IKEv2 and SIGMA
The editors of IKEv2 have done great work in simplifying the specifications
setup for IKE. While the current specification is not complete in all
aspects it seems to provide a strong basis for converging to a final
fully-detailed and implementable specification. This is real progress!
I have quite a few comments on the current specification (cryptographic and
functional aspects). But by now I'd like to address one fundamental issue
related to the cryptographic soundness of the current design.
Namely, the protocol does not achieve a strong cryptographic binding
between the exchanged DH key and the party identities (an essential security
requirement put forth by the STS paper [DVW]).
This can be indirectly achieved in IKEv2 via ESP if one MANDATES
strong integrity in ESP (otherwise integrity is optional in ESP),
but even then a truly sound key exchange protocol should not rely on
external mechanisms to provide the most essential security properties
(in contrast, using ESP for id protection is perfectly reasonable).
The solution to this problem is quite simple: put back the prf (or HASH)
computation under the signature; a detailed specification can be found in
my recent SIGMA proposal [SIGMA].
Moreover, I would recommend integrating the SIGMA protocol to the current
IKEv2 specification framework. This would have the effect of providing full
cryptographic security AND improving performance by reducing the number of
messages and the latency of SA activation. Given the IKEv2 draft, specifying
SIGMA in this context requires minimal work.
In addition, the SIGMA protocol would allow to have, in addition to the
main PK-based protocol, a single mode that simultaneously supports
Phase 2 functionality AND provides support for pre-shared keys.
Hugo
[DVW] W. Diffie, P. van Oorschot and M. Wiener, "Authentication and
authenticated key exchanges", Designs, Codes and Cryptography, 2, 1992.
[SIGMA] H. Krawczyk, "The IKE-SIGMA Protocol",
http://www.ee.technion.ac.il/~hugo/draft-krawczyk-ipsec-ike-sigma-00.txt.