> > I understand that the nonces exchanged in IKE_AUX are included through a
> > complex function.
> >
> > My concern is about which nonces are included in the signature. From my
> > recollection of SIGMA each party must sign (among other things, e.g.
> > his MACed ID) his peer's nonce. I.e., the initiator must sign the responder's
> > nonce and the responder must sign the initiator's nonce.
> >
> > With nonces exchanged in IKE_AUX this is not true: each party signs
> > his own nonces sent in IKE_AUX, not the peer's ones. So, the initiator
> > still signs the responder's nonce received in IKE_SA_INIT but signs only
> > his own nonces that he sent in IKE_AUX exchanges (implicitly, by
> > including AUX_I, which is a PRF over the initiator's IKE_AUX messages). The same
> > for the responder.
>
> Hmmmm, reviewing your draft, I see your point. I had assumed that both
> sides signed a hash of the entire AUX transcript; I now see that both sides sign
> only what they sent.

Yes, that was inspired by the current IKE authentication scheme, where the initiator includes only his IKE_SA_INIT message in the signature and separately includes the responder's nonce (and of course the initiator's MACed ID). Ditto for the responder. Following this logic I added only each party's relevant IKE_AUX messages (thinking of IKE_AUX as an extended IKE_SA_INIT) into their signatures. Note that at that time no additional nonces were exchanged in IKE_AUX.

> Sigma has both sides sign the other side's nonces to avoid potential replay
> attacks (where the adversary replays a previously recorded signature).
>
> This may be a concern in our case; the first obvious thing to do would be to
> modify the AUX draft to have both sides sign everything.
>
> So, we would have (in terms of your draft):
>
> AUX_I = [AUX_PRF_I_1 | AUX_PRF_R_1 [ | AUX_PRF_I_2 | AUX_PRF_R_2 [ ... ] ] ]
>
> (and AUX_R could be exactly the same)
>
> Does this sound reasonable?

I believe yes. And I have no problem with this from an implementer's point of view.

Regards,
Valery.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
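Editor's added example (not code from the IKE_AUX draft or from either correspondent in this thread): a toy model of the two AUX_I constructions discussed above, used to check which of them makes the initiator's signed octets depend on the responder's IKE_AUX messages (and hence on the responder's IKE_AUX nonces). HMAC-SHA256 stands in for the negotiated IKEv2 PRF; the key SK_P_TOY, the message and nonce byte strings, and the function names aux_own_only, aux_everything, initiator_signed_octets and signature_binds_responder_aux are all constructed assumptions for illustration, not identifiers from the draft.

```python
import hashlib
import hmac

# Constructed toy inputs (not values from the draft or the thread).
SK_P_TOY = b"toy-SK_p-key"                       # stand-in for the PRF key
IKE_SA_INIT_I = b"IKE_SA_INIT(I): SA, KE, Ni=aaaa"
NONCE_R = b"Nr=bbbb"                             # responder's IKE_SA_INIT nonce
MACED_ID_I = b"MAC(ID_I)"
AUX_MSGS_I = [b"IKE_AUX(I,1): Ni1=1111", b"IKE_AUX(I,2): Ni2=2222"]
AUX_MSGS_R_A = [b"IKE_AUX(R,1): Nr1=3333", b"IKE_AUX(R,2): Nr2=4444"]
# Same responder IKE_AUX transcript, but with different responder nonces.
AUX_MSGS_R_B = [b"IKE_AUX(R,1): Nr1=5555", b"IKE_AUX(R,2): Nr2=6666"]


def prf(key: bytes, data: bytes) -> bytes:
    """Toy PRF: HMAC-SHA256 (assumption; IKEv2 uses the negotiated PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def aux_own_only(key: bytes, own_aux_msgs: list) -> bytes:
    """AUX_I as in the draft under discussion: PRF over the initiator's own
    IKE_AUX messages only, i.e. AUX_PRF_I_1 | AUX_PRF_I_2 | ..."""
    return b"".join(prf(key, m) for m in own_aux_msgs)


def aux_everything(key: bytes, aux_msgs_i: list, aux_msgs_r: list) -> bytes:
    """The alternative proposed in the thread:
    AUX_I = AUX_PRF_I_1 | AUX_PRF_R_1 [ | AUX_PRF_I_2 | AUX_PRF_R_2 [ ... ] ]"""
    if len(aux_msgs_i) != len(aux_msgs_r):
        raise ValueError("each IKE_AUX exchange pairs one initiator and one responder message")
    out = b""
    for msg_i, msg_r in zip(aux_msgs_i, aux_msgs_r):
        out += prf(key, msg_i) + prf(key, msg_r)
    return out


def initiator_signed_octets(scheme: str, aux_msgs_r: list) -> bytes:
    """Toy model of the octets the initiator signs: its own IKE_SA_INIT message,
    the responder's IKE_SA_INIT nonce, its MACed ID, and AUX_I computed under
    `scheme` ("own-only" or "everything")."""
    if scheme == "own-only":
        aux_i = aux_own_only(SK_P_TOY, AUX_MSGS_I)
    elif scheme == "everything":
        aux_i = aux_everything(SK_P_TOY, AUX_MSGS_I, aux_msgs_r)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return IKE_SA_INIT_I + NONCE_R + MACED_ID_I + aux_i


def signature_binds_responder_aux(scheme: str) -> bool:
    """True if the initiator's signed octets change when the responder's IKE_AUX
    messages (and so its IKE_AUX nonces) change; False means the initiator's
    signature does not cover them at all, which is the gap raised in the thread."""
    return (initiator_signed_octets(scheme, AUX_MSGS_R_A)
            != initiator_signed_octets(scheme, AUX_MSGS_R_B))


if __name__ == "__main__":
    for scheme in ("own-only", "everything"):
        print(f"{scheme:10s}: initiator's signature covers responder IKE_AUX nonces "
              f"-> {signature_binds_responder_aux(scheme)}")
```

Under "own-only" the responder's IKE_AUX nonces can be swapped without changing anything the initiator signs (only the IKE_SA_INIT nonce Nr is still covered), whereas under "everything" the interleaved AUX_PRF_R_n values pull every responder IKE_AUX message into the signed octets, which is the SIGMA-style binding the thread asks for.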