On 8/29/19 5:11 PM, Tero Kivinen wrote:
[removed cfrg from CC, as I do not think this issue really belongs
there as we are discussing IKE signaling here].
Dan Harkins writes:
First of all this suggestion is for a particular PAKE and I'm not
suggesting that any of the other candidates would slide in so effortlessly.
In fact an augmented PAKE is, IMHO, not suitable for a protocol like IKE
where either side can initiate. The PAKE I'm describing here is SPEKE,
a balance PAKE.
SPEKE does a simple Diffie-Hellman but uses a secret generator that is
deterministically obtained from the password. This technique is basically
one of the hash-to-curve functions from the CFRG's hash-to-curve I-D
or a simple hashing and exponentiation for MODP groups. All this happens
at password provisioning time prior to IKE being run.
Then when IKE is run the secret generator for the negotiated group is
used to do the D-H, the IKE_SA_INIT exchange is basically SPEKE. The
result is, if they both have the same generator (which means they had the
same password), an authenticated shared secret. This secret is verified in
the IKE_AUTH exchange.
How does the responder know which of the one million username password
pairs to pick to generate the generator when calculating D-H in the
IKE_SA_INIT? The actual identity of the user is only sent in the
encrypted IKE_AUTH message.
I.e., I think this has exactly same problem than IKEv1 has with
pre-shared keys for main mode. You must know the initiator identity
based on the IP-addresses, thus makes this completely unusable for
non static VPN cases.
HA! I did miss something :-)
Yes, I guess a new payload is needed to express the username. This can
be added to the IKE_SA_INIT message. Or maybe it can be a special type of
NOTIFY, that's a six-of-one-and-a-half-dozen-of-the-other issue. But this
should not involve an extra Auth exchange (as the framework PAKEs do)
since SPEKE is just a Diffie-Hellman exchange which is exactly what IKE
is.
regards,
Dan.
This would require a new Auth Method defined for SPEKE/PAKE to indicate
that the SPEKE shared secret is used. And that should be all that's needed.
It should be that simple. The protocol shouldn't have to change, no new
messages, no new payloads, no new nuthin. If I'm missing something please
let me know.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
