> I'm very concerned that we don't wind up with insecure Group PSKs as
> we had with IKEv1.
This description does not reduce IKEv2 security - the PPK is used next to IKEv2 security. Furthermore, the description can also support pairwise keys. I had a look at the description, and a later addition of a scheme such as HIMMO is straightforward, and such a scheme can generate all those pairwise keys very easily. Instead of exchanging a PPK identity, you exchange the HIMMO identity that is used to generate the pairwise PPKs. Since the generated keys depend on the exchanged identities, the scheme could also provide authentication. The communication overhead is very small (a few tens of bytes).

-----Original Message-----
From: IPsec [mailto:[email protected]] On Behalf Of Tero Kivinen
Sent: Monday, October 31, 2016 11:21 AM
To: Michael Richardson
Cc: IPsecme WG ([email protected]); Scott Fluhrer (sfluhrer)
Subject: Re: [IPsec] FW: Quantum Resistance Requirements

Michael Richardson writes:
> > - Authentication; if someone with a Quantum Computer can break the DH
> >   in real time, do we care if he can act as a man-in-the-middle?
> >     Scott Fluhrer: not important
> >     Michael Richardson: important, provided that we don't run into the
> >       same issues that IKEv1 PSKs ran into
> >     Tommy Pauly: not important
> >     Valery Smyslov: this would be nice to have
> >     Oscar Garcia-Morchon: this would be nice to have
>
> I'm very concerned that we don't wind up with insecure Group PSKs as
> we had with IKEv1.

As this document is written (or how I think it is written, as I have not yet had time to read the latest version), the PPK used to provide quantum resistance is not used in the authentication; there is still a normal IKEv2 authentication step using a normal IKEv2 shared secret or certificates. So even if people were using a group PPK, that would not allow issues similar to what happened with IKEv1.
Of course everybody sharing the same PPK will be able to attack other users of the same group by just breaking the Diffie-Hellman :-) On the other hand, even if you know the PPK, you cannot do anything without breaking the Diffie-Hellman, as it does not allow you to do man-in-the-middle without breaking the normal authentication.

So, yes, there are some dangerous things that can happen, but I do not think it will be reducing IKEv2 security even if such insecure practices are used (except that it will reduce the quantum resistance provided by the PPK, if everybody knows the PPK).
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
