
IKEv2 and SIGMA



The editors of IKEv2 have done great work in simplifying the specification
setup for IKE.  While the current specification is not complete in all 
aspects it seems to provide a strong basis for converging to a final 
fully-detailed and implementable specification.  This is real progress!

I have quite a few comments on the current specification (cryptographic and
functional aspects). But by now I'd like to address one fundamental issue 
related to the cryptographic soundness of the current design. 
Namely, the protocol does not achieve a strong cryptographic binding
between the exchanged DH key and the party identities (an essential security 
requirement put forth by the STS paper [DVW]).

This can be indirectly achieved in IKEv2 via ESP if one MANDATES
strong integrity in ESP (otherwise integrity is optional in ESP), 
but even then a truly sound key exchange protocol should not rely on 
external mechanisms to provide the most essential security properties 
(in contrast, using ESP for id protection is perfectly reasonable).

The solution to this problem is quite simple: put back the prf (or HASH)
computation under the signature; a detailed specification can be found in 
my recent SIGMA proposal [SIGMA].
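As an added illustration (not part of the original message, and not the
SIGMA draft's own code), the following Python sketch contrasts the two
constructions discussed above: a signature over the DH values alone, and a
signature that also covers prf_Km(ID), where Km is derived from the DH
secret.  The group (2^127 - 1, generator 3), the Schnorr-style toy
signature, and the HMAC-SHA256 stand-in for IKE's prf are all constructed
assumptions chosen so the sketch runs with the standard library; they are
not IKE's actual algorithms and are far too small for real use.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters for illustration only: P is the Mersenne prime
# 2^127 - 1 and G = 3.  Far too small for real use; IKE uses the MODP groups
# of RFC 2409 / RFC 3526 and a real signature scheme, not this toy.
P = (1 << 127) - 1
G = 3
NBYTES = 16  # enough to hold any element of Z_P


def _i2b(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")


def _hash_int(*parts: bytes) -> int:
    """Length-prefixed SHA-256 over the parts, read as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def keypair():
    """Private exponent and public value G^x mod P (used both for DH and for the toy signature)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def sign(sk: int, msg: bytes):
    """Toy Schnorr-style signature (assumption: stands in for IKE's RSA/DSA signature)."""
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    e = _hash_int(_i2b(r), msg)
    s = (k + e * sk) % (P - 1)  # exponents reduce mod P-1 (Fermat, P prime)
    return r, s


def verify(pk: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < P):
        return False
    e = _hash_int(_i2b(r), msg)
    return pow(G, s, P) == (r * pow(pk, e, P)) % P


def derive_km(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """MAC key from the DH secret (assumption: HMAC-SHA256 keyed by the nonces stands in for IKE's prf)."""
    return hmac.new(nonce_i + nonce_r, _i2b(shared), hashlib.sha256).digest()


def naive_auth(sk: int, gx: int, gy: int):
    """Weak form: the signature covers only the DH values; nothing ties it to Km or to an identity."""
    return sign(sk, _i2b(gx) + _i2b(gy))


def naive_verify(pk: int, gx: int, gy: int, sig) -> bool:
    return verify(pk, _i2b(gx) + _i2b(gy), sig)


def sigma_auth(sk: int, identity: bytes, km: bytes, gx: int, gy: int):
    """SIGMA-style: prf_Km(identity) is computed and placed under the signature."""
    mac = hmac.new(km, identity, hashlib.sha256).digest()
    return mac, sign(sk, _i2b(gx) + _i2b(gy) + mac)


def sigma_verify(pk: int, identity: bytes, km: bytes, gx: int, gy: int, auth) -> bool:
    """Recompute prf_Km(identity) locally; a block produced without Km cannot match it."""
    mac, sig = auth
    expected = hmac.new(km, identity, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    return verify(pk, _i2b(gx) + _i2b(gy) + mac, sig)


def demo() -> dict:
    """Honest I/R exchange, then an authentication block from a third party that
    holds a signing key but not Km; returns which verifications succeed."""
    x, gx = keypair()  # initiator's ephemeral DH pair
    y, gy = keypair()  # responder's ephemeral DH pair
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    km_i = derive_km(pow(gy, x, P), nonce_i, nonce_r)
    km_r = derive_km(pow(gx, y, P), nonce_i, nonce_r)
    assert km_i == km_r  # both sides derive the same Km from the DH secret

    sk_r, pk_r = keypair()  # responder's long-term signing key
    sk_e, pk_e = keypair()  # an unrelated third party's long-term signing key
    honest = sigma_auth(sk_r, b"responder", km_r, gx, gy)

    # Without the DH secret the third party can only guess Km; its block is rejected.
    km_guess = secrets.token_bytes(32)
    foreign = sigma_auth(sk_e, b"third-party", km_guess, gx, gy)

    return {
        "sigma_honest": sigma_verify(pk_r, b"responder", km_i, gx, gy, honest),
        "sigma_without_km": sigma_verify(pk_e, b"third-party", km_i, gx, gy, foreign),
        # The naive signature verifies for whoever signs the DH values; identity plays no role.
        "naive_third_party": naive_verify(pk_e, gx, gy, naive_auth(sk_e, gx, gy)),
    }
```

Running demo() shows the point of the message: with the prf under the
signature, a valid authentication block for an identity can only be
produced by a party that knows Km, i.e. the DH secret, so the identity is
bound to the key; without it, a correct signature over the DH values says
nothing about who the key is shared with.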

Moreover, I would recommend integrating the SIGMA protocol into the current
IKEv2 specification framework.  This would have the effect of providing full 
cryptographic security AND improving performance by reducing the number of 
messages and the latency of SA activation. Given the IKEv2 draft, specifying
SIGMA in this context requires minimal work.

In addition, the SIGMA protocol would allow having, in addition to the 
main PK-based protocol, a single mode that simultaneously supports
Phase 2 functionality AND provides support for pre-shared keys.

Hugo

[DVW] W. Diffie, P. van Oorschot and M. Wiener, "Authentication and 
authenticated key exchanges", Designs, Codes and Cryptography, 2, 1992.

[SIGMA] H. Krawczyk, "The IKE-SIGMA Protocol", 
http://www.ee.technion.ac.il/~hugo/draft-krawczyk-ipsec-ike-sigma-00.txt.
