> -----Original Message-----
> From: Tero Kivinen [mailto:[email protected]]
> Sent: Tuesday, February 23, 2016 11:53 AM
> To: Scott Fluhrer (sfluhrer)
> Cc: IPsecme WG ([email protected])
> Subject: [IPsec] draft-fluhrer-qr-ikev2-01
>
> Scott Fluhrer (sfluhrer) writes:
> > It was considered important to minimize the changes made to IKEv2.
> > From a cryptographical perspective, the only change we make is that we
> > modify the nonces that we present to the KDF. By keeping the
> > cryptographical changes minimal, we reduce the risk of accidentally
> > introducing a weakness.
>
> I think you are doing this wrong. There is no need to change the SKEYSEED
> calculation. That only protects the IKE SA encryption, authentication keys.
> It would be much better to change the KEYMAT calculation only, and keep
> the SKEYSEED calculation as it is now.
Why would it be much better? By keeping SK_e, etc. unprotected, you are allowing an attacker with a Quantum Computer to decrypt the IKE protocol traffic. That means that he gets things like the traffic selectors. That is a reduction in the security model that IKEv2 presents; yes, an active attacker can get the identities, but we can't get the rest of the IKEv2 traffic. I would wonder if the WG would agree to that, given that there is an alternative that doesn't do that.

> This also gets rid of the complicated PPK_REQUEST and PPK_ACK from the
> IKE_SA_INIT.

Is that the sole reason it is "much better"? The notification exchange really isn't that hard...

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
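The difference the two messages argue about can be made concrete with the RFC 7296 key derivation itself. The following is an added example, not code from the thread, the draft, or any IKE implementation: it implements SKEYSEED, prf+, the SK_* split and the child-SA KEYMAT step with HMAC-SHA256 as the prf, then compares what a party who has recovered g^ir (the Diffie-Hellman secret, the thing a quantum computer would give the attacker) but does not hold the PPK can reconstruct under the two placements. The exact way the PPK is folded into the nonces, and into KEYMAT in the alternative, is an assumption of this example (a simple prf-based stand-in), not the draft's wording; all key sizes are fixed at 32 bytes and every input value is constructed.

```python
"""IKEv2 key derivation (RFC 7296 sections 2.13, 2.14, 2.17) with HMAC-SHA256 as the
prf, used to compare two places where a post-quantum preshared key (PPK) can be
mixed in. All sample values are constructed; the PPK mixing steps are simplified
stand-ins, not the draft's exact construction."""
import hashlib
import hmac

KEY_LEN = 32  # every SK_* key taken as 32 bytes (AES-256 / HMAC-SHA256 sizes)
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    """prf = PRF_HMAC_SHA2_256 from RFC 7296 / RFC 4868."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), output T1|T2|..."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:length]


def ike_sa_keys(g_ir: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """RFC 7296 2.14: SKEYSEED = prf(Ni|Nr, g^ir);
    SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    skeyseed = prf(ni + nr, g_ir)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(KEY_NAMES))
    return {name: stream[KEY_LEN * k:KEY_LEN * (k + 1)] for k, name in enumerate(KEY_NAMES)}


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int = 64) -> bytes:
    """RFC 7296 2.17 without PFS: KEYMAT = prf+(SK_d, Ni|Nr)."""
    return prf_plus(sk_d, ni + nr, length)


def derive_ppk_in_nonces(ppk, g_ir, ni, nr, spi_i, spi_r):
    """The draft's placement as the thread describes it: the PPK alters the nonces
    given to the KDF, so SKEYSEED and every SK_* depend on it.
    ASSUMPTION: the transform used here is Ni' = prf(PPK, Ni), Nr' = prf(PPK, Nr)."""
    ni2, nr2 = prf(ppk, ni), prf(ppk, nr)
    sk = ike_sa_keys(g_ir, ni2, nr2, spi_i, spi_r)
    return sk, child_keymat(sk["SK_d"], ni2, nr2)


def derive_ppk_in_keymat_only(ppk, g_ir, ni, nr, spi_i, spi_r):
    """The alternative proposed in the thread: SKEYSEED and SK_* unchanged, only the
    KEYMAT step changed. ASSUMPTION: KEYMAT = prf+(prf(PPK, SK_d), Ni|Nr)."""
    sk = ike_sa_keys(g_ir, ni, nr, spi_i, spi_r)
    return sk, prf_plus(prf(ppk, sk["SK_d"]), ni + nr, 64)


def compare(ppk, g_ir, ni, nr, spi_i, spi_r) -> dict:
    """For each placement, report whether a party holding g^ir, the on-the-wire nonces
    and SPIs, but not the PPK, ends up with the real SK_ei and the real child KEYMAT."""
    seen = ike_sa_keys(g_ir, ni, nr, spi_i, spi_r)  # plain RFC 7296 derivation, no PPK
    results = {}
    for label, fn in (("ppk_in_nonces", derive_ppk_in_nonces),
                      ("ppk_in_keymat_only", derive_ppk_in_keymat_only)):
        sk, keymat = fn(ppk, g_ir, ni, nr, spi_i, spi_r)
        results[label] = {
            "ike_SK_ei_recovered": seen["SK_ei"] == sk["SK_ei"],
            "child_KEYMAT_recovered": child_keymat(seen["SK_d"], ni, nr) == keymat,
        }
    return results


# Constructed sample inputs (not from any real exchange).
PPK = hashlib.sha256(b"constructed ppk").digest()
G_IR = hashlib.sha256(b"constructed DH shared secret").digest()
NI = bytes(range(32))
NR = bytes(range(32, 64))
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")

if __name__ == "__main__":
    for label, res in compare(PPK, G_IR, NI, NR, SPI_I, SPI_R).items():
        print(label, res)
```

With the PPK only in KEYMAT, the report shows `ike_SK_ei_recovered: True`: whoever has g^ir derives the same SK_ei the peers use and can read the IKE_AUTH and CREATE_CHILD_SA payloads, which is the point made in the reply above. With the PPK in the nonces, neither the IKE SA keys nor the child keys match without it. In both placements the child KEYMAT stays protected, so the disagreement is only about the IKE SA traffic itself.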
