
Re: IKEv2 and SIGMA



   Hugo,

   Thanks for pointing this out. It is our intent that the integrity
check in ESP be mandatory when ESP is protecting IKEv2 messages.
The peers sign each D-H exponential and each nonce, and SKEYID_a,
derived from the D-H exponentials and the nonces, is used as the
key to the ESP integrity check. I think some wordsmithing in Appendix
B is in order.

   Dan.

On Mon, 26 Nov 2001 13:28:56 +0200 you wrote
 >
 > Namely, the protocol does not achieve a strong cryptographic binding
 > between the exchanged DH key and the party identities (an essential security 
 > requirement put forth by the STS paper [DVW]).
 > 
 > This can be indirectly achieved in IKEv2 via ESP if one MANDATES
 > strong integrity in ESP (otherwise integrity is optional in ESP), 
 > but even then a truly sound key exchange protocol should not rely on 
 > external mechanisms to provide the most essential security properties 
 > (in contrast, using ESP for id protection is perfectly reasonable).
 > 
 > The solution to this problem is quite simple: put back the prf (or HASH)
 > computation under the signature; a detailed specification can be found in 
 > my recent SIGMA proposal [SIGMA].


