder to select the proper preshared secret
based on the initiator's identity (like in IKEv1 Main Mode). As far as I remember, when making this
change Hugo mentioned that it would weaken the security of the protocol.

Does NSA mean this difference when claiming that IKEv1 PSK mode is the only
QC-safe protocol? Should we add similar mode to IKEv2?

Regards,
Valery Smyslov.
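To make the contrast above concrete, here is an added worked example (not part of the original message) that runs both key schedules side by side. It assumes HMAC-SHA256 as the negotiated prf and uses constructed nonces, DH secret, cookies and SPIs; it also shows the one place the PSK does enter IKEv2, the AUTH payload key from RFC 7296 section 2.15.

```python
import hmac
import hashlib

def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKE prf; HMAC-SHA256 is assumed here for illustration."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ per RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out, n = out + t, n + 1
    return out[:length]

def ikev1_psk_keys(psk, ni_b, nr_b, gxy, cky_i, cky_r):
    """IKEv1 (RFC 2409) PSK mode: the PSK seeds SKEYID, so SKEYID_d/a/e all depend on it."""
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def ikev2_psk_exchange(psk, ni, nr, gir, spi_i, spi_r, key_len=32):
    """IKEv2 (RFC 7296): SKEYSEED uses nonces and g^ir only; the PSK appears solely in
    the AUTH payload key (section 2.15), so the session keys are independent of it."""
    skeyseed = prf(ni + nr, gir)
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * key_len)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    session = {n: material[i * key_len:(i + 1) * key_len] for i, n in enumerate(names)}
    auth_key = prf(psk, b"Key Pad for IKEv2")
    return session, auth_key

# Constructed sample values, not captured traffic.
NI, NR = b"\x11" * 32, b"\x22" * 32
G_SHARED = b"\x33" * 32                  # DH shared secret a quantum attacker could recover
CKY_I, CKY_R = b"\x44" * 8, b"\x55" * 8  # IKEv1 cookies, reused as IKEv2 SPIs below
PSK_A, PSK_B = b"correct psk", b"wrong psk"

def psk_protects_session_keys(version: str) -> bool:
    """Do different PSKs with identical nonces and DH secret give different session keys?"""
    if version == "IKEv1":
        a = ikev1_psk_keys(PSK_A, NI, NR, G_SHARED, CKY_I, CKY_R)
        b = ikev1_psk_keys(PSK_B, NI, NR, G_SHARED, CKY_I, CKY_R)
    else:
        a, _ = ikev2_psk_exchange(PSK_A, NI, NR, G_SHARED, CKY_I, CKY_R)
        b, _ = ikev2_psk_exchange(PSK_B, NI, NR, G_SHARED, CKY_I, CKY_R)
    return a != b
```

With the DH secret treated as known, only the IKEv1 schedule still yields keys that differ between PSKs; in IKEv2 the PSK changes the AUTH key but not a single SK_* value.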



They don't mention IKEv2.  I don't know IKEv2 well enough to know whether there are
any symmetric PSK authentication schemes, but if not, perhaps there should be.
The point they're making is that the ECC-based authentication methods become insecure
when quantum computers of sufficient power become available, and in light of recent progress
in the field the indications are that they will become available in a reasonably short timeframe.
(And they should know that timeframe better than just about anybody else.)
I view this as an indication that they believe there may be viable QCs of that capability
in the five to ten year timeframe.

Mike

-----Original Message-----
From: IPsec [mailto:[email protected]] On Behalf Of Michael Richardson
Sent: Wednesday, August 19, 2015 13:17
To: Dan Harkins <[email protected]>
Cc: IPsecME WG <[email protected]>
Subject: Re: [IPsec] PSK mode


Dan Harkins <[email protected]> wrote:
   > https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

   > "CSfC deployments involving an IKE/IPsec layer may use RFC
   > 2409-conformant implementations of the IKE standard (IKEv1)
   > together with large, high-entropy, pre-shared keys and the
   > AES-256 encryption algorithm.  RFC 2409 is the only version
   > of the IKE standard that leverages symmetric pre-shared keys
   > in a manner that may achieve quantum resistant confidentiality."

So, all of IKEv2 is out, according to them?
Or they just didn't consider it yet?

--
Michael Richardson <[email protected]>, Sandelman Software Works  -= IPv6 IoT consulting =-



_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
