On Fri, 19 Feb 2016, Scott Fluhrer (sfluhrer) wrote:
Last year, NSA made an announcement about how to deal with the potentiality of someone developing a Quantum Computer (https://www.nsa.gov/ia/programs/suiteb_cryptography/). Among their recommendations was the advice that:

“CSfC deployments involving an IKE/IPsec layer may use RFC 2409-conformant implementations of the IKE standard (IKEv1) together with large, high-entropy, pre-shared keys and the AES-256 encryption algorithm. RFC 2409 is the only version of the IKE standard that leverages symmetric pre-shared keys in a manner that may achieve quantum resistant confidentiality.”

The reason they gave this advice was that IKEv1, unlike IKEv2, stirred the preshared key into the KDF function (along with the (EC)DH shared secret); hence if the preshared key was strong, then Shor’s algorithm (which can recover the (EC)DH shared secret) is not enough to recover the negotiated keys.

Now, we don’t want people to migrate back to an obsolete version of the protocol; hence we’ve devised a way to strengthen IKEv2 the same way.

Would anyone be willing to review this draft? I believe that we have a need for such a solution.
Yes, I am happy to review. I also think this might make a good topic to
discuss face to face at the next meeting.
Paul
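The point Scott makes about where the preshared key enters key derivation, as an added illustration that is not part of this thread or of the draft under discussion: IKEv1 (RFC 2409, PSK authentication) keys its first prf with the PSK, whereas IKEv2 (RFC 7296) derives SKEYSEED from the nonces and the DH secret alone, so an adversary who recovers the DH secret with Shor's algorithm reconstructs IKEv2's SK_d without ever knowing the PSK. HMAC-SHA256 as the prf and every byte value below are assumptions made for the example.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # IKE negotiates the PRF; HMAC-SHA256 is an assumption for this illustration.
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    # prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n).
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + s + bytes([n]))
        out += t
        n += 1
    return out[:length]


def ikev1_skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r) -> bytes:
    # RFC 2409 section 5.4, pre-shared key authentication:
    #   SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    #   SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    # The PSK keys the first prf, so it is stirred into every derived key.
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")


def ikev2_sk_d(ni, nr, g_ir, spi_i, spi_r, length: int = 32) -> bytes:
    # RFC 7296 section 2.14:
    #   SKEYSEED = prf(Ni | Nr, g^ir)
    #   SK_d | SK_ai | ... = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    # The PSK is used only in the AUTH payload; it never enters this derivation.
    skeyseed = prf(ni + nr, g_ir)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, length)


# Constructed sample values, not real exchange data. G_SECRET stands in for the
# (EC)DH shared secret, the one value Shor's algorithm would hand an adversary.
NI, NR = b"\x11" * 16, b"\x22" * 16
G_SECRET = b"\x33" * 32
CKY_I, CKY_R = b"\x44" * 8, b"\x55" * 8   # IKEv1 cookies; reused below as IKEv2 SPIs
PSK_REAL = b"high-entropy-psk-" + b"\x66" * 16
PSK_GUESS = b"wrong-guess"


def adversary_recovers_sk_d(version: int) -> bool:
    """Adversary knows nonces, cookies/SPIs and the DH secret, but not the PSK."""
    if version == 1:
        real = ikev1_skeyid_d(PSK_REAL, NI, NR, G_SECRET, CKY_I, CKY_R)
        guess = ikev1_skeyid_d(PSK_GUESS, NI, NR, G_SECRET, CKY_I, CKY_R)
        return guess == real   # False: without the PSK the derivation is blocked
    real = ikev2_sk_d(NI, NR, G_SECRET, CKY_I, CKY_R)
    guess = ikev2_sk_d(NI, NR, G_SECRET, CKY_I, CKY_R)   # no PSK input exists
    return guess == real       # True: SK_d follows from public values plus g^ir
```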
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec