Michael Richardson writes:
> > - Authentication; if someone with a Quantum Computer can break the DH
> > in real time, do we care if he can act as a man-in-the-middle?
> > Scott Fluhrer: not important
> > Michael Richardson: important, provided that we don't run into the same issues that IKEv1 PSKs ran into
> > Tommy Pauly: not important
> > Valery Smylsov: this would be nice to have
> > Oscar Garcia-Morchon: this would be nice to have
>
> I'm very concerned that we don't wind up with insecure Group PSKs as we had
> with IKEv1.
As this document is written (or how I think it is written, as I have not yet had time to read the latest version), the PPK used to provide quantum resistance is not used in the authentication; there is still the normal IKEv2 authentication step using the normal IKEv2 shared secret or certificates. So even if people were using a group PPK, that would not allow issues similar to what happened with IKEv1.

Of course everybody sharing the same PPK will be able to attack other users of the same group by just breaking the Diffie-Hellman :-)

On the other hand, even if you know the PPK, you cannot do anything without breaking the Diffie-Hellman, as it does not allow you to do man-in-the-middle without breaking the normal authentication.

So, yes, there are some dangerous things that can happen, but I do not think it will reduce IKEv2 security even if such insecure practices are used (except that it will reduce the quantum resistance provided by the PPK, if everybody knows the PPK).

-- 
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
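The key-derivation point made in the message above can be checked concretely. The following is an added example, not code from the message, the draft under discussion, or any IKE implementation: it models the PPK mixing as it was later published in RFC 8784 (SK_d, SK_pi and SK_pr are re-derived with prf+ keyed by the PPK; the IKE SA's own SK_e/SK_a keys are not touched) on top of the RFC 7296 derivation, using HMAC-SHA256 as the PRF. The nonces, SPIs, PPK and the "Diffie-Hellman result" are all constructed byte strings standing in for real exchange values. Whether the draft version the author was reading matches RFC 8784 exactly is an assumption. The demo compares what three parties can derive: the legitimate peers, an outsider who has broken the DH but is not in the PPK group, and a group member who has broken the DH.

```python
import hashlib
import hmac

KEYLEN = 32  # bytes per SK_* key; sized for the HMAC-SHA256 PRF used here


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, instantiated as HMAC-SHA256 for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def ikev2_keys(dh_secret, ni, nr, spi_i, spi_r):
    """Plain RFC 7296 derivation: SKEYSEED = prf(Ni|Nr, g^ir), keys = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    skeyseed = prf(ni + nr, dh_secret)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, len(names) * KEYLEN)
    return {n: keymat[i * KEYLEN:(i + 1) * KEYLEN] for i, n in enumerate(names)}


def mix_ppk(keys, ppk):
    """RFC 8784 mixing: SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi), SK_pr' = prf+(PPK, SK_pr).
    SK_ai/ar/ei/er of the initial IKE SA are left as derived from the DH alone."""
    mixed = dict(keys)
    for name in ("SK_d", "SK_pi", "SK_pr"):
        mixed[name] = prf_plus(ppk, keys[name], len(keys[name]))
    return mixed


def child_keymat(sk_d, ni, nr, length):
    """Child SA KEYMAT without PFS (RFC 7296 section 2.17): prf+(SK_d, Ni|Nr)."""
    return prf_plus(sk_d, ni + nr, length)


def demo_group_ppk():
    """Return which parties end up with the peers' keys; all inputs are constructed stand-ins."""
    h = lambda label: hashlib.sha256(label).digest()
    ni, nr = h(b"Ni")[:16], h(b"Nr")[:16]
    spi_i, spi_r = h(b"SPIi")[:8], h(b"SPIr")[:8]
    dh_secret = h(b"constructed stand-in for g^ir, not a real DH result")
    ppk = h(b"constructed PPK shared by every member of the group")

    # Legitimate peers: both know g^ir (from the exchange) and the group PPK.
    peers = mix_ppk(ikev2_keys(dh_secret, ni, nr, spi_i, spi_r), ppk)
    peers_child = child_keymat(peers["SK_d"], ni, nr, 64)

    # Outsider with a quantum computer: recovered g^ir from the public values, has no PPK.
    outsider = ikev2_keys(dh_secret, ni, nr, spi_i, spi_r)
    outsider_child = child_keymat(outsider["SK_d"], ni, nr, 64)

    # Group member who also breaks the DH: knows g^ir and the PPK, same as the peers.
    insider = mix_ppk(outsider, ppk)
    insider_child = child_keymat(insider["SK_d"], ni, nr, 64)

    # A group member who has NOT broken the DH never learns g^ir and so cannot run
    # ikev2_keys() at all; the PPK alone yields nothing to compare against.
    return {
        "outsider_reads_initial_ike_sa": outsider["SK_ei"] == peers["SK_ei"],
        "outsider_reads_child_sa": outsider_child == peers_child,
        "insider_with_dh_break_reads_child_sa": insider_child == peers_child,
    }


if __name__ == "__main__":
    for k, v in demo_group_ppk().items():
        print(f"{k}: {v}")
```

The result shows the two halves of the message's argument: the outsider who breaks the DH but lacks the PPK still decrypts the initial IKE SA (the IKE_AUTH exchange itself), because RFC 8784 leaves SK_e/SK_a of the first IKE SA unmixed, but gets a different SK_d and therefore no Child SA traffic; a group member who breaks the DH gets everything, which is exactly why a widely shared group PPK only protects against outsiders. Nothing in the derivation lets a PPK holder forge the peer's AUTH payload, so the PPK does not substitute for the normal authentication.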
