Valery Smyslov writes:
> It is not clear to me (and I raised this concern in Prague) why you
> use QSKE as an additional Key Exchange mechanism instead of
> replacing DH KE with it? We’ve been told by cryptographers
> that conventional public key cryptography won’t provide security in
> presence of QC, so why bother with it?
For me the main reason is that we have been told that the current protocol
used in IKE is safe, and if we do not break it (i.e., remove it), but
instead just add some more random data to SKEYSEED, I think it should
be quite easy to prove that this new construct is also safe. I.e., us
adding PPK/QSKE etc. stuff to our calculations will not weaken the
security of IKEv2.
> The only reason that comes to my mind is that you don’t fully trust
> QSKE. Are there any other reasons?
I think that is one of the main reasons. Especially as we do not know
which QSKE we are talking about.
IPsec mailing list
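The "add the extra secret to SKEYSEED" argument above, as an added illustration that is not code from this thread or from any IKE implementation: it uses the RFC 7296 prf and prf+ definitions, and assumes (for illustration only) that the hybrid SKEYSEED simply appends the QSKE shared secret to g^ir. The attacker model mirrors the point made in the reply: an adversary who learns one of the two secrets, but not the other, still cannot derive SK_d.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the IKEv2 PRFs (RFC 7296, Section 2.13)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296, Section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def skeyseed_classic(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    """RFC 7296: SKEYSEED = prf(Ni | Nr, g^ir)."""
    return prf(ni + nr, g_ir)


def skeyseed_hybrid(ni: bytes, nr: bytes, g_ir: bytes, qske_secret: bytes) -> bytes:
    """Assumed hybrid construction (not a standardised one): the QSKE shared secret
    is concatenated with g^ir, so both secrets feed SKEYSEED and everything below it."""
    return prf(ni + nr, g_ir + qske_secret)


def sk_d(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> bytes:
    """SK_d is the first prf+ output block: prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) (RFC 7296)."""
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)


def demo() -> dict:
    """Constructed sample nonces, SPIs, DH secret and QSKE secret; returns whether an
    adversary holding only g^ir, only the QSKE secret, or both, recovers SK_d."""
    ni, nr = os.urandom(32), os.urandom(32)
    spi_i, spi_r = os.urandom(8), os.urandom(8)
    g_ir, qske = os.urandom(256), os.urandom(32)
    real = sk_d(skeyseed_hybrid(ni, nr, g_ir, qske), ni, nr, spi_i, spi_r)

    def adversary(g_ir_guess: bytes, qske_guess: bytes) -> bool:
        return sk_d(skeyseed_hybrid(ni, nr, g_ir_guess, qske_guess), ni, nr, spi_i, spi_r) == real

    return {"dh_broken": adversary(g_ir, os.urandom(32)),      # QC attacker: knows g^ir only
            "qske_broken": adversary(os.urandom(256), qske),   # QSKE weak: knows QSKE secret only
            "both_known": adversary(g_ir, qske)}
```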