RE: Some comments to draft-ietf-ipsec-ikev2-00.txt
> > 3.1 Generating Keying Material for the IKE-SA
> ...
> > SKEYSEED = prf(Ni | Nr, g^ir)
>
> As this is the only place where nonces are used, their entropy is
> limited to the output of the PRF. I.e. it is no use using nonces
> whose combined entropy is more than 128 bits if we are using HMAC-MD5
> as the PRF, as the output of the SKEYSEED is going to be 128 bits.
>
> > SKEYSEED_d = prf(SKEYSEED, g^ir | CKY-I | CKY-R | 0)
> > SKEYSEED_a = prf(SKEYSEED, SKEYSEED_d | g^ir | CKY-I | CKY-R | 1)
> > SKEYSEED_e = prf(SKEYSEED, SKEYSEED_a | g^ir | CKY-I | CKY-R | 2)
>
> I think that could be fixed by adding the nonces to the above
> calculations in addition to the cookies.
Or by simply replacing the cookies with the nonces. That would be the
*obvious* method ;-)
Still, I notice that IKEv2 carries forward the "broken" phase 1 key
stretching algorithm from IKEv1:
K1 = prf(SKEYSEED_e, 0)
K2 = prf(SKEYSEED_e, K1)
K3 = prf(SKEYSEED_e, K2)
As was noted from earlier discussions, g^xy ought to be reintroduced at each
stage in order to preserve the full entropy of the key exchange.
Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
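The derivation quoted in this thread, written out as runnable code so the two points can be checked rather than argued. This is an added example, not code from the draft or from either poster; the draft only gives the formulas, so the byte encodings (single-octet counters, plain concatenation) and the choice of HMAC-SHA-256 as the prf are assumptions. The draft-00 functions take exactly the inputs the formulas name, which is what makes the problem visible: the key-stretching chain has no g^ir parameter at all, and the sub-key derivation has no nonce parameter, so any two exchanges that reach the same SKEYSEED (or SKEYSEED_e) end with identical keys. The two variants beside them (nonces in place of cookies, as Andrew suggests, and g^ir fed into every stretching stage) do not have that property.

```python
"""draft-ietf-ipsec-ikev2-00 section 3.1 key derivation, as quoted in the
thread, beside the two variants the thread proposes.  Example code written
for this page, not from the draft or the posters."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # The thread's example prf is HMAC-MD5 (128-bit output).  HMAC-SHA-256 is
    # used here so the code runs where MD5 is disabled; the argument is the
    # same, only the output size (the entropy cap) changes.
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyseed(ni: bytes, nr: bytes, g_ir: bytes) -> bytes:
    # SKEYSEED = prf(Ni | Nr, g^ir).  In draft-00 this is the only place the
    # nonces enter, so at most one prf-output's worth of nonce entropy survives.
    return prf(ni + nr, g_ir)


def draft00_subkeys(seed: bytes, g_ir: bytes, cky_i: bytes, cky_r: bytes):
    # SKEYSEED_d/a/e exactly as quoted: cookies, no nonces.
    d = prf(seed, g_ir + cky_i + cky_r + b"\x00")
    a = prf(seed, d + g_ir + cky_i + cky_r + b"\x01")
    e = prf(seed, a + g_ir + cky_i + cky_r + b"\x02")
    return d, a, e


def subkeys_with_nonces(seed: bytes, g_ir: bytes, ni: bytes, nr: bytes):
    # Andrew's variant: the nonces replace the cookies (assumed layout).
    d = prf(seed, g_ir + ni + nr + b"\x00")
    a = prf(seed, d + g_ir + ni + nr + b"\x01")
    e = prf(seed, a + g_ir + ni + nr + b"\x02")
    return d, a, e


def draft00_stretch(seed_e: bytes, n_blocks: int) -> bytes:
    # K1 = prf(SKEYSEED_e, 0), K2 = prf(SKEYSEED_e, K1), K3 = prf(SKEYSEED_e, K2)
    # Note the signature: g^ir is not an input, so the whole chain is a
    # function of SKEYSEED_e alone (one prf output of entropy at most).
    blocks, prev = [], b"\x00"
    for _ in range(n_blocks):
        prev = prf(seed_e, prev)
        blocks.append(prev)
    return b"".join(blocks)


def stretch_with_gxy(seed_e: bytes, g_ir: bytes, n_blocks: int) -> bytes:
    # Variant from the message: reintroduce g^xy at each stage so each block
    # draws on the full key-exchange secret, not only on SKEYSEED_e.
    # The counter octet is an assumption, added so the blocks differ even if
    # a prf output repeats.
    blocks, prev = [], b""
    for i in range(n_blocks):
        prev = prf(seed_e, prev + g_ir + bytes([i]))
        blocks.append(prev)
    return b"".join(blocks)


def stretching_comparison():
    """Two exchanges with different g^ir but the same SKEYSEED_e (constructed).
    Returns (draft-00 keys identical?, fixed-variant keys different?)."""
    seed_e = b"\x11" * 32          # constructed stand-in for a shared SKEYSEED_e
    g_ir_1 = b"\xaa" * 128         # constructed DH secrets, 1024-bit sized
    g_ir_2 = b"\xbb" * 128
    draft_same = draft00_stretch(seed_e, 3) == draft00_stretch(seed_e, 3)
    fixed_differ = stretch_with_gxy(seed_e, g_ir_1, 3) != stretch_with_gxy(seed_e, g_ir_2, 3)
    return draft_same, fixed_differ


def subkey_comparison():
    """Two exchanges with different nonces but the same SKEYSEED and cookies
    (constructed).  Returns (draft-00 sub-keys identical?, nonce variant different?)."""
    seed = b"\x22" * 32
    g_ir = b"\xcc" * 128
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8
    ni_1, nr_1 = b"\x31" * 16, b"\x32" * 16
    ni_2, nr_2 = b"\x41" * 16, b"\x42" * 16
    draft_same = draft00_subkeys(seed, g_ir, cky_i, cky_r) == draft00_subkeys(seed, g_ir, cky_i, cky_r)
    fixed_differ = subkeys_with_nonces(seed, g_ir, ni_1, nr_1) != subkeys_with_nonces(seed, g_ir, ni_2, nr_2)
    return draft_same, fixed_differ


if __name__ == "__main__":
    print("stretching: draft-00 same, with g^xy different:", stretching_comparison())
    print("sub-keys:   draft-00 same, with nonces different:", subkey_comparison())
    print("SKEYSEED bytes from 64-byte nonces:", len(skeyseed(b"n" * 64, b"m" * 64, b"g" * 128)))
```

The last print makes the first poster's cap concrete: however long Ni and Nr are, SKEYSEED is one digest (32 bytes here, 16 with HMAC-MD5), and in draft-00 nothing downstream sees the nonces again.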