[removed cfrg from CC, as I do not think this issue really belongs there as we are discussing IKE signaling here].
Dan Harkins writes: > First of all this suggestion is for a particular PAKE and I'm not > suggesting that any of the other candidates would slide in so effortlessly. > In fact an augmented PAKE is, IMHO, not suitable for a protocol like IKE > where either side can initiate. The PAKE I'm describing here is SPEKE, > a balance PAKE. > > SPEKE does a simple Diffie-Hellman but uses a secret generator that is > deterministically obtained from the password. This technique is basically > one of the hash-to-curve functions from the CFRG's hash-to-curve I-D > or a simple hashing and exponentiation for MODP groups. All this happens > at password provisioning time prior to IKE being run. > > Then when IKE is run the secret generator for the negotiated group is > used to do the D-H, the IKE_SA_INIT exchange is basically SPEKE. The > result is, if they both have the same generator (which means they had the > same password), an authenticated shared secret. This secret is verified in > the IKE_AUTH exchange. How does the responder know which of the one million username password pairs to pick to generate the generator when calculating D-H in the IKE_SA_INIT? The actual identity of the user is only sent in the encrypted IKE_AUTH message. I.e., I think this has exactly same problem than IKEv1 has with pre-shared keys for main mode. You must know the initiator identity based on the IP-addresses, thus makes this completely unusable for non static VPN cases. > This would require a new Auth Method defined for SPEKE/PAKE to indicate > that the SPEKE shared secret is used. And that should be all that's needed. > It should be that simple. The protocol shouldn't have to change, no new > messages, no new payloads, no new nuthin. If I'm missing something please > let me know. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
