> -----Original Message----- > From: IPsec [mailto:[email protected]] On Behalf Of Paul Wouters > Sent: Monday, July 04, 2016 5:44 AM > To: Yoav Nir > Cc: [email protected]; Mark McFadden > Subject: Re: [IPsec] Further thoughts on draft-flutter-qr-ikev2 as an IPsecME > WG document > > On Sun, 3 Jul 2016, Yoav Nir wrote: > > >> 3) The Internet Draft Currently under consideration is not the best > >> starting > point as it assumes that post-quantum pre-shared keys are the preferred > solution for quantum resistance. This is not obviously the case; there are a > number of drawbacks with the suggested system: > > > > I think this misstates the problem that the draft is trying to solve. The > > draft > is not a solution to the problem of authenticating peers in a world where > adversaries have quantum computers. The draft is a solution to the problem > of authenticating peers *using pre-shared keys* in such a world. There may > be different solutions for authenticating peers with other credentials.
Actually, the draft is a bolt-on to existing authentication methods; the authentication method uses is the new 'postquantum preshared keys' plus whatever IKEv2 authentication mechanism that the peers use. For example, you can use certificates to authenticate; the draft assumes there's also a shared secret that the peers have. You might object "how is this different from a having a possibly global authentication key"; the answer here is that this postquantum preshared key isn't making anything worse; if the adversary learns the ppk, they still can't break in (unless they also break the existing IKEv2 authentication mechanism). So: - An adversary can't break confidentiality unless they learn the ppk AND they can break the IKEv2 key exchange (such as with a Quantum Computer). - An adversary can't break authentication unless they learn the ppk AND they can break the existing IKEv2 authentication mechanism. Going to the broader topic, I agree that it would be preferable to have a postquantum solution that would work in all cases, without assuming a distributed secret. However, in general, this would require a postquantum key exchange, and that's the rub; we're not there yet. We have McEliece (which requires huge keys; key shares if we use it to do key exchange), we have NTRU (which some people don't trust), and they we have a large number of more recent schemes discovered in the last 5 years or so (and so haven't had enough time to be cryptographically vetted). Now, eventually we'll come up with a scheme which is both deployable and has a reasonable amount of trust; however that'll be a few years from now. On the other side, we can look at the need; no one really knows when a viable quantum computer (which can break the DH and ECDH groups that we use) will be built; the guesses that I've heard is that it might be in 10-15 years (maybe). That would make it sound like we have time, except that when a quantum computer does become available, then someone will be able to decrypt previously recorded sessions; this might mean that, in 10 years, someone might be able to decrypt encrypted traffic from today. Because of this, it wouldn't appear to be advisable to wait for the full solution; for people who are concerned about Quantum Computers, it would be appropriate to have a short term solution. In my mind, it's OK if the short term solution doesn't address all possible scenarios; it's sufficient if it provides a way to address the immediate need for those people who are concerned. > > That was not clear to me when we were asking for adoption of the > document. In one way, I have less issues with it if the document can clearly > state that is the scope of it. On the other hand, we might want to have a > discussion about the security of PSK in general, and whether the method > deserves to be obsoleted completely because of its continued weak > deployments (eg see Snowden leaks) > > > However, with my vendor hat on, I know that PSKs are used extensively > (and nobody’s asking me whether this is a good idea or not), and I have > heard that some users are beginning to ask questions about quantum > resistance.So I believe that there is a problem to solve here. > > I can see that point. As vendor it is hard to tell people not to do a certain > deployment because it is seen as "easiest". However with our IETF protocol > designer hats on, this should not be a strong argument. If we think that this WG should have a long term goal of designing a protocol that is easy to use securely, and is postquantum secure, I would agree that's a fine idea. However, that's a long term goal; I would claim that we shouldn't ignore the short term requirements as well. _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
