Valery Smyslov writes:
> After some thinking and recollecting I realized that things are not that
> simple.
> It's true that SK_w is derived in a QC-resistant way, but it is only used
> for providing confidentiality of the wrapped keys. Note that their
> authenticity and integrity is provided only on G-IKEv2 message level,
> so it is SK_a[i/r] that are responsible for these properties, and
> these keys are not QC-resistant. So, a QC-equipped attacker
> cannot learn the keys, but can substitute them if they are
> transferred in GSA_AUTH.
True, but note that this requires an active attack, with a real-time attack against the IKEv2 Diffie-Hellman. The main reason for PPK is to provide protection against the store-and-attack-later cases, i.e., where attackers store all traffic now, and then later break the Diffie-Hellman and then can see the traffic keys and then will be able to decrypt the traffic protected by those keys.

I.e., PPK is not properly trying to protect against the cases where there are real-time quantum computers; for that we most likely need to have quantum-safe key exchange, and authentication algorithms too, i.e., multiple-ke and ikev2 intermediate...

I think we can simply document this in the security considerations section, saying that if that kind of protection against real-time attacks is needed, then quantum-safe key exchange is needed, and most likely also quantum-safe authentication algorithms...

--
kivi...@iki.fi
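The split the two messages describe, as an added simulation that is not part of the thread or of any IKEv2 implementation: SKEYSEED and SK_d/SK_a follow RFC 7296, the PPK enters only as SK_d' = prf+(PPK, SK_d) per RFC 8784, and SK_w being taken from SK_d' is this example's modelling assumption (it matches the claim that SK_w is QC-hardened while SK_a is not). The toy key wrap, the label strings and all byte values are constructed.

```python
import hmac
import hashlib

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+ (RFC 7296, section 2.13) instantiated with HMAC-SHA256."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]

def ike_keys(dh_secret: bytes, ni: bytes, nr: bytes, spis: bytes, ppk=None) -> dict:
    """SKEYSEED and SK_d/SK_a as in RFC 7296; with a PPK, SK_d' = prf+(PPK, SK_d) (RFC 8784).
    Deriving SK_w from SK_d' is a modelling assumption of this example. SK_e/SK_p omitted."""
    skeyseed = hmac.new(ni + nr, dh_secret, hashlib.sha256).digest()
    km = prf_plus(skeyseed, ni + nr + spis, 64)
    sk_d, sk_a = km[:32], km[32:]
    if ppk is not None:
        sk_d = prf_plus(ppk, sk_d, 32)   # the only point where the PPK enters the hierarchy
    sk_w = prf_plus(sk_d, b"constructed key-wrap label", 32)
    return {"SK_d": sk_d, "SK_a": sk_a, "SK_w": sk_w}

def wrap(sk_w: bytes, group_key: bytes) -> bytes:
    """Toy key wrap (XOR with a prf+ keystream); stands in for the real wrap algorithm."""
    stream = prf_plus(sk_w, b"constructed wrap seed", len(group_key))
    return bytes(a ^ b for a, b in zip(group_key, stream))

def icv(sk_a: bytes, payload: bytes) -> bytes:
    """Message-level integrity tag over the wrapped key, keyed with SK_a only."""
    return hmac.new(sk_a, payload, hashlib.sha256).digest()

def simulate() -> dict:
    # Constructed values: the DH result is assumed recoverable by a QC-equipped attacker, the PPK is not.
    dh_secret, ppk = b"\x11" * 32, b"\x22" * 32
    ni, nr, spis = b"\xa1" * 16, b"\xb2" * 16, b"\xc3" * 16
    group_key = b"\xdd" * 16
    peers = ike_keys(dh_secret, ni, nr, spis, ppk)
    attacker = ike_keys(dh_secret, ni, nr, spis, None)   # same DH result, no PPK
    wrapped = wrap(peers["SK_w"], group_key)
    tag = icv(peers["SK_a"], wrapped)
    # Store-now-decrypt-later: recovering the DH result does not give SK_w, so the key stays hidden.
    can_read = wrap(attacker["SK_w"], wrapped) == group_key
    # Real-time active attacker: SK_a depends on DH alone, so a substituted blob gets a valid tag.
    substituted = b"\x00" * 16
    forged_ok = hmac.compare_digest(icv(attacker["SK_a"], substituted), icv(peers["SK_a"], substituted))
    return {"attacker_reads_group_key": can_read, "attacker_forges_icv": forged_ok,
            "original_tag_valid": hmac.compare_digest(tag, icv(peers["SK_a"], wrapped))}
```

The two booleans returned by `simulate()` are exactly the distinction the reply draws: passive store-and-attack-later fails, while substitution by a real-time attacker succeeds until the authentication keys are also made quantum-safe.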